

Why you should never use a CAPTCHA - joshfraser
http://www.onlineaspect.com/2010/07/02/why-you-should-never-use-a-captcha/

======
edanm
My local theater's site allows you to purchase tickets online. However, in the
final ordering form, in which you enter your credit card details, there's a
CAPTCHA.

What are they protecting against? Automated bots sending them more and more
money?

~~~
ktsmith
The price of a single ticket is probably relatively small and so they may be
protecting themselves from chargebacks. It is extremely common for those with
stolen credit cards to test them using small value purchases. If you can find
a site that doesn't rate limit your purchases in any way you can test a lot of
cards at once, determine which cards are valid/active, and saddle the merchant
account holder with tons of chargebacks and their associated fees.

~~~
edanm
I'd be very surprised to learn it was this complicated, but this is a very
interesting take on it.

Do people tend to have such a bulk of credit cards/credit card numbers that
they'd test them in such a fashion? And also, wouldn't it be very risky
(detection/police wise)?

~~~
ktsmith
I can't speak to anything but my own experience. Having helped on a few
ecommerce sites for very small merchants, the amount of fraudulent purchases
that came through was staggering. One of those companies has been open for
about six months now and is only breaking even in large part due to the
expense of dealing with chargebacks. What they have observed is that a
significant number of cards were tested through what appears to have been a
rented botnet. Those went away with the addition of a captcha. The remaining
fraud that looks like card testing (only purchases of low value items, with
IPs far away from the billing address and similar peculiarities) are often
done from Tor exit nodes.

Small merchants have very little support in this area. Local authorities often
don't care or have the manpower to deal with these types of issues. The banks
and visa/mastercard also don't care since they just force the merchant to eat
the costs and still collect all their fees. It would be very difficult to tie
these transactions back to any one person in most cases as the tester is going
to be using a valid card, valid billing/shipping address. Once they know the
card works they can just have a mule go get a cash advance from an ATM or
start having big ticket items shipped to various places for pickup. Or they
just resell the card info as verified which increases the value significantly.
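The card-testing pattern ktsmith describes (many low-value purchases in a short burst, from an IP far from the billing address) is something a small merchant can detect in its own authorization log without a CAPTCHA. The following is an added example, not code from the thread or from any merchant's system; the log format, the thresholds and the IP/billing country fields are constructed assumptions:

```python
"""Flag card-testing bursts in a constructed authorization log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, client IP,
# amount, card last4, IP geolocation country, billing country.
SAMPLE_LOG = """\
2010-07-02T10:00:01 203.0.113.7 1.00 4242 RO US
2010-07-02T10:00:19 203.0.113.7 1.00 1881 RO US
2010-07-02T10:00:42 203.0.113.7 1.00 0005 RO US
2010-07-02T10:01:03 203.0.113.7 1.00 5100 RO US
2010-07-02T10:01:30 203.0.113.7 1.00 9424 RO US
2010-07-02T10:02:11 203.0.113.7 1.00 7777 RO US
2010-07-02T10:05:00 198.51.100.5 45.00 4444 US US
2010-07-02T10:10:00 192.0.2.9 2.50 1111 US US
2010-07-02T11:15:00 192.0.2.9 2.50 1111 US US
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_LOW_VALUE_ATTEMPTS = 5       # assumed: this many distinct cards in WINDOW is a burst
LOW_VALUE = 5.00                 # assumed cutoff for a "small test purchase"


def parse_log(text):
    """Parse the whitespace-separated log into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, last4, ip_country, bill_country = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "ip": ip,
            "amount": float(amount),
            "last4": last4,
            "ip_country": ip_country,
            "bill_country": bill_country,
        })
    return sorted(records, key=lambda r: r["time"])


def flag_card_testing(records, window=WINDOW,
                      max_attempts=MAX_LOW_VALUE_ATTEMPTS, low_value=LOW_VALUE):
    """Return {ip: [reasons]} for IPs whose low-value attempts look like card testing.

    Only low-value attempts count; a single foreign purchase of normal size
    is not flagged on its own.
    """
    recent = defaultdict(deque)   # ip -> deque of (time, last4) low-value attempts
    reasons = defaultdict(set)
    for r in records:
        if r["amount"] > low_value:
            continue
        # Low-value attempt from an IP geolocated far from the billing address.
        if r["ip_country"] != r["bill_country"]:
            reasons[r["ip"]].add("geo-mismatch")
        q = recent[r["ip"]]
        q.append((r["time"], r["last4"]))
        # Drop attempts that fell out of the sliding window.
        while q and r["time"] - q[0][0] > window:
            q.popleft()
        distinct_cards = len({card for _, card in q})
        if len(q) >= max_attempts and distinct_cards >= max_attempts:
            reasons[r["ip"]].add("velocity")
    return {ip: sorted(rs) for ip, rs in reasons.items()}


if __name__ == "__main__":
    for ip, why in flag_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, why)
```

With the sample log only 203.0.113.7 is flagged (six distinct cards at $1.00 inside three minutes, from an IP whose country does not match the billing country); the two $2.50 purchases an hour apart from 192.0.2.9 stay under the threshold. In practice the velocity counter would also be keyed on device or session rather than IP alone, since the botnet and Tor traffic ktsmith mentions spreads attempts across many addresses.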

------
Jun8
What he doesn't get is this: Yes, they are easy to crack, especially using
crowdsourcing, against which there's no defense. However, that still is a
threshold against automated attacks, however small.

The argument is the same as a free product vs. one that costs 2 cents: having
a price, however small, changes the category. Or, you can think of it this
way: most simple home locks can be picked in less than 30 seconds, but you
still lock your door, although it's a nuisance (find your keys, etc.),
knowing full well that this won't stop a determined attacker.

~~~
joshfraser
great point

------
nollidge
Site's down for me. Here's the text-only Google cache:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://www.onlineaspect.com/2010/07/02/why-you-should-never-use-a-captcha/&hl=en&strip=1)

~~~
joshfraser
sorry, my server is having memory issues. i'm looking into it now.

------
waivej
OK, I like the idea to use a "hidden" captcha to block automated spam bots.
However, I don't think a hidden blank field is enough.

Maybe you could use javascript to set a value in that hidden field. Or make
sure the client loaded the empty form page first?

Anyone have better tests?

~~~
pavel_lishin
For any programmatic way of checking to see if the user is a human, without
them interacting with the system, there's a programmatic way of faking it.

~~~
dennisgorelik
If you not only block the problematic comment, but also block the abusing IP
address for the next couple of months, it would be pretty hard to figure out
what exactly your anti-abuse system checks for. Especially if your system
checks for several red flags.
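waivej's two suggestions (a hidden field no human fills in, and proof that the client loaded the blank form first) can be combined into one server-side check. The following is an added example, not code from the thread or from the article; the field names `website` and `form_token`, the secret, and the timing thresholds are assumptions. The "loaded the form first" check is implemented here as an HMAC-signed issue timestamp embedded in the form, which is one way to do it rather than the only one:

```python
"""Honeypot field plus signed form-age token (added example)."""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret-rotate-me"  # assumed; load from config in practice
MIN_FILL_SECONDS = 3      # assumed: a human needs at least this long to fill the form
MAX_TOKEN_AGE = 3600      # assumed: a token older than this is stale


def issue_form_token(now=None, secret=SECRET):
    """Create the hidden token to embed when the blank form is served.

    The token is "<issued-unix-time>.<hmac>" so the server can later verify
    both that it issued the token and when.
    """
    issued = int(now if now is not None else time.time())
    mac = hmac.new(secret, str(issued).encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def check_submission(form, now=None, secret=SECRET):
    """Return (accepted, reason) for a posted form dict.

    `website` is the honeypot: hidden by CSS, so a browser user leaves it
    empty while a form-filling bot tends to populate every field it sees.
    `form_token` is the value issued by issue_form_token().
    """
    now = now if now is not None else time.time()

    # 1. Honeypot: any content in the hidden field means a non-human filler.
    if form.get("website", ""):
        return False, "honeypot filled"

    # 2. Token must be present, well-formed and carry a valid signature.
    token = form.get("form_token", "")
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False, "missing or malformed token"
    expected = hmac.new(secret, issued_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token signature invalid"

    # 3. Timing: the blank form must have been fetched a plausible time ago.
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_TOKEN_AGE:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token()
    print(check_submission({"form_token": token, "website": ""}, now=time.time() + 10))
```

Note that this only raises the bar in the way pavel_lishin describes: a bot that fetches the form, waits three seconds and leaves the honeypot empty passes, and a token can be replayed until it expires unless the server also records tokens it has already accepted. That is why dennisgorelik's point about combining several red flags, and not revealing which one fired, matters more than any single check.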

------
Jach
I've used something like: _Please join these two "words" together (without
spaces): hitgzwhv and iprmagfg_ A little copy pasting required, but I
discovered an older simple math one was vulnerable. Also changing the comment
submission link seemed to have helped on its own.

What I don't believe in is a captcha after the registration process. But in
any case, wouldn't the idealized solution be a Bayesian spam filter? Is there
an open source well-trained one out there that's easy to bolt onto anything?

~~~
vicaya
The strength of Bayesian filters is that they tailor to individuals, i.e.,
everyone can have a different model. An open source "well-trained" one is
trivial to subvert.

------
sliverstorm
They are like 5 seconds of annoyance. I fill them out all the time, and I
still don't particularly care. (perhaps because when it's a recaptcha, I am
too busy gleefully wondering which word is the test and which is the text)

If I wrote this article, it would go...

Why you should never use CAPTCHA:

Because reCAPTCHA exists. You should be using that instead.

~~~
dennisgorelik
Why use reCAPTCHA if there are plenty of less obtrusive alternatives?
[http://postjobfree.blogspot.com/2009/06/postjobfree-automode...](http://postjobfree.blogspot.com/2009/06/postjobfree-automoderator.html)

~~~
pavel_lishin
I like how that post had absolutely no relevant information, except for some
vague description of an apparently in house alternative.

------
jamesshamenski
It is funny that we are still using these old systems in CAPTCHA and
reCAPTCHA.

This week, NuCaptcha launched a video captcha offering. They have solved the
readability and sweat labor issues that have come about. It's a true security
offering that also improves input accuracy to 99%.

<http://Nucaptcha.com>

Disclosure: I've advised with NuCaptcha on a pro bono basis.

~~~
Groxx
That's an interesting technique, but it seems like the human-detection is
based more around it being a flash-based solution than any sort of
obfuscation. e.g., if the text is always red, and always the same font
(judging from the examples only), a screen capture of this would be _far_
easier to decode than a regular captcha™. A flash-running bot should have a
pretty easy time breaking it.

Granted, the current state of the captchas™ is kinda bad.

~~~
snissn
sigh.

you don't even appear to need flash, the swf apparently just downloads an mp4
that's actually just a concatenation of flash params exposed in the initial
page request. from there one would be able to crack the captcha even easier by
using the fact that the captcha persists across many frames of the video in
various orientations/perturbations (the first character is touching the second
character on top for half the video and then on the bottom for the other half,
or so for example)

gasp, in addition to the mp4 there's a completely different gif served with
each request (To offer support for those without flash installed, of course!)
that would provide even more data for figuring out the three red letters that
persist across most frames of both animations...... :(

edit--the three combinations of letters(captcha solution) across the mp4
version, the gif and the mp3 appeared to all be different

voice recognition against the mp3 would be fun

------
pavel_lishin
That sliding solution is great if you don't care about accessibility, but then
I suppose visual-only captchas don't really work very well for the blind,
either.

Wonder how it works if you have javascript disabled, or are using a text-only
browser, or have NoScript installed.

------
cliffchang
Why not use both anti-spam technology and CAPTCHAs?

~~~
sstrudeau
To quote the article:

"We live in a world where spammers are a real problem and must be addressed,
but CAPTCHAs are not the answer. You simply can not afford the friction. By
using a CAPTCHA you are making the internet a whole lot less fun for all of
us."

