June 18, 2012

A CAPTCHA in the Rye


Today, we released our latest Hacker Intelligence Initiative report, A CAPTCHA in the Rye.  We detail how CAPTCHAs are broken by hackers and what security teams should do to make them stronger yet appealing to consumers, who intensely hate them.

Why would hackers want to bypass CAPTCHAs? What is the motivation?
CAPTCHAs are put in place to protect sites from the automation of actions.  Hackers break CAPTCHAs in order to automate many kinds of activity, such as:

  • Searching databases – a hacker may want to script searches against your database to see what you have and possibly download its contents.
  • Adding comments on sites – a hacker may want to automatically add spam comments to all the posts on your site with links to, for example, websites hosting malware.
  • Account creation – the site wants to prevent an automated program from creating a lot of fake accounts to dupe legitimate users.


Are there specific websites they target?
Hackers are often scraping websites that contain personal details. Some examples presented in the report:

  • Collecting financial details from online tax payment sites
  • Collecting personal details from voting-related sites, e.g., transaction records or personal details


What CAPTCHAs work?
Security teams should use novel CAPTCHA methods that turn the CAPTCHA into something enjoyable, like a mini-game.  We also explain how to present a CAPTCHA only when users exhibit suspicious behavior, by implementing various automation detection mechanisms.
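The "challenge only on suspicious behavior" idea above can be illustrated with a small server-side gate. The following is an added example written for this post, not code from the report or from Imperva; the signals it uses (a per-client request-rate window, a form submitted implausibly fast after it was rendered, a hidden honeypot field that a human never sees, and a token set by the page's own script) and the weights and thresholds are assumptions chosen for the illustration. Every request is scored, and the CAPTCHA is shown only once the score crosses the threshold, so ordinary visitors never see it.

```python
"""Adaptive CAPTCHA gating: score each request for signs of automation and
challenge only when the score crosses a threshold.

Added illustration; signal names, weights and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    client_ip: str
    path: str
    ts: float                           # arrival time in seconds
    form_age_s: Optional[float] = None  # seconds between form render and submit; None if not a form post
    js_token_present: bool = True       # token the page's script adds on submit; headless scripts often omit it
    honeypot_filled: bool = False       # hidden field a human never sees; bots that fill every field trip it


class AutomationDetector:
    """Accumulates per-client history and scores each request."""

    def __init__(self, window_s=60.0, max_requests=30, min_form_age_s=2.0, threshold=3):
        self.window_s = window_s              # sliding window for rate counting
        self.max_requests = max_requests      # requests per window a human is unlikely to exceed
        self.min_form_age_s = min_form_age_s  # fastest plausible human form submission
        self.threshold = threshold            # score at which the CAPTCHA is presented
        self._history = defaultdict(deque)    # client_ip -> timestamps inside the window

    def _rate_exceeded(self, req):
        hist = self._history[req.client_ip]
        hist.append(req.ts)
        while hist and hist[0] < req.ts - self.window_s:  # drop timestamps outside the window
            hist.popleft()
        return len(hist) > self.max_requests

    def score(self, req):
        """Return (total_score, [reason, ...]) for one request."""
        hits = []
        if self._rate_exceeded(req):
            hits.append(("rate_burst", 2))
        if req.form_age_s is not None and req.form_age_s < self.min_form_age_s:
            hits.append(("form_submitted_too_fast", 2))
        if req.honeypot_filled:
            hits.append(("honeypot_filled", 3))
        if not req.js_token_present:
            hits.append(("missing_js_token", 1))
        return sum(w for _, w in hits), [name for name, _ in hits]

    def decide(self, req):
        """Return ("challenge" | "allow", reasons)."""
        total, reasons = self.score(req)
        return ("challenge" if total >= self.threshold else "allow"), reasons


def run_demo():
    """Constructed traffic: a human, a scraper, and a comment bot (all sample data)."""
    det = AutomationDetector()
    results = {}

    # Human: a few page views, then one comment typed over 40 seconds.
    human = [Request("203.0.113.10", "/post/1", float(t)) for t in range(5)]
    human.append(Request("203.0.113.10", "/post/1/comment", 45.0, form_age_s=40.0))
    results["human"] = [det.decide(r)[0] for r in human]

    # Scraper: 40 search queries inside one minute, never running the page script.
    scraper = [Request("198.51.100.7", "/search", float(i), js_token_present=False) for i in range(40)]
    results["scraper"] = [det.decide(r)[0] for r in scraper]

    # Comment bot: posts 0.2 s after the form rendered and fills the hidden honeypot field.
    bot = Request("192.0.2.99", "/post/1/comment", 100.0, form_age_s=0.2, honeypot_filled=True)
    results["comment_bot"] = det.decide(bot)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

In the demo the human never sees a CAPTCHA, the scraper is allowed until its 31st request in the window and challenged from then on, and the comment bot is challenged on its first post. The weights are deliberately additive so that a single weak signal (a missing script token alone scores 1) does not trigger the challenge, while a strong one (the honeypot) does on its own.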

To download our report, click here (no registration required).

