Unlocking the CAPTCHA code
Most of you reading this will have come across the so-called CAPTCHA code, those hideously ugly graphics of words or numbers that you have to type into a box when filling in a feedback form or registering for a web service. They are designed to defeat the automated tools used by spammers, but do they work? Not according to researchers from Stanford University, who say that the vast majority of text-based anti-spam measures are easily defeated.
The contrived term CAPTCHA was coined back in the year 2000 to mean "Completely Automated Public Test to tell Humans and Computers Apart". It was a response to a growing web problem. Sites encouraged people to post comments to news stories, take part in discussion forums, or sign up for webmail accounts, but the spammers saw this as an opportunity to write programs which would perform these actions automatically. This meant that spammers could post their spamvertizing messages to thousands of web boards per hour, and automatically sign up for hundreds of free webmail accounts which could be used to send spam at someone else's expense. That problem today is worse than ever. Captchas were designed to be obstacles to this, to present problems which humans could solve easily but which were very difficult, if not impossible, for computers to solve.
Sadly, the form of captcha which has proved most popular is the distorted graphic which is intended to be readable by the human brain but to be just a jumble of noise to character recognition software. However, if your eyesight is poor, trying to work out the letters and numbers hidden in the graphic can be near impossible. In a token gesture to accessibility, some but not all sites using captchas offer an audio alternative where the code is spoken by a distorted mechanical voice mixed in with background noise and bleeps, but even with my excellent headphones I have never yet been able to understand the audio captcha used on some websites like Hotmail. I am not alone in that observation. The Blind Bargains website has conducted tests with 63 of its blind users and found that 46 of them (73%) were unable to understand Google's audio captchas.
Nevertheless, captcha remains popular with many website operators because of a widespread perception that it is a magic bullet that stops spam. This month, researchers at Stanford University tested that claim. Using the captchas from 15 popular websites, the research team subjected them to automated analysis and concluded that 13 of the 15 schemes they tested were easily defeated. For example, the scheme used by Visa could be defeated 66% of the time, whilst the registration scheme used at eBay fared a little better, only being guessed correctly 43% of the time. You may feel those figures are better than nothing, but when you can conduct thousands of automated attempts per hour, being wrong half the time is not going to be a big obstacle to a spamming campaign.
Footnote: SKILLZONE websites do not use captchas but we do use other forms of blocking technology which are less intrusive on the experience of the human website user. On one of our customer's websites we have blocked around 6,000 attempts at automated registration this month, without resorting to captcha.
29th November 2011
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.