WebApp Sec mailing list archives

Re: Defeating CAPTCHA

From: victor <victor () outblaze com>
Date: Mon, 29 Aug 2005 18:53:43 +0800

I was struck by the CAPTCHA issue a while back too, it happens to methat CAPTCHA reminded me of all these anti-piracy technique that havebeen developed over the past 2 decades. Put this special data intothat sector of the disc so pc-tools can't copy it or install thisspecial cd checker to make sure the cd is not pirated. We all know theresult, finding a crack to all these protection is only a question of when.

I would say CAPTCHA is too a case of trying to fight intelligent withmore intelligent. which is an endless loop with no true winner. And soI wonder maybe a true solution to this abuser protection issue liessomewhere else.

I myself look at the setup this way, all these tool hacker uses dependson one thing to function, the question being presented as part of thesignup/login procedure, because we must make the question presentableonline and friendly enough for humand to process, it is bound to bepossible to come up with some porgram to come up/brute force the answer.

So in another word, the existence of the question itself has made itpossible for hacker to come up with software to defeat the protection.In a way, the solution has itself become the problem, so I am thinkingmaybe instead of trying to improve it. We should look into eliminating it.

I can see some good example out there that is going into thatdirection. Many online banking service are taking advantage of SMS,sending user a passkey where they have to use to login to the service.Or this implementation pay pal has implemented, that debit user'scredit card and ask user to use that sum as some form of passkey as oneof the gentlemen here has pointed out.

These solution are very expensive compare to CAPTCHA but the directionseems to be more reliable and hack-profe. If a better solution toCAPTCHA should be found, this maybe one direction you fellow might wantto consider.


Tor.



robert () webappsec org wrote:

This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95)and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.
http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com



--
<!---------------------------------------------
                          Victor
                          Development Engineer
                          Outblaze Ltd
---------------------------------------------->

Current thread:

Re: Defeating CAPTCHA, (continued)
- - Re: Defeating CAPTCHA Mark Burnett (Aug 25)
    - Re: Defeating CAPTCHA Chris Shiflett (Aug 25)
    - Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
    - Re: Defeating CAPTCHA Andrew van der Stock (Aug 25)
  - Re: Defeating CAPTCHA Stephen de Vries (Aug 25)
    - RE: Defeating CAPTCHA Glenn Euloth (Aug 26)
    - Re: Defeating CAPTCHA Christopher Kunz (Aug 31)
- Re: Defeating CAPTCHA Subs (Aug 26)
  - Re: Defeating CAPTCHA Michal Zalewski (Aug 26)
- Re: Defeating CAPTCHA Paul M. (Aug 26)
- Re: Defeating CAPTCHA victor (Aug 29)
  - RE: [WEB SECURITY] Re: Defeating CAPTCHA Marian Ion (Aug 29)
- RE: Defeating CAPTCHA Derick Anderson (Aug 26)
  - Re: Defeating CAPTCHA Devdas Bhagat (Aug 28)
- RE: Defeating CAPTCHA Derick Anderson (Aug 29)
  - RE: Defeating CAPTCHA wilsonc (Aug 29)
  - Re: Defeating CAPTCHA Devdas Bhagat (Sep 05)
- RE: Defeating CAPTCHA Derick Anderson (Sep 06)