From CAPTCHA to GOTCHA?

Internet users are familiar with the CAPTCHA system of identifying website users, in which the user is presented with a picture that is readable by a human but difficult for a machine to read. When CAPTCHA is used in this manner, the website presents a CAPTCHA picture and asks the user to enter the word or number shown in it in another box. Since the CAPTCHA cannot be read or identified by a machine, it is believed that only humans will be able to pass the CAPTCHA test. In many cases CAPTCHA is used independently of a password, just to prevent automated robotic access.

A CAPTCHA test can also be used after the password entry if the objective is to prevent a computerized log in after a password has been stolen by fraudsters. In such a case it becomes a second line of defense with the limited objective of preventing mass break-ins.

In India, some banks use a picture as a second factor of identification at the time of log in. In this case, after the user enters the password, a picture is displayed which the user has to confirm as his preferred choice. However, this system is being implemented very poorly (e.g. the Corporation Bank website) and does not seem to offer any additional security. It is also now reported that the CAPTCHA system has been completely broken and that it is possible to run an algorithm which breaks the CAPTCHA with 90 to 97% success.

To replace the CAPTCHA system, a new system called GOTCHA, referred to as the “Ink blot test”, has been developed by a team at Carnegie Mellon University. It is being hailed as a significant improvement over CAPTCHA and is being recommended as a second factor of authentication to fortify the password system. It is a randomized puzzle generation protocol which involves interaction between a computer and a human. In such a system, after the password entry is successful (or simultaneously with the password entry), the user is presented with a set of ink blot pictures along with some phrases associated with the ink blots. The user is required to match the pictures with the phrases. The ink blot pictures are randomly generated by the system when the password is created. The user creates the phrases himself: when he first selects the password, the ink blot pictures are presented to him and he associates a phrase of his choice with each picture.
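The enrolment and login flow described above can be modelled as follows. This is an added example, not code from the Carnegie Mellon team or from this article. Its assumptions: short hex ids stand in for rendered ink blot images, the ink blots are derived from the password and a salt so they can be regenerated at login, the correct matching is bound into the stored hash, and all function names and the count of four ink blots are hypothetical.

```python
import hashlib
import hmac
import os
import random

N_BLOTS = 4  # constructed value; the article does not say how many ink blots are shown

def make_inkblots(password: str, salt: bytes) -> list[str]:
    """Assumption: the puzzle is derived from password + salt so it can be
    regenerated at login. A hex id stands in for each rendered ink blot."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return [hmac.new(key, bytes([i]), "sha256").hexdigest()[:12] for i in range(N_BLOTS)]

def _digest(password: str, salt: bytes, matching: list[int]) -> bytes:
    # Binds the password and the phrase-to-ink-blot matching into one stored value.
    # The matching is a fixed-length suffix, so the encoding is unambiguous.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + bytes(matching), salt, 100_000)

def enroll(password: str, describe) -> dict:
    """describe(blot) returns the user's own phrase for one ink blot."""
    salt = os.urandom(16)
    blots = make_inkblots(password, salt)
    order = list(range(N_BLOTS))
    random.SystemRandom().shuffle(order)
    # Phrases are kept in shuffled order; the matching itself is never stored.
    phrases = [describe(blots[i]) for i in order]
    return {"salt": salt, "phrases": phrases, "hash": _digest(password, salt, order)}

def challenge(password: str, record: dict) -> tuple[list[str], list[str]]:
    """What the login page shows: regenerated ink blots plus the stored phrases."""
    return make_inkblots(password, record["salt"]), record["phrases"]

def verify(password: str, record: dict, matching: list[int]) -> bool:
    """matching[j] is the index of the ink blot the user picked for phrase j."""
    return hmac.compare_digest(_digest(password, record["salt"], matching), record["hash"])

if __name__ == "__main__":
    describe = lambda blot: f"looks like {blot}"  # simulated user (constructed)
    rec = enroll("correct horse", describe)
    blots, phrases = challenge("correct horse", rec)
    picks = [blots.index(p.removeprefix("looks like ")) for p in phrases]
    print("right password, right matching:", verify("correct horse", rec, picks))
    print("right password, wrong matching:", verify("correct horse", rec, picks[1:] + picks[:1]))
    print("wrong password:", verify("guess", rec, picks))
```

Under these assumptions a stolen record is not enough to test password guesses automatically, because each guess yields a different set of ink blots that still has to be matched to the stored phrases.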

Though the system appears a bit complicated and could be considered an irritant (as all security measures are), it would be welcome if it can improve the security of the system to some extent. Though the system appears innovative in theory, it remains to be seen how it would be adopted by an average Internet user. If he finds it too cumbersome and faces too many rejections, the system may ultimately become unpopular, unless users devise their own innovative methods to remember the patterns and the associated phrases.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.