New study finds CAPTCHAs easy to defeat


A new report from security firm Imperva once again confirms what many already know: The use of CAPTCHAs is no longer an effective way to deter spammers. Invented to stymie spammers by forcing them to identify letters in an image and spell them out, CAPTCHAs are designed on the assumption that humans would have an easier time recognizing textual content in a "noisy" image than a computer.

The June issue of Imperva's Hacker Intelligence Initiative report (.pdf), however, shoots down that notion. The comprehensive 12-page report explores a number of CAPTCHA-solving products that offer 27 percent to 100 percent success rates--and work across CAPTCHA implementations from dozens of vendors. This is done using a mixture of optical character recognition and machine learning technologies. Another popular method to defeat CAPTCHAs involves outsourcing them to real human beings. Indeed, such services are often advertised online at attractive rates.

As noted by the report, this often becomes an arms race where CAPTCHAs keep getting tougher--which could result in them becoming too difficult for humans. Ultimately, it is evident that CAPTCHA is not a silver bullet against automation. As such, Imperva recommends that businesses "minimize the number of CAPTCHA challenges that legitimate users encounter." This can be done by presenting a CAPTCHA only when a user exhibits "suspicious behavior," as detected by automation detection mechanisms.
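To make that recommendation concrete, here is an added sketch (not code from Imperva or its report) of a gate that shows a CAPTCHA only once a client's behavior looks automated. The signals, thresholds and names (`CaptchaGate`, `should_challenge`, `replay`) are assumptions chosen for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds (illustrative, not taken from the Imperva report).
WINDOW_SECONDS = 60        # sliding window for rate counting
MAX_SUBMITS_IN_WINDOW = 5  # more form posts than this looks automated
MIN_FILL_SECONDS = 2.0     # forms submitted faster than this look scripted
SCORE_TO_CHALLENGE = 2     # suspicion score at which a CAPTCHA is shown


class CaptchaGate:
    """Decides per request whether a client should get a CAPTCHA."""

    def __init__(self):
        self._submits = defaultdict(deque)  # client id -> recent submit times

    def should_challenge(self, client_id, now, form_rendered_at, has_cookie):
        recent = self._submits[client_id]
        recent.append(now)
        # Drop timestamps that fell out of the sliding window.
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()

        score = 0
        if len(recent) > MAX_SUBMITS_IN_WINDOW:
            score += 2   # sustained high rate is a strong signal on its own
        if now - form_rendered_at < MIN_FILL_SECONDS:
            score += 1   # form posted almost as soon as it was served
        if not has_cookie:
            score += 1   # client never returned the session cookie we set
        return score >= SCORE_TO_CHALLENGE


def replay(events):
    """Run constructed events through one gate; return the challenge flags."""
    gate = CaptchaGate()
    return [gate.should_challenge(*e) for e in events]


# Constructed sample traffic: (client_id, now, form_rendered_at, has_cookie)
HUMAN = [("u1", 100.0, 80.0, True), ("u1", 400.0, 370.0, True)]
BOT = [("b1", 100.0 + i, 99.9 + i, True) for i in range(8)]

if __name__ == "__main__":
    print("human:", replay(HUMAN))
    print("bot:  ", replay(BOT))
```

The ordinary user in the sample never sees a challenge, while the scripted client is challenged from its sixth rapid submission onward.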

For more:
- download the study, "A CAPTCHA in the Rye" (.pdf)
