Stanford Study Reveals Captchas Don’t Work

  • November 1, 2011

Captchas are those little images that contain scrambled text and numbers, usually found when registering for web-based services. You have to type the text into a box, assuming you’re able to decipher it, the idea being that only a human could do it, which proves you’re not a spam bot. Of course, the problem is that they fundamentally don’t work. Bad guys have found many ways to get around a lot of these captchas, and a recent study even puts numbers on those results.

The point behind the concept of a captcha is that since the text is shown in an image, a spam bot that is simply accessing the registration form, trying to sign up for thousands of accounts in order to send spam, would not be able to know what the image contains, and thus can’t register. The problem is that image recognition software is fairly advanced. In fact, if those captcha images only showed plain text without any trick to them, they would be trivial for a program to decode. That’s why the text looks so odd: there are lines and shapes in the images, and the letters are distorted. These are all attempts to block image recognition and to ensure that only real people can answer the question. The fundamental flaw is that adding all of these elements to the picture requires a computer program. Of course, if a program can make the image, then a program can decode it as well.

The recent study, conducted by Stanford researchers, created such a program, and broke through 35% to 98% of all captcha systems they found, except for Google’s. They were unable to break the ReCaptcha branded system that Google uses, although it’s still possible that it could be cracked as well.

Of course, spammers use other solutions as well. For example, a few years back, there was a case where people who wanted large numbers of email accounts for spamming purposes would simply set up their own website containing material a lot of people would want to see, such as sexy images, and then ask users to register for an account at their site. As part of the registration process, their own web page would fetch the captcha from a legitimate email provider and show it to the user trying to register. The user would solve the captcha, and the software would then relay the user’s response to the email provider, bypassing the whole process in a sort of human-based captcha solving scam. It’s very ingenious, and only one example of the many things done to bypass captchas.

This isn’t to say that captchas are completely worthless. Of course, a site that uses a good captcha system like ReCaptcha puts up a major barrier to entry for any spammer, and that is a good thing to have. However, it’s good to remember that these systems aren’t fool-proof, and likely never will be.
