A CAPTCHA with a silent alarm
Preface
Recently, 12306 rolled out a new CAPTCHA, which once again sparked heated debate.
Although the image-combination scheme is still much disputed, any attempt to break with tradition deserves credit.
After all, traditional CAPTCHAs have long been criticized: to fend off a handful of malicious users, the experience of the vast majority of normal users is degraded.
Whenever bored, one tends to ponder all sorts of CAPTCHA schemes. Today I will share an interesting one.
A PIN with a silent alarm
There is a long-standing rumor that entering your PIN backwards at an ATM silently triggers an alarm. True or not, the idea is rather interesting.
First, and most important: entering this PIN still dispenses the cash, which satisfies the robber. Yet at the same time the alarm has already been quietly raised, and he is unlikely to get away.
Second, no additional alarm PIN needs to be introduced. One more PIN to remember adds complexity and raises the chance of mistakes.
Finally, even a mistyped PIN has a very low probability of coinciding with the alarm PIN. (Palindromic PINs such as 12321, which read the same backwards, are left aside for now.)
So the PIN still serves for authentication, while a rule relating the real PIN and the decoy PIN conceals an extra piece of information.
Can this trick be applied to CAPTCHAs?
A CAPTCHA with a silent alarm
We need to design a trap that normal users almost never fall into, but that bots stumble into without noticing.
Typically, a CAPTCHA-cracking program grabs the pixels of the image directly and analyzes them. What the user sees, however, is the final content rendered on screen.
In most cases the two are identical. But we can make them differ, and thereby make things a little harder.
Take, for example, a CAPTCHA whose content is d6xm:
This is an ordinary CAPTCHA, and cracking it poses almost no challenge. From here on, however, the contest is no longer one of algorithms.
We quietly insert a CSS rule somewhere in the page:
.captcha { transform: rotate(180deg); }
It rotates the image by 180°. What now appears in front of the user is this:
The content has become wx9p!
Which of the two is the correct answer? Since we are targeting humans, of course it is whatever the eye sees!
A bot that recognizes the captured pixels, however, still sees the original image. It has no idea the page contains such a trick, and so walks straight into the trap.
Even if a human occasionally makes a mistake, it would be quite a coincidence for a mistyped wx9p to come out as exactly d6xm; far more likely the submission came from a bot.
We keep the trap low-key. Even a submission of d6xm is let through, while the back end quietly records everything.
Only when a user's suspicion level reaches a certain threshold do we take action. Delaying interception avoids starting the arms race prematurely.
Question Bank Template
Of course, the above is only a simple example. A rule like rotation has too many limitations: not every character has a readable counterpart after rotation, and strings that read the same after rotation must be excluded.
In fact, a more general approach is possible.
As noted earlier, an alarm PIN for ATM withdrawals is acceptable because it only requires remembering one extra thing. With a CAPTCHA, the whole scheme is completely transparent to the user: the added complexity is handled automatically by the browser.
We write two strings into the image. One is very prominent; the other is faded, like a watermark.
Normally the latter is hard to notice without careful inspection. A CSS filter applied on the page, however, reverses the two:
So in the end user's eyes, it is the watermark version that is seen.
Beyond these, there are countless variations. For instance, the image can be distorted in advance and restored at render time.
The essence is the same in every case. Compared with the traditional single image, there is now an additional variable parameter that lives in the page, outside the image. Only the combination of the two yields the final rendered picture.
For the usual naive cracking programs, this threshold is enough to expose them. To obtain the image with its final styling applied, a plug-in has to render the page with a browser engine instead of simply capturing the image from the interface.
With that, the contest moves into the stage of front-end script confrontation.
Confrontation
There is no standard answer to this confrontation. If there were one, it would be whichever costs the least, so that we can keep it up the longest.
Traditional CAPTCHAs have been in use for more than a decade, and a large body of cracking experience has accumulated: ready-made tools and algorithms are everywhere, and image recognition has reached low-cost scale. In this situation there is little room left to improve the image itself.
Once a new rendering variable is added, however, the situation improves. We can bring front-end encryption, obfuscation and all sorts of black magic into the fight.
A plug-in may be very strong at image recognition, yet have no deep understanding of page scripts. So we can use a field we know well to counter the traditional one.
Of course, the most perfect CAPTCHA is no CAPTCHA at all, with the page script verifying itself. For details see: Defending against forgery - a WAF combining front end and back end. Back when front-end technology was far less developed, that system could withstand the vast majority of malicious submissions and CC attacks without any CAPTCHA. Today it would be an even more elegant solution.
In any case, there is always a low-cost combined solution to the practical problem, rather than hanging ourselves from a single tree.
Penalty
Plug-ins will never disappear; they will only grow more advanced. We cannot stop the weapon makers, but we can punish those who abuse the weapons.
Any scheme will eventually be cracked and cannot hold indefinitely. But while it is still effective, we can pull out as many abusers as possible and penalize them. This bites especially hard for real-name accounts, of which each person has only one to lose.
The scheme need not be enabled every time; random spot checks now and then, so that users are afraid to use plug-ins at all, is the ultimate goal.