CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”), the technology that prevents or limits spammers from growing their networks of free, throw-away spam accounts, has been successfully cracked on Google’s Gmail registration system. CAPTCHAs have been considered near impossible to crack because of the varying characteristics of the images displayed, yet this is now the second compromise of the technology in about one month.
[UPDATE: THREE CRACKED CAPTCHAS, ONE MONTH: It was also discovered that Yahoo’s CAPTCHA was cracked, too, around the same time as Microsoft’s, by Russian hackers. Read more @ 0x0.]
Last month, Microsoft’s Live (“Hotmail”) CAPTCHA service was effectively cracked with a 33% success ratio (1/3). While 33% doesn’t sound like much, when a spammer can generate hundreds or even thousands of accounts it can be quite lucrative and beneficial for them. Websense disclosed the details of this compromise with live (but censored) examples, showing there is potentially a big problem yet to be resolved.
Allegedly, the same group that cracked the Microsoft CAPTCHA has cracked Gmail’s too, with a similar success rate (20%). This should come as no surprise, since the technology is usually discussed only in broad examples, and best practices are very rarely shared among providers because each provider treats its algorithms as its own Internet secret sauce these days.
This raises a larger challenge for networks to address: how to effectively prevent automated registrations by spam bots?
That’s not a question I can faithfully answer; however, I’d like to share a few suggestions:
- CAPTCHAs should only be seen as one obstacle, not a complete solution against abuse.

  One misconception, for the past several years, is that there can be an all-in-one solution to address abuse. This isn’t the ’90s; spammers and botnet owners have become more sophisticated in their attacks. A CAPTCHA should be one of several obstacles in registration that prevent spammers from registering while still providing value for legitimate subscribers.

- Account-based heuristics should be used to identify fraudulent accounts and restrict their usage.

  In the same fashion that modern anti-virus software observes software’s behavior, the server should monitor, aggregate and train an account-heuristics anti-fraud program. This should be more than just watching how many e-mails they send or how many friends they add; instead, compare the behavior of a new account (e.g. < 90 days) to the average user’s behavior in logging into the service, the rate between actions, failed password attempts, etc.

- All newly created accounts on a service should have limited access, and as they gradually “behave” like normal accounts they should be granted higher rate limits.

  There is no legitimate need for a newer account to mass-mail a large group of people. There is also no legitimate reason for adding hundreds of friends right after registration. These just aren’t realistic, and this type of activity should sound a large pulse on the anti-fraud radar.

- Heavy-handed enforcement for spam.

  Stop playing games! Defend your network, even if it means some casualties along the way. Blacklist IPs, block proxies, perform RDNS verification on all connection attempts, and rate limit outgoing activity as if you were charged by the byte. Terminate accounts willfully. For the sake of customer service, provide methods for a person to appeal their termination that can’t be truly automated (calling a phone number that documents ANIs, or postal mail, for example).
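To make the account-heuristics and tiered-rate-limit suggestions above concrete, here is an added example of a server-side scorer (my own illustration, not code from any of the providers mentioned). It compares a new account’s per-day activity against a baseline of established accounts, computes a risk score from how far each metric exceeds that baseline, assigns a tier (probation / standard / trusted) from age and score, and enforces the tier’s outbound limits at send time. The baseline rates, the 10.0 flag threshold, the tier limits and the two sample accounts are all constructed placeholder values, not measured data; the 90-day window is the one the post itself uses.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative baseline of an established account's average daily behaviour.
# These are constructed placeholder numbers, not measured from any real service.
BASELINE = {
    "logins_per_day": 2.0,
    "messages_per_day": 5.0,
    "recipients_per_message": 1.5,
    "friend_adds_per_day": 1.0,
    "failed_logins_per_day": 0.2,
}
NEW_ACCOUNT_DAYS = 90      # the post's "new account" window
FLAG_THRESHOLD = 10.0      # assumed cut-off for sending an account to human review

# Tiered limits (assumed values): accounts start in probation and are promoted
# over time as long as their behaviour stays near the baseline.
TIERS = {
    "probation": {"max_messages_per_day": 20,   "max_recipients": 5},
    "standard":  {"max_messages_per_day": 200,  "max_recipients": 25},
    "trusted":   {"max_messages_per_day": 2000, "max_recipients": 100},
}

@dataclass
class Account:
    user: str
    created: datetime
    # (timestamp, kind, value): kind is login / failed_login / message / friend_add;
    # value is the recipient count for a message, friends added for friend_add, else 1
    events: list = field(default_factory=list)

def account_age_days(account, now):
    return (now - account.created).total_seconds() / 86400.0

def observed_rates(account, now):
    """Per-day rates for the account. Ages under a day count as one day so a
    two-hour-old account spraying mail is not divided by a tiny number."""
    days = max(account_age_days(account, now), 1.0)
    ev = account.events
    msgs = [v for _, k, v in ev if k == "message"]
    return {
        "logins_per_day": sum(1 for _, k, _ in ev if k == "login") / days,
        "messages_per_day": len(msgs) / days,
        "recipients_per_message": sum(msgs) / len(msgs) if msgs else 0.0,
        "friend_adds_per_day": sum(v for _, k, v in ev if k == "friend_add") / days,
        "failed_logins_per_day": sum(1 for _, k, _ in ev if k == "failed_login") / days,
    }

def risk_score(account, now):
    """Sum over metrics of (observed / baseline - 1); metrics at or below
    the baseline contribute nothing, so an ordinary user scores near zero."""
    rates = observed_rates(account, now)
    return sum(max(0.0, rates[m] / BASELINE[m] - 1.0) for m in BASELINE)

def assign_tier(account, now):
    """Map age and risk score to a tier. A flagged account drops to probation
    regardless of age and is queued for human review."""
    age = account_age_days(account, now)
    score = risk_score(account, now)
    flagged = score >= FLAG_THRESHOLD
    if flagged or age < 7:
        tier = "probation"
    elif age < NEW_ACCOUNT_DAYS:
        tier = "standard"
    else:
        tier = "trusted"
    return {"tier": tier, "score": round(score, 2), "flagged": flagged}

def allow_send(account, recipient_count, now):
    """Enforce the tier's outbound limits at send time."""
    limits = TIERS[assign_tier(account, now)["tier"]]
    sent_last_day = sum(1 for ts, k, _ in account.events
                        if k == "message" and now - ts <= timedelta(days=1))
    return (recipient_count <= limits["max_recipients"]
            and sent_last_day < limits["max_messages_per_day"])

def build_sample_accounts(now):
    """Two constructed accounts: a 30-day-old ordinary user and a two-hour-old
    account behaving like a freshly registered spam bot (sample data, not telemetry)."""
    legit = Account("alice", created=now - timedelta(days=30))
    for d in range(30):
        ts = now - timedelta(days=d, hours=1)
        legit.events += [(ts, "login", 1), (ts, "login", 1)]          # 2 logins/day
        legit.events += [(ts, "message", 1 + (i % 2))                  # 3 messages/day,
                         for i in range(3 * d, 3 * d + 3)]             # 1 or 2 recipients
        if d % 2 == 0:
            legit.events.append((ts, "friend_add", 1))                 # one friend every 2 days
        if d % 10 == 0:
            legit.events.append((ts, "failed_login", 1))               # occasional typo
    bot = Account("bot0001", created=now - timedelta(hours=2))
    ts = now - timedelta(minutes=90)
    bot.events.append((ts, "login", 1))
    bot.events += [(ts, "message", 50) for _ in range(40)]             # 40 mails x 50 recipients
    bot.events.append((ts, "friend_add", 300))                         # 300 friends at once
    return legit, bot

NOW = datetime(2008, 4, 15, 12, 0, 0)   # fixed clock so the sample is reproducible

if __name__ == "__main__":
    for acct in build_sample_accounts(NOW):
        print(acct.user, assign_tier(acct, NOW), "send to 3 allowed:", allow_send(acct, 3, NOW))
```

With these numbers the 30-day-old user scores 0.0 and lands in the standard tier, while the two-hour-old account scores in the hundreds (driven almost entirely by recipients per message and friend adds), is flagged, and is held at probation limits, so its 41st message of the hour is refused. The useful design point is that the score is relative to a baseline the service measures for itself rather than a fixed count, and that the same scorer both promotes accounts over time and demotes any account, however old, whose behaviour jumps.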
What do you think about this?
What’s the best solution to preventing cracked CAPTCHAs? Sound off in the comments below!