The End Of CAPTCHAs As A Security Mechanism?

Next Story

Plus ça change

There was a good post on ZDNet recently talking about how a market has developed for the bulk-purchasing of Gmail, Hotmail and Yahoo email accounts (amongst others). The market rate seems to be around $10 for every thousand accounts, with discounts applied with larger orders of 100,000 accounts or more.

The most popular security mechanism for protecting against accounts being automatically created is a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), where the user is presented a challenge image with a number of letters or words that they must fill out. To deter automated attacks against CAPTCHA protection, the letters and numbers used are often distorted so that image recognition algorithms would not be able to easily decipher it, but while a human reasonably could. The weakness in CAPTCHA is that with each letter or character, the correct response is one of ten numbers or 25 letters – so even with distortions applied and various different colors or additional lines the latest attacks can achieve success rates of between 60-99% (depending on the CAPTCHA style used).

Because the account creation process is automated, with even a success rate as low as 10% hundreds of accounts can be created per minute. The reason why Gmail, Yahoo Mail and Hotmail email accounts are a popular target is because there is an implicit trust of emails being sent from those domains in many spam filtering solutions. That implicit trust is based on the service’s ability to filter out fake or spam users, which relies mostly on the CAPTCHA. So without the CAPTCHA security, the trust mechanism is broken to the detriment of all users of those systems as well as external email systems that trust email from those domains in some way more than others.

The second common method for breaking CAPTCHAs is for the attacker to take the challenge image and present it to an unaware user on an unrelated site that the attacker controls. For instance, the attacker may control a large network of pornography or other video related websites where the visitor would be prompted with a challenge CAPTCHA to view a video or to access content. The user is not aware that the challenge they are responding to is actually assisting the attacker in registering a new account at another service – and that the image is simply being proxied through to them. Once the user enters their response, the attacking service would then relay the request along with the account registration details back to the original service. With large-scale web traffic to such sites, and with users being challenged with an image on each video or content view, the attacker can rapidly register a large number of accounts depending on traffic levels.

The techniques for breaking CAPTCHAs have advanced to the point of being able to create thousands of accounts automatically and rapidly, and an entire market for the sale of these email accounts has been created. The knowledge on breaking CAPTCHAs need not be distributed broadly – but only needs to lie with those with the incentive to break and sell accounts. With the system broken once, the flood gates are open while CAPTCHAs reach a limit in terms of how far they can be obfuscated because real humans would then have problems deciphering them. The CAPTCHA solutions currently seen on these popular email services is probably as far as you could blend or distort the image without creating accessibility issues that outweigh the security gains (and those gains are quickly approaching zero).

CAPTCHAs as a human filter have always been controversial, as they are not accessible to the blind and create a friction point in new user registration (I have given up on a registration process many times because I simply couldn’t get the CAPTCHA response right). With the large-scale cracking of accounts that rely on CAPTCHAs, a healthy market for cheap accounts as well as the complexity of CAPTCHAs now reaching their limits of usability, it might finally almost be time to bid farewell to a security solution that has never been popular and was only effective for a very short period of time.

  • http://www.techcrunch.com michael arrington

    There are literally captcha’s that take me 3-4 tries to get. ridiculous. they’re human-proof.

  • http://www.youbundle.com Neyma Jahansooz

    As comment #1 states- some CAPTCHA’s are just damn near impossible for humans (and actually probably easier for bots)

    though it still remains to be proven in scaled implementation – we have found that the best way to beat bots is to introduce random checks. Meaning that sometimes the CAPTCHA appears, some times it does not. Sometimes a security check question ie….. what is 2+2 – sometimes it does not.
    and these will appear in seemingly random places in the forms.

    But of course these can be broken because the nature of bots is that they can detect patterns. Then of course what we have found works is to have a ‘wizard behind the glass’ meaning a semi-dedicated geek who spends part of his day manually adjusting and monitoring the registration and alogorhytheim.

    This is of course not financially practical for small scale operations, but for the larger then it is an invaluable way to save reputation and bandwidth.

  • David

    My Mom called me the other day because she could not get past the captcha to sign up for a Google account. So I created one for her, and it took me 4 or 5 tires. The hackers have done us a favor by obsoleting this absurd and insane system and forcing companies to come up with a better solution.

  • http://www.con-trust.com Shai wolkomir

    Talk about bad user experience …
    It’s indeed a problem that would be solved sooner than later.
    It is evident that email is no longer the key drive for Bots
    UGC has grown mature enough to take on the new battle of the internet – web spam

  • rons dixon

    oh the game of cop and robber. I think no matter what system we come up with, as long as there are “marketers” and i use that term loosely, system such as these will be broken. What we are working on right now for our startup is weighing a couple of things. 1 frequency of signup from a single ip, 2, randomized capcha use of words, puzlles, and trivia questions. 3, email account domain (gmail, hotmail, aol or yahoo). In essence, we are dividing the signup process in two, where we ask for email address first then apply rules based on the above listed.

  • http://www.techcrunchit.com/ Nik Cubrilovic

    I cant wait till they go away..

  • http://www.puremango.co.uk u24

    another reason that captcha is broken: http://www.puremango.co.uk/cm_breaking_captcha_115.php

  • http://benrr101.890m.com Omega

    Ever seen one of rapidshare’s old captchas? Not only are the letters distorted, half of them have a dog outline on them and the other half have cats on them. You can only enter the four that have a cat on them. Impossible! At least they’ve become more lax on them now…

  • http://www.acomputerportal.com/advertising_methods/captchas.html Captchas: Crazy Example links
  • http://www.oragle.net/gmail-now-a-major-spam-hub/ Gmail Now A Major Spam Hub | Oragle

    […] pronounced that CAPTCHA’s were dead some weeks ago, as there are now hundreds of thousands of ready-to-go accounts for Gmail, Hotmail […]

  • http://www.disturbed1.com/users/loantilpayday til payday no loan

    til loan cash payday payday loan cash til

  • http://onlygizmos.com/what-is-captcha-that-irritating-image-verification/2008/07/ What is CAPTCHA? That irritating image verification! | OnlyGizmos

    […] Source ShareTweet […]

blog comments powered by Disqus