CAPTCHAs May Do More Harm Than Good

If an annoyance contest were held between passwords and CAPTCHAs, passwords would probably win, but not by much.

CAPTCHA — Completely Automated Public Turing Test To Tell Computers and Humans Apart — was created to foil bots attempting to mass-create accounts at websites. Once created, those accounts could be exploited by online lowlifes for malicious ends, such as spewing spam. However there are signs that the technology that uses distressed letters to weed out machines from humans may have outlived its usefulness.

When users are presented with a CAPTCHA, they are 12 percent less likely, on average, to continue with what they came to do at the website, according to a Distil Networks study released earlier this month.

That number is even worse for mobile users, who abandon their intended activity 27 percent of the time they’re confronted with a CAPTCHA, the study suggests.

“If it causes too much friction for a checkout or a transaction, it could cost a website real dollars and cents or users,” Distil CEO and cofounder Rami Essaid told TechNewsWorld.

Better Bots

Distil got the idea for the CAPTCHA study from one of its customers.

“They were trying to solve a fraud problem,” Essaid said. “When they put in their CAPTCHA, it dramatically decreased their conversions by over 20 percent.”

So Distil decided to study the problem.

“We wanted to see if that was unique to that company or if people were annoyed by CAPTCHAs to the point that they abandon any interaction that they’re doing,” Essaid said.”The results shocked me. I didn’t think they’d be as dramatic as they were.”

The wide gap between desktop and mobile abandonment is largely a usability issue, he said.

“CAPTCHAs were created for desktops. We’ve never seen one fully designed for mobile, and that impacts users much more,” Essaid explained.

The kicker to CAPTCHAs is that their purpose — to block bots — has become problematic.

“Bots have evolved to a point where they can solve the CAPTCHAs,” Essaid pointed out. “CAPTCHAs can stop most bots, but the worst bots know how to get past CAPTCHA.”

Bad Cert

Microsoft issued a security advisory last week alerting Windows users that a rogue certificate had been issued that could be used to spoof the company’s Live services.

“Microsoft is aware of an improperly issued SSL certificate for the domain ‘’ that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” the advisory reads.

“It cannot be used to issue other certificates, impersonate other domains, or sign code,” it continues. “This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.”

Certificates increasingly have become targets for cybercriminals, noted Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

“Bad guys are not only trying to steal certificates, but use fraud to obtain them, too,” he told TechNewsWorld.

“There are over 200 public Certificate Authorities trusted around the world,” he explained, “and at any one time, any could be attacked to obtain a valid certificate.”

Microsoft has taken actions to thwart anyone trying to use the illicit cert, but those measures only work on its products. Since the cert will work in other products, it’s up to maker of those products to update them to block recognition of the cert.

Mobile FREAK-out

Earlier this month, researchers discovered a vulnerability in SSL implementations called “FREAK.” It allows an attacker to force SSL to stop using 128-bit encryption and start using 40-bit encryption, which can be cracked in a matter of hours using commodity computers or readily available cloud computing resources.

Most of the attention on FREAK has been focused on its impact on browser communication, but last week, researchers at FireEye found a substantial number of mobile apps are vulnerable to the SSL flaw.

After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, the researchers found 11.2 percent of them vulnerable to a FREAK attack.

A similar analysis of 14,079 iOS apps revealed that 5.5 percent of them vulnerable to FREAK.

“This is a problem of a client or server being able to say, ‘I don’t want to do this really secure thing, let’s do something less secure,'” said Jared DeMott, principal security researcher at Bromium.

While that sounds serious, exploiting the flaw isn’t a piece of cake. “You need to be in a position to sit on the traffic, and you still have to decrypt the downloaded encryption, even if it isn’t very good,” he told TechNewsWorld.

“That’s the kind of thing you’d expect to see organized players doing — a nation state or big crime ring,” he said. “I don’t know if it’s going to have a big impact on individual consumers.”

Breach Diary

  • March 17. Premera Blue Cross of Mountlake Terrace, Washington, reveals a data breach has placed at risk personal information of some 11 million customers. Intrusion took place on May 5, 2015, but was not discovered until Jan. 29 of this year.
  • March 17. Advantage Dental, of Redmond, Washington, reports that information on more than 151,000 patients is at risk after a data breach lasting three days in February. An employee’s credentials were compromised and used for unauthorized access to a membership database.
  • March 17. FireEye researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen report 11.2 percent of popular Android apps and 5.5 percent of popular iOS apps are vulnerable to a FREAK attack, in which HTTPS traffic can be forced to use a weak form of encryption.
  • March 17. Microsoft warns that a certificate for the domain has been improperly issued and can be used for malicious purposes such as website spoofing and hijacking Internet traffic.
  • March 17. American Federation of Teachers demands Pearson Education come clean about its monitoring of students’ social media to protect the integrity of its testing materials. Pearson says it is contractually obligated by the states it does business with to monitor social media posts to make sure students do not disclose test questions.
  • March 17. Microsoft announces Windows 10 will include Hello, which allows a user to log into a computer or other device through biometric authentication such as facial, iris or fingerprint recognition.
  • March 19. Federal Judge Paul A. Magnuson grants preliminary approval of US$10 million settlement of data breach class action lawsuit against Target. In 2013, data thieves stole payment card and personal information of some 101 million Target customers.
  • March 19. Security researcher Laxman Muthiyah posts blog item describing vulnerability in Facebook’s mobile app that can be exploited to steal photos stored in the software.

Upcoming Security Events

  • March 30. New Account Fraud — Understanding Fraudsters Behavioral Prints. 2 p.m. ET. Webinar sponsored by BioCatch. Free with registration.
  • March 31. Monitoring for Network Security. 1 p.m. ET. Webinar sponsored by ThousandEyes. Free with registration.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Missouri. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 11. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 11-12. B-Sides Charm. Howard Community College, Gateway Building, Charles I. Ecker Business Training Center, 6751 Columbia Gateway Drive, Columbia, Maryland. Fee: TBD.
  • April 11-12. B-Sides Orlando. University of Central Florida, 4000 Central Florida Blvd., Orlando, Fla. Fee: $20.
  • April 17-18. B-Sides Algiers. Ecole Nationale Suprieure d’Informatique, Oued Smar, Algiers, Algeria. Free.
  • April 18. B-Sides Oklahoma. Hard Rock Casino, 777 W. Cherokee St., Catoosa, Oklahoma. Free.
  • April 19-20. B-Sides San Francisco. 135 Bluxome St., San Francisco. Registration: $20, plus $2.09 fee.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • April 25. B-Sides Rochester. German House, 315 Gregory St., Rochester, New York. Free.
  • April 29. Dark Reading’s Security Crash Course. Mandalay Bay Convention Center. Las Vegas, Nevada. Registration: through March 20, $899; March 21-April 24, $999; April 25-29, $1,099.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • June 8-10. SIA Government summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, Pounds 600.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 28-Oct. 01. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31–member, $895; non-member, $1,150; government, $945; student, $300; June 1-August 31–$995, $1,250, $1,045, $350; Sept. 1-Oct. 1–$1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels