Wednesday, October 03, 2007

DIY CAPTCHA Breaking Service

Given that spammers and phishers are already breaking, bypassing our outsourcing their CAPTCHA breaking needs, the introduction of a DIY (do-it-yourself) model provided confidence in the recognition process is over 80%, was inevitable. The CAPTCHA Bot is a good example of a recently released DIY CAPTCHA breaking service where the users feed their accounts with credits, sets URLs and CAPTCHA's to get recognized. If it were pitched at vendors or anyone out there maintaining a CAPTCHA as a service it would have been a great idea, trouble is, it would be largely abused in its current form. Let's discuss the incentives model. Are developers of CAPTCHAs interested in improving the security of their CAPTCHAs in the form of contests with financial rewards or job propositions for those who dare to break them in a contest form? Not necessarily, and fixing vulnerabilities whenever such appear is done in an "on demand" fashion like we've seen with Vladuz's Ebay CAPTCHA populator. CAPTCHAs at the most popular web services are the gatekeepers of their online reputation, else, the flood of splogs and malware embedded blogs, as well as spam and phishing emails coming from free web based email providers may outpace the current model.