WebApp Sec mailing list archives

RE: Defeating CAPTCHA


From: "Derick Anderson" <danderson () vikus com>
Date: Tue, 6 Sep 2005 09:18:40 -0400


-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org] 
Sent: Monday, September 05, 2005 3:11 AM
To: webappsec () securityfocus com
Subject: Re: Defeating CAPTCHA

On 29/08/05 08:03 -0400, Derick Anderson wrote:
I'm sure there is a significant number of valid credit card numbers
floating around in the open, but it is not without bound. An open,
free system (which I am not against, by the way) allows spammers to
create as many accounts as they wish. Once they have to pay for it,
even with stolen credit cards, the availability of accounts drops into
a much smaller finite number. Besides, if I have your credit card
number, why bother using it to create a spamming account? I've already
got free money. =)

Think 419 scammer. I buy a domain, host it and spam using that domain.
It appears legitimate, and will not be immediately kicked off a host. 
Freemail accounts are terminated fast (not fast enough, but fast).

Think of a scammer using confirm-paypal.com instead of 
http://some.free.host.example.com/user/confirm-paypal.html

The problem for us is that a smaller, finite number is still 
bigger than we can easily and economically handle.

Devdas Bhagat


I'm missing what this has to do with my point, which is that requiring
credit cards for validation makes CAPTCHA unnecessary. If I already have a
credit card number, I don't care about accessing your site. I have FREE
MONEY. I don't need your forum/blog/software repository/whatever. I can
buy stuff for free for three days until the real owner reports me to
their credit bank, at which point the bank refunds the owner and cancels
the card (while not bothering with an even more expensive investigation
into hunting me down).

The point of this topic is the ability to detect a legitimate human user
on the other end of an online form. I believe this is the wrong approach
- it's just a race that leaves the legitimate user in the dust trying to
solve riddles or complete quizzes or picking out rotten strawberries in
a 12x12 matrix or typing in text from a continuously morphing animated
GIF. Real users will give up long before the bots do.

I say that we should look at this from an economic standpoint rather
than a technological one, and verify users with credit card information.
Is it perfect? Of course not. But it's leaps and bounds better than
getting into the CAPTCHA race.

Derick Anderson

