Anti-automation is a common requirement on modern web applications. CAPTCHAs are everywhere, and now even more prevalent are reCAPTCHAs. The problem here is twofold, and you've probably experienced this already.
The first real issue is that CAPTCHAs were, for quite some time, the most advanced way to deter automated scripts, bots, and programs from filling in forms - such as free web email registration forms. The reality is that CAPTCHAs were easily broken by automation software through the use of OCR (Optical Character Recognition). In a strange irony, the software that was built to "read" graphics and translate them into text (as in a scanned document) was being used to "read" CAPTCHAs and thus break the anti-automation.
Next came the reCAPTCHA. This is much more difficult to break for a number of reasons not relevant here, but the sad reality is that when high-tech solutions fail, the bad guys turn to low-tech answers. The answer in this case turned out to be low-cost worker pools in 3rd world countries. The evil masterminds out there wrote programs that pulled the reCAPTCHA images into a console, and someone would just sit all day and type in the letters they saw. These worker-drones are often in 3rd world countries, and make on average $0.01 (that's a penny, USD) per image they successfully transcribe. Now, that may sound insane to someone like you or me - but remember these are 3rd world, impoverished workers who have rapidly expanding access to technology. Through the Internet's reach they are able to make as much as $3.00-$5.00 per day - that's a fairly good wage when you consider the average income for some of these parts of the world. Add to that the ability to work from anywhere there is an Internet connection (which doesn't even have to be fast!) and this can turn into the perfect labor for entire families in some of these places.
The economy of greed will always find a way to thrive - and this example is just one of many ways that anti-automation is overcome by ingenuity and low-tech solutions. This isn't the end of the story though, because there is a problem.
What if, in order to compensate for the ever increasing leaps in OCR technology, CAPTCHA companies start to create CAPTCHA images that even a normal human can't decipher? I ran into one such incident lately, and since it's been happening more and more I thought I should write about it to raise some awareness.
The situation I can most clearly describe (and one that you may already be familiar with) happened on TicketMaster.com. If you've been ripped off by TicketMaster lately... I mean, if you've bought tickets on TicketMaster lately - you've undoubtedly had to transcribe the CAPTCHA image to complete your ticket search and purchase. How many times have you found yourself squinting and thinking real hard before typing in those letters you think you see? I'm betting pretty often. The problem comes when we have to make Turing tests so hard that humans are failing them. This undoubtedly brings on the obligatory rant about usable security - right? Think about it.
This is just one story, one example - I'm sure you have a few of your own like this.
If Turing tests become so difficult that a normal person fails them - and thus is prevented from performing a legitimate transaction - yet criminals are finding ways around this... who's winning?
Update 1 [3/12/10 @ 10:14am] ______
So ... this is disturbing, but I got an email from someone who says I have my numbers wrong. This someone would know... apparently the $/CAPTCHA is wrong - the real number right now is: $0.85 USD per 1,000 transcribed CAPTCHAs. Wow, just wow.