WebApp Sec mailing list archives
RE: Defeating CAPTCHA
From: "Derick Anderson" <danderson () vikus com>
Date: Tue, 6 Sep 2005 09:18:40 -0400
-----Original Message-----
From: Devdas Bhagat [mailto:devdas () dvb homelinux org]
Sent: Monday, September 05, 2005 3:11 AM
To: webappsec () securityfocus com
Subject: Re: Defeating CAPTCHA

On 29/08/05 08:03 -0400, Derick Anderson wrote:
> I'm sure there is a significant number of valid credit card numbers floating around in the open, but it is not without bound. An open, free system (which I am not against, by the way) allows spammers to create as many accounts as they wish. Once they have to pay for it, even with stolen credit cards, the availability of accounts drops into a much smaller finite number. Besides, if I have your credit card number, why bother using it to create a spamming account? I've already got free money. =)

Think 419 scammer. I buy a domain, host it and spam using that domain. It appears legitimate, and will not be immediately kicked off a host. Freemail accounts are terminated fast (not fast enough, but fast). Think of a scammer using confirm-paypal.com instead of http://some.free.host.example.com/user/confirm-paypal.html

The problem for us is that a smaller, finite number is still bigger than we can easily and economically handle.

Devdas Bhagat
I'm missing what this has to do with my point, which is requiring credit cards for validation making CAPTCHA unnecessary. If I already have a credit card number, I don't care about accessing your site. I have FREE MONEY. I don't need your forum/blog/software repository/whatever. I can buy stuff for free for three days until the real owner reports me to their credit bank, at which point the bank refunds the owner and cancels the card (while not bothering with an even more expensive investigation into hunting me down).

The point of this topic is the ability to detect a legitimate human user on the other end of an online form. I believe this is the wrong approach - it's just a race that leaves the legitimate user in the dust trying to solve riddles or complete quizzes or picking out rotten strawberries in a 12x12 matrix or typing in text from a continuously morphing animated GIF. Real users will give up long before the bots do.

I say that we should look at this from an economic standpoint rather than a technological one, and verify users with credit card information. Is it perfect? Of course not. But it's leaps and bounds better than getting into the CAPTCHA race.

Derick Anderson