NuCaptcha takes on Google's ReCaptcha – Do Not Switch
13. 8. 2011. by Lukrecio Mioc
The other night I came across the article "NuCaptcha takes on Google's ReCaptcha" written by Rafe Needleman. I have followed and enjoyed Rafe's writing for about a decade now – ever since his "Catch of the Day" column at the (now defunct) RedHerring.com.
However, I strongly disagree with our esteemed competitor NuCaptcha, and with the statements in their press release that I believe led Rafe to write the article.
NuCaptcha's first claim to fame is: "... aimed at site owners looking for a user-friendly alternative ...", but:
- Attention is a scarce resource on the web, and there is nothing user-friendly about distracting your hard-won website visitors by diverting their attention from a form they have to fill – towards an irrelevant Captcha video they suddenly cannot avoid watching.
- Battery juice is a scarce resource on mobile devices, and there is nothing user-friendly about draining batteries of users' mobile devices by forcing them to play irrelevant video Captcha movies.
- A second is a century on the web, and there is nothing user-friendly about extending page load times by downloading 30-750 kB of Captcha video instead of 2-10 kB of traditional Captcha images.
NuCaptcha's second claim to fame is: "... while providing higher security against spam bots and other threats ...", but:
Traditional image Captcha gives Captcha-breaking bots a single shot at each challenge. One single frame and a single chance to guess it correctly. If just one character is wrong, that particular break-in attempt fails miserably – and the Captcha-breaking bot has to deal with a newly generated Captcha image.
Video Captcha gives Captcha-breaking bots 10, 20, 50, or even hundreds of frames to work with – all different, yet all containing the same correct answer. This means even a mediocre Captcha-breaking bot has a much higher chance of success than against a traditional image Captcha. When targeting a particular video Captcha, the bot simply analyzes each video frame as a separate image. By comparing the results from all frames and taking the most common guess for each character position, the bot has a much better chance of getting the Captcha code right: every frame in which a character is misread is outvoted by the frames in which it is read correctly.
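To make the frame-voting argument concrete, here is an added Python example. It is not NuCaptcha's code, not BotDetect's, and not part of the original post. It models a per-frame recognizer that reads each character correctly with an assumed, independent probability (p_char) and otherwise returns a random wrong character; the alphabet, the 6-character code length, the 21-frame count and the 80% accuracy figure are constructed assumptions for the illustration, not measurements of any real product. The example computes the single-frame success probability, an exact lower bound for majority voting across frames, and runs a seeded simulation of the voting attack.

```python
import math
import random
from collections import Counter

# Constructed alphabet for the example (no ambiguous 0/O, 1/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def vote_frames(frame_readings):
    """Combine one recognizer reading per frame into a single answer.

    Readings whose length disagrees with the most common length are
    treated as segmentation failures and dropped; each remaining
    position is decided by plurality. Ties go to the reading seen
    first, which is how Counter.most_common orders equal counts.
    """
    if not frame_readings:
        return ""
    target_len = Counter(len(r) for r in frame_readings).most_common(1)[0][0]
    usable = [r for r in frame_readings if len(r) == target_len]
    return "".join(
        Counter(r[i] for r in usable).most_common(1)[0][0]
        for i in range(target_len)
    )


def p_single_frame(p_char, n_chars):
    """Chance that one frame is read with every character correct."""
    return p_char ** n_chars


def p_strict_majority(p_char, n_chars, n_frames):
    """Lower bound on voting success with n_frames frames.

    Counts only the case where the correct character gets a strict
    majority at every position. A plurality already wins the vote, so
    the real success probability is at least this value.
    """
    per_position = sum(
        math.comb(n_frames, j) * p_char ** j * (1 - p_char) ** (n_frames - j)
        for j in range(n_frames // 2 + 1, n_frames + 1)
    )
    return per_position ** n_chars


def noisy_ocr(answer, p_char, rng):
    """Assumed recognizer model: each character is read correctly with
    probability p_char, otherwise replaced by a random other character."""
    out = []
    for c in answer:
        if rng.random() < p_char:
            out.append(c)
        else:
            out.append(rng.choice([x for x in ALPHABET if x != c]))
    return "".join(out)


def simulate(p_char, n_chars, n_frames, trials, seed=1):
    """Return (single-frame accuracy, frame-vote accuracy) over trials."""
    rng = random.Random(seed)
    single_ok = vote_ok = 0
    for _ in range(trials):
        answer = "".join(rng.choice(ALPHABET) for _ in range(n_chars))
        readings = [noisy_ocr(answer, p_char, rng) for _ in range(n_frames)]
        single_ok += readings[0] == answer          # image Captcha: one shot
        vote_ok += vote_frames(readings) == answer  # video Captcha: vote
    return single_ok / trials, vote_ok / trials


if __name__ == "__main__":
    print("single frame  :", p_single_frame(0.8, 6))
    print("21-frame bound:", p_strict_majority(0.8, 6, 21))
    print("simulated     :", simulate(0.8, 6, 21, 1000))
```

Under these assumptions a recognizer that gets each character right 80% of the time solves a 6-character code from a single frame roughly 26% of the time, while voting over 21 frames lifts that above 99%; the exact bound and the seeded simulation agree. The point is not the specific numbers but the shape of the curve: every extra frame is another independent sample of the same answer, and the vote converges on it.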
Conclusion: NuCaptcha Is Flawed By Design
Everything written above (regarding both NuCaptcha user-friendliness and security) is not something easily fixed by tweaking a few implementation details in the next version – it is an inherent design flaw, and a direct consequence of using videos for Captcha purposes. From the perspective of both user-friendliness and security, NuCaptcha is simply flawed by design.
NuCaptcha Implementation Is Naive
To make matters worse, there are also several implementation flaws (judging by NuCaptcha's own demo) which make the attacker's job even easier. Since I am not a consultant paid to write a comprehensive guide on fixing NuCaptcha's flawed implementation (of a design that cannot be fixed anyway), I will point out just a few of them.
Check the NuCaptcha demo page, which uses two basic types of video Captcha: one that says "Type in RED moving letters", and the other which says just "Type in moving letters".
- Consider "Type in RED moving letters": of all the examples on the demo page, only the (300 x 250 px large, 750 kB heavy) "Advertising Large" example has anything RED in the video besides the text – in other words, anything that could serve as "background noise" for a Captcha-breaking bot. And even in that one, the Captcha code sits in a separate, static part of the video. This makes separating the Captcha text from the rest of the video trivial – just extract the RED parts. The attacker can then focus on analyzing the many available frames of the same text, as described above.
- Consider "Type in moving letters": in this case, the Captcha code characters are indeed the only moving part of the video – and the only RED part as well. So once again, separation of Captcha text from the rest of the video is trivial – just extract the moving parts or the RED parts, whichever is easier.
- All sound Captcha examples use no obvious sound distortion at all, with only a minimal amount of background noise (drawn from a seemingly small pool of noise samples). A 5-10 year old version of off-the-shelf speech-recognition software from Nuance (for instance) will go through it with extreme accuracy. Strange, considering that the people at NuCaptcha seem old enough to have experienced at least some form of speech-driven IVR (Interactive Voice Response) on their mobile phones, in far noisier environments, over the past decade.
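As an added illustration of the two extraction tricks described for the "RED moving letters" and "moving letters" variants (this is not NuCaptcha's code and not part of the original post), the following Python builds a small constructed clip in memory – a red glyph sliding over a static backdrop that also contains a static blue box and a static red box, the latter standing in for the red parts of the "Advertising Large" background – and separates the glyph by colour, by motion, and by both. The canvas size, colours and thresholds are assumptions chosen for the example, not values taken from any real video.

```python
# Constructed canvas; a frame is a list of rows of (r, g, b) tuples.
W, H = 14, 8


def blank_frame():
    return [[(255, 255, 255) for _ in range(W)] for _ in range(H)]


def paint(frame, x0, y0, w, h, colour):
    """Fill a w x h rectangle whose top-left corner is (x0, y0)."""
    for y in range(y0, y0 + h):
        for x in range(x0, x0 + w):
            frame[y][x] = colour


def make_frames(n_frames, glyph_x0=1, dx=1):
    """Constructed 'Type in RED moving letters' clip: a 3x2 red glyph
    slides right by dx pixels per frame over a static backdrop."""
    frames = []
    for i in range(n_frames):
        f = blank_frame()
        paint(f, 10, 1, 2, 2, (0, 0, 255))     # static blue decoration
        paint(f, 10, 5, 3, 2, (220, 20, 20))   # static red decoration
        paint(f, glyph_x0 + i * dx, 3, 3, 2, (230, 30, 30))  # moving glyph
        frames.append(f)
    return frames


def red_mask(frame, min_r=150, max_gb=90):
    """'Just extract the RED parts': pixels dominated by the red channel."""
    return [[r >= min_r and g <= max_gb and b <= max_gb for (r, g, b) in row]
            for row in frame]


def motion_mask(frames, threshold=60):
    """'Just extract the moving parts': pixels that differ from the first
    frame in any later frame (plain frame differencing)."""
    first = frames[0]
    mask = [[False] * W for _ in range(H)]
    for f in frames[1:]:
        for y in range(H):
            for x in range(W):
                diff = sum(abs(a - b) for a, b in zip(f[y][x], first[y][x]))
                if diff > threshold:
                    mask[y][x] = True
    return mask


def mask_and(a, b):
    return [[p and q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]


def bounding_box(mask):
    """(x0, y0, x1, y1) of the set pixels, or None if the mask is empty."""
    pts = [(x, y) for y in range(H) for x in range(W) if mask[y][x]]
    if not pts:
        return None
    xs, ys = zip(*pts)
    return min(xs), min(ys), max(xs), max(ys)


def isolate_glyphs(frames):
    """Per-frame silhouettes of pixels that are both red and moving.
    Static red decoration survives the colour test alone, and the motion
    test alone only says where the glyph has ever been; the intersection
    yields one clean glyph image per frame, ready for per-frame OCR."""
    moving = motion_mask(frames)
    return [mask_and(red_mask(f), moving) for f in frames]


if __name__ == "__main__":
    clip = make_frames(5)
    print("red only   :", bounding_box(red_mask(clip[0])))
    print("motion only:", bounding_box(motion_mask(clip)))
    print("red+moving :", [bounding_box(m) for m in isolate_glyphs(clip)])
```

On the constructed clip the colour test alone also picks up the static red decoration, the motion test alone covers the whole path the glyph travels, and the intersection of the two returns exactly the glyph in each frame. Those per-frame silhouettes are precisely the input the frame-voting attack wants.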
Should I Stay or Should I Switch?
When unfixable NuCaptcha design flaws are paired with implementation flaws, the end result is a very user-unfriendly security-by-obscurity disaster-just-waiting-to-happen. When some brave soul uses it on a site which is an attractive enough target that spammers or hackers will find it worth breaking, it will be broken quite soon.
The NuCaptcha PR campaign calls for you to "Make the Switch", and Rafe's article makes the logical connection to ReCaptcha (the biggest free Captcha service by market footprint). Many other journalists will probably do the same these days as well.
Both NuCaptcha and ReCaptcha are esteemed competitors of our BotDetect Captcha, and under normal circumstances we would have no reason to prefer one over the other. But these are not normal circumstances. Somebody at NuCaptcha did the PR job right, and got the press coverage needed to make a difference – a difference that can become dangerous for everyone with a stake in the Captcha market (Captcha vendors, website owners and end-users).
And yes, ReCaptcha is imperfect and plagued with usability and security issues stemming from its own design flaws. There are good reasons why even Google itself does not use ReCaptcha on its most valuable properties. But at the very least, ReCaptcha provides you with security an order of magnitude better than NuCaptcha.
The NuCaptcha PR campaign calls for you to "Make the Switch" – but, with all due consideration, we must respond with "Do Not Switch". Otherwise, both Captcha vendors and websites which need to keep bots away will soon have to deal with yet another flood of factually incorrect and misleading "Captcha is broken" articles.
Update (2012-02-18): Stanford University researchers break NuCaptcha video security.