WebApp Sec mailing list archives
Re: Defeating CAPTCHA
From: victor <victor () outblaze com>
Date: Mon, 29 Aug 2005 18:53:43 +0800
I was struck by the CAPTCHA issue a while back too, it happens to me that CAPTCHA reminded me of all these anti-piracy technique that have been developed over the past 2 decades. Put this special data into that sector of the disc so pc-tools can't copy it or install this special cd checker to make sure the cd is not pirated. We all know the result, finding a crack to all these protection is only a question of when.
I would say CAPTCHA is too a case of trying to fight intelligent with more intelligent. which is an endless loop with no true winner. And so I wonder maybe a true solution to this abuser protection issue lies somewhere else.
I myself look at the setup this way, all these tool hacker uses depends on one thing to function, the question being presented as part of the signup/login procedure, because we must make the question presentable online and friendly enough for humand to process, it is bound to be possible to come up with some porgram to come up/brute force the answer.
So in another word, the existence of the question itself has made it possible for hacker to come up with software to defeat the protection. In a way, the solution has itself become the problem, so I am thinking maybe instead of trying to improve it. We should look into eliminating it.
I can see some good example out there that is going into that direction. Many online banking service are taking advantage of SMS, sending user a passkey where they have to use to login to the service. Or this implementation pay pal has implemented, that debit user's credit card and ask user to use that sum as some form of passkey as one of the gentlemen here has pointed out.
These solution are very expensive compare to CAPTCHA but the direction seems to be more reliable and hack-profe. If a better solution to CAPTCHA should be found, this maybe one direction you fellow might want to consider.
Tor. robert () webappsec org wrote:
This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.http://sam.zoy.org/pwntcha/ - Robert robert_at_webappsec.org http://www.cgisecurity.com
-- <!--------------------------------------------- Victor Development Engineer Outblaze Ltd ---------------------------------------------->
Current thread:
- Re: Defeating CAPTCHA, (continued)
- Re: Defeating CAPTCHA Mark Burnett (Aug 25)
- Re: Defeating CAPTCHA Chris Shiflett (Aug 25)
- Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
- Re: Defeating CAPTCHA Andrew van der Stock (Aug 25)
- Re: Defeating CAPTCHA Mark Burnett (Aug 25)
- Re: Defeating CAPTCHA Stephen de Vries (Aug 25)
- RE: Defeating CAPTCHA Glenn Euloth (Aug 26)
- Re: Defeating CAPTCHA Christopher Kunz (Aug 31)
- Re: Defeating CAPTCHA Michal Zalewski (Aug 26)
- RE: [WEB SECURITY] Re: Defeating CAPTCHA Marian Ion (Aug 29)
- Re: Defeating CAPTCHA Devdas Bhagat (Aug 28)
- RE: Defeating CAPTCHA wilsonc (Aug 29)
- Re: Defeating CAPTCHA Devdas Bhagat (Sep 05)