
February 26th, 2008

If CAPTCHAs are decommissioned what comes next?

Posted by Larry Dignan @ 10:33 am

Categories: Exploit code, Hackers, Spam and Phishing, Vulnerability research

Tags: CAPTCHA, Larry Dignan

CAPTCHAs sound like a great idea: give humans a little test to verify they aren't machines, verify an account and keep hackers out. But CAPTCHAs no longer offer a good defense against malicious hackers. So what's next?

Last week, Websense noted that Google's Gmail CAPTCHA had been busted. A few weeks before that, Microsoft Windows Live Mail's CAPTCHA defense fell to spam bots. Meanwhile, some humans can't get through the CAPTCHA system at all. Add it up and you get the worst of both worlds: CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) doesn't keep hackers out, but does hamper real live humans.

Gunter Ollmann, a researcher at IBM's ISS unit, tackles the CAPTCHA issue. He points out that CAPTCHAs used to be a good defense against automated attacks, but don't stand a chance against today's malware. Ollmann writes:

CAPTCHAs were a good idea, but frankly, in today's profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHAs - instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHAs aren't the right tool for stopping today's commercially minded attackers.

Ollmann argues that CAPTCHAs can't compete anymore in the algorithm arms race with attackers, but skips past the biggest question. If we decommission CAPTCHAs, what do we replace them with?

I'm not going to proclaim that I have an answer (I'm rarely the smartest guy in the room unless I'm alone in a Manhattan studio), but it's a question worth asking. A few items to ponder for future discussion:

  • Do we need a CAPTCHA 2.0 system?
  • Is the minor defense that CAPTCHAs provide better than nothing?
  • What should we do to prevent automated attacks?

Thoughts?

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

Talkback (most recent of 38)

Circumventing manual CAPTCHA solvers
We must consider the Indian manual method of solving captchas using thousands of paid workers. This apparently is becoming the major problem.

I am afraid it cannot be solved without so...
Posted by: estonijaan, 12/16/08
