Risk
2/1/2013
01:08 PM

The Dreaded Captcha: Beginning Of The End?

Ticketmaster dumps reviled security technology that forces users to decipher distorted words. Will it spark a trend?

If those all-but-impossible-to-read Captchas disappeared tomorrow, would anyone lament their demise?

Ticketmaster is betting not. The company recently announced that it plans to dump its current challenge-and-response verification mechanism in favor of a system that asks users to type clearly legible phrases or answer multiple-choice questions. The company's goal is to get event-goers to buy more tickets, while blocking automated software -- bots -- from buying up large quantities of tickets on behalf of resellers.

"We relentlessly pursue ways to make ticket buying more fan-friendly," said Nathan Hubbard, CEO of Ticketmaster. "While an important step in blocking bots, we know the current Captcha solution has been a frustrating part of buying tickets for fans."

Based on the word "capture," Captcha is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. First developed at Carnegie Mellon University in 2000, Captchas are designed to allow a computer to tell if it's interacting with a real person or another computer.

Why bother? As any fan of the cult film "Blade Runner" knows, when psychotic human-lookalike androids come calling, you'll need to know who's human and who's a machine.

Outside the dystopian science fiction realm, websites want to differentiate between real users and bots that have been programmed for malevolent purposes such as adding advertising spam to comment boards, registering for free email services and using them to send spam, spidering all usernames on a site, or, in the case of Ticketmaster, buying large quantities of tickets for the purpose of reselling them for a profit.

As security checks go, current Captchas count few -- and possibly zero -- supporters. That's largely because the typical Captcha, which requires a user to type in what they see on screen, displays phrases that look like they've been generated by a drunk Dadaist wielding a copy of Microsoft WordArt. Illegibility is just the start.

History is also littered with failed Captcha improvement efforts. For example, when changes to word-and-letter Captchas made them difficult for automated software to decode, enterprising attackers outsourced the job. Their ploy: websites that offered free porn after users navigated past a Captcha -- pulled, naturally, from the site attackers wanted to exploit. With a library of Captcha images and their real-world equivalents, attackers could bypass their target site's security defenses with aplomb.

Another attempted revamp has been audio Captchas. On the upside, these make websites with challenge-response systems accessible to people with visual impairments -- a legal requirement in some countries. But like their visual counterparts, many audio challenge-and-response systems can also be reliably circumvented by using software that converts spoken words to text.

So will Ticketmaster's Captcha revamp succeed? Ticketmaster said that its mobile apps will now include a push-notification feature that shares a user's Ticketmaster credentials with the company's site, thus allowing mobile users to bypass Captcha-type security checks. But the website security check strategy now being pursued by Ticketmaster involves a "Type-In," which -- wait for it -- is technically another type of Captcha, albeit one that uses clear, legible text. Developed by Solve Media, the approach substitutes squiggly letters with phrases or multiple-choice questions served up in a variety of different image and multimedia formats.

Ticketmaster has already been running trials with the Type-In system. "We're starting to see an uptick in fan satisfaction," Kip Levin, Ticketmaster's executive vice president of ecommerce, told the BBC. "We're happy with what we've seen from a security standpoint as well." He said that while the previous, squiggly Captcha took users an average of 14 seconds to successfully complete, the new system required only seven seconds.

Comments
Lee009,
User Rank: Apprentice
2/1/2013 | 10:19:06 PM
re: The Dreaded Captcha: Beginning Of The End?
The trend I'm noticing is that CAPTCHAs are moving away from requiring any sort of type-in at all. More and more, I'm seeing CAPTCHA approaches that involve clicking on certain pictures, playing a game, drawing a shape, etc. Since people are increasingly using smartphones and tablets rather than PCs to visit websites, CAPTCHA methods that allow you to swipe, draw or tap some pictures make more sense than ones that require you to fumble with the keypad to type in something.
GBARRINGTON196,
User Rank: Apprentice
2/3/2013 | 10:46:06 AM
re: The Dreaded Captcha: Beginning Of The End?
Is that an "r" or a "v"? One space? 6 spaces? Or none? I wonder how many sales, how much activity is lost to captcha phrases that can't be deciphered by anyone or anything? I know I've given up in disgust after 3 tries at 3 different phrases.
Buzz2020,
User Rank: Apprentice
2/3/2013 | 7:22:30 PM
re: The Dreaded Captcha: Beginning Of The End?
At Last! I would prefer pop-up porn spam to having to decipher yet another obfuscated Captcha Gotcha puzzle...
macker490,
User Rank: Ninja
2/4/2013 | 11:46:05 AM
re: The Dreaded Captcha: Beginning Of The End?
I refuse to answer captchas period.
Deirdre Blake,
User Rank: Apprentice
2/4/2013 | 3:59:13 PM
re: The Dreaded Captcha: Beginning Of The End?
I haven't run into any of these "puzzle"-type approaches yet, but they would certainly be a welcome change. Regardless of their great utility in thwarting bots over the years, I don't think anyone will mourn the end of CAPTCHAs.
MyW0r1d,
User Rank: Apprentice
2/4/2013 | 8:59:17 PM
re: The Dreaded Captcha: Beginning Of The End?
I've seen some that I would swear are configured improperly. For instance, put in a wrong answer (swap a couple of letters) and it accepts it anyway.
Jonathan_Camhi,
User Rank: Apprentice
2/4/2013 | 10:06:31 PM
re: The Dreaded Captcha: Beginning Of The End?
The end of captchas? Some of the best news I've heard all day. I think audio captchas can gain ground in years to come. Everyone expects voice to play a bigger role with mobile devices and Siri is just the beginning. Wouldn't surprise me if voice authentications become commonplace in the years to come.
Thomas Claburn,
User Rank: Moderator
2/6/2013 | 9:40:11 PM
re: The Dreaded Captcha: Beginning Of The End?
I actually like the math CAPTCHAs, where you have to type the sum of two single digit integers. Not only does it provide the satisfaction of knowing I have mastered kindergarten-level math, but it fills me with confidence that no computer could ever tackle such a complex equation.