CAPTCHA crushed, new era of threats emerges

Startup Vicarious has demonstrated software that can break CAPTCHA challenges 90% of the time

If you want to prevent automated hacking and cracking tools from gaming your online authentication systems you'll probably be using a CAPTCHA test (Completely Automated Public Turing test to tell Computers and Humans Apart).

An example of a Web login that uses a CAPTCHA challenge

This technique, which involves challenging the person (or process) trying to login or set up an account with a visually distorted image of a string of characters which has to be correctly entered into a text box before proceeding has proven to be very effective against the bad guys ... so far.

But I guess it was just a matter of time before the relentless march of computer science knocked down the challenge of CAPTCHA. Vicarious, a San Francisco startup specializing in artificial intelligence recently announced that its software can handle up to 90% of CAPTCHA challenges from Google, Yahoo, PayPal,, and other sources.

To understand just how how profoundly this breaks existing CAPTCHA systems consider that a 2011 paper, Text-based CAPTCHA Strengths and Weaknesses, argued:

... we deem a captcha scheme broken when the attacker is able to reach a precision of at least 1%.

Vicarious' CAPTCHA software is based on their Recursive Cortical Network (RCN) technology which is related to the NuPIC technology developed by Numenta (one of Vicarious' founders, Dileep George, was a founder of Numenta). 

Vicarious founders, Dileep George and Scott Brown, presenting

their approach to artificial intelligence

Allow me to digress for a moment and note that Numenta's technology was the basis of an amazing product, Vitamin D, that I reviewed some time ago. Vitamin D is a video surveillance system (now acquired by Sighthound, Inc., and renamed eponymously) that can recognize when a person is visible in a video feed and selectively record events and optionally trigger alarms. It's accuracy is quite amazing.

Sighthound's intelligent video surviellance

What's so amazing about the CAPTCHA breaking demonstration by Vicarious is that it is so effective and doesn't require huge processor resources to operate. 

While some commentators have downplayed this demonstration's implications (mostly because Vicarious has stated the commercial applications of RCN are "still many years away") they couldn't be more wrong. The fact that CAPTCHA has been broken and broken so thoroughly means that the bad guys and national surveillance organizations worldwide will be developing similar technologies and that won't take years; it may well take just a few months.

This is a big deal -- a watershed in security -- and any organization that relies on CAPTCHA systems as part of their online defenses needs to start looking seriously for alternatives and figuring out what they're going to do to improve their defenses.

Your worries below or drop a note to then follow me on, and Facebook.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10