The Decline of the CAPTCHA

Opinion: The concept of using CAPTCHA tests to defeat automated attacks is reaching the end of its useful life.

This is what we get for taking Alan Turing's name in vain. The 'T' in CAPTCHA is for Turing and his famous proposition that a machine could be called "sentient" when a person talking to it from out of view could not tell whether it was human or machine.

The goal of a CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is to present a challenge that only a human can answer properly. It took a few years, but it looks like computers are getting to the point of defeating CAPTCHAs often enough to make the tests a failure.

For years I had been hearing from researchers about how they could beat these things, and I think they were partly exaggerating, but I've seen enough stories now that I have to figure the CAPTCHA's days are over.

The one that really drove it home for me was the story of Ticketmaster vs. RMG Technologies. RMG had developed software for ticket brokers to use to automate the process of buying tickets on the Ticketmaster Web site. Brokers used the software to buy up tickets as soon as they went on sale and then sell them at a huge markup on StubHub and other such places. Parents found themselves paying $200 for tickets for their kids to see Hannah Montana.

There are a lot of lessons to learn from this, like perhaps if there is a thriving scalper market then the tickets were underpriced to begin with. But the more relevant point is that part of the automation included getting through the CAPTCHA on the Ticketmaster site. It sounds like RMG was particularly successful at it.

I've seen successful efforts at that before. I once got a lot of comment spam on a blog that had a CAPTCHA for commenters. The volume of comment spam was small enough that it could just have been humans filling out the form. However, the admin tried different CAPTCHA software and the problem stopped, which told me at the time that some of these tests were better than others.


And now it seems someone has found a way to automate the process of having real humans fill out the CAPTCHA form. As reported here by McAfee, what you do is set up a second Web site to turn users into unwitting CAPTCHA-filling drones. You present content to them that requires them to fill out a CAPTCHA. The CAPTCHA you present to them is in fact the one presented by the site that you want to break into, and you pass the response on to it in order to break in. Your Web site is a CAPTCHA proxy.


To read about how hackers got Web surfers to crack CAPTCHAs with an online striptease game, click here.

I doubt that RMG Technologies was using this method, because of the first of several problems with the CAPTCHA proxy scenario: You can't operate at high speed, only the speed at which your users log into your system. The second problem, something of a corollary of the first, is that you need a large number of users in order to commit a large number of attacks.
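The speed limit described above is the one property a site operator can actually lean on. What follows is an added illustration, not code from the column or from any CAPTCHA product, of how a server-side challenge store behaves against a relay: each challenge is single-use, bound to the session that requested it, and expires after a short window. The store, the session names, the answer strings and the fake clock are all constructed for the example; image rendering and answer generation are assumed to happen elsewhere.

```python
import hmac
import secrets
import time


class FakeClock:
    """Constructed test clock so the walk-through is deterministic and runs offline."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CaptchaStore:
    """Server-side record of issued challenges (illustrative, not a real library).

    Each challenge is bound to the session that requested it, can be answered
    once, and expires after `ttl_seconds`. The caller supplies the expected
    answer text; drawing the image is out of scope here.
    """

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # challenge_id -> (session_id, answer, issued_at)

    def issue(self, session_id, answer):
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (session_id, answer, self.clock())
        return challenge_id

    def verify(self, session_id, challenge_id, response):
        # pop() makes the challenge single-use: submitting the same id twice fails.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return "unknown_or_reused"
        bound_session, answer, issued_at = entry
        if bound_session != session_id:
            return "session_mismatch"
        if self.clock() - issued_at > self.ttl:
            return "expired"
        # Constant-time comparison; answers are compared case-insensitively.
        if not hmac.compare_digest(answer.lower().encode(), response.strip().lower().encode()):
            return "wrong_answer"
        return "ok"


def relay_scenario():
    """Walk through the cases a proxy pipeline runs into; returns one verdict per case."""
    clock = FakeClock()
    store = CaptchaStore(ttl_seconds=30, clock=clock)
    results = {}

    # A real visitor in session "alice" answers her own challenge within the window.
    cid = store.issue("alice", "k7x2q")
    clock.advance(5)
    results["legit_user"] = store.verify("alice", cid, "K7X2Q ")

    # Submitting the same challenge id again fails: it was consumed on first use.
    results["replayed"] = store.verify("alice", cid, "k7x2q")

    # A challenge fetched by the automated session, handed to a human on the decoy
    # site, and relayed back: correct answer, but the round trip took too long.
    cid = store.issue("bot", "m3pz8")
    clock.advance(45)
    results["relayed_late"] = store.verify("bot", cid, "m3pz8")

    # The same relay when the human answers quickly: the store cannot tell this
    # apart from a legitimate solve. The TTL bounds the rate, it does not stop it.
    cid = store.issue("bot", "p5qd1")
    clock.advance(8)
    results["relayed_fast"] = store.verify("bot", cid, "p5qd1")

    # A challenge id harvested from one session and submitted from another.
    cid = store.issue("bot", "w9rt4")
    results["harvested_id"] = store.verify("someone-else", cid, "w9rt4")

    # Plain wrong answer in the right session.
    cid = store.issue("alice", "h2nn6")
    results["wrong_answer"] = store.verify("alice", cid, "hznn6")
    return results


if __name__ == "__main__":
    for case, verdict in relay_scenario().items():
        print(f"{case:>18}: {verdict}")
```

The honest result is the `relayed_fast` case: a correctly relayed answer that arrives inside the window is indistinguishable from a genuine one. What the store buys is exactly what the column says the attacker lacks, throughput: every solve costs one real person's time, one challenge id, and one short window, so the attack scales with the decoy site's audience rather than with CPU.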


Perhaps the hardest part of it all, though, is that you need to have content that other people will want to read. Of course, since we've already established that you're dishonest, all you need to do is steal pornography from other sites and give it away free and people will fill out your CAPTCHAs for you.

And in the end, if you have a large number of CAPTCHAs and the text that answers them, you have a database to draw on to learn how to automate passing CAPTCHAs the right way.

I fear the only way CAPTCHAs will get more resilient against attack is to be more resilient against humans answering them, which is hardly the point. Turing wouldn't have been impressed.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larry.seltzer@ziffdavisenterprise.com.

