Is CAPTCHA useless?
I read an interesting post from Mikko Hypponen at F-Secure, called CAPTCHA me if you can. If you’re not familiar with CAPTCHA, there’s a good article here.
It lists a few ways to defeat it:
- exploiting bugs in the implementation that allow the attacker to bypass the CAPTCHA completely,
- improving character-recognition software,
- using cheap human labour to process the tests, or
- brute force: many sequential attempts against the test instead of recognition software.
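Two of the items above (implementation bugs and brute force) are failures on the server side rather than in the image itself. As an added illustration that is my own sketch and not code from Mikko’s post or from any real CAPTCHA library, here is what the verification side has to get right: a solved challenge must be consumed exactly once (otherwise one solved image can be replayed indefinitely), and guesses against a single challenge must be capped and time-limited.

```python
import hmac
import secrets
import time


class CaptchaVerifier:
    """Server-side CAPTCHA bookkeeping (constructed example, not a real library).

    Each issued challenge is single-use, expires after `ttl_seconds`, and
    tolerates at most `max_attempts` wrong guesses before it is discarded.
    """

    def __init__(self, max_attempts=3, ttl_seconds=120):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        # challenge_id -> [expected answer, issue time, attempts left]
        self._challenges = {}

    def issue(self, answer, now=None):
        """Register the answer of a freshly rendered image; return its opaque id."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)   # unguessable id for the form
        self._challenges[challenge_id] = [answer, now, self.max_attempts]
        return challenge_id

    def verify(self, challenge_id, response, now=None):
        """Return True only for a correct, timely answer to a live challenge."""
        now = time.time() if now is None else now
        entry = self._challenges.get(challenge_id)
        if entry is None:
            return False          # unknown, expired, exhausted, or already used
        answer, issued_at, attempts_left = entry
        if now - issued_at > self.ttl:
            del self._challenges[challenge_id]     # stale: no long-lived guessing
            return False
        expected = answer.strip().lower().encode()
        given = response.strip().lower().encode()
        if hmac.compare_digest(expected, given):
            del self._challenges[challenge_id]     # consumed: no replay of a solve
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._challenges[challenge_id]     # budget spent: no brute force
        return False
```

Without the `del` on success, a single image solved by a human (or a sweatshop) would work as a reusable token; without the attempt budget, one challenge could be guessed at until it matched.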
I don’t know about you, but I find some CAPTCHAs very hard to read. Sure, they will defeat character-recognition software, but they will also leave a lot of people frustrated trying to type the right answer.
Some CAPTCHAs use skill tests… but then again, how do you make them hard enough for a bot and still simple enough for the average Joe to solve?
The example Mikko describes, using human labour, shows that no matter how difficult the CAPTCHA is, it can be broken. Sure, there is a cost involved (a bunch of people sitting at workstations being paid peanuts), but if the profit is worth it, there are many places where that labour can be found.
Out of curiosity I was thinking of other ways to establish unique identification. I remember my recent trip to Seattle, where they took my full biometrics (because I’m a French citizen). Not a pleasant experience, but I had no choice if I wanted to proceed past the gate.
I believe there are some serious issues with biometrics involving privacy and much more. It is a scary thought to know that we are catalogued and followed. But part of me thinks it’s going to happen no matter what… It’s just a matter of time. Computers are completely part of our lives, and all these gadgets we carry can be used to track us down.
Anyway, back to CAPTCHA: is it possible that one day you will log in to your email with your fingerprint? I don’t see why not. Would it be safer? It would certainly open the door to more security breaches…
People say to use a good password. Good advice… but a keylogger doesn’t care whether your password is a dictionary word, whether it has numbers, or whether it is more than 12 characters long.
So, what are we supposed to do? First step is to admit that there is no such thing as 100% safe.
Jerome