[WEB SECURITY] Fake Captcha Protection

Jeremiah Grossman jeremiah at whitehatsec.com
Wed Apr 30 12:14:10 EDT 2008


On Apr 29, 2008, at 7:50 PM, Bil Corry wrote:

> Bryan Sullivan wrote on 4/29/2008 7:21 PM:
>> I like Jeremiah’s CAPTCHA effectiveness criteria – is this what  
>> you were trying to find?
>> http://jeremiahgrossman.blogspot.com/2006/09/captcha-effectiveness-test.html
>
> Should Jeremiah's CAPTCHA ever be invented, it will simply drive  
> more business to India:
>
> -----
> Cyber criminals are employing sweatshops in India for as little as  
> $4 a day to defeat anti-spam security checks, according to a recent  
> analysis by net security firm Trend Micro. It reckons miscreants  
> prefer to hire cheap labour rather than using automated techniques  
> to defeat CAPTCHAs - that are only effective 30-35 per cent of the  
> time - or malware-based approaches.
>
> <http://www.theregister.co.uk/2008/04/10/web_mail_throttled/>
> -----
>
> Google has a couple of interesting patents that can infer a user's  
> "ethnicity, reading level, age, sex and income":
>
> <http://yro.slashdot.org/article.pl?sid=08/03/22/1314253>
>
> I wonder if the technology can be extended to infer if the user is  
> a bot or from a sweatshop in India?


That's funny, I never thought of it that way. The test was not meant
as a pass/fail for CAPTCHA systems, but, as the name implies, a way
to measure their effectiveness at detecting humans from bots. No
CAPTCHA system I've seen hits every mark perfectly, but that's OK.
Should a really good CAPTCHA system force attackers to leverage
humans to defeat it (as opposed to technology) then it's done its job,
only that the problem has now moved to something else.

For high value targets, we might consider something out of band like  
SMS, email, or some other creative ideas to drive up the $4 cost you  
mention.

Regards,

Jeremiah-


