
The Captcha Challenge

Thursday, November 1, 2007 at 2:02pm by Tad Heppner

Many websites utilize a challenge-response mechanism known as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to protect against automated creation of user accounts or content, and against other automated abuse of the services they provide.


Most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer OCR (optical character recognition) or other image recognition systems.

Enter Social Engineering. Although a CAPTCHA may be fairly effective at verifying that a reply comes from a human and not a computer, it does not guarantee that the reply comes from the human for whom the challenge was intended.

Example…

  1. Website A hosts a service protected by CAPTCHA verification.
  2. Website B is set up by a party desiring to automate usage of the services of Website A.
  3. Website B offers users free access to content, but requires they defeat a CAPTCHA challenge.
  4. Website B copies a CAPTCHA image from Website A that it needs defeated and presents it to a user visiting Website B.
  5. The user provides the CAPTCHA response.
  6. Website B provides the offered content to the user, and then uses their response to defeat the CAPTCHA test on Website A.

In this way automation residing on Website B can distribute the work of defeating CAPTCHA challenges to many people who are unknowingly providing responses to challenges from Website A. In some ways it is similar to a distributed computing model. Instead of distributing tasks out to computers, however, the idea here is to distribute the CAPTCHA tasks out to humans.
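As an added example (not from the original post), the sketch below models the server-side controls Website A can apply against this relay: each challenge is bound to the session that requested it, expires quickly, can be consumed only once, and issuance is rate-limited per session. Session ids, answers and the clock are constructed; the `relay_scenario` function models Website B and shows the limit of these controls: an answer relayed quickly from the same session still passes, so they raise the cost of the relay rather than eliminate it.

```python
import secrets
import hmac

# Constructed example of Site A's server-side controls; session ids, answers
# and timestamps are made up for illustration.
TTL_SECONDS = 30        # the human on Website B must answer within this window
MAX_PER_SESSION = 3     # challenges one session may pull per TTL window (rate limit)

_pending = {}           # challenge_id -> (answer, session_id, issued_at)
_issued = {}            # session_id -> timestamps of recently issued challenges

def issue_challenge(session_id, answer, now):
    """Site A issues a challenge bound to the session that asked for it.
    `answer` is the text drawn into the image; rendering is out of scope."""
    recent = [t for t in _issued.get(session_id, []) if now - t < TTL_SECONDS]
    if len(recent) >= MAX_PER_SESSION:
        return None                      # one client is pulling too many images
    _issued[session_id] = recent + [now]
    cid = secrets.token_hex(8)
    _pending[cid] = (answer, session_id, now)
    return cid

def verify(cid, session_id, response, now):
    """Consume the challenge; every failure path also burns it."""
    entry = _pending.pop(cid, None)      # single use: a solved token cannot be replayed
    if entry is None:
        return "unknown_or_used"
    answer, bound_session, issued_at = entry
    if session_id != bound_session:
        return "session_mismatch"        # answer came from a session that never saw the image
    if now - issued_at > TTL_SECONDS:
        return "expired"                 # handing the image to a third party takes time
    if not hmac.compare_digest(response.strip().lower(), answer.lower()):
        return "wrong_answer"
    return "ok"

def relay_scenario(delay_seconds):
    """Model Website B: its bot pulls a challenge from Site A, a visitor to B
    solves it after `delay_seconds`, and B's bot submits that answer twice."""
    t0 = 1000.0                          # constructed clock
    cid = issue_challenge("bot-session", "k7xq2", t0)
    human_answer = "k7xq2"               # the visitor to Website B reads the image correctly
    first = verify(cid, "bot-session", human_answer, t0 + delay_seconds)
    replay = verify(cid, "bot-session", human_answer, t0 + delay_seconds)
    return first, replay
```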

This method was used by spammers in 1994 to defeat a Turing-test-based spam protection mechanism in Microsoft’s Hotmail service. The spammers promoted a Web site containing pornography and required visitors to enter a CAPTCHA before they were granted access. The CAPTCHAs used to access the porn site were originally generated by the Hotmail service. The CAPTCHA solutions entered by visitors to the porn site were then used by the spammers to solve the CAPTCHA challenges in Hotmail, allowing them to automate the creation of new accounts for sending spam.

More recently, trojans such as Captchar have been utilizing this method as well.

Although it is possible to tell a computer from a human, verifying that a given human response comes from the intended human remains a challenge.
