A CAPTCHA-Solving Service

Via Symantec Security Response Weblog -

A “CAPTCHA” (completely automated public Turing test to tell computers and humans apart) is one of those puzzles you are sometimes asked to solve when signing up for a free email account or similar services. These puzzles involve distorted images that are sometimes enough to thwart an automated computer program that is trying to sign up for free email accounts, giving it the impression that it is dealing with a human. Well, an "enterprising" human found a clever way to cheaply solve a lot of CAPTCHAs.

His idea was to post a project ad on the site www.getafreelancer.com, to see how much it would cost him to hire someone to solve CAPTCHAs for a 50-hour week. Within a week, he received 58 bids, ranging from $30 to $100 (with the average bid being $57) before the site administrator cancelled the ad. Assuming (very conservatively) that it would take someone 30 seconds, on average, to solve a single CAPTCHA, anyone completing the job would have solved about 6000 CAPTCHAs in a 50-hour week. So, it would have cost our poster about a half a cent per CAPTCHA, for the lowest bidder, and about one and two-thirds cents per CAPTCHA for the highest bidder.

CAPTCHAs have a number of interesting security applications. One of the most well known is in trying to deter spam, by requiring anyone who signs up for a free email account to solve a CAPTCHA. This step prevents automated programs from signing up for an account. Similarly, one might try to use CAPTCHAs in conjunction with email itself, where the recipient might require the sender to solve a CAPTCHA before accepting the email. This idea also applies to other forms of spam, such as trackback or comment spam on blogs. For legitimate, low-volume email senders, this cost is pretty small; but, it might shift the economic threshold for spammers so that their practices are less profitable.

Another interesting application of CAPTCHAs is in making dictionary attacks for guessing passwords harder to accomplish. The idea here is to require someone to solve a CAPTCHA in conjunction with a password guess. This measure would increase the time for password guesses considerably (assuming, of course, that human intervention is necessary in each password guess and that this intervention is actually expensive).