CAPTCHA and Modern Attacking Ways

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", which is a widely used technology in popular(high traffic) online web services(for example, webmail, ebusiness order confirmation etc) to prevent automatic and abusive client access.

But recently, there are many reports that said CAPTCHA systems of those Internet service providers were cracked and abused by spammers to send huge amount of advertisement junks. So what's the problem of today's CAPTCHA systems?

Traditional CAPTCHA cracking uses OCR techniques to automatically recognize those wired char/text in photos. But the most successful cases use alternative ways that may not be so core-tech related. Security experts call them as Social Engineering, in which people are engaged to do those things that are hard for computer algorithms/softwares.

Under the concept of Social Engineering, there are two concrete methods:
1. Leverage unaware users' efforts of 3rd part service
2. Delegate to people with awareness, the "Mechanical Turk" way

The basic idea of the first method is to redirect CAPTCHA challenges to users of another web service, and use the response results to serve the original web site's CAPTCHA system. Detailed process is described in this article in detail.

The article summarized this method as:
Although it is possible to identify the difference between a computer and a human, there may yet be a challenge in verifying that a given human response is from the intended human.

(from McAfee)

Other case studies of this kind of cracking can be found here and here.

The other social engineering cracking method is reported in this article. It says that:
Spammers are using a variety of techniques to accomplish this. Some of their success is due to their use of "mechanical turks", people who either directly or indirectly create accounts traded online.

Mechanical Turks is an interesting concept which uses manpower to drive some mechanic/automatic services behind the scene. Amazon push this concept into Internet as one of their web services - Amazon MTurk.

This concept is enlarged and advocated as CrowdSourcing by Jeff Howe in the June, 2006 Issue of Wired magazine. The advocators described it as a great way to divide and dispatch tasks to large amount of individual workers to achieve great results in end user's perspective - very similar to what we had done in distributed computing domain.

Turn back to our topic. Due to those fatal defects that exist in today's CAPTCHA systems, some people begin to think CAPTCHA may be not so useful and trustworthy. But CAPTCHA researchers continue their efforts in this field and here is a recent report on this. But in this article, I didn't see how they were going to solve the social engineering problems we described above.

Since manpower is invovled in social engineering, the cost(money) is much higher than compuer software. So the state of today's CAPTCHA system is that, cracking is possible in technical perspective, but it may not be feasible in practice due to huge cost.

No comments: