CAPTCHA's and Mechanical Turks

Posted by Gunter Ollmann on April 14, 2008 at 4:52 PM EDT.

Last month I introduced the topic of “security ergonomics” and mentioned that I’d try to cover some of the presentation topics from the IBM internal conference a little later. Well, I guess it’s a little later, and the topic for today is CAPTCHA.

Back in February I pointed out some of the problems with CAPTCHAs, namely the fact that they had become so difficult (in an effort to combat automated OCR tools) that they were defeating the very customers they were designed to protect. In essence, the “Tell Computers and Humans Apart” test had failed: computers were appearing more human than the human customers.

As security technologies go, I think CAPTCHAs are a prime example of an industry’s failure to understand its customers and embrace a semblance of security ergonomics.

What irks me the most is the assumption that the end-user is at fault for poorly considered Web application security and that it’s their liability. I guess, to my mind, CAPTCHAs remind me of compulsory drug testing in professional sports:

  1. It has nothing to do with what you’re there for (e.g. you’re there to run a race, not pee in a bottle)
  2. Everyone is assumed to be guilty (i.e. you fail the test if you refuse to take it)
  3. It punishes the minor infraction (e.g. you’ve just come back from a weekend in Amsterdam)
  4. The professionals already know how to bypass the tests (e.g. they have the money to buy the “undetectable” drugs)

Perhaps the fourth point above is the most pertinent. The professionals already have the capability to bypass today’s CAPTCHA “security” features.

Last year we observed the downloadable “Melissa Strip” tool that provided a new pornographic picture for each CAPTCHA solved and throughout the first parts of this year we’ve seen each major free-email (e.g. Hotmail, Yahoo Mail, Gmail) CAPTCHA system fall to automated OCR solvers.

Irrespective of these automated tools, let’s not forget that the professionals have been employing flesh-and-blood humans for several years to break CAPTCHAs online via Web sites (e.g. hacking sites offering free porn for each CAPTCHA solved).

As amusing as it may seem, you can even make a fair bit of money breaking CAPTCHAs on behalf of the professionals.

Using a “crowdsourcing” business model closely resembling Amazon’s Mechanical Turk, the professionals now pay recruits to break pages of CAPTCHAs for money – where the rate per page/CAPTCHA is negotiated up front by the “employee”.

(a typical “page” of CAPTCHAs)

For example, a recruit who can answer 10 CAPTCHAs per minute can earn $3 per hour.

Note that item (2) above says the following (according to Google's translating service):

"Your new job is to reprint the text with images in English. Examples of such images: primer1, example2, primer3. There is a need knowledge of English letters and a British possession layouts at the secondary level. For each correct input text with images, you may receive up to 1 cent, depending on where you choose to "bid". You are limited only by their speed text input from the keyboard, that is, in a minute you can handle an average of 10 pictures. Thus, at an average price of 0.5 cents per correctly entered the text of your earnings will be 3 dollars per hour."

Some other sites offer a fixed rate of $1 per 1,000 CAPTCHAs.

In general, becoming an “employee” is no more sophisticated than entering your details in their registration page and selecting how you want to be paid (e.g. Z-purse, Webmoney, Rupay and e-gold).


Now, while this may not sound like a lot of money to you and me, it is important to remember that there are a lot of people in developing countries only too willing to earn a few extra dollars per day online (after all, thousands are employed in China selling gold earned in the MMORPG “World of Warcraft”).

The last few times I’ve presented on this subject, people have asked me whether it’s all illegal. While I’m certainly no legal expert, I doubt that the “employees” are doing anything wrong or could be successfully prosecuted. I suspect that the professionals are probably abusing the terms & conditions of the sites that are deploying the CAPTCHAs as a security device but, frankly, it’s not like they’re going to care. The CAPTCHAs are just a minor hurdle in the creation of user accounts that can be used to propagate spam and other nefarious attacks – so breaking a few T&Cs is hardly something they’re going to lose sleep over.

So, with all that in mind, why do commercial Web sites still persist in using CAPTCHAs? It’s not as if they are stopping the professionals (or anything above script-kiddie level). In fact, the techniques needed to stop the folks that use these CAPTCHA-breaking schemes are the very same techniques that should have been implemented in the first place – rather than imposing a weak and distracting “security” system on the end-user.

    Copyright 2001-2008 © Gunter Ollmann