Google's CAPTCHA experiment and the human factor

Google's CAPTCHA experiment and the human factor

Summary: Any research is prone to irrelevance if it starts with the wrong research questions, takes the wrong perspective, or in this case, attempts to fight the wrong enemy - automated bots attempting to recognize CAPTCHAs.Researchers at Google recently released a paper detailing a new CAPTCHA system consisting of correct image rotation (Socially Adjusted CAPTCHAs) whose main purpose is to make it easier for humans, and much harder for bots to recognize them.

TOPICS: Google, Security

Any research is prone to irrelevance if it starts with the wrong research questions, takes the wrong perspective, or in this case, attempts to fight the wrong enemy - automated bots attempting to recognize CAPTCHAs.

Researchers at Google recently released a paper detailing a new CAPTCHA system consisting of correct image rotation (Socially Adjusted CAPTCHAs) whose main purpose is to make it easier for humans, and much harder for bots to recognize them. But with the emphasis of this and many other research papers on  "bots vs CAPTCHAs", the research excludes a growing trend to which the new approach -- if implemented -- would actually make the new CAPTCHA much more efficiently abused than the previous one.

How come? Despite the persistent attempts by malware infected hosts to recognize CAPTCHAs, at the end of the day, a data entry team capable of solving 200,000 CAPTCHAs and charging $2 per 1000 entries ultimately drives the CAPTCHA solving economy.

A lot has changed since the factual research detailing "Inside India's CAPTCHA solving economy" was published last year.

Following their improved recognition rates -- in case you remember you have to pass a CAPTCHA solving speed test in order to become a qualified CAPTCHA solver -- the vendors of these services consisting primarily of boutique shops and a few consolidated ones, have gone mainstream to the point where Russian based CAPTCHA solving services are outsourcing the process to Indian workers and charge their customers more than the pay to their Indian colleagues.

In February this year, a novel approach was introduced by a Russian boutique vendor of CAPTCHA solving services - a community-driven revenue sharing scheme for CAPTCHA breaking. The concept is mimicking reCAPTCHAs ease of implementation and ubiquity, but with a mean perspective in mind. It allows webmasters to not only implement CAPTCHA solving forms at their registration pages, but is offering idle forum/community members the opportunity to solve CAPTCHA and earn revenue in the process, with the successfully solved CAPTCHAs fed into their system fulfilling yet another bulk request for bogus account registration.

Perhaps even more disturbing is the fact that these vendors are naturally Web 2.0 aware, and are clearly working with some of the most popular vendors of blackhat search engine optimization and automatic account registration/spamming tools by offering them the capability to empower their customers with CAPTCHA solving capabilities through API keys.

A practical example of how these human networks efficiently exploit CAPTCHA systems originally designed to fight bots, and facilitate cybercrime in the process, is the social networking worm Koobface (Koobface Facebook worm still spreading; Dissecting the Latest Koobface Facebook Campaign; Dissecting the Koobface Worm's December Campaign; The Koobface Gang Mixing Social Engineering Vectors).

Koobface is eating every social network's internal CAPTCHA barrier for breakfast not because the Koobface gang is taking advantage of CAPTCHA recognition algorithm, but because it's relying on CAPTCHA solving services.

"In the real test, asked the Koobface to resolve the CAPTCHA image that reads "suffer accorn" - this image was pretty noisy for image recognition algorithms to resolve it successfully. But Koobface does not attempt to resolve it by itself. It submits this image to its C&C server. The server replies correct answer in about 34 seconds. Once the answer is received, Koobface submits the message via Facebook's compromised account including correct CAPTCHA answer."

With human networks and bots clearly converging (see graph), Sergei also discussed a very pragmatic solution on defeating Koobface back then - injecting a large number of successfully accepted CAPTCHA images to Koobface's command and control server, have them resolved by the CAPTCHA solving vendor, and the bill sent to the Koobface gang :

"Detailed analysis of traffic between Koobface and its command-and-control server allowed tapping into its communication channel and injecting various CAPTCHA images in it to assess response time and accuracy. The results are astonishing – the remote site resolved them all.

