Google reCAPTCHA cracked

Bob Hubbard

Retired
MT Mentor
Founding Member
Lifetime Supporting Member
MTS Alumni
Joined
Aug 4, 2001
Messages
47,245
Reaction score
772
Location
Land of the Free
Despite denials from Google, a security researcher continues to assert that the Search King’s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers. Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.

Some simple math reveals just how alarming Wilkins’ findings are. The operator of even a modest botnet of 10,000 machines would be perfectly happy with a success rate of 0.01 percent. That would mean 10 new gmail accounts could be created every second or 864,000 new accounts a day from which spam could be launched.
http://www.allspammedup.com/2010/01/google-recaptcha-cracked/

Google can deny it all they want. It's true. We use reCAPTCHA to weed out bots, and the last few weeks have been pure hell. Finally got it under control but where we used to see maybe 1-2 a day, we're still deleting 50-75 a day. Half never make it past the initial reg phase as by the time they try to confirm their accounts Gmail (gee, another Google service) has shut them down. The other half get weeded out when we manually review the accounts for completion and certain red flags.

Still, I miss the days where the biggest registration headache was someone getting pissed because we didn't know which of the 20+ Londons he lived in.
 

Rayban

Green Belt
Joined
Jul 23, 2009
Messages
118
Reaction score
0
Location
Melbourne, Australia
Gotta love hackers. Just more proof that nothing is perfect or impervious.

The only real way to ensure teams of hackers can't get into your online system is to have your own team of 'anti-hackers' countering.

This hacker war will be the bane of the internet forever. Nothing will stop it no matter how good security is.

I work in a secure location and we have our own offline server for everything we do. Physically isolating oneself is really the only way to eliminate the problem, which is fine for specific work... but nothing else in this wired up world we live in now.
 
Bob Hubbard

Personally, I support public flogging followed by a short drop and sudden stop for spammers, botnet operators, and their ilk. But that's just me. :D
 

Rayban

That's pretty much what I mean. As long as whatever advantage each side gets doesn't last long and everything is on an equal footing... more or less.
 
