Fixing the CAPTCHA: turning jumbled words into a game

CAPTCHAs, or those jumbled words you have to enter to prove you’re a human on websites, suck. They detract from a website’s flow, and as security researchers at Imperva have found, they’re actually easily overcome by spammers. But some CAPTCHA creators are coming up with ways to make it harder for spammers, and more fun for the regular humans out there.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHAs are often used on websites that are attractive to spammers, such as forums, social networks, and commenting mechanisms. They work by presenting a word that is purposefully difficult to read, served on a noisy background. Because they are difficult, many website owners see them as a disruption to the flow of their user experience. Even so, they are often necessary to protect the site from spam messages, which often do more damage.

Imperva points out in its recent study on CAPTCHAs [PDF] that there are a couple of different ways cyber criminals can beat the system. First off, they can write “pattern recognition algorithms” that can break CAPTCHAs without the aid of humans. “PWNtcha” and “CAPTCHA Sniper” are two of these programs that together can break over 60 different CAPTCHA programs. But spammers are also using humans to solve individual CAPTCHAs for them. Indeed, entire businesses are now being run as CAPTCHA solving services. These “employees” of the hackers are paid based on their speed and accuracy in figuring out CAPTCHAs.

But if a hacker doesn’t want to pay, they can use a pornographic CAPTCHA solver, where people are shown a nude image for every CAPTCHA they get correct.

“Human-based CAPTCHA solving services pose a serious threat to Web security and challenge the whole concept of CAPTCHAs. They were originally intended to distinguish humans from computers, but now automated software is using actual humans to cheat the test and pass as humans. This challenges even the most innovative efforts,” said Imperva in its study.

But there are some innovative efforts. Imperva says that CAPTCHAs, in order to be more user-friendly while remaining just as hard for a computer to unlock, should be delivered in the form of games. One company is creating CAPTCHAs that ask you to move various facial features (such as eyes, noses, and ears) to the right places on a face (see: above, right). Another prompts you with images that are each assigned a letter (see: left). This CAPTCHA requests that you enter the correct letter for the given images in a certain order.

Imperva also suggests we start serving CAPTCHAs only when a user’s behavior is abnormal. Identifying humans based on their activity, and serving the CAPTCHA only as a just-in-case, could also be an effective and less disruptive way to prove you are a human.
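One way a site could implement that “only when behavior is abnormal” idea is a small risk gate in front of the comment form: the CAPTCHA is served only when behavioral signals (posting rate from one address, time between form load and submit, a filled-in hidden honeypot field, earlier failed challenges) add up. This is an added illustration written for this article, not Imperva’s code or any vendor’s product; the signals, thresholds and sample submissions are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed thresholds; a real deployment tunes these against its own traffic.
WINDOW_SECONDS = 60          # sliding window for the per-address posting rate
MAX_POSTS_PER_WINDOW = 5     # more than this from one address looks automated
MIN_FILL_SECONDS = 2.0       # people rarely load and submit a form in under 2 s
CHALLENGE_THRESHOLD = 2      # risk score at which a CAPTCHA is served


@dataclass
class Submission:
    ip: str
    ts: float               # unix time the form was submitted
    form_loaded_ts: float   # unix time the form was served to this client
    honeypot: str           # hidden field a human never sees or fills in
    failed_captchas: int    # prior failed challenges in this session


class RiskGate:
    """Decide per submission whether to serve a CAPTCHA, from behavior alone."""

    def __init__(self):
        self._recent = defaultdict(deque)   # ip -> timestamps inside the window

    def _rate(self, ip, now):
        q = self._recent[ip]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop timestamps outside window
            q.popleft()
        return len(q)

    def score(self, s: Submission) -> int:
        score = 0
        if self._rate(s.ip, s.ts) > MAX_POSTS_PER_WINDOW:
            score += 2                               # bursty posting from one address
        if s.ts - s.form_loaded_ts < MIN_FILL_SECONDS:
            score += 1                               # submitted faster than a person types
        if s.honeypot:
            score += 3                               # hidden field filled: almost surely a bot
        score += s.failed_captchas                   # each earlier failure raises suspicion
        return score

    def needs_captcha(self, s: Submission) -> bool:
        """True when the challenge should be shown; False lets the post through."""
        return self.score(s) >= CHALLENGE_THRESHOLD
```

Note that `score()` records the submission in the rate window, so each submission should be scored exactly once.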

Inevitably, however, there will still be those humans who will happily fill out CAPTCHA prompts for a glimpse at some boobs — a problem that is bound to plague CAPTCHA users forever.

