I don’t understand, I fill in the information incorrectly, does the verification code want me to pass?

Audit expert: Zheng Yuanpan, professor at Zhengzhou University of Light Industry

When we surf the Internet, we often encounter human-machine verification processes similar to the one shown in the figure below, where we need to click a box to access the web page content.

reCAPTCHA human-machine verification dialog box. Source: wiki

This step is a verification set up to protect the security of the website. After all, registration, login, coupon collection, voting and other application scenarios are all at risk of being abused in bulk by machines (program scripts), causing various losses.

But can we know with just one click whether the "subject" visiting the website is a real person (human being)? Can such a sloppy verification method really distinguish between real people and machines?

1

How to click verification code

First, let's take a look at some of the website information in the Google Chrome developer tool window. Press the F12 function key on the keyboard to open the Network Panel of the developer tool window as shown below, click the human-machine authentication button, and you can see the network transmission data packets on the left.

Network panel of the Chrome developer tools window. Source: Google

Maybe you still don’t understand the meaning of these contents, but it doesn’t matter. Just think of them as some data sent by the local browser to the remote website server. This data is not for people to see, but for the server to see.

By analyzing the information in this "garbled" data, the server can determine whether it was generated by a real person or is a request simply issued by an automated program, and so distinguish whether the operator is a human or a machine.

Course-grabbing script written in Python. Source: Bilibili

You may think you are just casually clicking the small square on the screen and then entering the page behind it, but in fact the click generates a data packet that is sent to the server.
For example, when a person clicks on a verification code, they are actually sending a large packet of encrypted data. The encrypted data may be of the following types:

1. User behavior data: page pause time, button clicks, mouse tracks, etc.;

2. Environmental variables: user device information, network information, operating system information, etc.;

3. Browser fingerprint: including request header information, IP address (network card logical address) information, MAC address (network card physical address) information, geographic location information, cookie information, etc.

Request header content
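
How a server might turn the behavior and header data listed above into a human-versus-script judgement, as an added example that is not from the original article or from any CAPTCHA vendor. The track format, weights, thresholds and sample data are all constructed assumptions.

```python
import math
from statistics import pstdev

# Constructed sample telemetry: (x, y, t_ms) mouse samples recorded before the click.
HUMAN_TRACK = [(10, 300, 0), (38, 262, 35), (84, 236, 61), (140, 224, 104),
               (196, 222, 131), (240, 228, 180), (268, 221, 236), (281, 212, 310)]
SCRIPT_TRACK = [(10, 300, 0), (100, 270, 10), (190, 240, 20), (280, 210, 30)]
# Illustrative markers, weights and thresholds (assumptions, not from any product).
AUTOMATION_MARKERS = ("HeadlessChrome", "python-requests")


def track_features(track):
    """Derive behavioral features; None means the track is too short to measure."""
    if len(track) < 2:
        return {"samples": len(track), "straightness": None, "gap_jitter_ms": None}
    steps = list(zip(track, track[1:]))
    path = sum(math.dist(a[:2], b[:2]) for a, b in steps)
    direct = math.dist(track[0][:2], track[-1][:2])
    gaps = [b[2] - a[2] for a, b in steps]
    return {
        "samples": len(track),
        "straightness": direct / path if path else 1.0,  # 1.0 = ruler-straight
        "gap_jitter_ms": pstdev(gaps),                    # 0.0 = metronome timing
    }


def risk_score(track, dwell_ms, user_agent):
    """Return (points 0-100, reasons); more points means more script-like."""
    f = track_features(track)
    checks = [
        (25, "few or no mouse samples", f["samples"] < 5),
        (25, "ruler-straight path",
         f["straightness"] is not None and f["straightness"] > 0.98),
        (25, "uniform sample timing",
         f["gap_jitter_ms"] is not None and f["gap_jitter_ms"] < 2.0),
        (15, "click almost immediately after load", dwell_ms < 300),
        (10, "automation marker in User-Agent",
         any(m in user_agent for m in AUTOMATION_MARKERS)),
    ]
    hits = [(pts, why) for pts, why, fired in checks if fired]
    return sum(p for p, _ in hits), [why for _, why in hits]


if __name__ == "__main__":
    print(risk_score(HUMAN_TRACK, 2400, "Mozilla/5.0 (constructed sample)"))
    print(risk_score(SCRIPT_TRACK, 40, "python-requests/2.31 (constructed sample)"))
```

A missing track only fires the first check, so touch and keyboard users are not scored as scripts on that signal alone.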

This improved verification method is more convenient for many users, since they no longer have to painfully pick the target object out of a set of pictures as on the 12306 website. Unfortunately, it is not much more secure than recognition-type verification codes.

These data are encrypted by front-end JavaScript code, which can be obtained by capturing traffic with the browser's built-in developer tools. This means that, in theory, the code can be reverse-engineered to recover the encryption logic and forge request data. Some JavaScript code is obfuscated and hard to read, but deobfuscation tools have been developed to restore it.

It can be said that this confrontation has never stopped since the emergence of verification codes.

2

The evolution of verification code

The origin of the verification code can be traced back to 1997, when programmers such as Lillybridge of Altavista first created the distorted letter verification code in order to prevent hackers from invading the backend.

Source: ifanr

Until now, this type of verification code is still the main verification method for some websites. The overly distorted letters often force people in front of the monitor to shake their heads and twist left and right to identify the target object.

The verification code got its formal name in 2003, when Luis von Ahn's team at Carnegie Mellon University proposed the concept of "CAPTCHA", short for "Completely Automated Public Turing Test to Tell Computers and Humans Apart".

In a CAPTCHA test, the computer will automatically generate a question for the user to answer. Since machines cannot answer CAPTCHA questions, logically speaking, users who can answer the question can be considered human.

As the battle between security protection and cracking intrusion continues to escalate, the difficulty of recognizing verification codes is increasing, and the forms are also diversifying. From its birth to the present, there are mainly the following types of verification codes: SMS verification codes, voice verification codes, graphic verification codes, question verification codes, sliding and clicking verification codes, etc.

SMS verification code

People can use their mobile phones to check the verification code to log in, but it is more complicated for programs/robots to perform such automated operations.

Source: jhkjsms.com

Voice verification code

Humans can answer the phone and listen to the voice. To prevent speech recognition software from analyzing it, the voice content is mixed with noise or altered to a degree that humans can still understand.

Source: cloud.juphoon.com

Graphic verification code

Image verification will intentionally blur the center and use non-programmable text to prevent machine recognition; people with visual impairments can choose voice verification.

As shown in the figure, Image Turker and Audio Turker represent humans who recognize image and audio CAPTCHAs, respectively. The authorize.net image CAPTCHA is the easiest, while the google.com audio CAPTCHA is the most difficult.

Human recognition accuracy of image and voice verification codes. Source: web.stanford.edu

Question verification code

On domestic websites, verification codes that require clicking on patterns are usually the most frustrating. Some “guess who you are” game-style verification methods often make people give up on moving on to the next step.

Source: www.12306.cn

Slide and click verification code

In 2014, Google launched a new verification code system NoCAPTCHA reCAPTCHA, which is the one we saw at the beginning. We don’t need to enter a verification code, just click it.

In 2018, Google upgraded reCAPTCHA. Users don’t even need to take any action. The system will analyze the way users browse the website in the background and perform risk scoring. If the user’s score is too low, the website will ask the user to take additional actions to prove that they are a legitimate user.

Source: Zhihu

3

Characteristics of domestic verification codes

The more common verification method in China is the knowledge-free verification code, which has three major advantages: good user experience, high risk identification rate, and strong risk interception capability.

Source: Screenshot from Station B

Source: Baidu Security Verification

Good user experience

Users don't need to think, and the experience is relatively smooth.

High risk identification rate

With the development of machine learning, machines have acquired human knowledge, and even simple graphic CAPTCHAs can be cracked. Knowledge-free CAPTCHAs, however, assess risk comprehensively from human behavioral characteristics and the operating environment, and human behavior is difficult for attackers to imitate.

Strong risk interception capability

The evaluation logic executed in the background determines the user's risk index and can push verification codes of different difficulty levels based on different degrees of suspicious operations, or even directly block the operation to effectively intercept risks.
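
The background risk scoring described for the 2018 reCAPTCHA upgrade and the tiered response described above, as an added example that is not from the original article: a site backend deciding what to do with the JSON verdict returned by reCAPTCHA's siteverify endpoint. The sample verdict, the host name, the freshness window and the 0.7/0.3 thresholds are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON verdict a backend receives for a score-based
# token (all values are made up; 1.0 = very likely human, 0.0 = very likely bot).
SAMPLE_VERDICT = json.dumps({
    "success": True, "score": 0.4, "action": "login",
    "challenge_ts": "2024-05-01T12:00:00Z", "hostname": "shop.example",
})

ALLOW_AT, CHALLENGE_AT = 0.7, 0.3      # assumed thresholds; tune per site
MAX_AGE = timedelta(minutes=2)         # assumed freshness window


def decide(verdict_json, expected_action, expected_host, now):
    """Return (decision, reason), decision in {'allow', 'challenge', 'block'}."""
    v = json.loads(verdict_json)
    if not v.get("success"):
        return "block", "token rejected: " + ",".join(v.get("error-codes", []))
    # A valid token minted on another site or for another form must not count here.
    if v.get("hostname") != expected_host:
        return "block", "token issued for a different host"
    if v.get("action") != expected_action:
        return "block", "token issued for a different action"
    issued = datetime.fromisoformat(v["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > MAX_AGE:
        return "challenge", "stale token, ask for a fresh verification"
    score = float(v.get("score", 0.0))
    if score >= ALLOW_AT:
        return "allow", f"score {score}"
    if score >= CHALLENGE_AT:
        return "challenge", f"score {score}: push an extra verification step"
    return "block", f"score {score}"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(decide(SAMPLE_VERDICT, "login", "shop.example", now))
```

The decision is taken on the server because, as the article notes, anything computed by front-end code can be read and forged.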

After reading this article, I believe you have learned something about verification codes, and understand why we always need to deal with those strange verification codes when visiting websites.
