The problem with that is the issue of privacy. I'd prefer not to allow
any old forum moderator to have my phone number, for example. Even
getting past that, phone numbers can be faked, and I'd imagine the
phone system would have to be automated, which means that once the
counter-response is figured out it could be cracked rather easily. On
top of that, what if the web site in question isn't in your country of
residence? Some of those international rates can get nasty, at least
in the U.S.

This is a problem with no easy solution, unfortunately, though I
personally believe that questions structured in an odd way that the
human brain could figure out are the best compromise. It has its
problems, such as needing to be familiar with the language in
question, but at the same time I believe it to resolve most of the
other problems. Let's face it, no matter what security measure anyone
comes up with there will always be someone to break it. And the ones
trying to make things secure wind up playing catch-up as their
security measures are broken. The question in my mind is how much
security will the end users tolerate? Hopefully it's a question we
won't ever have to actually see answered.

On Jun 20, 2008, at 9:25, Chris Blouch wrote:
This is another example of how to avoid hackers getting in. Add some
real expense and traceable communications to the authentication
process. A hacker doesn't care if they have to try 10000 times to
crack one captcha since they are doing it through some botnet. The
bandwidth and compute power are essentially free and they can hide
behind a shield of relative anonymity. If they have to make a phone
call that raises the bar. For one, that call is traceable so if
something funny happens it comes back to a phone number under
somebody's name. It also has a real cost as the phone line or cell
phone account costs real money and they can't automate it so some
real human will have to make the call. The 10000 tries now isn't
such a great deal.
CB

Dan Eickmeier wrote:
And that is good for those who are on cell phone providers that
support that verification. Mine didn't, and I had to email their
support to get it fixed.

On 19-Jun-08, at 12:21 AM, Chelsea wrote:
Well, that is good for those who have talking cell phones. :(

On Jun 18, 2008, at 9:17 PM, John Moore wrote:
They should do it like Facebook, where they take the Captcha
away when you verify your cell phone number with a code they send
you via text message. When you type the code in right, Captcha
becomes nonexistent.