But here is a twist: uploading a large number of random CAPTCHA images into its communication channel will load its processing capacity, potentially up to a denial-of-service point. Well, if not that far, then at least it could potentially harm its business model, considering that the cost of resolving all those injected images would eventually be paid by the Koobface gang."

The ongoing arms race is not between bots vs CAPTCHAs, its between human networks efficiently exploiting networks aimed to originally distinguish between humans and bots. No CAPTCHA can survive a human, since it was originally meant to be recognized by one, and therefore making it easier to be recognized by humans like in Google's recent experiment, ultimately makes it easier for the CAPTCHA solving economy to scale.

CAPTCHA is in pain, humans are slowly killing it not bots. What do you think?

Topics: Google, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Sadly, CAPTCHA is too limited for the objective.

    Although CAPTCHA is good enough at what the programmers intended (stopping 'bots) it is no longer useful for the business's root intent: stopping spammers.

    Unfortunately, it has become an annoyance to honest users and doesn't even slow the criminals down. Frankly, though, this development was obvious.

    When I explained to my elderly mother how to complete a CAPTCHA for her Hotmail account she remarked, "Won't the bad guys just switch from programs and have some people do it instead?".

    It turns out the answer is "yes."

    This particular arms race was foredoomed, as there are plenty of bad guys willing to solve CAPTCHAs for a price (and probably some otherwise good folks too, who just need enough money to feed their family for another day and solving does that for them).

    The real solution to both spam and online-cons is traceable e-mail and routers programmed to drop packets which don't have a verifiable source.

    This, combined with effective law enforcement (Yes, this is a HUGE challenge across national boundaries) is the only long-term solution to the problem of cyber-crime.

  • Put CAPTCHA to deafblind to the test, and you'll get no response.

    Because there will be blind/deaf user who cannot hear and has no sight, they will have to use a Braille display in order to complete the task, like checking for e-mail, buying some things, do word processing, etc.

    Here's information about a braille display.

    If screen readers cannot read CAPTCHA and deafblind users cannot hear audio (due to deafness), then a Braille display is useless for CAPTCHA.

    I'm sorry, but that's just the way things are and I came from a deaf-blind perspective, even though I'm visual and hearing impaired. Although I have pretty good vision on my right eye (blind on my left eye), I can use image-based CAPTCHA. However, I'm hearing impaired and I do have zero chance of understanding the spoken letters and words in audio-based CAPTCHA.

    When I'll see this kind of article in ZDNet in the future, I will say this again. I think I've mentioned this -- probably once -- in previous article and I think it's dated maybe last year (?)... I'll do a Google search for it and bring up a link in here. The reason why I'm doing this is to [i]emphasize[/i] my point about CAPTCHA from a deaf-blind perspective.

    Update: A quick search in Google came up and here's the URL:
    Grayson Peddie
  • The best defense: e-mail verification along with Captcha

    And that is what many internet forums are going to! No more captcha alone and you can instantly post or submit something.... you actually have to CONFIRM what you post or submit by e-mail or confirm your account first by e-mail.
    • CAPTCHA is no good for the deafblind.

      E-Mail verification is a better idea.
      Grayson Peddie
  • IP block? ID card? Payments?

    So block the IP address block of the humans.

    . . . if it gets too bad, though, we may be forced to
    start tying accounts to something like ID cards.

    . . . or even start rationing accounts out instead of
    handing them out freely. Something like Google's early
    invite system.

    . . . or even simply start making the services paid
    services instead of free services. Paying about $1 or
    so every year is no big deal for most people, but
    would be a killer for a service that creates thousands
    of accounts every day.
  • RE: Google's CAPTCHA experiment and the human factor

    Try changing the world economy unbalance and you have your problem solved.
    • Of course!

      It's so simple - just give all the money from the rich, productive, innovating economies to the people who steal.

      Why didn't we think of this before?
  • Let's check that solution

    How can CAPTCHA ever be secure if incorrect solutions be accepted? Who verified 'accorn' when a closer examination would reveal 'accom-'as at least possible within the context of english?
  • RE: Google's CAPTCHA experiment and the human factor

    Well done! Thank you very much for professional templates and community edition
    <a href="">seslisohbet</a> <a href="">seslichat</a>