FraudJournal Blog

July 27, 2010

Is CAPTCHA Dead?

Filed under: Fraud Schemes,Fraud Trends — fraudjournal @ 2:26 PM

One of the discussions running around the fraud blogs and LinkedIn groups is about how fraudsters have been able to get past CAPTCHA. So is it dead? That question was asked in a 2007 article when Google filed for a patent that would allow computers to read images that contained a graphic of morphed characters. (http://www.blahblahtech.com/2008/01/google-patent-captcha-killer.html)

And if you ask the internet about CAPTCHA, you will find various requests to locate a program that would essentially ‘kill’ the CAPTCHA program temporarily when dealing with other languages. So is it dead? Not yet. Businesses and websites still are using this program as a security measure. So what is the fuss?

Most of you have already experienced CAPTCHA without knowing it. This is when you are required to type in what you see on the screen (usually a set of twisted or distorted letters, numbers or a combination of both) when you make a purchase from or create an account with an online storefront or organization. If you haven’t, here is a link to Wikipedia to learn more (http://en.wikipedia.org/wiki/CAPTCHA).

Recently in New York, scammers created another workaround by setting up a network of users to purchase tickets online from Ticketmaster. The company under indictment, ‘Wiseguys.com’, purchased the maximum number of tickets to big-name concerts and events by employing a vast network of purchasers who could type in the semi-obscured graphic used as a security measure to stop scammers from purchasing more than the allowed number of tickets. These tickets were then scalped online for prices far above the normal retail value. So, now you know why some of those concerts sold out so fast and so many tickets were for sale online. You can read the article here: http://www.nbcnewyork.com/news/local-beat/Ticket-Scalpers-Defeat-Latest-Cyber-Security-85808497.html.

So how does this affect the fight against fraud? It means that fraud has truly become a global concern. While it creates jobs in India and China, it also allows fraud rings to branch out and work towards becoming an even bigger menace than before. If the sources of scamming are offshore, then the process to shut them down becomes much more complicated and involves multiple jurisdictions. Plus, their costs are minimal, they have a dedicated work effort that can run 24/7, and you and I can’t see them at work. It allows them to blend in or hide in plain sight.

The economy is already creating budget havoc for everyone. Law enforcement is already overwhelmed with fraud on the grand scale, which means it is up to you and me to stay aware of what we see on the Internet and around us today. Help your local and regional fraud teams by reporting fraud when you see it. And don’t buy scalped tickets – most often the sellers are not everyday people like you and me who ended up with spare tickets. It’s guys just like the scammers at ‘wiseguys.com’ who stole your right to purchase them at the retail price in the first place.


1 Comment »

  1. Excellent article. CAPTCHA is a security tool that many people get irritated by when they encounter it on the Web. However, it can be effective in helping fight fraud. Not only are CAPTCHAs used to stop scalpers from scooping up bulk quantities of tickets that they later resell at exorbitant prices, but they are also used to stop fraud in other ways. CAPTCHAs are used to prevent spam bots from opening thousands of free webmail accounts, which they then use to send phishing emails that trick unsuspecting people into revealing bank account information or other personal data. CAPTCHAs are also used by some websites to limit the number of times a bot can attempt to log in to an online account. This stops bots from being able to run through lists of the most common username and password combinations in an attempt to steal people’s login credentials to banking websites, PayPal, etc.

    As you pointed out, the method of displaying warped and distorted text in a CAPTCHA is both irritating for people and has also been broken by bots which are able to decipher the letters and characters. A better method (both more secure against bots and also easier for most people) is to ask the user to identify pictures. You can see an example of this type of CAPTCHA here: http://www.confidenttechnologies.com/products/confident-captcha and a demo of it here: http://demo.confidenttechnologies.com/captcha/. In this way, CAPTCHA can help websites increase security and improve the user experience.

    Comment by Sarah — July 28, 2010 @ 9:00 AM | Reply

