Mechanical Turk vs. CAPTCHA: An InfoSec Lesson


I’ve always hated the “THING is dead. Long live the THING” cliché, but I’m going to use it here for CAPTCHA.

CAPTCHA raises the cost of attacking something, which improves its security. It’s that simple. The question is simply how much you raised the cost vs. the dedication and resources of the attacker.

For a random, uninteresting blog, by using a good CAPTCHA you’ve probably raised the cost of attacking it beyond what most attackers will pay. For something valuable, however, like attacking a virtual economy, or gaining access to email accounts that can be used for spam, you probably haven’t.

With services like Mechanical Turk, through which people are paid to solve CAPTCHAs, an attacker can trivially break this line of defense.

It’s important to understand that this doesn’t mean CAPTCHAs are “lame” or “good”. Those are objective labels being applied in a subjective context, i.e. one in which what matters is how interested and well-resourced the attacker is vs. how valuable the target is.

Remember to evaluate all your security controls in this way.
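To make that evaluation concrete, here is a small cost model, added here as an example and not part of the original post. It treats a CAPTCHA as a per-attempt cost imposed on the attacker and asks two questions: what is the attacker’s expected profit at a given volume, and how high would the per-attempt cost have to be before attacking stops paying? Every number in the two scenarios (solve cost, success rate, value of a success) is a constructed assumption for illustration, not a measured figure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackEconomics:
    """Per-target parameters. All values here are illustrative assumptions."""
    solve_cost: float          # attacker's cost per CAPTCHA attempt (e.g. paying a human solver)
    solve_rate: float          # fraction of attempts that yield a correct answer
    value_per_success: float   # what one successful abuse (spam post, mail account, ...) is worth to the attacker
    other_cost: float = 0.0    # per-attempt cost that does not depend on the CAPTCHA (IPs, compute)


def expected_profit(e: AttackEconomics, attempts: int) -> float:
    """Attacker's expected net gain after `attempts` tries against this target."""
    successes = attempts * e.solve_rate
    total_cost = attempts * (e.solve_cost + e.other_cost)
    return successes * e.value_per_success - total_cost


def break_even_solve_cost(e: AttackEconomics) -> float:
    """Per-attempt solve cost at which the attacker's expected profit is exactly zero.

    This is how much cost the control has to impose before it deters a
    purely economic attacker; anything cheaper than this is merely a speed bump.
    """
    return e.solve_rate * e.value_per_success - e.other_cost


def captcha_is_deterrent(e: AttackEconomics) -> bool:
    """True when the cost the CAPTCHA imposes meets or exceeds the break-even point."""
    return e.solve_cost >= break_even_solve_cost(e)


# Constructed scenario 1: comment spam on an uninteresting blog.
# A spam comment is worth very little, so even a cheap human-solved CAPTCHA wins.
BLOG = AttackEconomics(solve_cost=0.002, solve_rate=0.9, value_per_success=0.001)

# Constructed scenario 2: webmail accounts harvested for spam.
# Each account is worth far more than a human solve costs, so the same CAPTCHA loses.
WEBMAIL = AttackEconomics(solve_cost=0.002, solve_rate=0.9, value_per_success=0.50)


if __name__ == "__main__":
    for name, target in (("blog", BLOG), ("webmail", WEBMAIL)):
        print(
            f"{name}: profit over 1000 attempts = {expected_profit(target, 1000):.2f}, "
            f"break-even solve cost = {break_even_solve_cost(target):.4f}, "
            f"deterrent = {captcha_is_deterrent(target)}"
        )
```

The interesting output is the break-even figure: for the webmail scenario the CAPTCHA would have to cost the attacker roughly 45 cents per attempt to stop paying off, which no CAPTCHA can impose once a human is willing to solve it for a fraction of a cent. The same control, unchanged, deters one attacker and is irrelevant to the other; only the target value and attacker economics moved.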
