Increasingly "perverse" verification codes: what are they verifying?

A captcha verifies whether it is dealing with a real person or a computer program. The earliest verification codes were very simple: just enter a few numbers. At some point, I don't know when, verification codes began to grow more and more perverse and full of tricks. A verification code is no longer only a test of eyesight; sometimes it is a double test of eyesight and intelligence.

There is the verification code that everyone sees often: guess the letters of the verification code in the picture.

Or: please calculate the result of the verification code in the picture.

Well, let's go back to the title and talk about how verification codes make life hard for us humans.

The origin of the verification code

In 2000, when Yahoo was still the world's largest online email service provider, users of Yahoo Mail often received large amounts of spam and scam messages.

Today's equivalent would be coming home from work to find your doorstep piled high with parcels.

But note that only one of the parcels is something you ordered; the rest are junk sent by other people.

To find your own parcel, you have to open all of them. At that point you may well regret having ordered anything at all.

Not only Yahoo but many other Internet companies were affected at the time.

Hackers used script robots to register accounts in bulk and carry out activities that disrupted the operation of Internet companies, such as comment spam, ticket scalping, and credential stuffing.

Nowadays, "the world has suffered from verification codes for a long time", and twenty years ago, it was "the world has suffered from script robots for a long time".

Later, Yahoo approached Luis von Ahn (the father of the verification code) and others at Carnegie Mellon University to work with them.

*Luis von Ahn (father of CAPTCHA)

Building on the human-machine verification mechanisms of the time, they designed a set of anti-bot defenses for Yahoo and proposed the concept of the "verification code" for the first time.

The more formal name of the verification code is "Completely Automated Public Turing test to tell Computers and Humans Apart", or CAPTCHA for short.

A captcha lets a computer tell humans from computers. The well-known Turing test has a person tell humans from computers, which is exactly the opposite of the verification code.

Therefore, some people also call the verification code a "reverse Turing test".

Text verification code

However, things were not so easy.

Early verification codes were very simple, just a combination of ordinary letters with little interference, and optical character recognition (OCR) had already been in use some 30 years before verification codes appeared.

It didn't take long for hackers to crack the verification code using OCR.

So computer scientists continued to search for better defense mechanisms.

They added more interference to the captcha characters, made the joining, distortion and hollowing of the characters vary dynamically, and added more complex backgrounds.

In short, everything was aimed at reducing the recognition success rate of script robots.

However, the effect of reducing the correct recognition rate of robots is temporary, while reducing the recognition success rate of users is permanent.

I often get unrecognizable verification codes that I either have to refresh or end up entering incorrectly.

At that point the computer passes judgment on me: you are not a person!

Doesn't that sound like a curse?

In 2008, two computer researchers at Newcastle University in the UK published a paper.

In the paper, they used a new character segmentation method to recognize Microsoft, Yahoo and Google captchas.

The recognition rate for Microsoft's and Yahoo's verification codes was more than 60%; for Google's it was lower, at 8.7%.

Although Google's number looks better than Yahoo's and Microsoft's, script bots can attack at massive scale: at that rate, 1 million attempts crack 87,000 captchas.

Therefore, this result is still unsatisfactory.

In the paper, the researchers also listed several captchas that users would find confusing, for example:

Does it start with the letter "d" or "cl"?

Which characters are these?

Don't ask me the answer, I don't know either.

Although deformed and distorted characters make it easier to block script robots, they also make verification codes hard for real users to read, so real users get blocked too.

There are even studies that show that through the convolutional neural network model (CNN), the correct rate of machine recognition of distorted fonts is higher than that of humans.

The verification code kills one thousand enemies, and self-damages ten thousand.

Plain-text verification codes could no longer do the job, so question-answering verification codes appeared.

The verification code became an exam question, and the user has to enter the correct answer to pass. Although this form of verification code can block script robots effectively for a while, it is not user-friendly and has been widely criticized.

Therefore, question-answering verification codes are not common.

After all, when you run into a verification code like the one at the beginning of the article, you may not be willing to work out the answer and will simply close the page.

Under attack from script robots, text verification codes gradually stopped holding up. The researchers decided to change direction and develop a verification code based on image selection.

Image selection class verification code

Compared with text verification codes, image selection verification codes are much more user-friendly. You just click on images instead of typing on the keyboard, and image verification codes are more fun.

For example, you pick out, from several photos, the ones that match the prompt. The experience is like playing Lianliankan.

In 2007, researchers proposed the image selection captcha, which was quickly welcomed by researchers and users.

After all, who would love an exam but not a game?

In March 2015, 12306 introduced a picture verification code to stop scalpers from grabbing tickets, which caused heated discussion.

Anyone who has fought for train tickets will be familiar with this. So as not to be stumped by the 12306 verification code, people had to set an alarm and log in to 12306 in advance.

At first, image selection verification codes also provided good protection.

However, with the development of image recognition technology, and especially the advance of AI, people can train machine-learning models to classify pictures and solve image captchas.

For example, foreign researchers have used methods such as SVM classifiers and convolutional neural network models to crack some image selection verification codes.

A team from Carnegie Mellon University published a paper in 2017 saying that, by collecting 2.6 million captchas and phrases as well as 21 million pictures and training a convolutional neural network on them, they could get a machine to pass 12306 captchas with a 77% correct rate within 2 seconds.

To fend off script robot attacks, maintainers have to keep creating new verification code pictures, using pictures the machine has not yet learned in order to lower its recognition accuracy.

So more strange captchas were made.

We ordinary users, however, have become the biggest victims. All kinds of weird picture verification codes are hard to make out, and even logging in to our own accounts has become a difficult task.

Meanwhile, some research statistics show that, measured by the correct rate on picture verification codes, machines have already surpassed humans in some aspects of image perception.

Since image selection verification codes could not beat the machine either, the researchers once again resorted to the same trick: change direction!

Behavior track verification code

Text and image verification codes both tell humans from script robots through question and answer, and through learning, script robots become more consistent at answering than humans.

Therefore, the researchers invented the behavior track verification code, which relies on the fact that human movement is less steady than a machine's.

Take the familiar sliding verification code as an example:

When we drag the slider from left to right, the back-end server not only verifies whether the user fills the gap correctly, but also records the user's mouse position, the movement track of the slider and other information.

Generally speaking, compared with script robots, human sliding trajectories are non-uniform and imprecise.

This is especially true for someone with clumsy hands like me: the closer the slider gets to the gap, the slower it moves, until the slider closes the gap.

There are many unsteady factors in this process. It is from the unsteady trajectory that the back-end server recognizes that the operation comes from a human rather than a steady script program.
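A minimal server-side sketch of the trajectory check described above, added here as an illustration and not taken from any real captcha product. The `(t_ms, x_px)` sample format, the thresholds, the function names and both sample tracks are assumptions constructed for this example.

```python
from statistics import mean, pstdev

# Assumed thresholds for illustration; a real service would tune its own.
GAP_TOLERANCE_PX = 4    # how close the slider must end to the gap
MIN_SPEED_CV = 0.15     # speed variation below this is "too uniform"
MIN_SAMPLES = 8         # fewer pointer samples than this is a jump, not a drag

# Constructed sample tracks: (t_ms, x_px) pointer samples, gap at x=200.
BOT_TRACK = [(20 * i, 20 * i) for i in range(11)]      # constant speed
HUMAN_TRACK = [(0, 0), (30, 4), (55, 18), (80, 45), (110, 82), (135, 118),
               (165, 150), (200, 172), (240, 187), (290, 195), (350, 199),
               (420, 201)]                             # speeds up, then eases in

def segment_speeds(track):
    """Speed in px/ms between consecutive samples."""
    speeds = []
    for (t0, x0), (t1, x1) in zip(track, track[1:]):
        if t1 <= t0:
            raise ValueError("timestamps must be strictly increasing")
        speeds.append((x1 - x0) / (t1 - t0))
    return speeds

def assess_slide(track, gap_x):
    """Return (passed, reasons) for one slider attempt."""
    if len(track) < MIN_SAMPLES:
        return False, ["too few samples"]
    reasons = []
    if abs(track[-1][1] - gap_x) > GAP_TOLERANCE_PX:
        reasons.append("slider not on gap")
    speeds = segment_speeds(track)
    avg = mean(speeds)
    # Coefficient of variation: 0 for a perfectly even drag.
    cv = pstdev(speeds) / avg if avg > 0 else 0.0
    if cv < MIN_SPEED_CV:
        reasons.append("uniform speed")
    # Humans slow down while lining up with the gap: compare the last
    # third of the drag with everything before it.
    tail = max(1, len(speeds) // 3)
    if mean(speeds[-tail:]) >= mean(speeds[:-tail]):
        reasons.append("no slowdown near gap")
    return not reasons, reasons

if __name__ == "__main__":
    for name, track in (("bot", BOT_TRACK), ("human", HUMAN_TRACK)):
        print(name, assess_slide(track, gap_x=200))
```

Heuristics of this kind are only one signal: a script that has learned human-like trajectories can satisfy them, so they cannot be the sole basis for a decision.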

Although the sliding verification code is an improvement over earlier verification codes, the ways of cracking verification codes are improving too.

In 2010, researchers at Kyoto University in Japan publicly announced the sliding verification code, and it was put into commercial use in 2012.

In 2014, researchers at the Complutense University of Madrid announced that they had cracked sliding verification.

Nowadays, intelligent script robots equipped with a learning model can imitate humans by learning people's sliding trajectories, producing behaviors such as changes of speed, backtracking and shaking, and so fool the server.

There is also a simpler, almost frictionless form of behavior track verification code: the user just clicks a verification button. The server collects and inspects the user's environment information to determine whether it is a real person or a script robot.

This is undoubtedly the best user experience among all verification codes at present, but it is not absolutely safe, and it carries a risk of leaking user privacy.

SMS verification and face scanning authentication

Now, SMS verification has become one of the most common verification methods.

Two types of text message make up most of the messages on my mobile phone.

One is the verification code message. The other is the marketing spam that you have to reply "TD" to in order to unsubscribe, yet which keeps arriving after you unsubscribe. The most useful kind, parcel delivery notifications, only ranks third.

SMS verification confirms that the user is who they claim to be through a bound mobile phone number. It steps outside the network and brings in an external device, so its security level is higher than that of the verification codes above.

But the verification code SMS is exactly the weak link of this verification method.

Criminals can set up fake base stations, intercept users' SMS verification codes, and obtain login and even transaction permissions.

Or they obtain the user's verification code through fraud.

On the other hand, the SMS verification code is one of the most unfriendly verification methods, especially when the phone is not at hand: you have to find the phone, unlock it, memorize the verification code, and then enter it. This is the moment I hate the most.

Nowadays, some verification channels with high security requirements have turned to face-scanning verification. You need to move back and forth in front of the phone, adjust the angle, and blink your eyes to log in.

However, this seemingly safe method is not absolutely safe either. A Baidu search turns up plenty of reports of face-scanning authentication being cracked.

Another Enemy of Captcha

At this point, the editor can't help wondering: why is it so much trouble for us ordinary users to log in to an account?

In essence, the captcha war is a contest between website maintainers and hackers.

The two sides keep chasing each other, and verification code technology has been through many iterations over the past 20 years.

Verification has gone from the simplest input of letters to calling up the user's camera for face verification, while cracking technology has developed from OCR to today's AI.

However, it is we ordinary users who are hurt the most. Verification methods are becoming more and more complicated, which means we have to spend more time and effort on verification codes.

The enemies of verification codes are not only script robots and top-level hackers, but also unskilled humans.

Some lawbreakers have set up verification code cracking platforms: verification codes are packaged and sent to the platform, where a group of people hired at a very low price manually enter the correct answers, building up a database for cracking verification codes. This method is simple and crude, but effective.

AI has learned this approach too.

According to media reports, an agency testing AI found that OpenAI's GPT-4 would pretend to be a visually impaired person and ask a human to help it enter the verification code.

Yes, AI has even learned to trick humans into doing the work for free.

As AI gets closer and closer to humans, it will become harder and harder to tell humans from robots, and verification codes will only become more complicated and cumbersome.

As an ordinary Internet user, I only hope that entering a verification code can become simpler.


Origin blog.csdn.net/2301_77531618/article/details/131447193