A CAPTCHA is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. Wikipedia.org
Jeff Atwood wrote a good post in which he analyzes the problem that happened at Ticketmaster (an online ticket seller). Ticket brokers, who strive to gain access to a large number of seats, overcame Ticketmaster's protection: a CAPTCHA had been used to protect Ticketmaster's online form from automated submissions.
Jeff concludes that the problem was not that the CAPTCHA was broken on that site, but that the software developers failed to implement a strong enough CAPTCHA. I would agree that a more secure implementation should have been used and that the problem is not in CAPTCHA itself.
Although I agree with Jeff on the main thrust of the post, I would like to amplify it with some of my own thoughts. Here are the main points I'm going to make:
- Every CAPTCHA that is readable can be broken
- There is no uniform security algorithm for everyone
Every CAPTCHA that is readable can be broken
There are many ways to make a CAPTCHA, and the security level varies among them. Chinese hackers provide a table comparing the strength of different algorithms, and they offer decoding software for most of them, at prices ranging from $500 to $6000. Although there is no decoding algorithm for the strongest ones, the hackers note that those are also breakable.
Ok. Let's assume that a true reverse Turing test algorithm exists, so that a human is required to repeat what the computer asks for. If so, why can't that be done by another human? There is a technique that has already been used by malicious hackers to spoof CAPTCHA-equipped online forms: the picture with the puzzle is placed on another site with high traffic. Visitors of that site enter the correct answer to gain access to some free resource, and that correct answer is relayed to the victim's site.
The only way to protect against this kind of attack is to associate your CAPTCHA with your site somehow. One solution is to add your site address to the CAPTCHA image. Make sure it appears in a random place and is obscured by the same algorithm as the main word.
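The server side of that binding, as an added example that is not code from the original post: a challenge is issued with a token tied to the site, with a short lifetime (a relayed answer has to round-trip through the high-traffic site before it expires) and a single-use nonce (one guess per challenge). It also emits a render spec that puts the site address at a random slot under the same distortion as the word, which is the visual binding described above; drawing the image is left out. The class name CaptchaBinder, the secret, the 60-second window and the sample answers are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class CaptchaBinder:
    """Issue and verify CAPTCHA challenges that are bound to one site,
    expire quickly and can be answered only once.

    Hypothetical helper written for this example (not a library API).
    """

    def __init__(self, site: str, secret: bytes, ttl_seconds: int = 60):
        self.site = site          # address that is also drawn into the image
        self.secret = secret      # server-side key; never leaves the server
        self.ttl = ttl_seconds    # short lifetime limits the time a relay has
        self._used = set()        # consumed nonces (use a shared store in production)

    def _mac(self, *parts: str) -> str:
        msg = "\x1f".join(parts).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, answer: str, now: int) -> dict:
        """Return the token to embed in the form plus a render spec for the image."""
        nonce = secrets.token_hex(8)
        payload = {
            "site": self.site,
            "nonce": nonce,
            "iat": now,
            # keyed hash of the expected answer: the token stays stateless without
            # leaking the answer, and cannot be brute-forced offline without the key
            "amac": self._mac("answer", self.site, nonce, answer.upper()),
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        token = body + "." + self._mac("token", body)
        # The site address goes at a random slot, distorted like the word, so a
        # human asked to solve the puzzle elsewhere can see which site it belongs to.
        render = {
            "word": answer,
            "watermark": self.site,
            "watermark_slot": secrets.randbelow(len(answer) + 1),
            "same_distortion": True,
        }
        return {"token": token, "render": render}

    def verify(self, token: str, answer: str, now: int) -> str:
        """Return "ok" or the reason the submission was rejected."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(sig, self._mac("token", body)):
            return "bad_signature"
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["site"] != self.site:
            return "wrong_site"          # issued for another site, even with our key
        if not (payload["iat"] <= now <= payload["iat"] + self.ttl):
            return "expired"             # too old (or from the future): relay window closed
        nonce = payload["nonce"]
        if nonce in self._used:
            return "replayed"
        self._used.add(nonce)            # consumed on every attempt: one guess per challenge
        got = self._mac("answer", self.site, nonce, answer.strip().upper())
        if not hmac.compare_digest(got, payload["amac"]):
            return "wrong_answer"
        return "ok"
```

In a web handler, `issue()` runs when the form is rendered (the token goes into a hidden field, the render spec to the image generator) and `verify()` runs on submission with the current time; a rejected reason is what you would log and count, since a spike in `expired` and `replayed` results on one form is a useful signal that answers are arriving late or twice.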
There is no uniform security algorithm for everyone
The main argument Jeff provides when he says that CAPTCHA is unbreakable is that it is still used by others.
If CAPTCHAs were well and truly broken, Google, Yahoo, and Hotmail would stop using them.
Yes, it may prove that for some applications, and I agree that it will work for the majority of them. But generally it is not a good idea to prove something using someone else's experience, because you may be in a different environment. That is, it is not right to conclude that a solution that was successful for someone else five years ago is still successful for you. For the same reasons, it is not right to conclude that a solution that works well for someone else is suitable for you just because it was not broken when they used it. They might require a different security level than you do.
The fact that Google, Yahoo, and Hotmail are still using CAPTCHAs does not prove that CAPTCHA is unbreakable. It proves that the level of protection this solution provides is enough for them.
Conclusion
When selecting a security algorithm, you should not consider only the fact that it was successfully used by others, because there is one more aspect you should take into consideration: what level of security your solution requires. It may be very different from that of those who have successfully employed the security solution you are also going to use.
CAPTCHA is not a cure; it just stops some kinds of attackers, and you cannot rely on it completely.