Does CAPTCHA Really Enhance Login Security?
Every second counts on the Internet, and even the most patient users get frustrated when online tasks aren't completed in the quickest, most efficient way possible. Hence, even the most tolerant people are often annoyed by CAPTCHAs – the simple tests that are often put in registration forms and comment sections.
To a layman, CAPTCHAs look like an unnecessary annoyance created by someone who just wants to make people's lives harder. More experienced users know that although they add friction to the overall experience, we need them for security purposes. Few, however, realize just how many problems CAPTCHA tests solve, and how important they are.
What is a CAPTCHA test?
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It's not the nicest-sounding name in the world, but at least it does the job of conveying what the technology is all about – it's an automated way of discovering whether or not a real person is on the other end of the keyboard. But why do we need to do this at all?
As we mentioned already, in the online world, it's important to do as much as possible in as little time as possible. And this goes not only for regular computer users but also for people who are up to no good. Automated scripts can now do most of the things you can do – post comments, log in to online accounts, and register for new services. Often, the bad guys program automated scripts to do all these things with the intent of causing harm, compromising users' privacy, or simply to annoy them. CAPTCHA's goal is to limit these activities.
The annoying problems CAPTCHA solves
If you're developing a service or a product, it's important to hear what people think about it, and thanks to the Internet, this is easier than ever. Negative customer reviews can often act as a deal-breaker for many people, and naturally enough, vendors are scared of them. Many respond to criticism by acknowledging that some mistakes might have been made during the design and development of the product, and then investing time and effort into fixing the errors.
Sadly, others take a different approach. They use automated bots to post an overwhelming number of positive reviews and comments about their own products. The positivity drowns out the real opinions, and would-be customers get a wrong impression of what real users actually think. Obviously, the same technique can be used in the opposite direction – flooding comment sections and discussion boards with negative reviews about a certain product in order to sway people away from it.
CAPTCHA tests don't allow comments or reviews to be posted by automated bots, meaning that people who want to gain an unfair advantage by influencing users' opinion need to do it manually, which is neither quick nor efficient. This is good news, but there's a lot more to CAPTCHA than this.
As you probably know, there are many people out there who want to collect as much information about you as possible. The activity is known as web scraping, and although it can have legal repercussions in some countries, this obviously isn't enough to deter many people and organizations. Once again, speed is of the essence, which is why there are tools designed to harvest data automatically. As you might have guessed already, CAPTCHA tests render them inefficient.
The more serious problems CAPTCHA solves
Having your personal information collected by aggressive marketers isn't particularly pleasant, and neither is getting fooled into buying a low-quality product. Both these things, however, are unlikely to have particularly long-lasting effects on your life. Unfortunately, automated scripts are sometimes used for schemes that have far more serious consequences.
Spam, as you probably know, is one of the biggest problems cybersecurity professionals face. It's used for anything from advertising dodgy pharmaceutical products to distributing malware, and it can be a very powerful weapon in the crooks' arsenal. The criminals need to send the spam from somewhere, though, which often presents a bit of a problem.
They can (and often do) use compromised email accounts of users who don't suspect a thing. The problem for the spammers is that soon after the first wave of fraudulent messages is unleashed, the senders are added to blacklists, and subsequent messages often remain undelivered.
Free email providers that don't have CAPTCHA tests on their registration pages give crooks a solution. The spammers can simply write an automatic tool that creates hundreds of new, unique email accounts in minutes. Then, when those get blocked, the script can register another batch of accounts, and so on. All the crooks need to do is click some buttons, sit back, and wait for the results.
Speaking of which, this is pretty much all they do when they launch an online brute-force attack as well. Contrary to popular belief, you don't actually need to do a lot of "hacking" in order to launch a cyberattack. Often, it's all down to finding the right tools and deploying them. In a brute-force scenario, a CAPTCHA test could mean the difference between a successful attack and a failure, especially when the attackers aren't very sophisticated. Unfortunately, they sometimes are.
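One way to fit a CAPTCHA into an online login path, as an added example that is not from the article: a gate that counts failed attempts per account and per source address and, once a threshold is crossed, refuses to even evaluate the password unless the request carries a CAPTCHA token. `LoginGate`, `USERS`, the threshold and the stand-in `verify_captcha` are assumptions; a real deployment would call the CAPTCHA provider's server-side verification endpoint in its place.

```python
from collections import defaultdict
import hmac

# Constructed sample credential store; a real system stores password hashes.
USERS = {"alice": "correct horse battery staple"}
# Failures per account or per source address before a CAPTCHA is demanded.
CAPTCHA_THRESHOLD = 3
# Constructed tokens the stand-in verifier accepts (assumption, not a real API).
VALID_CAPTCHA_TOKENS = {"human-solved-token"}

class LoginGate:
    def __init__(self, threshold=CAPTCHA_THRESHOLD):
        self.threshold = threshold
        self.failures_by_user = defaultdict(int)
        self.failures_by_source = defaultdict(int)

    def captcha_required(self, username, source_ip):
        return (self.failures_by_user[username] >= self.threshold
                or self.failures_by_source[source_ip] >= self.threshold)

    def verify_captcha(self, token):
        # Stand-in for the provider's server-side verification call.
        return token is not None and token in VALID_CAPTCHA_TOKENS

    def attempt(self, username, password, source_ip, captcha_token=None):
        """Return 'ok', 'bad_credentials' or 'captcha_required'."""
        if (self.captcha_required(username, source_ip)
                and not self.verify_captcha(captcha_token)):
            # The password is never checked: the guess is refused before
            # the automated client can learn anything from the credential check.
            return "captcha_required"
        expected = USERS.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures_by_user[username] = 0
            return "ok"
        self.failures_by_user[username] += 1
        self.failures_by_source[source_ip] += 1
        return "bad_credentials"

def count_checked_guesses(gate, username, guesses, source_ip):
    """Feed constructed password guesses with no CAPTCHA token and return
    how many of them actually reached the credential check."""
    checked = 0
    for guess in guesses:
        if gate.attempt(username, guess, source_ip) != "captcha_required":
            checked += 1
    return checked
```

Only the first few guesses are ever compared against the stored credential; everything after the threshold is turned away at the gate, while a person who solves the challenge still gets in.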
The evolution of CAPTCHA
Most of you probably think of images of distorted words when you discuss CAPTCHA. You might have noticed, however, that CAPTCHA tests have changed somewhat over the last few years.
The whole point of a CAPTCHA test is that it should be easy for a human but an impassable obstacle for a computer. Some years ago, the classic CAPTCHAs with the twisted words were just that. Over the years, however, Optical Character Recognition (OCR) technology got better and better, and slowly but surely, computers started "reading" the distorted words. Developers responded by making the challenges more difficult, but at one point, people started complaining that the words were quite simply unreadable. The audio equivalents provided for visually impaired users also proved ineffective against sophisticated attacks.
Realizing that something must be done, Google developed noCAPTCHA reCAPTCHA – a test that is seemingly a lot easier to solve than the classic CAPTCHA. Right now, on most websites, you just need to click a checkbox to prove that you are a human being, and when there is another challenge, it's usually something easy like selecting a group of photographs that have similar objects on them.
Google is tight-lipped on how the technology works, but it's supposed to be much more reliable than the traditional CAPTCHA. Apparently, it takes a number of different factors into consideration in an attempt to determine whether a real person is interacting with the service. If it thinks that you might be a bot, it will present the checkbox challenge, and if it still isn't sure, it will give you a selection of photos, asking you to pick the odd ones out.
As you can see, CAPTCHA is a very important, rather clever solution to a variety of different problems. It has been criticized in the past, but over the years, it has come leaps and bounds in terms of both user experience and security.
Is CAPTCHA the perfect solution?
No, it isn't. For one, although Google's new system is supposed to be quite effective against automated bots, some hackers still reckon that they can organize an attack with a respectable success rate. Even if they can't do it right now, they will sooner or later find a way of fooling Google's bot-recognition system, and the experts will need to work hard to stay one step ahead.
There's more. As we mentioned already, some people think that working around CAPTCHA tests is crucial for their business success, and sure enough, there are organizations that are willing to cater to them. A number of CAPTCHA-breaking services are just a Google search away, with some of them basing their tools on OCR technology while others are reportedly paying real people woefully small amounts of money in exchange for solved CAPTCHA tests.
Of course, there is also the fact that while CAPTCHA can be a solution to quite a few problems, it's not (and will never be) a panacea. Against an offline brute-force attack, for example, it is not going to do much, because the attacker never has to pass through the login form at all.
So, CAPTCHA is not perfect. It is rather good at what it's designed to do, however, and although it often means that we need to spend a bit more time completing a particular task, we shouldn't underestimate its importance.