Real-Time Captcha is a logical evolution of current biometric techniques based on facial photos or video feeds of the user. It's designed to foil machine learning and image generation software that has adapted to now-standard security systems.
Like current image-video biometric systems, Real-Time Captcha asks users to look into the camera of their mobile device. The new addition is a Captcha that appears on the screen with a random question that a human can answer much faster than an artificial intelligence could.
Mobile devices and online services have been replacing passwords with biometric techniques that verify a log-in attempt by looking at the user's biological features. One such example is the iPhone X, which has facial recognition software. Other devices and systems require brief video segments of the user.
However, cyber-attackers can still spoof or steal these, said Professor Wenke Lee of Georgia Tech. "If the attacker knows that authentication is based on recognizing a face, they can use an algorithm to synthesize a fake image to impersonate the real user," Lee warned.
Real-Time Captcha was designed to address these vulnerabilities. It is the brainchild of cyber-security specialists from the Georgia Institute of Technology (Georgia Tech) and developed for the Office of Naval Research (ONR) and the Defense Advanced Research Projects Agency (DARPA).
The researchers looked into image spoofing software to find out how cyber-attackers bypass current security. They then designed a system that requires hackers to break a Captcha in addition to generating convincing video.
The widely-used and well-known Captcha stands for "Completely Automated Public Turing test to tell Computers and Humans Apart." It keeps bots out of websites by leveraging a human's superior ability to see patterns in images.
"We are making the challenge harder by sending users unpredictable requests and limiting the response time to rule out machine interaction," said Erkam Uzun, a graduate research assistant at Georgia Tech.
Real-Time Captcha debuted at the Network and Distributed Systems Security (NDSS) Symposium 2018 in San Diego, California.
Log-in requests must pass the following tests imposed by Real-Time Captcha:
According to the Georgia Tech team, challenges will include easy math problems and scrambled letters that a human can recognize and answer while a machine is still trying to make sense of the Captcha.
They tested their new hybrid captcha-biometric system on 30 human and machine participants. The researchers found out that humans could comply with the Captcha question in just a second or less.
Machines, in contrast, required anywhere from six to 10 seconds to decode the challenge and generate an appropriate faked audio and video. "This allows us to determine quickly if the response is from a machine or a human," explained Uzun.
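The timing side of this check can be shown in a few lines. The following is an added example, not the Georgia Tech researchers' code: the class name, the status strings and the 3-second cutoff are assumptions, the spoken answer is assumed to be already transcribed, and the face and voice matching the article describes is out of scope.

```python
import hmac
import secrets
import time

# Assumed cutoff, placed between the ~1 s human and 6-10 s machine times reported.
RESPONSE_LIMIT_S = 3.0


class TimedChallenge:
    """Issues unpredictable one-shot challenges and times replies on the server clock."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the deadline logic can be tested
        self._pending = {}    # challenge id -> (expected answer, issue time)

    def issue(self):
        # Operands come from the OS CSPRNG so the prompt cannot be predicted
        # and a response cannot be synthesized ahead of time.
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        cid = secrets.token_hex(16)
        self._pending[cid] = (str(a + b), self._clock())
        return cid, f"{a} + {b}"  # a real system would render this as a Captcha image

    def verify(self, cid, spoken_answer):
        # pop() makes each challenge single-use: no replay, no second attempt.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown-or-replayed"
        expected, issued = entry
        # Elapsed time is measured server-side; a client timestamp is never trusted.
        if self._clock() - issued > RESPONSE_LIMIT_S:
            return "too-slow"
        given = spoken_answer.strip().encode()
        if not hmac.compare_digest(expected.encode(), given):
            return "wrong-answer"
        return "ok"
```

Because the deadline is checked before the answer, a late reply is rejected even when it is correct, which is the property the reported human and machine response times rely on.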
He and his fellow researchers say that Real-Time Captcha will not be a major drain on bandwidth. The Captcha images are small in comparison to the audio and video that are required by existing biometric systems.
The Georgia Tech group is looking to improve their newly-developed system. They've identified challenges such as background noise disrupting speech recognition software and the need for a secure connection between the device and the authenticating server.