CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers. But CAPTCHAs no longer offer a good defense to thwart malicious hackers. So what's next?
Last week, Websense noted that Google's Gmail CAPTCHA was busted. A few weeks before that incident, Microsoft Windows Live Mail's CAPTCHA defense fell to spam bots. Meanwhile, some humans can't get through the CAPTCHA system. Add it up and you get the worst of both worlds: CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) doesn't keep hackers out, but does hamper real live humans.
Gunter Ollmann, a researcher at IBM's ISS unit, tackles the CAPTCHA issue. He points out that CAPTCHAs used to be a good defense against automated attacks, but don't stand a chance against today's malware. Ollmann writes:
> CAPTCHAs were a good idea, but frankly, in today's profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHAs - instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHAs aren't the right tool for stopping today's commercially minded attackers.
Ollmann argues that CAPTCHAs can't compete anymore in the hacker algorithm arms race, but skips past the biggest question: if we decommission CAPTCHAs, what do we replace them with?
I'm not going to proclaim that I have an answer--I'm rarely the smartest guy in the room unless I'm alone in a Manhattan studio--but it's a question worth asking. A few items to ponder for future discussion:
- Do we need a CAPTCHA 2.0 system?
- Is the minor defense that CAPTCHAs provide better than nothing?
- What should we do to prevent automated attacks?