bestkungfu weblog

CAPTCHA is dead

Filed in: accessibility, tech, Web, Sun, Nov 20 2005 21:05 PT

As if you needed more evidence from me that CAPTCHA is a bad idea, here’s some more: Amazon has just made automated Turing tests obsolete.

Witness Mechanical Turk, which creates an open market for humans to solve tasks which are “extraordinarily difficult for computers, but simple for humans to answer.” Sound familiar? It was already a known fact that spammers had used cash (not to mention porn) as an incentive to get people to solve CAPTCHAs. Mechanical Turk now disintermediates the spammer-to-solver equation.

I would say that this is a decent way for blind users to get someone to solve a CAPTCHA that is in their way. But I know how things are going to go: spammers will use Mechanical Turk in droves, flooding it with high-value Turing tests. They will load the system with tests, something which will be particularly easy for them to do since it has hooks to Amazon’s Web Services API. They will often masquerade as blind users to attract sympathetic solvers. And they’ll offer the vast majority of the tasks on the site, at low prices, which will threaten the community of solvers unless Amazon gets involved in a serious way to weed them out pre-emptively. In essence, Amazon will have to be able to disqualify CAPTCHA-collectors worldwide, and make it stick, in order to keep solvers coming back, and major Web companies from suing Amazon for contributing to their access-control problems.

In other words, this whole thing, cool as it seems, is doomed from the start. But it’s going to take visual Turing tests along with it. No matter how hard the tests are to solve, Mechanical Turk is a magic bullet for anyone who wants to pay to get past it. It’s not as threatening for bloggers (who shouldn’t be using CAPTCHA anyway, since Bayesian filtering is as effective and less obtrusive) as it is for the Hotmails, Googles and Yahoos of the world, whose resources are worth much more than a ten-cent investment in solving a Turing test. It’s just a much easier method for attacking a weak authentication scheme.

4 Responses to “CAPTCHA is dead”

  1. Chaals says:

    Impressive. Although when I looked the 3-cent rewards on offer didn’t seem likely to justify the effort of reading a task, let alone actually doing it.The service brokering business probably has a way to go before they manage to find tasks that are worth taking on. In another place, maybe the 3 cents is more valuable. But these required physical activity in California, and thus seemed a bit optimistic.

  2. Disintermediation is huge… if somebody finds a way to automatically grab CAPTCHAs and post them on Amazon I could see a fleet of bored schoolkids doing them in class for $0.05 each (or, better yet, people overseas). Sure, it’s just a nickel each, but they add up. The spammer (or whomever) gets completely automated solving of the CAPTCHA for a small price. Of course, the next trick would be to make the location of the CAPTCHA change so that part of the actual test is finding the test…

  3. mhe says:

    See captchasolver.com. It’s an automated captcha solving web service.

  4. Pierre C says:

    The CAPTCHA can remain relevant if it is combined with other hurdles that take TIME. The server should also become suspicious of 1000′s of requests that come from the same client…

Powered by WordPress (RSS 2.0, Atom)