Spammers defeat Captchas

Found on CNet News on Monday, 09 July 2007

According to security vendor BitDefender, spammers have defeated a system designed to differentiate humans from machines when registering new accounts online. Known as Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart), the system won't allow users to advance until distorted characters in a box are correctly entered. BitDefender says a new threat, Trojan.Spammer.HotLan.A, is using more than 15,000 automatically generated bogus Microsoft Hotmail accounts to spread, and is registering 500 new accounts per hour, suggesting the Captcha system has been defeated.

This isn't really something that should be filed under "breaking news". Captcha security was breached quite some time ago, as most phpBB admins might know. A quick search for PWNtcha brings up lots of results dealing with defeating captchas. Fixing broken captchas is just a temporary improvement, not a solution (in the case of phpBB, it helps a lot if you adjust the grayscale values to reduce the difference between background and text). Perhaps it's about time to replace the current approach of identifying text. For humans, it's easy to answer questions about a picture, like "how many people do you see?" or "what color is the car?". Of course the visitor has to be able to understand the language. This should be a minor point; not too many would sign up with a site they can't read.