Building a better spam-blocking CAPTCHA
New approaches may give the CAPTCHA antispam technology a second chance
Computerworld - How do you let people create user accounts or post comments on your Web site without letting spam bots in? Simple -- make your users prove they're human. Many Web sites use CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) technology to try to tell the bots from the people.
CAPTCHA's idea is simple enough. It presents users with an image showing an obfuscated string of letters that they must type in to get an e-mail or social networking account, for instance, or to enter a comment on an online forum. The theory is that only humans can decipher the letters hidden in the image and type in the correct code, and for a time it was an effective tool to keep the bots out.
But while no one has yet come up with a computer that can fool people into thinking it's another person, computers are great at fooling other computers. These days, malware makers and spammers regularly trick the CAPTCHA systems at big-name Web sites such as Yahoo Mail, Gmail and Craigslist, and use these sites to automate their attacks.
So what can we do? Can CAPTCHA be saved?
The rise and fall of CAPTCHA
CAPTCHA was created in 2000 by researchers at Carnegie Mellon University, and by 2007, the technology was being used almost everywhere on the Web. For example, if you try to leave a comment on this story, you'll need to jump through a CAPTCHA hoop before you can leave a message.
Then, adding insult to injury, the crackers started releasing their work in the form of do-it-yourself CAPTCHA cracking software that anyone could use. For example, a program called CL Auto Posting Tool attempts to post bogus ads to Craigslist while automatically overcoming Craigslist's antispam protections.
These programs work by using OCR (optical character recognition) software to try to make sense of CAPTCHA's disguised text. If they fail, they try again. They take advantage of the fact that some CAPTCHA systems don't automatically give users a new CAPTCHA image to puzzle out. Instead, they'll let you, or a cracker program, keep working at the hidden text until it's solved.
Get one of these programs, aim it at the site you want to have bogus accounts on, and you can start spreading spam, anonymously flaming people you don't like, and sending thousands of people links to your malware-infested site.
It's not that the OCR-based cracker programs are that good. They're not. As CAPTCHA expert Sumeet Prasad from security firm Websense explained in a blog posting, while only 10% to 15% of the attempts on Hotmail are successful, a CAPTCHA cracker program needs only six seconds per attack. If a site allows an unlimited number of chances to crack a single image, that means it will take, on average, less than a minute to break in.
Because they are clearly insecure, CAPTCHA systems that allow unlimited or multiple attempts are becoming uncommon. Still, today's automated bots are capable of breaking even those systems that make users respond to a new CAPTCHA image after the first or second unsuccessful attempt. (On average, of course, the bots' efforts are less likely to work at one-try CAPTCHA systems.) That said, simple CAPTCHA systems, such as the ones that use random, non-malformed letters against a simple background, are still in common use and are easily breakable.
Another way to crack a badly designed CAPTCHA program is to reuse the session identification URL of a solved CAPTCHA image. In this case, either the cracker, or more likely a cracking program, first gets the right answer to a CAPTCHA. It then reconnects to the Web site with a URL containing the solved session identification information with a new username. Presto! You have an automated site cracker with a 100% success rate until the session ID eventually expires.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!