WebApp Sec mailing list archives
RE: Defeating CAPTCHA
From: "wilsonc" <wilsonc () mantech-wva com>
Date: Mon, 29 Aug 2005 15:47:35 -0400
I, for one, would love it if spammers were forced into using stolen credit card numbers. First off, there would be no way spammers operating like that could claim to be a 'legitimate' business. As a consequence, same spammers were now committing fraud, they'd likely be targeted a lot more. And companies would be more reluctant to do business with a spammer, if say, for the purpose of a fraud investigation, their website is taken down for a week.

Second, if credit card theft increased, we'd see more security measures. My bank offers a service called "verified by visa". When I log into my bank, I have the option of reviewing the purchases on my card and approving them or rejecting them. For internet purchases, such as off Amazon, the purchase isn't actually completed until I verify that purchase. Now I realize the security of one of these systems is only as secure as the verification system (if someone had my bank account username and password and credit card they could go shopping, but without all three they're out of luck), but so far, for me, it's worked out pretty well.

Mass credit card fraud would force credit card companies to be more secure and eliminate spam, both things I could live with.

-----Original Message-----
From: Derick Anderson [mailto:danderson () vikus com]
Sent: Monday, August 29, 2005 8:03 AM
To: webappsec () securityfocus com
Subject: RE: Defeating CAPTCHA

I'm sure there is a significant number of valid credit card numbers floating around in the open, but it is not without bound. An open, free system (which I am not against, by the way) allows spammers to create as many accounts as they wish. Once they have to pay for it, even with stolen credit cards, the availability of accounts drops into a much smaller finite number.

Besides, if I have your credit card number, why bother using it to create a spamming account? I've already got free money. =)

Derick Anderson
-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org]
Sent: Sunday, August 28, 2005 2:35 AM
To: webappsec () securityfocus com
Subject: Re: Defeating CAPTCHA

On 26/08/05 12:45 -0400, Derick Anderson wrote:
<snip>
1. Charge money. Spammers aren't going to shell out cash en masse.

But they are perfectly willing to use _your_ credit card for that. There are a lot of phishing attacks and broken CC# storage and transport systems that some spammers will have access to that data.

Devdas Bhagat