Wednesday, November 21, 2007

Reinventing wheels, poorly

Not all CAPTCHAs are equally good at determining human/not human. It's affecting Hannah Montana concert tickets, where scalpers are defeating the CAPTCHAs to get more tickets than they should. [Link]

It seems an awful lot of programmers subscribe to the "add some crazy patterns and/or colors to the text and pray for the best" school of CAPTCHA design. That's not only sloppy, it just doesn't work. The top of this chart is littered with their failed attempts. On some sites, this is OK. They don't need the same world-class level of protection from bots and scripts that Ticketmaster does-- there's tremendous financial incentive for scalpers to break their system.

This particular hacker estimates a 50% success rate against the Ticketmaster captcha, long before the above article was published. No wonder those parents weren't able to buy their kids Hannah Montana tickets-- it's not because of failings in CAPTCHA protection, it's because the ticketmaster programmers failed to implement CAPTCHA correctly.

Instead of hacking together their own partially effective (and often not even human solvable) CAPTCHA, what Ticketmaster's programmers should have done is studied prior art-- in particular, by outright copying the high-volume, extensively researched Yahoo, Google, and Hotmail CAPTCHAs. I'm awfully fond of Google's CAPTCHA technique; in my professional opinion, it is simultaneously the most readable and the most hellishly difficult to OCR correctly. If you need industrial strength protection from bots and scripts, that's where you want to start.

No comments:

Post a Comment