Are you sure you're not a robot?
Captchas, those fun little letter-guessing mini-games that have become ubiquitous throughout the anti-robot web, are not as robot-proof as you might think. A team of Stanford researchers created a tool called DeCaptcha that uses algorithms to reconstruct the letters and numbers in a Captcha into a computer-readable form. While success rates vary from implementation to implementation (25% for Wikipedia, 70% for Visa), Elie Bursztein, a researcher on the team, claims that if even 1% of the Captchas are breakable, the whole system needs to be thrown out.
According to Bursztein, Captchas (which stands for "Completely Automated Public Turing Test to tell Computers and Humans Apart") aren't nearly as secure as the computing public thinks they are. "Most Captchas are designed without proper testing and no usability testing. We hope our work will push people to be more rigorous in their approach in Captcha design."
Blizzard, when approached on the subject, countered that Captchas were never meant to be the ultimate security tool against bots. While the vulnerabilities exposed by the Stanford team are serious and will hopefully be investigated in due course, there is no one security barrier that will protect against every threat. Captchas, along with complex password rules, email verification and a slew of other known and unknown security processes running in the background, create a flexible and layered security system that is able to mitigate as many threats as possible. Captcha is only one tool in many websites' security arsenals, so don't stop using Visa or Blizzard because Captcha isn't perfect.