Captcha

good or bad security solution?


CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”, was devised in an attempt to confirm that a visit to a site has been made by a human being and not by a program.

What’s a captcha for?

They are mainly used to validate access or registration.

On the Internet, there are robots that constantly scan different web pages to identify resources. We call them "crawlers" or "spiders". Most of the time, they are used legitimately, for example by search engines or archiving systems.

But sometimes, they are hijacked to carry out malicious actions. One of these actions is to use the forms present on websites (registration, contact, etc.). The aim may be to find loopholes or simply to create mass accounts, which can then be exploited for spam campaigns.

Captchas were created to limit these practices. By requiring human validation, they limit the impact of crawlers.

They have evolved considerably in terms of complexity. Initially, captchas took the form of checkboxes or simple text to be copied, but increasingly sophisticated robots were adapted to complete these validations. Today they present images, distorted text or objects to identify, possibly several times over, before the captcha is validated.

There are even invisible captchas, which analyze the user’s actions on a page, right down to the movement of the mouse, to identify whether the user is human or not.

Can a captcha be fooled?

The answer is obvious: Yes.

As we said earlier, robots are constantly evolving, with new techniques enabling programs to better recognize the characters and objects in the images displayed by captchas. They quickly take new protections into account and mimic the behavior expected by the latest captchas. What's more, captcha systems, like all computer programs, have their flaws and limitations; they therefore require regular monitoring, analysis and updating, which is sometimes lacking.

Finally, “captcha farms” have been identified. These are real factories, located mainly in developing countries, where labor costs are lowest. Teams of human workers fill in the captcha manually, for a small fee. Sources are obviously unclear, but we’re talking about costs in the range of $1 to $5 per 1,000 validated captchas.

And even without the farms that industrialize the process, a hacker or spammer can perfectly well validate a small number of captchas manually if that is what it takes to gain a sensitive access.

Is captcha a bad security solution?

The captcha and its evolutions are not bad solutions, but they should only be one of the building blocks in securing your systems. Relying solely on captcha validation to confirm access is a mistake. It offers a false sense of security which, as we've seen, can be easily circumvented. It is only justified if it forms part of a set of measures that work together to validate a procedure. If it is the centerpiece, or even the only security system, it can only be a weakness in the cybersecurity chain.
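To make the "one building block among several" argument concrete, here is an added illustrative example of a form-submission gate in which the captcha result is just one check. It is not Hornetsecurity code and does not call any real captcha provider: the verifier callable stands in for the provider's server-side verification endpoint, and the honeypot field, minimum fill time, single-use token rule and rate-limit thresholds are assumed design choices, not something the article prescribes. A farm-solved captcha passes the verifier, but the other layers still catch the burst of near-instant submissions.

```python
"""Layered gate for a web form: the captcha result is one signal among several.

Illustrative example written for this article; it is not Hornetsecurity code and
does not call any real captcha provider. The verifier callable stands in for the
provider's server-side verification endpoint so the gate can run offline.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Set


@dataclass
class Submission:
    client_id: str       # assumed: source IP or session key used for rate limiting
    captcha_token: str   # token returned by the captcha widget, "" if absent
    fill_seconds: float  # seconds between form load and submit (assumed client timing)
    now: float           # submission time as a Unix timestamp
    honeypot: str = ""   # assumed hidden field that humans never fill in


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]   # empty when allowed


class FormGate:
    """Combines captcha verification with replay protection, a honeypot,
    a minimum fill time and a sliding-window rate limit per client."""

    def __init__(self, verify_captcha: Callable[[str], bool],
                 max_per_window: int = 5, window_seconds: float = 60.0,
                 min_fill_seconds: float = 2.0) -> None:
        self._verify = verify_captcha
        self._max = max_per_window
        self._window = window_seconds
        self._min_fill = min_fill_seconds
        self._history: Dict[str, Deque[float]] = defaultdict(deque)
        self._used_tokens: Set[str] = set()  # each solved captcha may be spent once

    def _over_rate(self, client_id: str, now: float) -> bool:
        # Drop timestamps older than the window, record this one, compare to limit.
        q = self._history[client_id]
        while q and now - q[0] > self._window:
            q.popleft()
        q.append(now)
        return len(q) > self._max

    def evaluate(self, s: Submission) -> Decision:
        reasons: List[str] = []
        if not s.captcha_token:
            reasons.append("captcha missing")
        elif s.captcha_token in self._used_tokens:
            reasons.append("captcha token replayed")
        elif not self._verify(s.captcha_token):
            reasons.append("captcha failed")
        else:
            self._used_tokens.add(s.captcha_token)
        if s.honeypot:
            reasons.append("honeypot filled")
        if s.fill_seconds < self._min_fill:
            reasons.append("form submitted too fast")
        if self._over_rate(s.client_id, s.now):
            reasons.append("rate limit exceeded")
        return Decision(allowed=not reasons, reasons=reasons)


# Constructed token set standing in for "the provider says this token is valid".
VALID_TOKENS = {"tok-human-1"} | {f"tok-farm-{i}" for i in range(1, 5)}


def demo() -> Dict[str, Decision]:
    """Runs constructed submissions through the gate and returns the decisions."""
    gate = FormGate(verify_captcha=lambda t: t in VALID_TOKENS, max_per_window=3)
    t0 = 1_700_000_000.0
    results: Dict[str, Decision] = {}
    # A person who solved the captcha and took a realistic time to fill the form.
    results["human"] = gate.evaluate(Submission("10.0.0.1", "tok-human-1", 12.0, t0))
    # No captcha token at all.
    results["missing"] = gate.evaluate(Submission("10.0.0.2", "", 8.0, t0 + 1))
    # The human's valid token presented a second time from another client.
    results["replay"] = gate.evaluate(Submission("10.0.0.3", "tok-human-1", 9.0, t0 + 2))
    # Farm-solved captchas: every token verifies, yet the burst of near-instant
    # submissions from one client trips the timing and rate layers.
    last = results["human"]
    for i in range(1, 5):
        last = gate.evaluate(Submission("10.0.0.9", f"tok-farm-{i}", 0.5, t0 + 10 + i))
    results["farm_last"] = last
    return results


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:10s} allowed={d.allowed} reasons={d.reasons}")
```

The point of the design is that no single layer decides: the captcha keeps out unsophisticated bots, the single-use token rule stops a solved captcha from being reused, and the timing and rate checks catch submissions that a farm or a manual spammer solved correctly but sent at a pace no person would.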


Did you like our contribution on Captcha? Then other articles in our knowledge base might interest you as well! We help you learn more about cybersecurity-related topics such as Emotet, Trojans, IT Security, Cryptolocker, Ransomware, Phishing, GoBD, Cyber Kill Chain and Computer Worms.