Tales from the Cloud – Part 3: Malicious Fake Profiles – Captcha Gotcha

Thursday, November 5, 2009 by Pam Casale

From the desk of Warren Axelrod:

It’s virtually impossible to know who you can trust on the Web. Read the October 1, 2009 column by Elinor Mills, “Facebook shuts down malicious fake profiles.” It will certainly raise your level of concern on several counts.

Seemingly there are “numerous profiles” on Facebook that “were identical except with different names …” If someone clicked on a link within the profile, they could be tricked into paying for unneeded software, revealing credit card information, or having spyware installed on their machines.

Roger Thompson, chief of research at the antivirus provider AVG Technologies, is quoted as saying that the bad guys “…have found a way to automate the creation of Facebook accounts, which means that they have found a way to bypass the Facebook Captcha, a hard-to-read image of letters [and other characters, such as numbers] supposed to ensure that a human is involved.” Solving a Captcha is required for opening a new account on Facebook.

Facebook spokesman Simon Axton claims that the Captchas were not in fact read automatically, but had been solved with human intervention.

There have been rumors for some time that hackers were working on recognizing Captcha characters by machine in order to defeat the effectiveness of the method. Were this to happen, yet another heavily relied-upon authentication method would go down the tubes. It may be, in the Facebook example, that the Captcha technology was not in fact compromised. But it’s likely only a matter of time before it will be.

There are some who look forward to the possibility that the Captcha images will be broken, since that would signal a material advance in pattern recognition. That may seem somewhat perverse, but early hackers and some current software vulnerability seekers have claimed that they are a positive force, striving to improve security for all.

Whichever position you may take, the single most important lesson to derive from this is that any security measure is only effective until it is broken … and breaking it is only a matter of time and persistence.
