Webnetics UK Ltd. - Forums
Next-gen CAPTCHAs - Printable Version
Next-gen CAPTCHAs - webnetics - 02-08-08

It seemed like such a straightforward idea: create a simple test that would baffle computers, but humans could solve easily. And for a few years the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has done its job, successfully protecting forums, wikis, web mail services and other online resources from being exploited by bots. But concerns are increasingly being raised about the technology, and even the best CAPTCHA systems are now beginning to appear vulnerable.

It all started as guesswork, when eBay bots were discovered back in 2006. Had someone discovered a way for malware to break the registration system? Possibly, but there wasn't enough information to definitively say that eBay's CAPTCHA had been broken.

The doubts disappeared in 2007, though, when the eBayCaptcha Populator was released as a Firefox add-on. The tool promised to detect and enter the eBay CAPTCHA code automatically, saving you the trouble. Soon afterwards a number of web-based CAPTCHA-cracking services appeared, and now even Gmail has been broken. The Jiffy Gmail Creator promises to "create unlimited Gmail accounts in seconds flat without breaking a sweat", and is being sold for $77 a copy.

As CAPTCHA begins to fail, so the consequences can be seen elsewhere. Earlier this year, spam sent from Gmail doubled in a month, for instance, while the zombie accounts have reportedly been used to attack services including the likes of Craigslist.

The traditional response has been to try to make the CAPTCHA more difficult. Add extra colours and noise to an image, say. Distort and rotate letters, perhaps add some images too. But you can't do this forever. RapidShare's notorious 'kitten' CAPTCHA is so tricky even humans have problems using it, yet apparently hackers have broken the system already.

It's plain that we need a different approach, and image-based CAPTCHA could be it. Implement KittenAuth and you'll see a grid of cute animal photos while being asked to 'select all the dolphins' (or hedgehogs, rabbits, or whatever else is chosen). Sounds good, but even here there are weaknesses. The small database only contains a few images by default, which leaves it vulnerable to attack.

Unusually, our best hope for security could come from a Microsoft project, Asirra. It's even simpler than KittenAuth — you just have to recognise cats and dogs — but is backed by a database of over three million images. The system is in beta right now.
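The post's point about KittenAuth's small default image pool versus Asirra's three-million-image database can be put in numbers. The script below is an added illustration, not code from the post or from either project. It assumes a KittenAuth-style challenge that shows a grid of nine images drawn uniformly from a labelled pool, and it models a passive observer that simply remembers every image it has been shown together with the expected answer. Two quantities show why pool size is the security parameter: how many distinct challenges the pool can even produce, and how quickly repeated exposure reveals the whole pool. The pool sizes 12 and 3,000,000 are constructed illustrative values.

```python
"""Added example (not from the original post or the KittenAuth/Asirra projects):
why an image-based CAPTCHA with a small labelled pool is weak.

Assumptions (constructed for illustration):
  * each challenge shows GRID distinct images chosen uniformly from a pool of
    `pool_size` labelled images;
  * an observer who has seen an image once, with its answer, recognises it again.
"""
import math
import random

GRID = 9  # images per challenge: a 3x3 grid (constructed value)


def distinct_challenges(pool_size: int, grid: int = GRID) -> int:
    """How many different image sets a challenge can present: C(pool_size, grid)."""
    return math.comb(pool_size, grid)


def fraction_of_pool_learned(pool_size: int, challenges: int,
                             grid: int = GRID, seed: int = 0) -> float:
    """Simulate an observer that records every image it is shown.

    Returns the share of the pool it has labelled after `challenges` rounds.
    A deterministic seed keeps runs reproducible.
    """
    rng = random.Random(seed)
    seen = set()
    for _ in range(challenges):
        # sample() draws `grid` distinct indices, like a real grid without repeats
        seen.update(rng.sample(range(pool_size), grid))
    return len(seen) / pool_size


def expected_rounds_to_cover(pool_size: int, grid: int = GRID) -> float:
    """Coupon-collector estimate of rounds until every image has appeared once.

    pool_size * H(pool_size) is the expected number of single uniform draws;
    dividing by the grid size gives a rough figure for nine-image rounds.
    """
    harmonic = sum(1.0 / k for k in range(1, pool_size + 1))
    return pool_size * harmonic / grid


if __name__ == "__main__":
    for pool in (12, 3_000_000):
        print(f"pool size {pool:,}")
        print(f"  distinct challenges : {distinct_challenges(pool):,}")
        print(f"  est. rounds to cover: {expected_rounds_to_cover(pool):,.0f}")
        for rounds in (10, 100):
            learned = fraction_of_pool_learned(pool, rounds)
            print(f"  after {rounds:>3} rounds, observer knows {learned:.2%} of pool")
```

Run stand-alone, the script shows that a 12-image pool yields only 220 possible grids and is fully known after a few dozen rounds, whereas the 3,000,000-image pool produces an astronomically large challenge space and an observer has labelled well under 0.1% of it after a hundred rounds. The defensive lesson matches the post: the pool must be large enough, and refreshed often enough, that remembering past challenges does not amount to solving future ones.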