Security Response

A CAPTCHA-Solving Service

Created: 28 Sep 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:56:28 GMT
Zulfikar Ramzan

A “CAPTCHA” (completely automated public Turing test to tell computers and humans apart) is one of those puzzles you are sometimes asked to solve when signing up for a free email account or similar services. These puzzles involve distorted images that are sometimes enough to thwart an automated computer program that is trying to sign up for free email accounts, giving it the impression that it is dealing with a human. Well, an "enterprising" human found a clever way to cheaply solve a lot of CAPTCHAs.

His idea was to post a project ad on the site www.getafreelancer.com, to see how much it would cost him to hire someone to solve CAPTCHAs for a 50-hour week. Within a week, he received 58 bids, ranging from $30 to $100 (with the average bid being $57) before the site administrator cancelled the ad. Assuming (very conservatively) that it would take someone 30 seconds, on average, to solve a single CAPTCHA, anyone completing the job would have solved about 6000 CAPTCHAs in a 50-hour week. So, it would have cost our poster about a half a cent per CAPTCHA, for the lowest bidder, and about one and two-thirds cents per CAPTCHA for the highest bidder.

CAPTCHAs have a number of interesting security applications. One of the most well known is in trying to deter spam, by requiring anyone who signs up for a free email account to solve a CAPTCHA. This step prevents automated programs from signing up for an account. Similarly, one might try to use CAPTCHAs in conjunction with email itself, where the recipient might require the sender to solve a CAPTCHA before accepting the email. This idea also applies to other forms of spam, such as trackback or comment spam on blogs. For legitimate, low-volume email senders, this cost is pretty small; but, it might shift the economic threshold for spammers so that their practices are less profitable.

Another interesting application of CAPTCHAs is in making dictionary attacks for guessing passwords harder to accomplish. The idea here is to require someone to solve a CAPTCHA in conjunction with a password guess. This measure would increase the time for password guesses considerably (assuming, of course, that human intervention is necessary in each password guess and that this intervention is actually expensive).

CAPTCHAs might also be used to add an element of security in online polls. It’s not too much to ask a legitimate person to solve a CAPTCHA before he casts his vote. On the other hand, you raise the bar for someone writing an automated vote-casting script in an attempt to stuff the virtual ballot box.

These and many other applications predicate their security on the requirement that CAPTCHAs are expensive to solve, in terms of "human time". But, it’s clear that the economics have changed considerably. It might be too early to tell if mechanisms used to exploit cheap labor to solve CAPTCHAs will amount to much, but it’s certainly an interesting trend.

Further reading:

The CAPTCHA project home page: http://www.captcha.net/