Real World Computing

Time to kill off CAPTCHA

Posted on 16 Oct 2012 at 09:44

Davey Winder on the anti-spam system that has long since ceased to be effective

CAPTCHA, supposedly short for Completely Automated Public Turing test to tell Computers and Humans Apart, originally annoyed me because it was perhaps the worst example of a forced acronym in the history of computing.

However, more recently my annoyance has shifted to those sites and services that implement CAPTCHA without providing an audio alternative – which means that I am, more often than not, unable to gain access even by using my best screen magnification software.


The brutal truth is that CAPTCHA has long since ceased to be anything more than a minor annoyance to the determined criminal fraternity, who appear to be able to bypass it with relative ease. I'm a co-administrator of an online IT support community with a global membership of almost one million people. Those numbers jumped last year, and it quickly became obvious why: the CAPTCHA system protecting one part of the new-member application process against spamming had been well and truly cracked.

How can I be so sure? Mainly because of the number of new accounts being created from the same IP addresses, accounts that then started posting spam far faster than any human being could type. The spamming process was being automated, and if spambots were getting through then the system was seriously broken.
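The two signals described above, many registrations from one IP in a short window and accounts posting at an inhuman rate, are easy to turn into a detection script run over registration and post logs. The following is an added example, not code from the article or from the community Davey administers; the log layout ("timestamp event account ip"), the sample lines and the thresholds are all constructed for illustration and would need tuning against a real community's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page). Assumed layout:
# "<ISO timestamp> <event> <account> <source IP>", event is "register" or "post".
# 203.0.113.7 registers five accounts in 72 seconds and they post within seconds;
# the other addresses behave like people (one NAT, 192.0.2.5, has two slow users).
SAMPLE_LOG = """\
2012-10-15T09:00:01 register user1001 203.0.113.7
2012-10-15T09:00:19 register user1002 203.0.113.7
2012-10-15T09:00:37 register user1003 203.0.113.7
2012-10-15T09:00:55 register user1004 203.0.113.7
2012-10-15T09:01:13 register user1005 203.0.113.7
2012-10-15T09:01:14 post user1001 203.0.113.7
2012-10-15T09:01:16 post user1001 203.0.113.7
2012-10-15T09:01:19 post user1001 203.0.113.7
2012-10-15T09:01:20 post user1002 203.0.113.7
2012-10-15T09:01:23 post user1002 203.0.113.7
2012-10-15T09:01:25 post user1003 203.0.113.7
2012-10-15T09:05:00 register alice 198.51.100.20
2012-10-15T09:06:00 register bob 198.51.100.21
2012-10-15T09:10:00 register carol 192.0.2.5
2012-10-15T09:12:00 post carol 192.0.2.5
2012-10-15T09:15:00 post carol 192.0.2.5
2012-10-15T09:30:00 register dave 192.0.2.5
2012-10-15T09:40:00 post alice 198.51.100.20
2012-10-15T09:52:30 post alice 198.51.100.20
"""

# Thresholds are assumptions for the example; tune them to your own traffic.
REG_WINDOW = timedelta(minutes=10)          # window for counting registrations per IP
REG_THRESHOLD = 3                           # this many registrations per IP in the window is suspicious
MIN_HUMAN_POST_GAP = timedelta(seconds=10)  # mean gap between posts below this is not a person


def parse_log(text):
    """Parse the assumed log layout into (timestamp, event, account, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, account, ip))
    return sorted(events)


def burst_registration_ips(events, window=REG_WINDOW, threshold=REG_THRESHOLD):
    """Return {ip: peak registrations within any `window`} for IPs at or above `threshold`."""
    reg_times = defaultdict(list)
    for ts, event, _account, ip in events:
        if event == "register":
            reg_times[ip].append(ts)
    flagged = {}
    for ip, times in reg_times.items():
        times.sort()
        peak, j = 0, 0
        for i, start in enumerate(times):
            # Slide j to the first registration later than start + window;
            # j - i is then the number of registrations inside the window.
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def fast_posting_accounts(events, min_gap=MIN_HUMAN_POST_GAP):
    """Return the accounts whose mean gap between consecutive posts is below `min_gap`."""
    post_times = defaultdict(list)
    for ts, event, account, _ip in events:
        if event == "post":
            post_times[account].append(ts)
    fast = set()
    for account, times in post_times.items():
        if len(times) < 2:
            continue  # a single post gives no rate to measure
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = sum(gaps, timedelta()) / len(gaps)
        if mean_gap < min_gap:
            fast.add(account)
    return fast


def suspicious_accounts(events):
    """Combine both signals into {account: [reasons]} for review or automatic suspension."""
    burst_ips = burst_registration_ips(events)
    fast = fast_posting_accounts(events)
    reasons = defaultdict(list)
    for _ts, event, account, ip in events:
        if event == "register" and ip in burst_ips:
            reasons[account].append("burst-registration-ip")
    for account in sorted(fast):
        reasons[account].append("inhuman-post-rate")
    return dict(reasons)


if __name__ == "__main__":
    for account, why in suspicious_accounts(parse_log(SAMPLE_LOG)).items():
        print(account, why)
```

Two design points matter in practice: the registration check uses a sliding window rather than a flat daily count, so a shared NAT or proxy with a few sign-ups spread across the day (192.0.2.5 above) is not flagged, and the post-rate check needs at least two posts, so a single spam post from a fresh account is caught only by the registration signal.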

Once we moved away from using CAPTCHA the problem stopped. Not that I should be surprised about this – after all, in 2009, I was reporting that researchers were claiming that Microsoft’s then Windows Live Hotmail service CAPTCHA was being cracked with a 20% success rate within 20 seconds from start to finish. Last year, a Stanford University research team created the DECAPTCHA tool, which could crack up to 73% of CAPTCHAs, depending on specific site implementations.

Other tools such as PWNtcha and Captcha Sniper claim success rates of up to 100% against particular schemes, and can crack CAPTCHAs from multiple vendors with the same ease.

Security vendor Imperva has been looking at the state of CAPTCHA security, and has come to the conclusion that it's an ongoing battle of innovation between hackers and security professionals. Its report, A CAPTCHA in the rye, found two approaches in use: computer-assisted tools that apply optical character recognition and machine learning to the challenge images, and crowdsourcing to third parties who use cheap labour to solve the codes by hand.

Foiling the bots

The easiest way to foil the automated tools is to make the challenge harder for software rather than for people, by incorporating extra tricks such as contextual semantic questions that OCR-based tools can't cope with, for example "what colour is the white square?", into the process.

Another solution is to make the distortions of the characters and backgrounds more extreme, but this then leaves droves of genuine users unable to post to forums, create webmail accounts or verify membership. The main problem is that with crowdsourcing now so cheap, criminals are moving away from using software and employing humans to do the job. Some CAPTCHA-cracking crowdsourcers don’t even pay in cash, but instead rely on workers who are happy to exchange successful forum registrations and email accounts for porn site access credits.

User comments

Similar Article

I already wrote an article about CAPTCHA a few months ago. It's funny that I needed to use it, in order to register for this website:
http://gadgetgem.com/index.php/the-annoyances-of-captcha/

By gadgetgem on 16 Oct 2012

Alternatives

Although I do agree with a number of points in both the above article and gadgetgem's article, does anyone have a suggestion of any possible alternatives - I use this on several medium sites and without CAPTCHA running the levels of spam are unmanageable.

By Gareth1107 on 17 Oct 2012

I agree with Gareth1107

What are the alternatives?

When I recently removed a Captcha from a competition page I was inundated with entries, all valid and all unique, but from the same IP address and browser, and obviously made up (very odd names, for instance). Two entries were being added per minute and it appeared to be manual rather than automated. Only adding a Captcha stopped them.

I quite like the knowledge-based ones ("what colour is the sky") - is anybody aware of a script that does this?

David.

By artiss on 17 Oct 2012

Webvisum

I happened to hear the end of In Touch on Radio 4 last night. They suggested a Firefox add-on called Webvisum which includes a CAPTCHA-solving service.

By TBennett on 17 Oct 2012

Alternatives

Depends on your tech level. If you can do a bit of coding, have a look at services like Akismet, Linksleeve and Project Honey Pot.

Alternatives for bot checking (all these and above can be used together) include mouse movement and keyboard usage checks, or whether a form field which was hidden by CSS was filled in.

By turt66 on 17 Oct 2012
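The hidden-field and timing checks mentioned in the comment above can be implemented server-side without any third-party service. The following is an added example, not code from the article or from any commenter; the field names (website as the CSS-hidden honeypot, form_token for the signed issue time), the secret key and the timing thresholds are assumptions chosen for illustration. The timestamp is HMAC-signed so a bot cannot simply submit a backdated value to satisfy the minimum fill time.

```python
import hashlib
import hmac
import time

# Assumed server secret, constructed for this example; load it from configuration in practice.
SECRET_KEY = b"replace-with-a-long-random-secret"

# Assumed field names. The honeypot is hidden with CSS so people never see it,
# while scripts that fill every text input they find will populate it.
HONEYPOT_FIELD = "website"
TOKEN_FIELD = "form_token"

MIN_FILL_SECONDS = 5          # faster than this and nobody typed the form by hand
MAX_TOKEN_AGE_SECONDS = 3600  # older than this and a stale token is being replayed


def _sign(issued_at):
    """HMAC-SHA256 over the issue time, so the client cannot forge or backdate it."""
    return hmac.new(SECRET_KEY, str(issued_at).encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Token to embed in the form when it is rendered: '<issued_at>:<hmac>'."""
    issued_at = int(time.time()) if now is None else int(now)
    return f"{issued_at}:{_sign(issued_at)}"


def render_form(token):
    """Minimal registration form. The honeypot sits in a display:none wrapper rather than
    being type=hidden, because naive bots skip hidden inputs but fill visible-looking ones."""
    return (
        '<form method="post" action="/register">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        f'  <div style="display:none"><input type="text" name="{HONEYPOT_FIELD}" '
        'autocomplete="off" tabindex="-1"></div>\n'
        '  <input type="text" name="username">\n'
        '  <input type="submit" value="Register">\n'
        '</form>'
    )


def check_submission(fields, now=None):
    """Return (accepted, reason) for a submitted form, checked in cheapest-first order."""
    now = int(time.time()) if now is None else int(now)

    # 1. Honeypot: a real browser submits the CSS-hidden field empty.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot-filled"

    # 2. Signed timestamp: reject missing, malformed or forged tokens.
    token = fields.get(TOKEN_FIELD)
    if not token:
        return False, "token-missing"
    issued_str, _, mac = token.partition(":")
    if not issued_str.isdigit() or not hmac.compare_digest(mac, _sign(int(issued_str))):
        return False, "token-invalid"

    # 3. Timing: scripts post within milliseconds of fetching the form,
    #    and a token kept for hours is being replayed rather than filled in.
    elapsed = now - int(issued_str)
    if elapsed < MIN_FILL_SECONDS:
        return False, "submitted-too-fast"
    if elapsed > MAX_TOKEN_AGE_SECONDS:
        return False, "token-expired"

    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token()
    print(render_form(token))
    print(check_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: "", "username": "alice"}))
```

Two caveats a practitioner should keep in mind. The token is not single-use, so a bot that fetches the form once, waits five seconds and then reuses the same token for every submission passes the timing check; store issued tokens (or a nonce inside them) and reject repeats, or pair this with per-IP rate limiting. And browser autofill can populate a honeypot whose name looks like a real address or URL field, so keep autocomplete off and pick a name autofill will not match, or you will reject genuine users along with the bots.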

Mobiles are a no no

Good article. I personally don't bother signing up for anything that uses Captcha, simply because I honestly can't read the words, and can't distinguish a 0 from a O or an I from an l.

I disagree with your idea of using two factor with mobiles. I would resist that. What's more annoying? A website gets the spam, or I get the spam on my mobile? You can't honestly say that sites would keep our mobile numbers to themselves if the right amount of money was offered.

I don't think a one size fits all solution will ever work. It will take multiple technologies and ideas to be effective.

By metalmonkey on 17 Oct 2012



Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk