Why can't malware bots figure out the CAPTCHA text/mouse movements?

Is our human brains' ability to interpret data in a CAPTCHA text box or to make mouse movements so complex that a malware bot cannot yet be programmed to interpret or replicate it?

I don’t know what you mean by “complex mouse movements”, but human brains are much better at interpreting images than computers are. Bot-writers have managed to defeat some, of course, but most of them nowadays come from Google, which uses real images of text (from OCRed books or from street-view images of addresses) which Google’s own text-recognition programs (which are of course very good) haven’t been able to deal with.

Of course, there’s also an economic analysis involved. At some point, it’s easier for the spammers to just hire folks in the Third World to read captchas than it is to write new and better bots. And that system is impossible to defeat, because those folks in the Third World are, in fact, humans.

I’m guessing you’re asking more about the captchas that say “click here if you’re not a robot,” rather than the older ones that ask you to type in the word/number or pick out the pictures of dogs vs cats. The “click here” captchas work by interpreting clues like the movement of a mouse cursor over the box. A bot will move the cursor immediately or at a uniform speed and direction, while a human will have more variability. A bot might not move the mouse after the click, while a human will reposition it slightly with the click. It’s not so much that our brains make complex mouse movements; it’s that they make unpredictable movements. Programming true randomness like this is extremely difficult.

More details here.

Pseudorandom numbers indistinguishable from true randomness (by anyone who doesn’t know the entropy with which the PRNG was seeded) are easy to generate. The trick here works because human mouse movements, while individually unpredictable, also have structure to them (e.g., that they tend to be a sequence of fast movements with delays between them, not something that smoothly accelerates and slows down).

The reCAPTCHA people are betting that they’ll be better at modeling that structure than the spammers will. It’s okay if the spammers can break this CAPTCHA, as long as that would cost them more than it costs to break the old CAPTCHA in the usual way (like with OCR plus rooms full of typists in China/India). The mouse movements don’t seem to be their only metric, and they also consider e.g. past bad acts from the same IP, and many other factors that they don’t disclose. Security through obscurity is usually bad, but for stuff like this, it’s the only security available; so details of what Google is doing here will necessarily be sparse.
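To make the "structure, not just randomness" point concrete, here is an added illustration (not code from the thread or from Google) of the kind of trajectory check a defender could run on a cursor path: it scores a path on how uniform its speed is and whether it contains the pauses between fast movements that the post above describes. The sample format (millisecond timestamp, x, y) and the thresholds are assumptions chosen for the example, and the two trajectories are constructed by hand.

```python
"""Toy cursor-trajectory scorer: flags paths whose speed is too uniform and pause-free."""
import math
from statistics import mean, pstdev

# Constructed samples as (t_ms, x, y). Assumed format, not a real reCAPTCHA payload.
UNIFORM_BOT = [(i * 10, i * 20, 0) for i in range(11)]     # exactly 2 px/ms, no pauses
HUMAN_LIKE = [
    (0, 0, 0), (10, 40, 5), (20, 90, 12), (30, 130, 15),   # fast burst toward the box
    (130, 131, 15), (230, 132, 16),                        # ~200 ms of near-stillness
    (240, 160, 30), (250, 190, 45), (260, 200, 50),        # second, slower burst
]


def speeds(samples):
    """Per-segment speed in px/ms between consecutive samples (skips zero-time gaps)."""
    out = []
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt > 0:
            out.append(math.hypot(x1 - x0, y1 - y0) / dt)
    return out


def trajectory_features(samples, pause_speed=0.05):
    """Coefficient of variation of speed, plus the number of pause-like segments."""
    v = speeds(samples)
    if len(v) < 2:
        return {"cv": 0.0, "pauses": 0, "segments": len(v)}
    avg = mean(v)
    cv = pstdev(v) / avg if avg > 0 else 0.0   # 0.0 means perfectly uniform speed
    pauses = sum(1 for s in v if s < pause_speed)
    return {"cv": cv, "pauses": pauses, "segments": len(v)}


def looks_scripted(samples, min_cv=0.3, min_pauses=1):
    """True when the path is too uniform or has no pauses; too little data also counts."""
    f = trajectory_features(samples)
    if f["segments"] < 2:
        return True
    return f["cv"] < min_cv or f["pauses"] < min_pauses


if __name__ == "__main__":
    for name, path in (("uniform bot", UNIFORM_BOT), ("human-like", HUMAN_LIKE)):
        print(name, trajectory_features(path), "scripted?", looks_scripted(path))
```

The thresholds here are illustrative; a real deployment would combine a signal like this with the other factors the post mentions rather than rely on it alone.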

How do those “click here if you’re not a robot” captchas work on a touch screen device? I’ve used a couple on a tablet and they worked fine, so do they have some different method?

This sounds like it would be easy to spoof. Just add a random jitter movement to the mouse program.

As TommySeven noted, it’s not just randomness - I was too simplistic in using that word. Truly human movements are more difficult to program. And mouse movement is only a single part of the overall security model.

So, bots can’t yet pass the Mouse Movement Turing Test.

It’s a forever arms race.

Movements are only one part of it. Now they’ve gone on to other things like “Highlight all parts of a road sign” or “click on all pictures with grass” or “find pictures with storefronts”. Sometimes it’s just one screen, sometimes more tiles come up when you get some right, sometimes you have to do multiple back-to-back quizzes – all still while you’re moving the mouse around.

For now, site owners who implement reCaptcha (it’s a free service offered by Google) can choose the security level they want to use. Setting it to the lowest probably just has it measure your mouse movements. Setting it higher causes some of the other stuff mentioned above. Even these have been cracked with a 70% accuracy rate: http://news.softpedia.com/news/google-recaptcha-cracked-in-new-automated-attack-502677.shtml

reCaptcha itself is learning from its successes, so it’s really just AIs combating each other. We’ll soon be at a point where the test of your humanity would be your failures, not your successes, because only the machines could reliably solve each other’s puzzles and a too-high success rate would mean you’re human. Sort of like the mouse movements – if you’re too good at them, you’re probably a bot. Human hands aren’t that steady and follow certain movement patterns.

Anyway, yeah, services like DeathByCaptcha charge only $1 to have poor humans solve 1000 CAPTCHAs… CAPTCHAs just filter out the low-hanging fruit (the dumb bots) instead of providing perfect security. Good enough for now.

And to address this specifically, the paper on cracking this is here:

This is cracked already, along with more advanced versions of reCaptcha.

Am I the only one who noticed that you need to pass a captcha to log into DeathByCaptcha?

And it’s “for research purposes only”. Yes. Of course.

Yeah, that was funny :)