Tuesday, February 26, 2008

A new security arms race

According to The Register (UK), spammers have developed a "mailbot" that can break through Google's CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) system. That's Google's version of the thing that makes you read distorted characters to sign up for email and other online services, including some online banking services.

It won't be long before a robot will be able to defeat any current Captcha system, so those with such systems deployed should make sure they A) are using multi-factor schemes for securely adding and identifying their users and B) have the latest versions of the Captcha program installed.

Since the robots are currently successful against Google only 20% of the time, there is still some time for software developers and users to stay ahead by improving Captcha and combining it with other techniques for telling humans from programs. For instance, several Captcha images could be displayed, and the user asked to identify which of them are alike, or which of them match a given pattern (also displayed via Captcha).
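The "pick the images that match a given pattern" idea above can be sketched as a server-side challenge, together with the arithmetic that shows why layering several images helps. The following is an added example written for this post, not code from the post, Google, or any real CAPTCHA product; the label pool stands in for distorted images (the words are constructed placeholders), the `MultiImageCaptcha` class and the two probability helpers are hypothetical, and the bot model in `ocr_bot_success` assumes each image breaks independently at the same rate, which is a simplification of the 20% figure quoted above.

```python
import math
import secrets
import time
from dataclasses import dataclass


# Constructed label pool standing in for distorted word images. In a real
# deployment each label would be rendered as its own distorted image; here
# the label itself plays the role of the image so the scheme runs offline.
LABEL_POOL = ["anchor", "basket", "candle", "dagger", "ember", "falcon",
              "garnet", "hammer", "island", "jigsaw"]


@dataclass
class Challenge:
    challenge_id: str
    pattern: str           # label rendered as the "pattern" image
    shown: list            # labels of the selectable images, in display order
    expected: frozenset    # positions in `shown` that match the pattern
    issued_at: float


class MultiImageCaptcha:
    """Hypothetical 'select every image that matches the pattern' challenge
    (added example, not a real library). All answer state stays server-side;
    the client only ever receives the challenge id and the images."""

    TTL_SECONDS = 120

    def __init__(self, n_shown=6, n_matching=2, rng=None):
        if not 0 < n_matching < n_shown <= len(LABEL_POOL):
            raise ValueError("need 0 < n_matching < n_shown <= pool size")
        self.n_shown = n_shown
        self.n_matching = n_matching
        self.rng = rng or secrets.SystemRandom()   # CSPRNG by default
        self._pending = {}

    def issue(self, now=None):
        """Build one challenge: a pattern label shown n_matching times among
        distinct distractors, shuffled so position carries no information."""
        now = time.time() if now is None else now
        labels = self.rng.sample(LABEL_POOL, self.n_shown - self.n_matching + 1)
        pattern, distractors = labels[0], labels[1:]
        shown = distractors + [pattern] * self.n_matching
        self.rng.shuffle(shown)
        expected = frozenset(i for i, lbl in enumerate(shown) if lbl == pattern)
        cid = secrets.token_urlsafe(16)
        ch = Challenge(cid, pattern, shown, expected, now)
        self._pending[cid] = ch
        return ch

    def verify(self, challenge_id, selected, now=None):
        """Exact-set match, single use, time-limited. The challenge is
        consumed whatever the outcome, so the same images cannot be retried."""
        now = time.time() if now is None else now
        ch = self._pending.pop(challenge_id, None)
        if ch is None:
            return False
        if now - ch.issued_at > self.TTL_SECONDS:
            return False
        return frozenset(selected) == ch.expected


def random_guess_success(n_shown, n_matching):
    """Chance a bot that picks a random subset of the right size gets it."""
    return 1 / math.comb(n_shown, n_matching)


def ocr_bot_success(p_single, n_images):
    """Chance a character-recognising bot solves the whole challenge, under
    the simplifying assumption that it must read every image correctly and
    each image breaks independently with probability p_single."""
    return p_single ** n_images


if __name__ == "__main__":
    captcha = MultiImageCaptcha()
    ch = captcha.issue()
    print("pattern:", ch.pattern, "shown:", ch.shown)
    print("human answering correctly:", captcha.verify(ch.challenge_id, ch.expected))
    print("random guess:", random_guess_success(6, 2))
    print("20%-per-image bot over 7 images:", ocr_bot_success(0.2, 7))
```

With six selectable images plus the pattern image, a bot that reads a single distorted image correctly one time in five would, under the independence assumption, solve the whole challenge about once in 78,000 attempts, while a bot guessing a two-image subset at random succeeds one time in fifteen; the single-use, time-limited verification keeps either kind from improving its odds by replaying the same challenge.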