If CAPTCHAs are decommissioned what comes next?
Summary: CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers.
CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers. But CAPTCHAs no longer offer a good defense to thwart malicious hackers. So what's next?
Last week, Websense noted that Google's Gmail CAPTCHA was busted. A few weeks before that incident Microsoft Windows Live Mail's CAPTCHA defense fell to spam bots. Meanwhile, some humans can't get through the CAPTCHA system. Add it up and you get the worst of both worlds: CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) doesn't keep hackers out, but does hamper real live humans.
Gunter Ollmann, a researcher at IBM's ISS unit, tackles the CAPTCHA issue. He points out that CAPTCHAs used to be a good defense against automated attacks, but don't stand a chance against today's malware. Ollmann writes:
CAPTCHAs were a good idea, but frankly, in today's profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHAs - instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHAs aren't the right tool for stopping today's commercially minded attackers.
Ollmann argues that CAPTCHAs can't compete anymore in the hacker algorithm arms race, but skips past the biggest question. If we decommission CAPTCHAs, what do we replace them with?
I'm not going to proclaim that I have an answer--I'm rarely the smartest guy in the room unless I'm alone in a Manhattan studio--but it's a question worth asking. A few items to ponder for future discussion:
- Do we need a CAPTCHA 2.0 system?
- Is the minor defense that CAPTCHAs provide better than nothing?
- What should we do to prevent automated attacks?
Thoughts?
Talkback
Well... And I'm so going to anger the privacy advocates here...
The hitch? Actually signing up for this... Perhaps a known and trusted company like VeriSign could offer up this USB token for a cost of, eh, $10 bucks. BUT to get it, you have to scan a copy of a federal/state-issued ID, plus the credit card address for the credit card used to purchase it would have to be the same as the shipping address. Cumbersome? Yes. Time consuming? Maybe. But overall I think this could even evolve to where this could also be in tandem with online banking.
require additional pass code sent to user over separate channel
Well, yeah, you could do that.
There are less stringent variations that may work
For one thing, going to all of the trouble to ID a person may not be necessary: Just enforce a rule saying a token can only be used for one account - you can't have, say, multiple Hotmail accounts attached to a token. The fact that the token costs $10 means that the profit from this type of attack will be reduced drastically, since they have to re-buy a new token to get a new account - and they probably don't make that much from a single account. They count on making a little bit of money from lots of accounts.
In addition, just the fact that it's a hardware device that needs to be shipped means there's a real paper trail that authorities can follow. As we already know, all current postal systems can track everything that goes through them. Much easier to track than somebody hiding behind zombie computers.
By the way, PayPal and VeriSign are already experimenting with a similar system, with some success:
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
VeriSign is offering these tokens in three form factors:
- The "football" form factor, which is the PayPal security key (PayPal is actually using VeriSign's tokens).
- A credit card form factor, which fits into a wallet.
- A USB stick form factor, as you have suggested.
The question is - will it catch on? Can these companies make it popular somehow?
I have the PayPal token.
And yes you are right since this would cause a paper trail -- spammers and stuff could be easier to halt/find. Only downside to this is would be a total redesign of the backend authentication/verification systems.
Too USA-centric
What about those in Europe?
How about Canada?
South and Central America?
If there is a verification system that can work for email, then the same one could work to verify where the visitor is coming from, and then capture the IP addresses, and ban the F*ckers who are spamming through captcha forms.
As the services get more and more useless due to their IPs being banned due to these malevolent miscreants, they will only be able to attack themselves, or come up with a way to regulate their users.
We had big problems and fell victim to a Russian spam gang constantly filling in our form mail. So we collected and banned the IP ranges of the worst offenders -- 99% were from Russia and Ukraine. Then implemented a captcha and a customized form mail form and one other piece of the puzzle and no more form mail spam.
It really is a shame we had to go to such huge lengths. From now on, every web site we set up along with all our existing ones are banning every IP range that originates in Russia and the Ukraine. They can all go to hell as far as I'm concerned.
Simple Solution
Instead of showing a random number of characters, show an object that can't be easily identified.
Basically a 3 row database
Field one, a picture of the object
Field two, a question "What is the object?"
Field three, acceptable answers.
Or if we want to really throw things for a loop
Give a picture and then list a question about the picture that doesn't have to be specific to the entire picture.
"What is the color of the man's hat in the picture?"
How difficult could that be? If you could build a software engine to recognize these items, you should consider doing government work for AI research.
You would be back at square one very shortly
Yes, but...
No sign up, no customers. Not a very good business model.
Agreed
This is true but...
How are they thwarted again?
That would be interesting to find out.
This would require more CPU power
They can build up a database of text images and respond accordingly, or they can build image recognition to do the work for them. Odds are these goof balls are just slumming around using tricks that are a bit more clever such as reading file names and building the database that way. Image recognition could quickly become burdensome on a computer if they are trying to plow through as quickly as they want.
The tokens can be made virtually impossible
Even if Moore's law holds (and it seems to be a bit shaky lately), it's estimated it will be well over 100 years before computers have enough power to brute force attack a 256 bit key - and that's being extremely optimistic.
Not to mention they won't have that long to crack a key - in most token systems, the token is set to expire after a certain time and new ones are created continuously.
If implemented properly, a token system can actually be made very strong.
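The expiring-token scheme this comment describes (a code derived from a secret key that is only valid for a short time step, with a fresh one generated continuously) is what RFC 4226/6238 one-time passwords implement. The following is an added illustration, not code from the post or from any commenter, PayPal or VeriSign; it uses the published RFC test secret ("12345678901234567890") and a 30-second step, and the `window` parameter is an assumption about how much clock skew a verifier would tolerate.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds each code stays valid
DIGITS = 6       # length of the displayed code

# Constructed example secret: the shared test key from RFC 4226 / RFC 6238.
# A real deployment generates a random per-token secret at provisioning time.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of time steps since the epoch,
    so the code automatically changes every `step` seconds."""
    return hotp(secret, int(at_time) // step)


def verify(secret: bytes, code: str, at_time: int,
           step: int = TIME_STEP, window: int = 1) -> bool:
    """Accept a code if it matches the current step or one step either side
    (assumed tolerance for clock skew). Codes outside that window are expired,
    which is the property the comment above relies on: even a captured code is
    useless after a minute. Comparison is constant-time."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    now = 59  # constructed timestamp; RFC 6238 test vector time
    code = totp(TEST_SECRET, now)
    print("code at t=59:", code)                          # 287082
    print("valid now:", verify(TEST_SECRET, code, now))    # True
    print("valid +30s:", verify(TEST_SECRET, code, now + 30))   # True (skew window)
    print("valid +90s:", verify(TEST_SECRET, code, now + 90))   # False (expired)
```

Note that the 256-bit strength mentioned above applies to the secret, not to the six-digit code: the code space is only a million values per step, so a verifier must rate-limit and lock out after a handful of failures, or an attacker could simply guess within the validity window.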
So let me get this right...
Would this be a different token for every website?
Or do we want to give power to a certificate entity like RSA or Verisign?
Then, do we really want people to have to wait to get this token?
Obviously if we make this a software token, it can be hacked, and if we make this a hardware token, it can be emulated.
Next?
CAPTCHA Subscription
well, there have long been personal digital signatures
Worth your editorializing taking the discussion further?
Regards
This should be about discrimination
Test cognitive abilities that are unique to man -- ideas?
As in my suggestion