CAPTCHA: Security Issues and the Internet
Published 06 Jan 2017
According to the article “CAPTCHA: Telling Humans and Computers Apart Automatically,” the term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford of Carnegie Mellon University.
It said that CAPTCHA is a “program that protects websites against electronic bots by generating and grading tests that humans can pass but current computer programs cannot.”
One common kind of CAPTCHA used on websites requires a visitor to type the letters and numbers shown in a distorted image into a text box. It rests on the assumption that humans can read the distorted text easily, while computer programs find it much harder to extract.
These security measures are very common nowadays because of the many spammers who specifically create scripts and programs that automatically submit various forms. However, there have also been programmers who have created special algorithms to defeat the purpose of CAPTCHAs.
It was also in 2000 when the first of its kind was developed to be used by Yahoo.
Applications of CAPTCHAs
CAPTCHAs can prevent comment spam in blogs.
Many bloggers face “comment spam”: programs that submit unwanted comments in order to raise the search engine ranking of some websites. With a CAPTCHA in place, users do not have to sign up for an account just to be able to leave a comment.
CAPTCHAs can protect website registration and email addresses.
Since many software companies have offered free email services over the years, bots have also been registering and using such accounts to spam other users. With a CAPTCHA, only real humans can obtain and keep free email accounts, which prevents abuse by automated scripts.
And as spammers also search the web for email addresses that appear in clear text, CAPTCHAs may be used to hide one’s email address from web scrapers. This is done by making users solve the CAPTCHA before the email address is shown.
CAPTCHAs can ensure the proper implementation of online polls.
Most online polls record the voters in order to prevent them from voting more than once. However, such polls are still subject to bots voting in place of humans, which makes them unreliable. Placing a CAPTCHA on the voting page helps keep automated bots out of the poll.
CAPTCHAs can be used to prevent password decoding.
Many accounts are broken into with dictionary attacks, something a CAPTCHA can help prevent. Since a dictionary attack works by trying a large number of candidate passwords against an account, it can be stopped by requiring the user to solve a CAPTCHA after a series of unsuccessful logins.
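A login guard of the kind described above, as an added example (not code from this page or the articles it cites): it counts recent failed logins per account and, once a threshold is reached, refuses further attempts until a server-side CAPTCHA challenge is answered. The password check, the thresholds and the challenge answers are assumptions; generating the CAPTCHA image or audio itself is out of scope.

```python
import hmac
import secrets
import time

FAIL_THRESHOLD = 3      # failed logins before a CAPTCHA is required (assumed)
FAIL_WINDOW = 15 * 60   # seconds; failures older than this are forgotten (assumed)
CHALLENGE_TTL = 5 * 60  # seconds a challenge stays valid (assumed)


class LoginGuard:
    """Tracks failed logins per account and gates further attempts behind a CAPTCHA.

    Challenges are stored server-side as (answer, expiry) under a random token,
    so the client only ever sees the token, never the expected answer.
    """

    def __init__(self, check_password, now=time.time):
        self._check_password = check_password  # callable(user, pw) -> bool (assumed)
        self._now = now                        # injectable clock, for testing
        self._failures = {}                    # user -> list of failure timestamps
        self._challenges = {}                  # token -> (answer, expiry)

    def _recent_failures(self, user):
        cutoff = self._now() - FAIL_WINDOW
        recent = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = recent  # drop expired entries
        return len(recent)

    def captcha_required(self, user):
        return self._recent_failures(user) >= FAIL_THRESHOLD

    def issue_challenge(self, answer):
        """Register the answer of a freshly generated CAPTCHA; returns an opaque token."""
        token = secrets.token_urlsafe(16)
        self._challenges[token] = (answer, self._now() + CHALLENGE_TTL)
        return token

    def _verify_challenge(self, token, response):
        answer, expiry = self._challenges.pop(token, (None, 0))  # single use
        if answer is None or self._now() > expiry:
            return False
        # constant-time, case-insensitive comparison of the user's response
        return hmac.compare_digest(answer.lower(), (response or "").lower())

    def login(self, user, password, token=None, response=None):
        """Returns 'ok', 'bad_credentials' or 'captcha_required'."""
        if self.captcha_required(user) and not self._verify_challenge(token, response):
            return "captcha_required"  # password is not even checked
        if self._check_password(user, password):
            self._failures.pop(user, None)  # success clears the counter
            return "ok"
        self._failures.setdefault(user, []).append(self._now())
        return "bad_credentials"
```

Each challenge token is consumed on its first use, so a wrong answer cannot be retried against the same challenge.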
CAPTCHAs can prevent search engine bots from entering unindexed websites.
Although an HTML tag may be used to ask search engine bots not to index a certain website, it is not impenetrable, unlike a CAPTCHA. CAPTCHAs can also be part of the solution against email worms and spam. However, CAPTCHAs are not effective by themselves; they need to be adjusted to what the site owner intends to use them for.
These security mechanisms must be made accessible. Most CAPTCHAs are based on reading text or other visual tasks, but CAPTCHAs should also be accessible to people with disabilities, such as the blind. Alternatives such as audio clips should be offered as an option to the visual tests.
In terms of resistance to automated attacks, CAPTCHAs should be created with image security in mind. I say this because even if text or images are distorted randomly before being shown to users, they may still be subject to automated attacks if the distortion is done amateurishly.
A false sense of security
According to the article “Inaccessibility of CAPTCHA,” this security system, just like everything else, may be defeated by those who will benefit from doing so.
Take, for example, PIN guards: they use a visual keypad that maps the letters on the keyboard to those on the screen according to the user’s passcode. However, users who cannot see the code or understand it will be unable to access their own account on the site.
And since CAPTCHAs are frequently used on the message boards of most blogs, many bloggers have claimed success in fending off unwanted comments and spam. However, other methods of comment and spam control that are also accessible to disabled users can be used in place of CAPTCHA.
The same article said that external projects like BREAKING, AICAPTCHA, and PWNTCHA have shown that many systems may be defeated by computers with an 88 percent to 100 percent accuracy using optical character recognition.
Thus, it said that it was a “logical fallacy” to hail CAPTCHA as a “spam-busting panacea.” Moreover, it was “faulty logic” to believe that since large sites adopted the use of CAPTCHAs, it is supreme in fighting spam.
How CAPTCHA was foiled
Even Matt Mullenweg, who runs the popular blogging site WordPress, said that CAPTCHA is not all that people make it out to be.
“CAPTCHA is the bane of the internet. I can’t figure them out myself half the time,” he said in Anderson’s article “How CAPTCHA was foiled: Are you a man or a mouse?”
Anderson (2008) said that websites use CAPTCHAs in an attempt to disrupt the spam and malware economy, but that they are not working. Since spammers and malware authors are able to break CAPTCHA, Carl Leonard, a threat research manager at Websense Security Labs, said in the article that there had been an increase in the amount of mail sent out from reputable mail services and an increase in the number of blogs that host malicious content or content that spammers wish to advertise. “These email accounts are particularly valuable because spam filters cannot block them without blocking genuine mail at the same time.”
Moreover, Anderson (2008) said that the techniques to break the contested security system are nothing new.
He said that, first of all, “if a human can read an image then the chances are that software can do the same thing.” As an example, he cited software developer Casey Chesnut, who wrote a CAPTCHA-breaking algorithm in 2005 and proved its worth when it was able to post automated comments to nearly 100 blogs.
In response to these kinds of attack, the creators of CAPTCHA devised tests that were harder to solve.
Some images were made more distorted than usual, although that made them more difficult for human users as well. 3D CAPTCHA was also introduced; it relied on object recognition rather than character recognition. Some questions were also added to confuse automated code breakers.
Human labour also seems to be a weapon used by many CAPTCHA breakers. One such method is to entice unsuspecting humans into solving CAPTCHAs for other users.
Anderson (2008) also said that some spammers have employed teams of temporary staff, usually in third world countries, sitting at their computer terminals and solving CAPTCHAs.
“Most CAPTCHAs have been completely broken. We’re seeing more CAPTCHAs targeted. I don’t see how the targeting by the malicious authors right now is going to go away. It’s still in their interests to get hold of these valued accounts,” said Carl Leonard, a threat research manager at Websense Security Labs, in Anderson’s article.
However, software companies like Microsoft have not given up on the system just yet.
“We are updating our CAPTCHA system to be both more readable for customers but more difficult to break through. Improvements include new image distortion logic, overlapping characters and dynamic monitoring capabilities to observe attacks in real time and make necessary adjustments to mitigate them. In addition, we continue to make advances to better prevent spammers from using Hotmail accounts, once created, to successfully send spam,” said Microsoft in the same article.
Individual net users should also pay more attention to the issue at hand, because CAPTCHAs being broken does not only affect big software or computer companies but every internet user as well.
So what can replace CAPTCHA?
Leonard suggested that CAPTCHA be replaced with some kind of layered security. This entails adding human or third-party checks when monitoring content for malicious use. However, the trade-off is that as security increases, usability decreases.
There are also newer authentication schemes, like OpenID or Microsoft CardSpace, which may be adopted. These two schemes make it possible to register for one site using credentials verified by another.
However, Anderson (2008) said that “the internet is a long way from adopting this level of security, and there is always a danger that whatever steps the industry takes to improve authentication, the scammers will keep up with innovations of their own.”
Just like what they have done with CAPTCHA.
- Anderson, T. “How Captcha was foiled: Are you a man or a mouse?” The Guardian, 2008. Accessed 16 November 2008. <http://www.guardian.co.uk/technology/2008/aug/28/internet.captcha>
- “Captcha Creator – PHP Script Package.” Captcha Creator, 2007. Accessed 16 November 2008.
- “CAPTCHA: Telling Humans and Computers Apart Automatically.” Carnegie Mellon University. Accessed 16 November 2008.
- “Inaccessibility of CAPTCHA.” W3C Working Group Note, 2005. Accessed 16 November 2008. <http://www.w3.org/TR/turingtest/>