
Are you a human? CAPTCHA and the future

by Neil J. Rubenking, 15 Feb 2013

Just about any time you sign up for an online account, you have to prove that you're a human by reading and entering some messed-up text that supposedly couldn't be decoded by a computer. Why? Well, suppose a conman could use a script to instantly create a million Facebook accounts. He could cause a lot of trouble with those before Facebook shut him down. With a million fake email accounts he could send tons of spam. Using a million fake Amazon accounts he could falsely send any product to the apex of popularity or sink it to the "worst ever" category. Clearly it makes sense to limit these accounts to actual humans.

Researchers at Carnegie Mellon University coined the term CAPTCHA to describe techniques for ensuring that online responses come from human beings, not scripts. It stands, sort of, for "Completely Automated Public Turing test to tell Computers and Humans Apart." (Okay, I'll grant that the historical Turing test requires a computer to respond so you can't tell it from a human, but the connection is there).

The most common CAPTCHA systems present text that's obfuscated in some way. The characters may be distorted, rotated, displayed against a confusing background, or muddled in some other way. Humans can still read them, albeit sometimes with difficulty. Scripts and bots can't read them. Or can they?

Plenty of problems

The problem is that there are plenty of ways for scammers to get around this type of CAPTCHA. Optical Character Recognition just keeps getting better. Pre-processing can filter out the "noisy" backgrounds found in standard CAPTCHA images, and more advanced algorithms can undo the distortions. Perhaps a scammer's automated system can only solve one CAPTCHA in four? He can still create a million fake accounts by making, on average, four million attempts, and a site that counts only successful sign-ups will never notice the three failures behind every success.

Alternatively, scammers can rely on human ingenuity. CAPTCHA farms in poor nations pay humans a pittance to solve thousands of CAPTCHAs per hour. Sure, a script that has to wait for human intervention can't run as blindingly fast as a purely code-based script, but it gets the job done.

You may have been enlisted as a grunt in the CAPTCHA-solving army entirely without your knowledge, especially if you enjoy naughty pictures. A tricky system seen several years ago revealed progressively racier striptease images but required the viewer to solve a CAPTCHA for each new, more scantily-clad view.

Worst of all, humans don't always interpret the CAPTCHA text correctly. If a site rejects your entry, do you try again or just go elsewhere? How about on the second rejection, or the third? Sometimes these things can be a real pain.
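The three failure modes above (an OCR bot that guesses right one time in four, a CAPTCHA farm that solves almost everything but at a pace no single person can sustain, and ordinary humans who occasionally mistype) leave different fingerprints in a site's own logs. The following is an added example, not code from the article or from any CAPTCHA vendor: it assumes the site records one event per CAPTCHA submission as (client_id, unix_timestamp, solved), and the thresholds and the sample telemetry are constructed for illustration.

```python
"""Flag clients whose CAPTCHA attempt pattern looks automated.

Added example; not code from the article or from any CAPTCHA vendor.
Assumes the site logs one event per CAPTCHA submission as
(client_id, unix_timestamp, solved). Thresholds are illustrative.
"""
from dataclasses import dataclass

# Constructed telemetry (not real data). Three clients:
#   "human-1": a person who fails once, then succeeds, over five minutes.
#   "ocr-bot": a script that solves one attempt in four and hammers the form.
#   "farm-1" : a script relaying CAPTCHAs to human solvers: near-perfect
#              success, but sustained throughput beyond one person.
EVENTS = (
    [("human-1", 0, False), ("human-1", 40, True), ("human-1", 300, True)]
    # 40 attempts over two minutes; solved only when t is a multiple of 12,
    # i.e. 10 of 40 attempts (25 per cent).
    + [("ocr-bot", t, t % 4 == 0) for t in range(0, 120, 3)]
    # 30 solved CAPTCHAs, one every ten seconds, for roughly five minutes.
    + [("farm-1", 20 + 10 * i, True) for i in range(30)]
)


@dataclass
class ClientStats:
    attempts: int
    solved: int
    first_ts: int
    last_ts: int

    @property
    def fail_ratio(self) -> float:
        return 1.0 - self.solved / self.attempts

    @property
    def attempts_per_minute(self) -> float:
        # A single attempt has no span; treat it as one second to avoid /0.
        span = max(self.last_ts - self.first_ts, 1)
        return self.attempts * 60.0 / span


def summarize(events):
    """Aggregate raw submission events into per-client statistics."""
    stats = {}
    for client, ts, solved in events:
        s = stats.get(client)
        if s is None:
            stats[client] = ClientStats(1, int(solved), ts, ts)
        else:
            s.attempts += 1
            s.solved += int(solved)
            s.first_ts = min(s.first_ts, ts)
            s.last_ts = max(s.last_ts, ts)
    return stats


def flag_clients(events, min_attempts=10, max_fail_ratio=0.5, max_rate=3.0):
    """Return {client_id: [reasons]} for clients that look automated.

    min_attempts  : ignore clients with too little data to judge.
    max_fail_ratio: a guessing solver fails far more often than a person.
    max_rate      : attempts per minute that one human would not sustain.
    All three thresholds are assumptions, not values from the article.
    """
    flags = {}
    for client, s in summarize(events).items():
        if s.attempts < min_attempts:
            continue
        reasons = []
        if s.fail_ratio > max_fail_ratio:
            reasons.append("failure ratio %.2f: OCR-style guessing" % s.fail_ratio)
        if s.attempts_per_minute > max_rate:
            reasons.append("%.1f attempts/min: faster than one person"
                           % s.attempts_per_minute)
        if reasons:
            flags[client] = reasons
    return flags


if __name__ == "__main__":
    for client, reasons in flag_clients(EVENTS).items():
        print(client, "->", "; ".join(reasons))
```

The OCR bot trips both rules (a 75 per cent failure ratio and about twenty attempts a minute), the farm trips only the throughput rule, and the human is never judged because three attempts is not enough evidence. The caveat is the one the article implies: a farm that spreads its traffic across many client identities keeps each one under the rate threshold, so counting attempts per client catches the crude bot but not a patient, distributed operation.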

Alternatives galore

If members of the Fast IDentity Online (FIDO) Alliance succeed in their quest, eventually we won't need any kind of cobbled-together authentication systems like passwords or CAPTCHAs. They aim for an all-inclusive web of authentication with standardised global compatibility. With membership including such heavy hitters as PayPal and Lenovo, this is a serious group. Alas, the alliance is just forming; they don't have any results for us yet.

"Would you like to play a game?" A computer once asked that in the movies, but in real life it's tough for a bot to get playful. The PlayThru authentication module from Are You A Human displays a very, very simple game, which is different each time. For example, it might display a number of floating objects and ask you to put only the tools in the toolbox, or put toppings on a pizza. Win the game and you've authenticated yourself as human.

Minteye's offering combines a CAPTCHA replacement with built-in advertising. It displays an image that's been distorted by swirling it around the centre, along with a slider that adjusts the degree of swirl. When you click the button with the slider at the zero-spot where the distortion is gone, you've solved it – and the non-distorted image is revealed as an advertisement. Alas, Google results for this one are dominated by reports on how easily it can be hacked.

Deciphering and entering the grubby text from a standard CAPTCHA can be a tough task on your desktop, but it's twice as bad on a mobile device. First you zoom in far enough to read the darn thing, then you finger-type it as best you can. It's just plain awkward. Confident Technologies offers an image-based CAPTCHA system that's designed specifically for mobile devices (but works fine on desktops). It displays a grid of images along with a series of commands. A bot might be able to read "Click the beverage", but it'd be hard-pressed to decide which picture represents something drinkable.

These three are among the more prominent alternatives, but many other developers are working to solve the problem of separating humans from bots without annoying the humans.

Look to the Future

In a perfect world, we'd each boast a unique electronic identity that would be impossible to forge and accepted by every app, website, and coffee shop. Who knows, maybe the FIDO Alliance will bring about that dream. For now, we identify ourselves with passwords (strong ones, of course) and prove we're not robots by solving CAPTCHAs or equivalents. I'm really looking forward to the day we can forget all about them.
