The Decline of the CAPTCHA

By Larry Seltzer | Posted 2007-11-03
Opinion: The concept of using CAPTCHA tests to defeat automated attacks is reaching the end of its useful life.

This is what we get for taking Alan Turing's name in vain. The 'T' in CAPTCHA is for Turing and his famous proposition that a machine could be called "sentient" when a person conversing with it from out of view could not tell whether it was human or machine. The goal of a CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is to present a challenge that only a human can answer properly. It took a few years, but it looks like computers are getting to the point of defeating CAPTCHAs often enough to make the tests a failure. For years I had been hearing from researchers about how they could beat these things, and I think they were partly exaggerating, but I've seen enough stories now that I have to figure the CAPTCHA's days are over.
The one that really drove it home for me was the story of Ticketmaster vs. RMG Technologies. RMG had developed software for ticket brokers to use to automate the process of buying tickets on the Ticketmaster Web site. Brokers used the software to buy up tickets as soon as they went on sale and then sell them at a huge markup on StubHub and other such places. Parents found themselves paying $200 for tickets for their kids to see Hannah Montana.
There are a lot of lessons to learn from this, like perhaps if there is a thriving scalper market then the tickets were underpriced to begin with. But the more relevant point is that part of the automation included getting through the CAPTCHA on the Ticketmaster site. It sounds like RMG was particularly successful at it. I've seen successful efforts at that before. I once got a lot of comment spam on a blog that had a CAPTCHA for commenters. The volume of comment spam was small enough that it could just have been humans filling out the form. However, the admin tried different CAPTCHA software and the problem stopped, which told me at the time that some of these tests were better than others.
And now it seems someone has found a way to automate the process of having real humans fill out the CAPTCHA form. As reported by McAfee, what you do is set up a second Web site to turn users into unwitting CAPTCHA-filling drones. You present content to them that requires them to fill out a CAPTCHA. The CAPTCHA you present to them is in fact the one presented by the site that you want to break into, and you pass the response on to it in order to break in. Your Web site is a CAPTCHA proxy. In the case McAfee reported, the lure that got Web surfers to crack CAPTCHAs was an online striptease game.

I doubt that RMG Technologies was using this method, because of the first of several problems with the CAPTCHA proxy scenario: You can't operate at high speed, only at the speed at which your users log into your system. The second problem, something of a corollary of the first, is that you need a large number of users in order to commit a large number of attacks. Perhaps the hardest part of it all, though, is that you need to have content that other people will want to read. Of course, since we've already established that you're dishonest, all you need to do is steal pornography from other sites and give it away free, and people will fill out your CAPTCHAs for you. And in the end, if you have a large number of CAPTCHAs and the text that answers them, you have a database to draw on to learn how to automate passing CAPTCHAs the right way.

I fear the only way CAPTCHAs will get more resilient against attack is to be more resilient against humans answering them, which is hardly the point. Turing wouldn't have been impressed.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larry.seltzer@ziffdavisenterprise.com.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.