[bct] Re: Fw: CAPTCHA the Internet

  • From: "Brent Harding" <bharding@xxxxxxxxxx>
  • To: <blindcooltech@xxxxxxxxxxxxx>
  • Date: Mon, 27 Feb 2006 20:59:16 -0600

I haven't contacted the federal reserve or anything. I'm not sure who you 
contact for credit unions. I have contacted people their a couple weeks ago. 
They said they were going to have someone call me after they contacted their 
online vender to see what they may be able to do about it, but I haven't 
received a call back. I think I'll call them again to see what they found out. 
At least it sounds like they hopefully want to do something as the person I 
spoke with understands the issue that I use speech output that is unable to 
read the code. Their issue, according to what they say, is getting their vender 
to do something, whether it be a fixed code that I enter or if they can put 
audio in. I know godaddy's argument against audio that speech recognition can 
be trained to defeat it, but what they probably could do is switch to a 
username and longer password. I see that 7-digit account numbers and 4-digit 
pins are badly hackable without captcha, but it integrates with their phone 

  ----- Original Message ----- 
  From: Darrell Shandrow 
  To: blindcooltech@xxxxxxxxxxxxx 
  Sent: Monday, February 27, 2006 8:07 PM
  Subject: [bct] Re: Fw: CAPTCHA the Internet

  Hi Brent,

  Have you contacted someone at your bank and let them know that this means you 
are denied participation in online banking?  Not sure just changing to another 
bank, which might soon just do the same thing, is the way to handle it.  
Doesn't FDIC, FTC, Federal Reserve or anyone like that have anything to say 
about this?

  Darrell Shandrow - Shandrow Communications!
  Technology consultant/instructor, network/systems administrator!
  A+, CSSA, Network+!
  Visit http://www.petitiononline.com/captcha and sign the Google Word 
Verification Accessibility Petition today!
  Information should be accessible to us without need of translation by another 
  Blind Access Journal blog and podcast: http://www.blindaccessjournal.com
    ----- Original Message ----- 
    From: Brent Harding 
    To: blindcooltech@xxxxxxxxxxxxx 
    Sent: Monday, February 27, 2006 7:03 PM
    Subject: [bct] Re: Fw: CAPTCHA the Internet

    Yeah, it is really getting ridiculous. I'm going to have to get my money 
out of one of my bank accounts and find a credit card elsewhere some how. I 
just wonder who would give me one, had an advantage at the credit union of 
having money in the savings account. I'm just trying to find who to transfer it 
away to, since their captcha is on every login attempt and I heard this is 
becoming a banking trend.

      ----- Original Message ----- 
      From: Ray Foret Jr. 
      To: blindcooltech@xxxxxxxxxxxxx 
      Sent: Monday, February 27, 2006 6:04 PM
      Subject: [bct] Fw: CAPTCHA the Internet

      ----- Original Message ----- 
      From: Barb O'connor 
      To: broconnor1972@xxxxxxxxxxxxx 
      Sent: Monday, February 27, 2006 2:25 PM
      Subject: CAPTCHA the Internet

      I thought you might find this interesting.


      Tag-strategia.com (Blog)
      Tuesday, February 21, 2006

      CAPTCHA the Internet

      CAPTCHA (an acronym for "Completely Automated Public Turing test to tell
      Computers and Humans Apart") has been on my mind ever since Phil Windley
      suggested a graphical CAPTCHA would make a good web service. I thought 
      might be those willing to pay to use it. Well, it's been done.

      There is a need for this type of test. Yahoo! and Hotmail use a CAPTCHA to
      stave off spammers when a user requests an email account. I suspect the 
      common use is on other sites is an attempt block automated comment spam in

      CAPTCHA excludes legitimate users

      As the W3C points out graphical CAPTCHAs are a significant barrier to
      low-vision and blind users. Those with learning disabilities, such as
      dyslexia, may also be adversely affected. As visual CAPTCHAs become more
      sophisticated, busy, patterned background becomes more of an issue for
      color-blind users.

      The U.S. Census Bureau estimated that in 1997 about 7.7 million Americans
      had difficulty seeing the words and letters in an ordinary newspaper. The
      American Foundation for the blind reported about 5 in 1,000 Americans are
      legally blind, and gives a low estimate of 1.5 million visually impaired
      computer users. That's a fairly significant potential market to ignore.

