Thursday, October 09, 2008

Is CAPTCHA still effective as a security test?

CAPTCHA is a security provision designed to confirm that an online user is actually human by asking them to complete a simple test which is difficult for computers to interpret.

Often appearing as wavy or handwritten words and numbers, CAPTCHA (standing for Completely Automated Public Turing test to tell Computers and Humans Apart) has been widely implemented as an online security confirmation system within email systems, blogs, ebusiness and egovernment sites. In fact you'll see it in use when commenting on this blog.

Example of a modern CAPTCHA image (source: Wikipedia)

However CAPTCHA is increasingly under threat due to the multiple ways of circumventing this security and organisations need to consider whether it is still worth implementing CAPTCHA or more advanced security systems.

How effective is CAPTCHA?
As was recently reported in AllSpammedUp, Spammers are once again attacking Microsoft's CAPTCHA, used in their Hotmail email system to distinguish between legitimate human customers and automated spam systems.

While 10-15% doesn't sound that significant, given that spammers are able to use automated systems to create hundreds of email addresses a minute - then use the successful ones to distribute spam email - that level of success is quite high.

Hackers are also able to use cheap eyeballs from third world countries to break CAPTCHA - with Indian crackers paid $2 for every 1,000 CAPTCHAs solved.

Other techniques also exist to break CAPTCHA, such as advertising a porn site, embedding CAPTCHA codes from legitimate sites and asking people to solve these codes in order to access the adult content for free.

Given all these different ways to defeat CAPTCHA tests, and the barriers for those with vision impairments (who often unable to complete visual tests where an audio equivalent is not provided), let alone the difficulties real humans have in interpreting CAPTCHA tests correctly, this approach to security is seriously under threat.

However effective alternatives to validating that humans are really humans are not yet available for use.

Where next for CAPTCHA?
Microsoft and other large providers of online systems remain dedicated to strengthening CAPTCHA technology, even where the line of what is actually readable by the average human begins to blur.

They have limited alternatives as to effective tests of whether a user is human or computer to help minimise the success of automated hacking attempts.

Some mechanisms already coming into use are to ask questions via CAPTCHA text which is based on trivia more difficult for a machine to guess, or to have multiple CAPTCHA images which must be reinterpreted based on additional text - also stored as a CAPTCHA image.

All of these remain vulnerable to cheaply paid third-world CAPTCHA breaking groups, albeit increase the difficulty for machines.

Where should organisations use CAPTCHA?
Given the lack of alternatives, organisations need to continue using CAPTCHA, but selectively apply other methods of detecting machine-based attacks (such as rapid or logically sequenced attempts at creating accounts or logging in).

Where possible CAPTCHA should be used only to validate the 'humanness' of a user, rather than as an outright security measure, thereby limiting system vulnerability.

Finally organisations need to use the most current versions of CAPTCHA and update regularly to reduce the risk of intrusion to only the most sophisticated hackers.

No comments:

Post a Comment