[cryptography] CAPTCHA as a Security System?

Jeffrey Walton noloader at gmail.com
Mon Jan 2 12:58:15 EST 2012

Hi All,

I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn,
Blum, Hopper, and Langford (www.captcha.net/captcha_crypt.pdf).

I understand how recognition is easy for humans and hard for computer
programs. Where is the leap made that CAPTCHA is a [sufficient?]
security device to protect things like web accounts, email accounts,
and blog comments? It seems to me that a threat model in which bots
(ie, programs) are the only adversary is flawed.

Would a security system that does not model a human attacker really
qualify as a security system? Or is the system only adequate for low
value targets, such as email accounts and blog comments? I'm kind of
inclined to the latter.

The reason I ask is Wiseguy Tickets Inc and their gaming of
Ticketmaster's CAPTCHA system to buy tickets [1]. Eventually, Wiseguy
Tickets was indicted, and the indictment included a an assertion,
"[Wiseguy Tickets Inc] defeated online ticket vendors' security
mechanisms" [2]. I'm not convinced CAPTCHA is a security system, and I
definitely don't consider it a system to protect multi-million dollar


[1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
[2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf

More information about the cryptography mailing list