One of the more pervasive online threats comes from cybercriminals programming bots to roam the Internet looking for ways to manipulate online pages, access databases, and steal data.
Enter CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart. It is meant to do just as it says — differentiate malicious bots from legitimate humans. As the sophistication of bots continually increases, can this conventional method of detection keep up?
Mise en Place: Gathering Ingredients of Traditional CAPTCHA
The original CAPTCHA tests, which first appeared in the late 1990s, were made up of distorted images containing a combination of random letters and numbers. There are many nefarious reasons why bots would want to access certain Web pages. For example, bad bots can:
- Create fake accounts and waste precious resources. Threat actors use these fake accounts to increase traffic to skew analytics, overload servers, and deny real users the services they are trying to access.
- Take over sites by spamming comments and contact forms. If left unmoderated, bots can flood websites with comments and messages containing inappropriate material and dangerous links. Users who click the links become vulnerable to potential scams.
- Allow scalpers to purchase large quantities of high-demand tickets and other products. For example, upon the release of this summer’s Barbie film, bots and scalpers began purchasing merchandise and relisting the products on eBay at as much as a 325% markup.
- Skew online polls by voting uncontrollably. Malicious bots can skew product ratings on various sites to make items appear more or less favorable. This affects the overall customer sentiment in such a way that is not representative of how real consumers feel about a product.
While CAPTCHAs developed back in the ’90s were once enough to address many of these negative effects of bots, today’s threat landscape has become far too sophisticated. Before bots could read distorted letters and numbers to solve the challenges, this was a solid security posture.
The Chopping Block: Recent Bypasses Are Proof of CAPTCHA’s Dark Side
Proof of growth in bots’ sophistication is outlined in a recent crackdown where police arrested nearly 70 people leveraging bots to book and resell immigration appointments by using tactics including methods to bypass various CAPTCHA tests.
This highlights why CAPTCHAs should never be your only line of defense. They are outdated, easily manipulated, and insecure. If organizations opt to use CAPTCHAs to challenge bots, they need to rely on ones that prioritize security and ensure new bot techniques are identified in real time, rendering CAPTCHA farms and CAPTCHA-solve bots useless.
Another security concern is that threat groups use cheap labor in these CAPTCHA farms to solve significant quantities of CAPTCHA puzzles. This is because it is costly for an attacker to conduct large-scale crawling or credential-stuffing attacks using real, automated browsers or automated headless browsers.
Simmer Down on Outdated CAPTCHAs
To effectively stay ahead of malicious actors’ capabilities, the secret ingredient is finding the balance of security, user experience, and user privacy. Adding a single layer of security no longer grants companies or their security tools carte blanche to handle user data as they see fit.
It’s clear they must go beyond single-layer, traditional CAPTCHA defenses and develop a security stack that combines this technology. To develop an effective CAPTCHA solution, consider these key concepts:
- A CAPTCHA should never be siloed. It should allow transparency for you to review false positives and negatives and include a complete feedback loop to update responses accordingly.
- Data privacy is paramount. Users should never have to be concerned about whether their data is being collected, where it is going, and what it’s being used for when they access a website. Traditional CAPTCHAs have been found to gather personally identifiable information (PII) from end users without clarifying how or where it is used. A CAPTCHA solution should be compliant with data privacy laws and regulations globally.
- CAPTCHAs must not obstruct the user experience. From long loading times to accessibility issues, traditional CAPTCHAs are notoriously bad for the customer’s experience. Look for a CAPTCHA that shows up only when necessary, loads quickly, is easy for humans but hard for bots, and puts accessibility at the forefront — all without compromising accuracy of its security.
Anyone Can Be a Chef With the Right Utensils
As threats evolve, so do CAPTCHAs, and with the right security posture, organizations can still outwit the bots. To do this, businesses should look for a solution with a dedicated team that can help tailor their protection strategy (including their CAPTCHA) and that leverages both client-side (device details and event tracking) and server-side (reputation, behavior, and fingerprints) capabilities.
While CAPTCHAs are not sufficient bot protection on their own, they can be a useful tool when properly integrated with a complete bot and online fraud protection program.
About the Author
Benjamin Fabre is the CEO of DataDome, a company he co-founded in 2015. A cybersecurity visionary, Benjamin foresaw the rise of bot-driven fraud. He understood early on that the race to block automated online threats would require an instantaneous response at the edge; static rules, no matter how quickly updated, would always be a step behind. Leveraging his deep expertise as a technologist, Benjamin set out to build a transparent and easy-to-deploy anti-bot solution that is a true force multiplier for IT security teams.
Read More HERE