Comments on: 3D-based Captchas become reality

YUNiTi.com announces the first implemented method of Captcha.

[DoesWhat]

The spam bot has a 1 in 9 chance of getting it right compared to a text captcha where the bot has almost no chance of guessing, even with an advanced OCR. I like the idea of advancing captcha and there is probably something is 3D. But this is just matching pictures. The 3D in this example has no relevance.

[DoesWhat]

Apologies, something more like a 1/5832 chance.

[rikkles]

This is very bad. Using a simple wavelet matching algorithm, the spam bot can easily guess what those pictures are. The picts need to have very hard to find image edges. The 3D images need to be within a complex scene, not a black background.

[marquinhocb]

Rickles: Please send us this supposed wavelet matching algorithm, we'd love to see it in action. As far as we're concerned, this captcha is impossible to crack. If we're wrong, we'd love to see a real-world example of it being cracked.

[Hunnter2k3]

If the images were generated with different shading models each time (and maybe even textures?), it would solve this problem instantly.
The Order and 9x9 grid are already rendered differently as it is, so that is 2 separate patterns it would have to match, and pattern matching for complex objects is in it's infancy.

On the complex scene part, even if it were, would it matter?
Not really, the bot could still detect the object due to the colour.
As i mentioned above, unless complex textures are used, there is no point to make a complex background.

The whole reason i went off Myspace was their stupidly long captchas.
Hopefully this will take off more, visual and clickable captchas are much more pleasing than having to type out things, nobody likes typing. (heh)
But on a serious note, since handhelds with touchscreens are becoming more popular, it would make sense to evolve to clickable captchas.

[Hunnter2k3]

Sorry, not 9x9 grid, i never realized there were more images displayed.

Also, Chrome (1.x) can't display the Order image, it displays the other images fine.
I'm not sure it likes &.png.
Not sure if that is meant to be the correct behaviour or not, but i will file a report on for it on the group.

[Hunnter2k3]

Bah, sorry for triple posting, but it appears to not work on any browser i have tried... (FF2, Arora, Chrome 1.x and 0.x)

[marquinhocb]

Sorry about that Hunter2k3, our servers were under heavier load than we were expecting, we've upped the processing cycles for 3D renderings so that this doesn't happen again. Give it a shot now!

[marquinhocb]

Regarding your comment on texturing: that's precise, more layers of complication could be added to the scheme to make it, in essence, impossible to crack with current computing power.

The first of these would be to, say, have 4 boxes to fill instead of 3. That increases the probability of a correct guess to 1/104,000. Next would be to have more than 18 objects (although the user would always be given a "palette" of 18 objects to pick from, otherwise it would take too long to scan the objects). There would be, say, 100 objects, and the user would get 18 randomly picked objects to choose from (out of the 100).

Lastly, textures could be added to objects to make them even more difficult to recognize by software.

But the point here is, even with simple, basic greyscale objects like our captchas, it's still far more complex to crack than letter captchas. Being an experienced software engineer, if I had to pick the task of cracking recaptcha or cracking this new 3d-image based captcha, I'd take the former. Recognizing 2D letters is a lot simpler than making out objects from 3space which have been projected onto 2D.

[haggais]

marquinhocb: "Impossible to crack" sounds like you might be overstating the case ever so slightly...

First off, CAPTCHAs are inherently crackable by cheap human labour, which you can't make unprofitable without making the CAPTCHAs an unreasonable burden for legitimate users. This is not a flaw in this particular system, of course.

As regards this particular CAPTCHA scheme, if you solve it (even manually) for a few dozen, or at most a few hundred rotated views of each object, you're pretty much done, as small rotations (e.g. 10 degrees) of the 3D objects are quite close to simple 2D transformations. Since there only seem to be a few tens of objects from which the puzzles are selected, that's a small enough task to get started, and a library of easily recognisable 3D objects is unlikely to run to millions, or even to tens of thousands.

I have a few more details up at http://technobabblepro.blogspot.com/2009/04/how-theyll-break-3d-captcha.html and an earlier post there.

[karpenterskids]

Taylor's 3-D images were a lot nicer...but either way, 3-D still beats a regular (especially long) captcha anyday. :]

[myles taylor]

They've been using 3D Captchas on Runescape for ages now. The bots still find ways around them. There are no foolproof systems, at least not yet. I'm sure this is promising though. The money is behind the creation of bots though.

[Pete Bardo]

By 3D I assumed you meant three dimensional. I only see 2 dimensions in the images, unless your counting the shading as a dimension. Sure the images show different views of the same object, but what's 3D about it?

[c|net Reader]

The image to match and the matching image are distinct 2D projections of a 3D object.

[hummingkris]

We at hummingbytes have SMS / VOICE Catchas. A SMS / VOICE Captcha will send a Alphanumeric code as a TEXT message or call you on your call and read out the alphanumeric code, which can then be entered on the website to ensure you are a human and not a bot.

This link will take you to a page that demonstrates the SMS / VOICE Captcha.
http://www.hummingbytes.com/demos.aspx?PRODUCT=WebSecurity

[marquinhocb]

What's to stop a hacker from plugging in their cellphone to their computer and having a script that checks SMS's for an alphanumeric code? This is even easier to hack than a classic alphanumeric captcha. If you're going to spam a product, at least make sure it's a good one!

[Dalkorian]

Nice, so if I don't have a cell phone I'm not welcome on your website?

[c|net Reader]

What about those that don't use SMS and don't wish to pay for it?

[hummingbytes]

marquinhocb what are you even talking about ?

I am not sure if you understood what we do OR I am not understanding your reasoning.

If a SMS is being sent to a phone number, which you need to read and then enter in a website to get access, how does a hacker connect their phone to the computer and use a script to hack in ?

[hummingbytes]

Dalkorian, if you do not have a cell phone, then you can always use a land line and use the VOICE part of captcha to get in.

[hummingbytes]

c|net Reader, if you do not want to pay for the incoming SMS, then you can always use the VOICE part of captcha to get access. There is a provision to use Email also if you do not have a cell phone / landline.

[afhill]

Michael Kaplan posted about 3D CAPTCHAs in 2005, and his description thereof states "Patent pending". It would be interested to know what about 3D CAPTCHAs specifically he's hoping to patent...

http://spamfizzle.com/CAPTCHA.aspx

[codynews]

geeze, is this really necessary? I'm tired of all this "captcha" crap already. Some of them are very hard for humans to get right.

Make them simple. If someone can 'crack' them and spam is it really the end of the world? You still stop 99.99% by just using *something*

[Eludium-Q36]

Agreed, this has gotten ridiculous, these captcha images are far more trouble than they're worth.

[marquinhocb]

I agree with you codynews - though you have to admit, clicking 3 types on easily identifiable objects is a lot simpler than trying to make out some of these new captchas (recaptcha included)!

I figure if you're going to make it more difficult for a human to use your site than a script, why even bother. The idea of this 3D captcha is to make it pathetically simple for us, and insanely difficult for scripts.

[c|net Reader]

I prefer not having to skip past all of the spam. More than a little seriously reduces the value of a forum.

This scheme requires too many clicks and must have a bypass for the blind and others with disabilities. That bypass mechanism will probably be weaker and is the more likely attack vector. Thus, I'm not sure 3D CAPTCHAs are any better.

[knowles2]

Cool technology and cool idea. Better than type letters.
Not sure how long it will take to come up with a method of getting computers to learn how to do it, I am sure not as long as people think it will take or required as much processing as people think.

[rjonesx]

Unfortunately this suffers from the same issue of all CAPTCHAs... Simply find a resource out there willing to fill out CAPTCHAs (such as people who think they are filling out CAPTCHAs to get into 1 site, when in reality their answers are being used to crack another)

[MechScape_Ren]

RuneScape has had 3D Captchas for ages now.

[FrankTangoAlpha]

The is a better picture captcha here:

http://www.CaptchaTheDog.com/contact.html

The images rotating with a random number of images makes odds better than 50,000 to 1

[alexschrod]

How does this work for the blind or visually impaired? At least some text CAPTCHAs, like reCAPTCHA, also provide an auditory alternative.