If CAPTCHAs are decommissioned what comes next?

Summary: CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers.

TOPICS: Security

CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers. But CAPTCHAs no longer offer a good defense to thwart malicious hackers. So what's next?

Last week, Websense noted that Google's Gmail CAPTCHA was busted. A few weeks before that incident Microsoft Windows Live Mail's CAPTCHA defense fell to spam bots. Meanwhile, some humans can't get through the CAPTCHA system. Add it up and you get the worst of both worlds: CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) doesn't keep hackers out, but does hamper real live humans.

Gunter Ollmann, a researcher at IBM's ISS unit, tackles the CAPTCHA issue. He points out that CAPTCHAs used to be a good defense against automated attacks, but don't stand a chance against today's malware. Ollmann writes:

CAPTCHAs were a good idea, but frankly, in today's profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHAs - instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHAs aren't the right tool for stopping today's commercially minded attackers.

Ollmann argues that CAPTCHAs can't compete anymore in the hacker algorithm arms race, but skips past the biggest question: if we decommission CAPTCHAs, what do we replace them with?

I'm not going to proclaim that I have an answer--I'm rarely the smartest guy in the room unless I'm alone in a Manhattan studio--but it's a question worth asking. A few items to ponder for future discussion:

  • Do we need a CAPTCHA 2.0 system?
  • Is the minor defense that CAPTCHAs provide better than nothing?
  • What should we do to prevent automated attacks?


  • Well ...And I'm so going to anger the privacy advocates here...

    Maybe we can create a token system. I want to sign up for a service at say, ZDNet, well, I proceed with my sign up...however, I also have to insert a token into my computer (that through a special ActiveX, Java, or some other plugin looks at) and verifies my identity. No token..no verification..no sign up.

    The hitch? Actually signing up for this...perhaps a known and trusted company like Verisign offers up this USB token for a cost of eh $10 bucks..BUT to get it...you have to scan a copy of a federal/state issued ID plus the credit card address for the credit card that is used to purchase it would have to be the same as the shipping address. Cumbersome? Yes. Time consuming? Maybe. But overall I think this could even evolve to where this could also be in tandem with online banking.
    • require additional pass code sent to user over separate channel

      Some banks now will text to your cell phone a temporary (expires in a few minutes), one-time-use pass code that you must enter into their website. This is similar to how users of many secure systems are issued key-code fobs. User enters some ID into the fob, fob generates a special, one-time code, user enters that code as password for the website. I have used such fobs since 1992 (brands like RSA SecurID, ActivCard).
      • well yea you could do that..

        Logmein.com does that too if you enable extra security. Upon logon it sends me a text code to my phone and I enter it to verify identity...which actually may be a better solution because everyone is getting cell phones and at least a small pool of texting. But I don't think it will really take off until unlimited texting is the norm.
    • There are less stringent variations that may work

      Well, that's a good idea, but as you've said, it can be quite a hassle.

      For one thing, going to all of the trouble to ID a person may not be necessary: Just enforce a rule saying a token can only be used for one account - you can't have, say, multiple Hotmail accounts attached to a token. The fact that the token costs $10 means that the profit from this type of attack will be reduced drastically, since they have to re-buy a new token to get a new account - and they probably don't make that much from a single account. They count on making a little bit of money from lots of accounts.

      In addition, just the fact that it's a hardware device that needs to be shipped means there's a real paper trail that authorities can follow. As we already know, all current postal systems can track everything that goes through them. Much easier to track than somebody hiding behind zombie computers.

      By the way, PayPal and Verisign are already experimenting with a similar, with some success:

      Verisign is offering these tokens in three form factors:
      -The "football" form factor, which is the PayPal security key (PayPal is actually using Verisign's tokens).
      -A credit card form factor, which fits into a wallet.
      -A USB stick form factor, as you have suggested.

      The question is - will it catch on? Can these companies make it popular somehow?
      • I have the paypal token..

        Along with a separate token for my E*Trade accounts when they implemented them several years back. Another general idea with my token was to establish that for multiple services...otherwise it would get cumbersome REAL quick to carry around multiple tokens. Think of this as more of an ID check to see if you are a person than physically tying the device to ONE specific account. Maybe have it "register" the token with that account..but use a universal system so I could use it at eBay, PayPal, Yahoo, Hotmail, AND my financial institutions.

        And yes you are right since this would cause a paper trail -- spammers and stuff could be easier to halt/find. Only downside to this is would be a total redesign of the backend authentication/verification systems.
    • Too USA Centric

      And what do you do for people who live in Asia?
      What about those in Europe?
      How about Canada?
      South and Central America?

      If there is a verification system that can work for email, then the same one could work to verify where the visitor is coming from, and then capture the IP addresses, and ban the F*ckers who are spamming through captcha forms.

      As the services get more and more useless due to their IPs being banned due to these malevolent miscreants, they will only be able to attack themselves, or come up with a way to regulate their users.

      We had big problems and fell victim to a Russian spam gang constantly filling in our form mail. So we collected and banned the IP ranges of the worst offenders -- 99% were from Russia and Ukraine. Then implemented a captcha and a customized form mail form and one other piece of the puzzle and no more form mail spam.

      It really is a shame we had to go to such huge lengths. From now on, every web site we set up along with all our existing ones are banning every IP range that originates in Russia and the Ukraine. They can all go to hell as far as I'm concerned.
  • Simple Solution

    This could be overcome with a simple solution that isn't based off of text to text.

    Instead of showing a random number of characters, show an object that can't be easily identified.

    Basically a 3 row database

    Field one, a picture of the object
    Field two, a question "What is the object?"
    Field three, acceptable answers.
    Or if we want to really throw things for a loop

    Give a picture and then list a question about the picture that doesn't have to be specific to the entire picture.

    "What is the color of the man's hat in the picture?"

    How difficult could that be? If you could build a software engine to recognize these items, you should consider doing government work for AI research.
    • You would be back at square one very shortly

      The only problem with that is that the SPAMbots and stuff could be easily engineered to circumvent them similar to the same way the current captchas get circumvented. In the talkback above I was actually certifying the form with the user's ID based on a token, which is irrefutable (virtually).
      • Yes, but...

        [i]No token..no verification..no sign up.[/i]

        No sign up, no customers. Not a very good business model.
        • Agreed

          By creating a more difficult sign-up, you alienate your customers.
        • This is true but...

          It would have to be implemented as a turnkey solution like the current captchas. I don't know of a way to stop machines from being able to adapt other than using true two-factor methods. The code, which is auto sent to a mobile or email, doesn't sound like a HUGE idea...it still verifies ownership and that you are a person, but I would imagine that still could be scripted by a bot.
      • How are they thwarted again?

        I am curious as to the nature of the beast and how quickly it adapts.
        • that would be interesting to find out..

          I would imagine it would only take as long for the current hardcore bots to disassemble the CAPTCHA 2.0 and be able to decipher the image, read the question, then formulate a probable answer. It would take a while sure, but as with anything...it's gonna be broken.
          • This would require more CPU power

            They can thwart this one of two ways.

            They can build up a database of text images and respond accordingly, or they can build image recognition to do the work for them. Odds are these goof balls are just slumming around using tricks that are a bit more clever such as reading file names and building the database that way. Image recognition could quickly become burdensome on a computer if they are trying to plow through as quickly as they want.
        • The tokens can be made virtually impossible

          Given a large enough key, a token can be made virtually impossible to crack. It's entirely possible to have a USB token generate a 256 bit key, which is 3.4x10^38 times harder to crack than a 128 bit key - and 128 bit keys haven't been cracked yet.

          Even if Moore's law holds (and it seems to be a bit shaky lately), it's estimated it will be well over 100 years before computers have enough power to brute force attack a 256 bit key - and that's being extremely optimistic.

          Not to mention they won't have that long to crack a key - in most token systems, the token is set to expire after a certain time and new ones are created continuously.

          If implemented properly, a token system can actually be made very strong.
          • So let me get this right...

            To sign up for my forums so that you can participate in the discussion, you have to go and buy a token.

            Would this be a different token for every website?

            Or do we want to give power to a certificate entity like RSA or Verisign?

            Then, do we really want people to have to wait to get this token?

            Obviously if we make this a software token, it can be hacked, and if we make this a hardware token, it can be emulated.
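The fob scheme the replies above describe (a short code that is valid for one time window, then replaced, so an intercepted code is worthless soon after) is what RFC 6238 time-based one-time passwords implement. As an added illustration, not code from the post or from any commenter, here is a minimal token-side generator and a server-side verifier in Python; the shared secret is the value from the RFC test vectors, and the 30-second step and one-step drift allowance are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # lifetime of one code; 30 s is an assumed, common fob setting
DIGITS = 6         # code length displayed on the token


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP, the token side: the counter is the current time step,
    so a code expires by itself as the clock moves on."""
    return hotp(secret, now // step)


class TokenVerifier:
    """Server-side check of a fob code. Accepts the current step plus one
    step either side for clock drift, and never accepts a step at or before
    the last one consumed, which blocks replay of an intercepted code."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_step = -1  # highest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_step:
                continue  # already consumed: replayed or stale code
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector secret (demo only)
    v = TokenVerifier(secret)
    code = totp(secret, 59)
    print(code, v.verify(code, 59), v.verify(code, 59), v.verify(code, 200))
```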

  • CAPTCHA Subscription

    They should have a CAPTCHA subscription to create an ever changing list.
  • well, there have long been personal digital signatures

    Maybe this is the time they become essential.

    Worth your editorializing taking the discussion further?

    Narr vi
    • This should be about discrimination

      of man vs machine, [b]not[/b] about identification. Secure identification can be done like addressed in several of the previous posts.
      Test cognitive abilities that are unique to man -- ideas?
      • As in my suggestion

        This should be a different style CAPTCHA. Something that can't be associated with a picture. Something that takes a bit more horse power to calculate or identify.