      Requiring users to interpret a visual CAPTCHA may lead to legal 
      Earlier this month, the National Federation for the Blind filed suit 
      Target, claiming target.com discriminates by not being accessible to
      visually impaired users.

      Audio CAPTCHA

      Some companies are experimenting with audio CAPTCHAs, spelling out random
      letters with random noise in the background. However, aural disabilities 
      more common than visual ones, so the approach isn't really more 
      Speech recognition software is more advanced than character recognition, 
      the purported purpose of differentiating between humans and computers is 
      filled anyway.

      CAPTCHA is broken

      Several projects to crack common visual CAPTCHA algorithms, particularly 
      CAPTCHA Project (by the Carnegie Mellon School of Computer Science), the 
      Berkeley Computer Vision Group, and Sam Hocevar's PWNtcha, have had good
      success. Howard Yeend demonstrated a vulnerability in several public
      algorithms where he could reuse a solution several thousand times after
      manually solving it once.

      Social engineering is often easier than fancy programming. The first 
      recognized social engineering solution was "borrowing" CAPTCHAs from 
      sites and showing them at entry points to porn sites. Visitors to porn 
      would solve the CAPTCHAs, allowing spammers to get essentially free labor.
      Amazon's Mechanical Turk (tagline: "Artificial Artificial Intelligence"),
      which gives micro-payments for simple tasks is an example of another way
      CAPTCHAs could be defeated. Even at a few cents per image, the cost may
      still be too high for spammers, but it is a demonstration that the process
      can be outsourced. After all, the world is flat.

      What is the underlying purpose?

      The real reason for CAPTCHA is to screen undesirables. For low traffic
      sites, it means preventing automated access. This can be accomplished in a
      relatively simple way: add a single required question to the comment 
      form. Something like "What color was George Washington's white horse?" or
      "Enter the fourth word in this sentence." This is enough to make the form
      non-standard, thus unusable by generic bots. Bypassing this added security
      would be very easy for spammers, the advantage is the relative obscurity 
      most blogs. To target multiple blogs, a spammer would need to address each
      one individually; individual attention is unlikely, so I suggest this 
      is the easiest for bloggers with a knowledge of web programming, and is as
      accessible as a comment form without a CAPTCHA.

      Major sites like Yahoo! and Google have a bigger problem. After all, they
      are targets both because of the value of their services, and their size.
      When it first launched Gmail, Google limited accounts to those who had 
      invited by other active users. Initially there was a good bit of commotion
      in the tech community as gmail.com addresses became a sign of prestige. 
      invitation system allows Google to track which users may be abusing the
      service, and which users invited the abusers. Google has gone a step
      further, and now allows potential users to have an invitation code sent to
      their mobile phones. The number of accounts requested per phone number can
      be tracked. The potential gain from a limited handful of throw-away email
      accounts, and the cost of mobile phones (even disposable ones) is enough 
      deter spammers, because less troublesome alternatives exist.

      If you look at Google's account request page, you'll see a CAPTCHA there.
      Google responsibly offers a way for users with disabilities to bypass the
      CAPTCHA, although it involves human-to-human interaction (and quite a bit
      more time) to complete-a costly alternative.

      Real solutions

      Several solutions to the problems with CAPTCHA have been proposed and
      debated. Most have major cost or accessibility problems.

      It would seem the only good solution is some sort of federated identity
      system, which is really just offloading the trouble of user validation to
      someone else.


      BlindNews mailing list

      Archived at: http://GeoffAndWen.com/blind/

      Address message to list by sending mail to: BlindNews@xxxxxxxxxxxxxxxxxxxx

      Access your subscription info at:

      To unsubscribe via e-mail: send a message to
      BlindNews-Request@xxxxxxxxxxxxxxxxxxxx with the word unsubscribe in either
      the subject or body of the message

      Yahoo! Groups Links

      <*> To visit your group on the web, go to:

      <*> To unsubscribe from this group, send an email to:

      <*> Your use of Yahoo! Groups is subject to:

Other related posts: