Stanford researcher Elie Bursztein wrote in a blog that his team was able to break a current version of the NuCaptcha technology with a greater than 90% success rate.
Text-based captcha is a challenge-response test used to ensure that the response is generated by a person, not a computer. Users are asked to read and type a string of distorted characters in order to ensure that the user is a human, not a bot trying to access a website or account. NuCaptcha has developed a video-based captcha technology to improve security and usability by having users watch a video and enter text based on the video.
However, Bursztein and his team were able to compromise NuCaptcha technology by converting the video into frames and analyzing each frame and letter individually via an algorithm.
“Animating the captcha allows the attacker to do a ‘differential’ analysis that helps the attack be more efficient. On the other hand, not animating the captcha is equivalent to having a static (text-based) captcha”, which renders moot any security advantage of using a video captcha, he explained.
The Stanford researcher offered a fix to the vulnerability, which he called tracking resistance. “When successfully implemented, tracking resistance makes video captcha secure against vision/machine learning attacks and more secure than standard text-based captchas”, he wrote.
Christopher Bailey, chief technology officer with NuCaptcha, told Infosecurity that Bursztein’s team was only able to compromise a middle-level captcha puzzle. He explained that the Stanford analysis was conducted in isolation from the cloud-based NuCaptcha platform and behavior analysis system (BAS), focusing only on the captcha puzzle and excluding the effects of the BAS or other security responses.
“The Stanford researchers looked at a specific puzzle set and attacked that puzzle set; they ignored the features of the platform that dynamically change that puzzle. The research was done in isolation from the platform”, Bailey stressed.
The multilayered NuCaptcha platform, which includes the captcha puzzle, the BAS, and a security measures system, is able to adjust its security response in real-time based on the behavior of the entity responding to the video-based captcha puzzle.
“As we integrate with more websites, we get more information about how users behave…and we use that data to create a risk profile. We show the low-risk users the easy to solve captchas….As the assessment of risk increases on a user, we show them progressively more secure captchas, which are less focused on the user and more focused on stopping the bot”, Bailey said.
The animation increases both the security and the usability of the captcha puzzle. “When the letters are moving, particularly when you have a high degree of overlap, the letters are easier to read. Our eyes separate those letters innately….We leverage the additional usability of the animation to increase the security settings”, he related.