Flaunting my ignorance yet again... so sad!
Say I've got web subscription service. I've got login using username, password, and CAPTCHA. I can set a timer on the CAPTCHA/login form. I can check for and prevent multiple, simultaneous logins by the same user. I might be able to check for and prevent multiple logins from the same user from geographically distant points within some reasonable time span. But, what can I do to prevent a legit subscriber (called badguy) from parsing my login screen, filling in the UN / PW via script, and passing the CAPTCHA on to an unregistered 3rd party. Couldn't badguy then return my login form with all the fields filled in (again via script) as though it were him (or her)?.

Is there a way to make the login process really secure?

Thanks!
joe