RIP CAPTCHA

by billso on Friday, 18 July 2008

Long-time read­ers of billso.com may remem­ber that I used reCAPTCHA to val­i­date com­ments about my arti­cles. reCAPC­THA is a web ser­vice that shows users pic­tures of two words. The ser­vice knows one of the words. The sec­ond word was pro­vided by an elec­tronic book scan­ning project that needs help with its qual­ity con­trol.  reCAPTCHA send the results back to the scan­ning project, to help them fix their documents.

This is not a working CAPTCHA. It's a Flickr image courtesy of Mess of Pottage.CAPTCHA (Com­pletely Auto­mated Pub­lic Tur­ing Test to Tell Com­put­ers and Humans Apart) sys­tem is a sim­ple test that deter­mines if a com­puter user is a machine or a human. CAPTCHAs are small puz­zles that peo­ple can solve quickly, while being too expen­sive for a com­puter sys­tem to solve.

I dropped the reCAPTCHA fea­ture in May 2008, because the sys­tem was not stop­ping com­ment spam from appear­ing on my blog. “Com­ment spam” is just mes­sages that have lit­tle or no rel­e­vance to an arti­cle or page.

In the past, peo­ple who wanted to crack a CAPTCHA sys­tem might pay users to stay at home and deci­pher dozens of captchas, in return for free con­tent or Inter­net access. But peo­ple are slower and less reli­able than com­put­ers. Pro­cess­ing power con­tin­ues to improve, while CPU costs get lower.

Pay­ing the price

Stephan Chenette, the man­ager of secu­rity research at Web­sense Secu­rity Labs, notes that CAPTCHA tech­nol­ogy had made incre­men­tal improve­ments since 2000, while CAPTCHA crack­ers bought faster hard­ware and invested more in their efforts:

CAPTCHA has been bro­ken for the last year and a half. The tech­nol­ogy has really not pro­gressed. They’ve got a lit­tle bit harder but the hack­ers have made pro­grams that can eas­ily break them. This works both with print and audio CAPTCHA. All of these have been bro­ken in one way or the other.”

In the last few months, the CAPTCHA sys­tems of sev­eral major web sites have been cracked by auto­mated systems:

  • Jan­u­ary 2008: Yahoo Mail
  • April 2008: Gmail and Hotmail
  • May 2008: Craigslist

This has resulted in a flood of spam, scams, and fake post­ings on ser­vices around the world. It’s become quite easy to cre­ate a fake Web site that can fool many users. Social net­works like MySpace and Face­book offer many more oppor­tu­ni­ties to trick users into reveal­ing their cre­den­tials and per­sonal information.

In the last few years, finan­cial ser­vice com­pa­nies and banks have adopted mul­ti­fac­tor authen­ti­ca­tion sys­tems that ask users for more than a pass­word or a CAPTCHA solu­tion. Now orga­ni­za­tions in other indus­tries are look­ing at sim­i­lar solu­tions, because it has become much less expen­sive for scam­mers and crack­ers to break these com­pa­nies’ sys­tems. Sev­eral OpenID providers have added mul­ti­fac­tor fea­tures to their authen­ti­ca­tion sys­tems, too.

This arti­cle called How CAPTCHA got trashed has more details.

Image cour­tesy of Mess of Pot­tage through a Cre­ative Com­mons license.

Related posts and pages on billso.com

RIP CAPTCHA">Share

Comments on this entry are closed.

Previous post:

Next post: