Dear computer hackers: GOTCHA!

A new test to prevent hacking could replace CAPTCHAs


Distorted pieces of text are often used to prevent computers getting unauthorized access to websites. Now a team of computer scientists think they can do better with inkblot tests instead.

Most people who use the Internet will be familiar with the Completely Automated Public Turing test to tell Computers and Humans Apart, otherwise known as CAPTCHA. These are the distorted pieces of text that you are regularly asked to identify to prove that you are human. Their goal is to prevent bots from accessing websites and, for example, leaving spam.

CAPTCHAs have been hugely successful since they were introduced in 2000 by Luis von Ahn and pals at Carnegie Mellon University in Pittsburgh. But in the cat and mouse game of computer security, it was always inevitable that the bad guys would spend significant resources attempting to break the system.

And indeed exactly that has happened. Since there can be only a limited number of distorted texts stored on a given hard disk, it is possible to employ people to crack them in sweatshop conditions. Another possibility is to repost the CAPTCHAs on another website for unsuspecting visitors who complete them thinking they are accessing a legitimate site. Instead, the solutions are used in real time to enter another site illegitimately.

So computer scientists have been thinking hard about how to improve this mechanism to once again thwart hackers. Today, Jeremiah Blocki and pals at Carnegie Mellon University say they’ve come up with a way to do it based on inkblot patterns.

The new approach is straightforward and relies on a user answering a number of questions when he or she first signs up for access to a website. It begins by generating a set of simple inkblot pictures by randomly positioning different colored ink spots in a small area of the screen.

As part of the signup process, the user is asked to write a short phrase that describes each of these pictures.

When the users return to access the site with a password, they are also shown the inkblot patterns and the set phrases that describe them. Their task is then to allocate the correct phrase to each pattern.

They call their new test a GOTCHA (Generating panOptic Turing Tests to Tell Computers and Humans Apart).

Blocki and pals say this ought to foil an automated attack. “We argue that the adversary who wishes to mount a cost effective offline attack needs to obtain constant feedback from a human,” they say.



That’s because only a human can consistently recognize the patterns and thereby link to the phrases on display — at least that’s their hypothesis.
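The sign-up and login flow described above, sketched in Python as an added example (not code from the article or from Blocki's team). It assumes, beyond what the article states, that the inkblots are derived from the password and a salt and that the server stores only a hash covering the password plus the correct phrase-to-inkblot matching, so every offline password guess also needs the matching solved; all function and field names are hypothetical.

```python
import hashlib
import hmac
import os
import random

N_BLOTS = 10  # the study reported in the article used ten inkblots per user

def inkblots(password, salt, n=N_BLOTS):
    """Derive n toy inkblots (lists of coloured spots) from password + salt."""
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    rng = random.Random(seed)  # deterministic: same password, same pictures
    return [[(rng.randrange(200), rng.randrange(200), rng.choice("RGBY"))
             for _ in range(8)] for _ in range(n)]

def _digest(password, salt, matching):
    # Assumption: the matching is folded into the password hash.
    material = password.encode() + b"|" + ",".join(map(str, matching)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def enroll(password, labels):
    """labels[i] is the user's phrase for inkblot i; returns the stored record."""
    salt = os.urandom(16)
    order = list(range(len(labels)))
    random.SystemRandom().shuffle(order)       # display order of the phrases
    shuffled = [labels[i] for i in order]      # phrase j describes inkblot order[j]
    # The record keeps the shuffled phrases but NOT the order itself.
    return {"salt": salt, "labels": shuffled,
            "hash": _digest(password, salt, order)}

def login(record, password, matching):
    """matching[j] is the inkblot index the user assigns to displayed phrase j."""
    if sorted(matching) != list(range(len(record["labels"]))):
        return False                           # not a one-to-one assignment
    candidate = _digest(password, record["salt"], matching)
    return hmac.compare_digest(candidate, record["hash"])
```

Because the record holds no copy of the correct order, the right password with a wrong matching fails exactly like a wrong password does.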

That’s an interesting idea. The human ability to recognize patterns far outstrips anything that computers can do and matching this with the user’s interpretation of random patterns is clever. There is plenty of evidence that pattern recognition is easier than remembering passwords.

But it does raise the question of how well people will remember their original interpretation of an inkblot. This may well be highly dependent on their state of mind at the time, which in turn could be influenced by all kinds of local and temporary variables.

To find out, Blocki and co. tested the idea using Amazon’s Mechanical Turk. They invited 70 Turkers to view a number of inkblot patterns and write identifying phrases, paying them $1 to complete the task. Then, 10 days later, they asked the same Turkers to re-associate their phrases with the inkblot patterns, again for a payment of $1.

The results are not entirely comforting. “Seventeen of our participants correctly matched all ten of their labels, and 69% of participants matched at least 5 out of ten labels correctly,” they say.

Blocki and co. say that the data indicates that a significant fraction of the population could use GOTCHAs. “It also means that the use of our GOTCHA would have to be voluntary so that users who have difficulty won’t get locked out of their accounts,” they add sheepishly.

It’s possible that the tests with Turkers were not representative of the way ordinary people would use GOTCHAs. For example, the Turkers may have rushed through the first phase of the tests to earn their money more quickly.

And it may also be possible to improve the recognition rate, perhaps by allowing users to reject images that they find confusing.

That looks to be a clear and necessary improvement if GOTCHAs are to become a common feature of internet security.

Ref: arxiv.org/abs/1310.1137: GOTCHA Password Hackers!

View “Will GOTCHAs Replace CAPTCHAs?” and find more technology news from MIT Technology Review.

© 2013 MIT Technology Review
