CAPTCHA: The Broken Token

CAPTCHA has been broken. Not just once, but over and over again. In fact, do a search for “CAPTCHA breaker” or “CAPTCHA hack” and you’ll find plenty of web sites that are all too happy to tell spammers how to get around the image tokens that CAPTCHA scripts use to try to keep unwanted people out.

And just in case an enterprising spammer can’t find a ready-to-go CAPTCHA hack that suits his purposes, he can throw a couple of bucks at some starving programmer on RentACoder or ScriptLance and walk away with his own custom-made spam passkey.

Of course, no one wants to advertise the fact that they are a spammer, so they look for clever ways to hire programmers without revealing their true motives. Some of the excuses you see for wanting a CAPTCHA breaker written are quite humorous. Here’s one of my favorites:

“We are developing a telemarketing application and we need to check data to prevent fraud. To do so we would like to check information on some CAPTCHA protected web sites. We are asking for a CAPTCHA breaker with complete source code - third party OCR Library, like LEADTOOLS or any other, can be used.”

How much does it cost to have a CAPTCHA hack custom developed? $10 to $20 ought to do the trick; certainly no more than $50.

But the cost isn’t the point. What’s more alarming is that thousands upon thousands of site owners are depending upon flawed technology to protect their sites from spam even though they know, or at least should know, that it’s only a matter of time until some spam robot shows up and starts hammering away at those worthless little images.

There’s a much more intelligent way to stop spammers dead in their tracks. Actually, “intelligence” is the key word here, because the latest anti-spam tools like ATC work by posing questions that are simple enough for humans to answer but trip up robots, which are incapable of reading a question and providing the correct answer.

So instead of locking the door to your comment form with a key that anyone with a few bucks can buy a copy of, get some real protection that will let you concentrate on operating your site and not repelling spammers.

4 Responses to “CAPTCHA: The Broken Token”

  1. Dancho Danchev - Mind Streams of Information Security Knowledge Says:

    Spammers and Phishers Breaking CAPTCHAs…

    Interesting reading on the big picture too - CAPTCHA - The Broken Token…

  2. Zap Branigan Says:

    It costs more than $50. To tailor a breaker to a particular captcha takes a bit of work. Depending on how much worth someone assigns to their time, it is far more than $50 of grunt work. Anyone doing it for $50 or less is scrambling for pennies and thus must not be from Europe or North America.

    Also there are free captcha OCR tools out there:

  3. Dan Says:

    Amir Harel wrote in his blog an interesting theory about the collective computation that zombies have at their disposal in order to break captchas. If that’s true, then it’s only a matter of time until the captcha will be useless.

  4. hüseyin Says:

    I am a student of computer engineering. This is my last.
    My graduation project is analysing CAPTCHA.
    I am trying to make a bot program that hacks CAPTCHA.
    I need CAPTCHA documentation.
    Help me please.