Captcha systems to stop automated posting have been “completely broken” by spammers, experts say. So what’s the alternative?
Nuffnang Innit users, how many times have you typed the captcha wrongly before?
“Captcha is the bane of the internet,” says Matt Mullenweg, who runs the massively popular blogging site Wordpress.com. “I can’t figure them out myself half the time!”
He is referring to those squiggly, distorted images commonly seen when registering for internet services such as free email accounts or blogging sites. The user has to type the letters in the image before proceeding. Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The idea is that humans can read the letters, but computers cannot, thus preventing automated scripts from registering.
Websites use Captchas in an attempt to disrupt the spam and malware economy - but they are not working. “Spammers and malware authors are able to break Captcha process,” says Carl Leonard, a threat research manager at Websense Security Labs. “As a result, we’ve seen an increase in the amount of mail sent out from reputable mail services such as Gmail, Hotmail and Windows Live Mail, and an increase in the number of blogs that host malicious content, or content that the spammers wish to advertise.” Email accounts on such services are particularly valuable because spam filters cannot block them without also blocking genuine mail.
Techniques to break Captcha are nothing new. First, if a human can read an image then the chances are that software can do the same thing. In 2005, a software developer, Casey Chesnut, wrote a Captcha-breaking algorithm and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability. In response to this kind of attack, Captcha authors have devised tests that are harder to solve. Images may be more squiggly than they used to be, making them harder to break but also more troublesome for legitimate users. Other ideas include 3D Captcha, relying on object recognition rather than character recognition; or framing questions that are trivial for humans to answer but hard for software to parse. Some approaches work better than others, but there are a number of inherent problems. One is that many Captchas are inaccessible to the visually impaired, and will fall foul of accessibility legislation unless there is an alternative. Another snag is that spammers may play their trump card, using humans.
Human resources
“Many attackers have found creative ways to entice humans to unknowingly solve the Captchas for them,” says Jamie de Guerre, chief technology officer at Cloudmark. “This relay attack involves copying the image served in a Captcha to a user somewhere else, having them solve the Captcha, and then copying their response back to the original website.”
Another option is to pay. Spammers have employed large teams of temporary staff to solve Captchas, effectively “rooms of people”, usually in a third world country, sitting at a computer and solving Captchas.
“Most Captchas have been completely broken” says Leonard, adding that the problem is getting worse. “We’re seeing more Captchas targeted, more Captchas broken. I don’t see how the targeting by the malicious authors right now is going to go away. It’s still in their interests to get hold of these valued accounts.”
Despite these issues, heavily attacked companies such as Microsoft are not abandoning the system. “We are updating our Captcha system to be both more readable for customers but more difficult to break through,” a spokesman said. “Improvements include new image distortion logic, overlapping characters and dynamic monitoring capabilities to observe attacks in real time and make necessary adjustments to mitigate them. In addition, we continue to make advances to better prevent spammers from using Hotmail accounts, once created, to successfully send spam.”
What can replace Captcha? “There’s probably going to have to be some kind of layered security,” says Leonard, “It’s up to the industry sectors which and how many layers of security they wish to employ, dependent on what sort of site they have.”
Layered security means adding human or third-party checks to actions like registration, and then monitoring content later to check for malicious use. The trade-off is that as security increases, usability decreases. Heavy-handed security can easily kill the conversation on social networking sites which depend on making it easy for new users to engage with the community.
Safety net
In the end, it is just another angle on the woeful security that characterises today’s internet. New authentication schemes such as OpenID, or Microsoft’s CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter. Such a system depends on receiving sites being selective about which third parties they trust to verify a user’s identity. That said, the internet is a long way from adopting this level of security, and there is always a danger that whatever steps the industry takes to improve authentication, the scammers will keep up with innovations of their own.
“Ultimately Captchas are useless for spam because they’re designed to tell you if someone is ‘human’ or not, but not whether something is spam or not. Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”
[from The Guardian]
Captcha is not a problem to small users, because spammers normally like to spend more resources to spam websites that have much more viewers. As said, if a spammer wants to break the captcha of a site, he needs to hire a “spam farm” or create a trojan or something to get captcha from other users.
That said, captcha systems are getting increasingly complex and many a times, i myself has entered the wrong captcha.
There’s a form on captcha called REcaptcha. I think it’s one of the many innovative form of captcha. It actually allow you to contribute to the world while increasing the security of a site.
reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly.
But if a computer can’t read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here’s how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.
Currently, we are helping to digitize books from the Internet Archive and old editions of the New York Times.
But then again some words are so blur and difficult that i can never make out what it is.
2 Comments
Check this article on /.
http://it.slashdot.org/it/08/08/30/1219235.shtml
It’s even more broken now
haha cool, it’s meant to differentiate humans and bots, but apparently, or paradoxically, humans are used to break it.