Author Topic: Captcha breaking  (Read 2041 times)

Offline Chris

  • Game Owner
  • Level 35
  • *
  • Posts: 2,217
  • Reputation: +28/-1
    • View Profile
Captcha breaking
« on: July 03, 2010, 05:12:32 AM »
I wonder how reliable captcha is. Is current software capable of breaking these or not?

I'm especially interested in recaptcha (http://www.google.com/recaptcha), I know the simple ones were broken ages ago.

This is purely for player's anti bot countermeasure, so:
- no solution above $1000 (I doubt cheaters would pay so much to trick a game).
- probably no solutions with sweatshops (unless these are accessible and affordable to normal people, not spam companies)

Offline JGadrow

  • Level 35
  • **
  • Posts: 1,133
  • Reputation: +23/-2
    • View Profile
Re: Captcha breaking
« Reply #1 on: July 03, 2010, 07:34:40 AM »
Yeah, it's severely broken already. Here's a couple of links, the first actually contains links detailing why (re)CAPTCHA is conceptually flawed.

http://stackoverflow.com/questions/448963/has-recaptcha-been-cracked-hacked-ocrd-defeated-broken
http://www.theregister.co.uk/2009/12/14/google_recaptcha_busted/
http://groups.google.com/group/recaptcha/browse_thread/thread/503840948c58ed7e
http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

I'm actually wondering when / if hackers have already started creating programs that pipe the audio decipher of the (re)CAPTCHA to an external program in order for their automated program to crack the image. One would think that this method would be a more reliable means of cracking reCAPTCHA.
Idiocy - Never underestimate the power of stupid people in large groups.


Offline Chris

Re: Captcha breaking
« Reply #2 on: July 03, 2010, 02:28:13 PM »
Looks better than I thought. The best captcha breaker provides a 17.5% success ratio, so if a player has an 80% failure rate or worse then it is highly bot possible, otherwise clean?

Take note that this is for player anti bot protection only, so plenty of things mentioned in the links do not apply (like you can not change IP or hide brute force attack by ANY means, since you need to do it from the same player's account :)

Thanks for the links!

Offline bbgames

  • Level 16
  • *
  • Posts: 138
  • Reputation: +1/-0
    • View Profile
    • Building Browsergames
Re: Captcha breaking
« Reply #3 on: July 03, 2010, 05:07:01 PM »
You could also try looking at setting up a slider based captcha - from the sounds of things, that's worked quite well for they make apps.

Offline JGadrow

Re: Captcha breaking
« Reply #4 on: July 03, 2010, 07:39:26 PM »
IMO, CAPTCHA is usually a bad idea. Create an inconvenience or accessibility issue for your genuine users (which are hard to earn) to keep out spammers.

There's nothing preventing a dedicated spammer from accessing your site and publishing their filth all over. And if they utilize proxies it's difficult to lock them down and out of your site as well. So, you end up fighting spam by hand anyways... In the end, all that you've truly managed to do is irritate your users.

But, I think I'm the minority on this case. Everywhere I go I have to try and decipher these stupid things anymore. Probably half of them I can't even make out and I have perfect vision! lol


Offline Barrikor

  • Level 21
  • *
  • Posts: 248
  • Reputation: +3/-0
    • View Profile
Re: Captcha breaking
« Reply #5 on: July 03, 2010, 09:31:08 PM »
 My current captcha that I use would be relatively easy to break if someone possessing the required skills wanted to... (@ Chris: I've seen a captcha breaker for Megaupload that works around 90%-95% of the time.)

My thought on the matter is that the best thing for a captcha would be to have the captcha be unique enough that someone would need to write a new captcha-breaker to crack it. If you find that someone can kill your captcha you can always change how it works...

However I think we need to find a way to move away from captchas, the current captchas have so many disadvantages: they break player immersion, they slightly discourage people from completing the form, they use up cpu and memory due to using php's graphics functions every time the image loads, (and not to mention what blind folks think of them...)

Not sure what the alternative will be. (I'm toying around with the idea of something like a list of ten words and a textbox with a question that would ask for multiple words based on some theme..... kinda like a thesaurus, not sure how it'd be generated randomly enough though...)
« Last Edit: July 04, 2010, 12:01:35 AM by Barrikor »
Projects: Pith Framework (at 0.5), CactusGUI (at 0.3)

Offline Harkins

  • Level 28
  • **
  • Posts: 424
  • Reputation: +11/-2
  • Coder, blogger, entrepreneur.
    • View Profile
    • Push CX - Blog
Re: Captcha breaking
« Reply #6 on: July 04, 2010, 12:10:14 AM »
Quote
IMO, CAPTCHA is usually a bad idea. Create an inconvenience or accessibility issue for your genuine users (which are hard to earn) to keep out spammers.

Chris isn't trying to stop spammers, Chris is trying to stop his players from automating his gameplay. Which implies he does not actually have secret methods to detect GreaseMonkey. :)

Visit #bbg on irc.freenode.net to talk browser games anytime.

Offline Barrikor

Re: Captcha breaking
« Reply #7 on: July 04, 2010, 12:48:49 AM »

Quote
Chris isn't trying to stop spammers, Chris is trying to stop his players from automating his gameplay. Which implies he does not actually have secret methods to detect GreaseMonkey. :)

....ah, I see, sorry for going OT

What about adding to the game's forms an <input type=hidden/> that stores a random number generated by php, also have php store the random number in $_SESSION, if the submitted form has the hidden containing the wrong number then have php reject the form submission...? An invisible captcha, so to speak... they'd at least need to load the page with the form before submitting...

« Last Edit: July 04, 2010, 12:58:21 AM by Barrikor »

Offline Harkins

Re: Captcha breaking
« Reply #8 on: July 04, 2010, 09:34:12 AM »
As I linked, it sounds like Chris's problem is that he can't detect GreaseMonkey scripts, which are a convenient way to automate Firefox (among other things). So a GM scripter wouldn't even notice this defense.


Offline Sunchaser

  • Game Owner
  • Level 23
  • *
  • Posts: 296
  • Reputation: +3/-0
  • Game Owner
    • View Profile
    • Medieval Europe
Re: Captcha breaking
« Reply #9 on: July 04, 2010, 01:18:38 PM »
Is it possible to detect which addons a browser has installed?

Offline Chris

Re: Captcha breaking
« Reply #10 on: July 04, 2010, 02:48:22 PM »
Quote
(@ Chris: I've seen a captcha breaker for Megaupload that works around 90%-95% of the time.)
The recaptcha style? I know the old captchas are trivial to solve, but does this apply to the modern ones too?
Also, please drop me any link to captcha breakers you came across (all the links I came across were no longer existing).


Various answers:
I do not care about spammers, it is for players automating gameplay.
GreaseMonkey script is not the only bot script, do not be so narrow minded :)
There is a trivial way to detect GreaseMonkey script, but... there are plenty of buts for that solution.

Offline Barrikor

Re: Captcha breaking
« Reply #11 on: July 04, 2010, 05:44:04 PM »
Quote
(@ Chris: I've seen a captcha breaker for Megaupload that works around 90%-95% of the time.)
The recaptcha style? I know the old captchas are trivial to solve, but does this apply to the modern ones too?
Also, please drop me any link to captcha breakers you came across (all the links I came across were no longer existing).

(Luckily) not recaptcha, it was for captchas that mesh the chars together so they overlap; which is how a lot of captchas on file sharing sites are. I see now that Megaupload itself only has four chars in its captcha, so maybe captcha breaker isn't so great as I thought it was...

I've mostly just seen the bare-bones captcha breakers that occasionally get posted on hacker forums

Offline bbgames

Re: Captcha breaking
« Reply #12 on: July 04, 2010, 08:21:58 PM »
4chan cracked recaptcha, but it took some doing.

Offline aerosuidae

  • Level 9
  • *
  • Posts: 50
  • Reputation: +5/-0
    • View Profile
    • Return to Sol
Re: Captcha breaking
« Reply #13 on: July 04, 2010, 08:38:43 PM »
Quote
This is purely for player's anti bot countermeasure...

Ever tried to scrape data from Google using a bot?  Your IP gets blocked after you exceed a certain number of hits per 15 mins (iirc, might be per hour).  The threshold is set high enough that it's impossible for a human to hit it via normal activity.  I guess Google also do some magic to cater for NAT with multiple people using one IP.  With games, we can simply check IP + user_id activity.

If you have an activity log table appropriately indexed, perhaps you could simply send a player, who exceeds some arbitrary hit rate limit, to the sin bin for a while?  Trivial to do if you already track hits or activity.  Not so trivial if you don't.

Only works to counter bots that work fast and hit the server fast.  Not useful if you're looking to block all bots regardless of their speed.  Though, who really cares if some user uses automated stuff if they still only play at a near-human speed  :D
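The hit-rate check and "sin bin" described in the post above, as an added example that is not code from the thread: a sliding window per user_id + IP pair run over a constructed activity log. The limits, the row layout and the function name `sin_bin` are assumptions.

```php
<?php
// Added example. The limits and the sample activity log are assumptions.
const WINDOW_SECONDS  = 900;  // 15 minutes, the window guessed at in the post
const MAX_HITS        = 300;  // assumed ceiling no human reaches in one window
const SIN_BIN_SECONDS = 1800; // assumed length of the time-out

// $hits: rows of an activity log, each ['ts' => int, 'user_id' => int, 'ip' => string].
// Returns "user_id|ip" => timestamp until which that pair sits in the sin bin.
function sin_bin(array $hits): array
{
    usort($hits, fn($a, $b) => $a['ts'] <=> $b['ts']);
    $recent = [];      // per key: timestamps still inside the sliding window
    $binnedUntil = [];
    foreach ($hits as $hit) {
        $key = $hit['user_id'] . '|' . $hit['ip'];
        if (($binnedUntil[$key] ?? 0) > $hit['ts']) {
            continue; // already in the sin bin: the request is refused, not counted
        }
        $queue = $recent[$key] ?? [];
        $queue[] = $hit['ts'];
        while ($queue[0] <= $hit['ts'] - WINDOW_SECONDS) {
            array_shift($queue); // drop hits that fell out of the window
        }
        if (count($queue) > MAX_HITS) {
            $binnedUntil[$key] = $hit['ts'] + SIN_BIN_SECONDS;
            $queue = [];
        }
        $recent[$key] = $queue;
    }
    return $binnedUntil;
}

// Constructed log: player 7 acts once a second, player 8 once every 20 seconds.
$start = 1278300000;
$log = [];
for ($i = 0; $i < 600; $i++) {
    $log[] = ['ts' => $start + $i, 'user_id' => 7, 'ip' => '203.0.113.5'];
}
for ($i = 0; $i < 90; $i++) {
    $log[] = ['ts' => $start + $i * 20, 'user_id' => 8, 'ip' => '198.51.100.9'];
}
foreach (sin_bin($log) as $key => $until) {
    echo "$key in sin bin until ", date('c', $until), "\n";
}
```

As the post says, this only catches automation that runs faster than a person could; a script pacing itself like player 8 never reaches the limit.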


Offline Chris

Re: Captcha breaking
« Reply #14 on: July 05, 2010, 04:59:18 AM »
Quote
4chan cracked recaptcha, but it took some doing.
The "Times poll hack" required them to do manual voting (although they made it a bit simpler), so captcha was not really cracked here. It was more of a "social hack" than a software hack, no way players could do it :)

Quote
(Luckily) not recaptcha, it was for captchas that mesh the chars together so they overlap;
Good :D

So far the outcome of the conversation is that recaptcha is 100% hack proof for purpose of detecting "automated bots of already registered players" assuming we log the failed solve attempts (80% failure rate or worse is an indication of a bot).
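The failed-solve logging proposed in the post above, as an added example that is not code from the thread. It goes beyond the post by requiring a minimum number of attempts and by reporting a Wilson lower bound on the failure rate, so that a handful of unlucky solves is not read as a bot; the log format, `MIN_ATTEMPTS` and the sample lines are assumptions.

```php
<?php
// Added example. Log format, MIN_ATTEMPTS and the sample lines are assumptions.
const FAILURE_THRESHOLD = 0.80; // "80% failure rate or worse", from the thread
const MIN_ATTEMPTS      = 20;   // assumed: do not judge on a handful of solves

// Wilson score lower bound (95% by default) on the true failure rate; $attempts > 0.
function wilson_lower_bound(int $failures, int $attempts, float $z = 1.96): float
{
    $p  = $failures / $attempts;
    $z2 = $z * $z;
    $margin = $z * sqrt(($p * (1 - $p) + $z2 / (4 * $attempts)) / $attempts);
    return ($p + $z2 / (2 * $attempts) - $margin) / (1 + $z2 / $attempts);
}

// Each log line: "<unix time> <player id> <ok|fail>". Returns per-player statistics.
function score_players(array $logLines): array
{
    $stats = [];
    foreach ($logLines as $line) {
        if (!preg_match('/^(\d+) (\d+) (ok|fail)$/', trim($line), $m)) {
            continue; // skip malformed lines
        }
        $id = (int) $m[2];
        $stats[$id] ??= ['attempts' => 0, 'failures' => 0];
        $stats[$id]['attempts']++;
        $stats[$id]['failures'] += ($m[3] === 'fail') ? 1 : 0;
    }
    foreach ($stats as $id => $s) {
        $rate = $s['failures'] / $s['attempts'];
        $stats[$id] += [
            'rate'        => $rate,
            'lower_bound' => wilson_lower_bound($s['failures'], $s['attempts']),
            'suspect'     => $s['attempts'] >= MIN_ATTEMPTS && $rate >= FAILURE_THRESHOLD,
        ];
    }
    return $stats;
}

// Constructed sample: player 1 fails 4 of 5, player 2 fails 33 of 40, player 3 fails 3 of 40.
$log = [];
foreach ([1 => [5, 4], 2 => [40, 33], 3 => [40, 3]] as $id => [$n, $fails]) {
    for ($i = 0; $i < $n; $i++) {
        $log[] = sprintf('%d %d %s', 1278300000 + $i * 60, $id, $i < $fails ? 'fail' : 'ok');
    }
}
foreach (score_players($log) as $id => $s) {
    printf("player %d: %d/%d failed, lower bound %.2f, suspect=%s\n", $id, $s['failures'], $s['attempts'], $s['lower_bound'], $s['suspect'] ? 'yes' : 'no');
}
```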

Offline JGadrow

Re: Captcha breaking
« Reply #15 on: July 05, 2010, 08:27:50 AM »
Quote
Chris isn't trying to stop spammers, Chris is trying to stop his players from automating his gameplay. Which implies he does not actually have secret methods to detect GreaseMonkey. :)
True, but the idea is the same: Inconvenience a majority of your user group to try and detect a minority of your user group.


Offline dsheroh

  • Level 21
  • *
  • Posts: 235
  • Reputation: +6/-0
  • Perl Vicar
    • View Profile
    • Psi Rangers
Re: Captcha breaking
« Reply #16 on: July 06, 2010, 08:36:26 AM »
Quote
What about adding to the game's forms an <input type=hidden/> that stores a random number generated by php, also have php store the random number in $_SESSION, if the submitted form has the hidden containing the wrong number then have php reject the form submission...? An invisible captcha, so to speak... they'd at least need to load the page with the form before submitting...
...which is something you should already be doing anyhow to protect against cross-site request forgery attacks.  (Even though, as already mentioned, it wouldn't impact GreaseMonkey either way, since GM acts on pages that you're viewing in your browser.)
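The hidden-field check from Reply #7, which this reply identifies as ordinary cross-site request forgery protection, as an added example that is not code from the thread. The field name `form_token`, the session key and the sample form are assumptions.

```php
<?php
// Added example: hidden per-session form token. Field and key names are assumptions.
session_start();

// Create a fresh random token, remember it server-side, and return it for the form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG, not rand()/mt_rand()
    $_SESSION['form_token'] = $token;
    return $token;
}

// True only if the submitted value matches the token stored for this session.
function check_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']); // single use: a replayed POST fails
    return is_string($expected)
        && is_string($submitted)               // rejects form_token[]=... array input
        && hash_equals($expected, $submitted); // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!check_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or wrong; reload the page and try again.');
    }
    // ... carry out the game action here ...
}
$token = issue_form_token();
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <button type="submit" name="action" value="harvest">Harvest</button>
</form>
```

Because the token is single use and stored under one session key, opening the form in a second tab invalidates the first; keep one token per form if players use several tabs.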

Offline Shrapnel

  • Level 9
  • *
  • Posts: 46
  • Reputation: +0/-0
    • View Profile
Re: Captcha breaking
« Reply #17 on: July 06, 2010, 08:39:27 AM »
Quote
IMO, CAPTCHA is usually a bad idea. Create an inconvenience or accessibility issue for your genuine users (which are hard to earn) to keep out spammers.

There's nothing preventing a dedicated spammer from accessing your site and publishing their filth all over. And if they utilize proxies it's difficult to lock them down and out of your site as well. So, you end up fighting spam by hand anyways... In the end, all that you've truly managed to do is irritate your users.

But, I think I'm the minority on this case. Everywhere I go I have to try and decipher these stupid things anymore. Probably half of them I can't even make out and I have perfect vision! lol

Wow it can be such a vindication when you find someone who agrees with you.  I hate CAPTCHA with an unrivaled passion.  Some are not so bad, but sometimes it's just impossible to decipher the words they want you to enter. At least once, I just could not enter the right words because they were so illegible.  One of the worst ideas ever imo.
"Never compromise. Not even in the face of Armageddon" -Rorschach, Watchmen (2009)

Offline Delifisek

  • Level 12
  • *
  • Posts: 79
  • Reputation: +1/-1
    • View Profile
Re: Captcha breaking
« Reply #18 on: July 18, 2010, 04:54:37 AM »
Send activate code via sms...


 

