Friday, July 11th, 2008
Time For A CAPTCHA Alternative

by Blight Fighter

Every time a better mousetrap appears on the market, somebody engineers a better mouse to defeat it. CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a mousetrap designed eight years ago by researchers at Carnegie Mellon University to stop automated botware from creating accounts or logging in to websites. It catches the elusive spammer mouse by forcing users to solve a puzzle designed to be easy for people but hard for a bot. Most Captchas show users warped or distorted text and ask them to retype it.

Captcha serves as a crucial first line of defense in protecting users and site owners from the onslaught of computer-generated messages. When Captcha appeared on the market, it was a simple, effective solution. Over the last eight years, spammers have learned to use optical character recognition and other image-recognition schemes to defeat Captchas, and Captcha designers have responded with more difficult puzzles. This is the sort of cat-and-mouse game that security experts always play with hackers, but in this case the road leads nowhere, and Captchas have already reached the end of it.

The problem is that making Captchas more difficult shuts out more and more legitimate users. For most commercial purposes, designers want to make their websites and services easily available, and difficult Captchas have become tollgates that slow down or turn away traffic. Today, 20% of state-of-the-art Captchas are not solved correctly on the first try (and often there is no second try). At the same time, bots have evolved to the point that commercially available software can defeat the most difficult Captchas 10-15% of the time. A success rate that low is still plenty for an attacker, because a bot can simply retry until it gets through, while a legitimate user who fails once may simply give up.

Attacks have taken on other forms than just image-deciphering software. The profit potential from bypassing Captcha security is high enough that it is cost-effective for some hackers and spammers to take a "Mechanical Turk" approach and outsource Captcha solving to places like China, India, or Eastern Europe. It only costs pennies per successful entry, which is very cost-effective for their nefarious goals. Instead of paying for outsourcing, creative hackers have turned to social engineering, getting other people to solve the puzzles for them for free. WashingtonPost.com reported on an insidious strategy by spammers that recruits unwitting human users (usually of porn sites) to solve Captchas relayed from the sites the spammers want to abuse, and rewards them with increasingly salacious material (a scantily clad model removes more clothing as the user solves puzzles). These third-party humans work unaware that they are helping spammers open new email accounts that will be used to assault their own inboxes.

Beyond the obvious security failures, Captcha has other problems. Visually impaired users find it impossible to use, which puts sites at odds with the Americans with Disabilities Act (which guarantees equal access to all people regardless of disability). Audio versions of Captcha have emerged for the visually impaired, but not all sites offer the audio version, and problems remain for other segments of the disabled computer-using market. User dissatisfaction with Captcha is high as well, and Captcha complaints abound on the web. The most vocal complaints come from users of time-sensitive websites, such as ticket vendors for sporting events or concerts, where the time it takes to solve the puzzle can mean losing out on a ticket.

Captcha isn't only annoying to users, it's wasteful. Placing a barrier in front of every interaction costs the American economy a lot of money, since by its very nature it slows down transactions. A human operator must take the time to solve the puzzle and enter the solution. 15-20 seconds of each user's time may not sound like a lot, but it quickly adds up. One of the creators of Captcha (a professor at Carnegie Mellon University) recently estimated to Time magazine that 200 million Captchas are solved daily. Even at only 15 seconds each, that is over 800,000 user-hours consumed every day solving Captchas (200 million times 15 seconds is 3 billion seconds, or roughly 833,000 hours), which adds up to tens of millions of dollars in lost productivity.

Captcha, for all its benefits, has also left a large slice of the online market untapped. Any barrier to entry inherently reduces the percentage of users who elect to sign up for a service, leave a comment, or otherwise participate. Other sites, such as MMORPG (Massively Multiplayer Online Role-Playing Game) sites, don't want to slow down user access at all, so they don't use Captcha. These categories of sites, and many others, would benefit enormously if there were another way to admit valid users while successfully denying service to hackers.

Ron Williams, General Manager of CDC Games, explains the problem.  “We needed to find an alternative Captcha because it is not really a viable option in the free-to-play space.  The key benefit of a free-to-play business model is to minimize barriers to participation. It is hard enough to get an email address during a signup. Anything that creates friction in signup or game play is detrimental to the user experience and dramatically reduces the number of players. Instituting Captcha would have a significant negative impact on our business model.”

"On the other hand, eliminating barriers opens yourself up to bots. Bots present real problems for the operators of online games. Even though Lunia, our first free-to-play game, only launched four months ago, bots are always trying to spam our chat rooms. We have to monitor them 24/7. Of course Captcha would be a huge barrier to participation in a chat room or social space like a forum. Spammers aside, the real issue is gold farming, which can destroy the economy of an online game, and using Captcha in game to control bot activity would be a deal killer for players."

“To date, we have found that 7.9% of all signups are bots and that they can consume almost 20% of our bandwidth and server resources.  Even more troubling is that bots spawn lots of errors, so we are constantly diverting development time to address them.”

Captcha has served its purpose, but after eight years we have reached the end of the era of using a puzzle as a gateway barrier. What is needed is a Turing test that relies on technology instead of difficult puzzles, pictures of kittens, or mathematical challenges (all of which are being developed for the next generation of Captchas). What is needed is a software solution that provides iron-clad security against bots but is invisible to the human user: one that safely, securely, and reliably verifies a human presence while remaining transparent and automatic. Short of changing web protocols themselves (which would be a monstrous effort), some sort of gatekeeper program is going to be increasingly necessary to keep the flow of commerce on the web moving while keeping out malware bots.

One company stepping into this void is Pramana, a startup with a mousetrap where the mouse doesn't even know it has been trapped. Their product, HumanPresent, performs such verification completely transparently to the user. Spammers cannot easily get around security they do not know exists. Pramana has just released an online demo, although you have to apply for access.

HumanPresent could be the ideal solution to the problem that Captcha can no longer be relied upon to solve: keeping the bots out while letting human users in, without the users even being aware that verification is taking place. That brings an added bonus, as CDC Games' Williams explains: "After some research, we chose the HumanPresent solution from Pramana. The great thing about their approach is that it happens in the background, without users even knowing it's there. Even the bot operators are unaware of it."
