Challenge-response techniques called "CAPTCHAs" designed to keep spambots off Web sites can easily be broken by humans who are paid to type in the responses, according to a new report from security firm Imperva.
CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are generated by programs and are intended to be difficult for computers to fill out.
"One of its inherent flaws today is that it can be easily bypassed by outsourcing it to human solvers for a very low cost," the study (PDF) says. "When the CAPTCHA is solved for the attacker by other humans, it doesn't matter how good it is at distinguishing humans from machines. Therefore, a CAPTCHA alone is not enough to guarantee the security and the content quality of the site."
Bad CAPTCHAs can also turn people away if they are difficult or annoying to complete. To avoid this, the report suggests creating mini-games or using CAPTCHAs only when there is suspicious behavior.
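The report's second suggestion, serving a CAPTCHA only when a client's behaviour looks suspicious, is easiest to see as a small risk gate. The Python below is an added example and is not code from Imperva's report or from this article; the signals it scores (submission rate, implausibly fast form fill, a honeypot form field, earlier failed challenges), the thresholds and the sample traffic are all constructed assumptions.

```python
"""Risk-based CAPTCHA gating: challenge only on suspicious behaviour.

Added illustration, not code from Imperva's report or the article. Every
threshold, signal name and sample request below is a constructed assumption.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Constructed thresholds (assumed values; tune for a real site).
WINDOW_SECONDS = 60          # sliding window for per-client rate counting
MAX_POSTS_PER_WINDOW = 5     # more submissions than this looks automated
MIN_FORM_FILL_SECONDS = 2.0  # humans rarely submit a form faster than this
CHALLENGE_SCORE = 3          # risk score at or above which a CAPTCHA is shown


@dataclass
class Request:
    ts: float                 # epoch seconds of the request
    client: str               # client identifier (e.g. IP + session), constructed
    path: str
    form_fill_seconds: float  # time between form render and submit
    honeypot_filled: bool     # hidden field that only automated clients tend to fill


@dataclass
class ClientState:
    recent: Deque[float] = field(default_factory=deque)  # submit timestamps in window
    failed_challenges: int = 0


class RiskGate:
    """Decides per request whether to serve a CAPTCHA.

    The score is additive over independent signals so that one noisy
    signal (a fast but legitimate user, say) does not trigger a challenge
    on its own.
    """

    def __init__(self) -> None:
        self.clients: Dict[str, ClientState] = defaultdict(ClientState)

    def _prune(self, state: ClientState, now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while state.recent and now - state.recent[0] > WINDOW_SECONDS:
            state.recent.popleft()

    def score(self, req: Request) -> Tuple[int, List[str]]:
        state = self.clients[req.client]
        self._prune(state, req.ts)
        state.recent.append(req.ts)
        reasons: List[str] = []
        points = 0
        if len(state.recent) > MAX_POSTS_PER_WINDOW:
            points += 2
            reasons.append("rate")
        if req.form_fill_seconds < MIN_FORM_FILL_SECONDS:
            points += 1
            reasons.append("fast_fill")
        if req.honeypot_filled:
            points += 3
            reasons.append("honeypot")
        if state.failed_challenges:
            points += state.failed_challenges
            reasons.append("prior_failures")
        return points, reasons

    def needs_challenge(self, req: Request) -> bool:
        points, _ = self.score(req)
        return points >= CHALLENGE_SCORE

    def record_challenge_result(self, client: str, passed: bool) -> None:
        state = self.clients[client]
        if passed:
            state.failed_challenges = 0
        else:
            state.failed_challenges += 1


def demo() -> List[Tuple[str, bool]]:
    """Constructed sample traffic: one human, one burst poster, one honeypot hit."""
    gate = RiskGate()
    events = [Request(10.0, "human-A", "/comment", 8.5, False)]
    # A bot-like client posting 7 times in 12 seconds, each form filled in 0.4 s.
    events += [Request(20.0 + i * 2, "bot-B", "/comment", 0.4, False) for i in range(7)]
    events.append(Request(40.0, "bot-C", "/comment", 5.0, True))  # honeypot filled
    return [(r.client, gate.needs_challenge(r)) for r in events]


if __name__ == "__main__":
    for client, challenged in demo():
        print(f"{client}: {'CAPTCHA' if challenged else 'pass'}")
```

The gate only decides when a challenge is shown; it does nothing about the report's main point, that a paid human solver defeats any CAPTCHA once it is shown. What it buys is that ordinary users rarely see a challenge, and that an attacker who outsources solving pays for it only on the fraction of requests the signals flag, which is also where the honeypot and rate signals give the defender a detection record independent of the CAPTCHA itself.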