Time to kill off CAPTCHA

16 Oct 2012

Davey Winder on the anti-spam system that has long since ceased to be effective

CAPTCHA, supposedly short for Completely Automated Public Turing test to tell Computers and Humans Apart, originally annoyed me because it was perhaps the worst example of a forced acronym in the history of computing.

However, more recently my annoyance has shifted to those sites and services that implement CAPTCHA without providing an audio alternative – which means that I am, more often than not, unable to gain access even by using my best screen magnification software.

The brutal truth is that CAPTCHA has long since ceased to be anything more than a minor annoyance to the determined criminal fraternity, who appear to be able to bypass it with relative ease. I’m a co-administrator of an online IT support community with a global membership of almost one million people. Those numbers jumped up last year when it became very obvious that the CAPTCHA system employed to protect one part of its new-member application process against spamming had been well and truly cracked.

How can I be so sure? Well, it’s mainly due to the number of new accounts being created from the same IP addresses, which then started posting spam far faster than any human being could. The spamming process was being automated, and if spambots were involved then the system was seriously broken.
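The two signals described above (many registrations from one IP, and a first post that arrives faster than a person could type it) can be turned into a check over a registration log. This is an added example, not code from the column or from the community it describes; the event format, the thresholds and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: (timestamp, event, account, source IP).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    ("2012-10-01T10:00:00", "register", "alice", "203.0.113.5"),
    ("2012-10-01T10:00:04", "post", "alice", "203.0.113.5"),
    ("2012-10-01T10:00:30", "register", "bob", "203.0.113.5"),
    ("2012-10-01T10:00:33", "post", "bob", "203.0.113.5"),
    ("2012-10-01T10:01:10", "register", "carol", "203.0.113.5"),
    ("2012-10-01T10:01:12", "post", "carol", "203.0.113.5"),
    ("2012-10-01T11:00:00", "register", "dave", "198.51.100.7"),
    ("2012-10-01T11:25:00", "post", "dave", "198.51.100.7"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def registrations_per_ip(events, window=timedelta(minutes=10), threshold=3):
    """Return {ip: count} for IPs with >= threshold registrations inside any window.
    The window and threshold are assumed tuning values, not figures from the article."""
    by_ip = defaultdict(list)
    for ts, kind, _, ip in events:
        if kind == "register":
            by_ip[ip].append(parse(ts))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):           # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i
                break
    return flagged


def fast_first_posters(events, max_seconds=15):
    """Return accounts whose first post followed registration within max_seconds."""
    registered, first_post = {}, {}
    for ts, kind, acct, _ in events:
        t = parse(ts)
        if kind == "register":
            registered[acct] = t
        elif kind == "post" and acct not in first_post:
            first_post[acct] = t
    return sorted(a for a, t in first_post.items()
                  if a in registered and (t - registered[a]).total_seconds() <= max_seconds)
```

Either check alone is weak (shared NAT addresses produce registration bursts too), so the intersection of the two lists is the better trigger for a manual review.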

Once we moved away from using CAPTCHA the problem stopped. Not that I should be surprised about this – after all, in 2009, I was reporting that researchers were claiming that Microsoft’s then Windows Live Hotmail service CAPTCHA was being cracked with a 20% success rate within 20 seconds from start to finish. Last year, a Stanford University research team created the DECAPTCHA tool, which could crack up to 73% of CAPTCHAs, depending on specific site implementations.

Other tools such as PWNtcha and Captcha Sniper have success rates up to 100%, and can crack CAPTCHAs from multiple vendors with the same ease.

Security vendor Imperva has been looking at the state of CAPTCHA security, and has come to the conclusion that it's an ongoing battle of innovation between hackers and security professionals. The report A CAPTCHA in the rye found that the bad guys were implementing computer-assisted tools that use optical character recognition and machine learning techniques to overcome the CAPTCHA codes, plus a method of crowdsourcing to third parties who use cheap labour to do the code-solving by hand.

Foiling the bots

The easiest way to foil such bots is to make CAPTCHA more difficult, by incorporating extra tricks such as contextual semantic questions that automated tools can’t cope with – for example, "what colour is the white square?" – into the process.

Another solution is to make the distortions of the characters and backgrounds more extreme, but this then leaves droves of genuine users unable to post to forums, create webmail accounts or verify membership. The main problem is that with crowdsourcing now so cheap, criminals are moving away from using software and employing humans to do the job. Some CAPTCHA-cracking crowdsourcers don’t even pay in cash, but instead rely on workers who are happy to exchange successful forum registrations and email accounts for porn site access credits.