billso.com

Bill Sodeman writes about management, mobile computing and information systems


RIP CAPTCHA


Posted Friday, 18 July 2008, 02:54 HST @454

Long-time readers of billso.com may remember that I used reCAPTCHA to validate comments on my articles. reCAPTCHA is a web service that shows users a picture of two words. The service already knows one of the words. The second word comes from an electronic book scanning project that needs help with its quality control. reCAPTCHA sends the users' answers back to the scanning project, to help them fix their documents.

This is not a working CAPTCHA. It's a Flickr image courtesy of Mess of Pottage.

A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a simple test that determines whether a computer user is a machine or a human. CAPTCHAs are small puzzles that people can solve quickly, while being too expensive for a computer system to solve.
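To show the control-word scheme described above in working code, here is an added Python sketch that is not reCAPTCHA's own code: a challenge pairs one word the service knows with one unknown OCR fragment, only the known word decides pass or fail, and the answer for the unknown word is tallied as a vote for the scanning project. The word lists, the consensus threshold and the class name are constructed assumptions.

```python
import secrets
from collections import Counter, defaultdict

# Constructed sample data (not from the page): words whose text the service
# already knows, and OCR fragments whose true text it does not.
KNOWN_WORDS = ["harbor", "lantern", "quarry"]
UNKNOWN_WORDS = ["flsh", "ornr", "beacn"]

# Assumed policy: an unknown word counts as transcribed once this many
# independent answers agree. The page gives no number for this.
CONSENSUS_VOTES = 3


class ReCaptchaLikeService:
    def __init__(self):
        self.challenges = {}               # challenge id -> (known, unknown, known_first)
        self.votes = defaultdict(Counter)  # unknown word -> tally of user answers
        self.resolved = {}                 # unknown word -> agreed transcription

    def new_challenge(self):
        """Pick one known and one unknown word, shown in random order."""
        cid = secrets.token_hex(8)
        known = secrets.choice(KNOWN_WORDS)
        unknown = secrets.choice(UNKNOWN_WORDS)
        known_first = secrets.randbelow(2) == 0
        self.challenges[cid] = (known, unknown, known_first)
        shown = (known, unknown) if known_first else (unknown, known)
        return cid, shown

    def verify(self, cid, answer):
        """Accept only if the known word is correct; the other word's answer
        is forwarded as a vote and never used to decide pass/fail."""
        challenge = self.challenges.pop(cid, None)  # one-shot: a reused id fails
        if challenge is None:
            return False
        known, unknown, known_first = challenge
        parts = answer.strip().lower().split()
        if len(parts) != 2:
            return False
        control, guess = parts if known_first else parts[::-1]
        if control != known:
            return False
        self.record_vote(unknown, guess)
        return True

    def record_vote(self, unknown, guess):
        """Tally one transcription; return the agreed text once consensus is reached."""
        self.votes[unknown][guess] += 1
        top, count = self.votes[unknown].most_common(1)[0]
        if count >= CONSENSUS_VOTES:
            self.resolved[unknown] = top
        return self.resolved.get(unknown)
```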

I dropped the reCAPTCHA feature in May 2008, because the system was not stopping comment spam from appearing on my blog. “Comment spam” is just messages that have little or no relevance to an article or page.

In the past, people who wanted to crack a CAPTCHA system might pay users to stay at home and decipher dozens of captchas, in return for free content or Internet access. But people are slower and less reliable than computers. Processing power continues to improve, while CPU costs get lower.

Paying the price

Stephan Chenette, the manager of security research at Websense Security Labs, notes that CAPTCHA technology had made incremental improvements since 2000, while CAPTCHA crackers bought faster hardware and invested more in their efforts:

“CAPTCHA has been broken for the last year and a half. The technology has really not progressed. They’ve got a little bit harder but the hackers have made programs that can easily break them. This works both with print and audio CAPTCHA. All of these have been broken in one way or the other.”

In the last few months, the CAPTCHA systems of several major web sites have been cracked by automated systems:

  • January 2008: Yahoo Mail
  • April 2008: Gmail and Hotmail
  • May 2008: Craigslist

This has resulted in a flood of spam, scams, and fake postings on services around the world. It’s become quite easy to create a fake Web site that can fool many users. Social networks like MySpace and Facebook offer many more opportunities to trick users into revealing their credentials and personal information.

In the last few years, financial service companies and banks have adopted multifactor authentication systems that ask users for more than a password or a CAPTCHA solution. Now organizations in other industries are looking at similar solutions, because it has become much less expensive for scammers and crackers to break these companies’ systems. Several OpenID providers have added multifactor features to their authentication systems, too.

The article How CAPTCHA got trashed has more details.

Image courtesy of Mess of Pottage through a Creative Commons license.
