Animating the individual CAPTCHA letters and adding confusing backgrounds are measures that can be easily defeated, the researcher said. "On the other hand, it seems possible to make the isolation of the correct moving object very difficult."
Bursztein refers to this as "tracking resistance" and it involves adding decoy objects that have the same properties as the actual CAPTCHA string in order to confuse the tracking algorithm.
"When successfully implemented, tracking resistance makes video captcha secure against vision/machine learning attacks and more secure than standard text-based captchas," Bursztein said.
The NuCaptcha creators were notified about Bursztein's findings in November 2011. According to the researcher, the company said that its systems serve video CAPTCHA tests of different complexity based on the risk associated with every user.
This means that requests coming from IP addresses that are, for example, associated with botnet activity, would result in more complex CAPTCHAs than those originating from average users.
These high-risk CAPTCHA tests differ in font face, size, thickness and warp levels from those analyzed by Bursztein, the company said.
"While we believe we got the version that a standard attacker might get (which is already harder than the version displayed on site), we have not evaluated the hard version referenced in their response," Bursztein said. However, the researcher doesn't believe that heavier distortions or more crowded letters represent an efficient defense.
The company is also preparing a fix that relies on distorting the shape of the individual CAPTCHA characters as they rotate in order to make it harder for the optical flow analysis algorithm to identify them. "I won't be able to characterize the effectiveness of this technique until they roll out their changes and I can test it," Bursztein said.