Wednesday 1 April 2015

CAPTCHAs May Do More Harm Than Good

If you were offered the choice between CAPTCHAs and passwords, I am pretty sure passwords would take the cake as the most preferred option among internet users. CAPTCHA, short for “Completely Automated Public Turing Test to Tell Computers and Humans Apart”, was created to foil bots attempting to create accounts in bulk on websites.

Once created, such accounts can be exploited for malicious work, like spewing spam, by online lowlifes. But recent technological advances suggest that the once highly acclaimed use of distorted letters to tell humans and machines apart may have become old school.

According to a study conducted by Distil Networks, whenever a website visitor is presented with a CAPTCHA, nearly 12% of those visitors abandon what they came to the site to do.

The study also suggests that among mobile users nearly 27% abandon their task when presented with a CAPTCHA. As Rami Essaid, Distil CEO and co-founder, puts it, if CAPTCHAs create problems while carrying out a transaction, the website eventually loses money, or even the user.

Evolution of the Bots: 

According to Distil, the idea for the study came from its customers. One customer, while looking into a fraud problem, found that its CAPTCHA was reducing conversions by nearly 20%.

The results indicate that people are so annoyed by online CAPTCHAs that they would rather abandon a website than carry out the transaction. Essaid highlighted the wide gap between mobile and desktop abandonment, which he attributes mainly to usage. He added that CAPTCHAs were designed for desktops and that nothing fully formed exists for mobile.

The very purpose of blocking bots has itself created a problem. Bots have now evolved and are able to solve CAPTCHAs that would have been difficult for them in the past.

Bad certification: 

Microsoft has already issued a warning about a rogue certificate being used to spoof the company’s Live services. Although the certificate cannot be used to issue other certificates, impersonate other domains or sign code, it can certainly be used for content spoofing, phishing and man-in-the-middle attacks.

According to Kevin Bocek, vice president for security strategy, cybercriminals are increasingly making certificates their main targets, using fraudulent tricks to acquire them. With nearly 200 public Certificate Authorities trusted around the world, it is easy to get hold of a valid certificate. Although Microsoft has taken stern action against these certificates, its fix applies only to its own products.


FREAK was another vulnerability, discovered earlier this month. It lets an attacker force an SSL connection to abandon 128-bit encryption and fall back to 40-bit encryption, which is easily crackable. Although initial studies highlighted FREAK’s impact on browser communication, later studies show it has a significant impact on mobile apps as well.
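The downgrade described above, as an added example that is not part of the original post: a constructed Python model of the client-side check a FREAK-vulnerable client skipped (accepting a weak temporary RSA key inside a strong suite) next to the check a patched client makes. Suite names, message dictionaries, key sizes and function names are assumptions for illustration, not code from any real TLS library.

```python
"""Simplified model of the client-side check that the FREAK downgrade
bypassed.  Everything here is constructed for illustration: the suite
table, the message dictionaries and the function names are hypothetical,
not code from any real TLS library."""

# Constructed suite table: suite name -> is it an export-grade suite?
CIPHER_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": False,
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": True,
}
CERT_RSA_BITS = 2048   # assumed size of the server certificate's RSA key
MIN_RSA_BITS = 2048    # assumed client policy for any RSA key exchange

def client_offer():
    """A well-configured client offers only non-export suites."""
    return [suite for suite, export in CIPHER_SUITES.items() if not export]

def vulnerable_client(offered, server_hello):
    """Pre-patch logic: checks only that the suite name was offered, then
    uses whatever temporary RSA key arrives, even in a non-export suite.
    Returns the RSA key size (bits) the session will actually rely on."""
    if server_hello["suite"] not in offered:
        raise ValueError("suite not offered")
    temp = server_hello.get("temp_rsa_bits")
    return temp if temp is not None else CERT_RSA_BITS

def hardened_client(offered, server_hello):
    """Patched logic: a non-export suite must not carry a temporary RSA
    key at all, and any RSA key in use must meet the minimum size."""
    suite = server_hello["suite"]
    if suite not in offered:
        raise ValueError("suite not offered")
    temp = server_hello.get("temp_rsa_bits")
    if temp is not None and not CIPHER_SUITES[suite]:
        raise ValueError("temporary RSA key in a non-export suite")
    bits = temp if temp is not None else CERT_RSA_BITS
    if bits < MIN_RSA_BITS:
        raise ValueError("RSA key too small")
    return bits

def run_freak_mitm(client):
    """Constructed FREAK-style exchange: the man-in-the-middle asks the server
    for an export suite, receives a 512-bit temporary RSA key, then rewrites
    the ServerHello back to the strong suite the client offered.  Returns the
    key size the client ends up with, or None if it aborts the handshake."""
    tampered_hello = {"suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
                      "temp_rsa_bits": 512}
    try:
        return client(client_offer(), tampered_hello)
    except ValueError:
        return None
```

The vulnerable client silently ends up keying the session off a 512-bit RSA key it never asked for, while the hardened client aborts, which is why the fix was a client-side patch rather than a server configuration change alone.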
