Tuesday, December 9, 2008

The OCR X-Prize

A while ago -- in fact, just about a year ago as it happens -- I remarked that the use of Captchas to try to keep bots away is effectively an X Prize for OCR hackers. If there's money to be made by using a bot, as there is with, say, online ticket sales for popular shows, then there ought to be reason for someone to write a better text recognizer to get past the Captcha. I was sort of right, kind of.

Sure enough, people have written better text recognizers. But from what I can make it out, they've done it for fame and recognition (well, at least to publish and not perish) and not for money. There are several academic papers out there, but as far as I can tell no enterprising script kiddie has done the requisite research. There have been reports of real sites invaded by real Captcha-cracking bots, but most likely someone just cadged the work done in the research papers and put it to ill use.

So, Catpchas have spurred research, because OCR has become a somewhat hot topic. They've also spurred actual scammers to crack Captchas, but not necessarily through OCR research. Actual scammers have little reason to invent new OCR algorithms, or even read the literature on the subject. That's not their strong suit. Their strong suit is social engineering. People are good at reading squiggly Captcha letters; spammers are good at getting people to do stuff; ergo, spammers get people to read the squiggly Captcha letters for them.

How do they do this? Put up a site featuring a thrilling pictorial presentation of, say, accounting standards through the ages (they actually used a slightly different subject matter). After each image is the promise of more ... if you can read the squiggly letters in the box. The letters, of course, are taken from a legitimate site that the scammer is trying to crack into at the moment, and the mark's response is fed directly back to that site. The awful beauty of this approach is that it will work for any "reverse Turing test" approach whatsoever.

If they're smart, they wait for a successful response back from the legitimate site before letting the mark proceed. Otherwise the mark could put in anything at all, for example "notarealticketbuyer", and by definition the scam site wouldn't know the difference.

Meanwhile, Captchas have become just almost too hard for humans to read (I came up empty on one today, which is what spurred this post). In other words, they've almost reached the point at which they can no longer discriminate between humans and bots. Clearly rendered text can't discriminate, because both humans and bots can read it easily. Gibberish can't discriminate either, because no one can read it. There is less and less room left in the middle.

No comments: