CAPTCHAs May Do More Harm Than Good


If an annoyance contest were held between passwords and CAPTCHAs, passwords would probably win, but not by much.

CAPTCHA — Completely Automated Public Turing Test To Tell Computers and Humans Apart — was created to foil bots attempting to mass-create accounts at websites. Once created, those accounts could be exploited by online lowlifes for malicious ends, such as spewing spam. However, there are signs that the technology that uses distressed letters to weed out machines from humans may have outlived its usefulness.

When users are presented with a CAPTCHA, they are 12 percent less likely, on average, to continue with what they came to do at the website, according to a Distil Networks study released earlier this month.

That number is even worse for mobile users, who abandon their intended activity 27 percent of the time they’re confronted with a CAPTCHA, the study suggests.

“If it causes too much friction for a checkout or a transaction, it could cost a website real dollars and cents or users,” Distil CEO and cofounder Rami Essaid told TechNewsWorld.

Better Bots

Distil got the idea for the CAPTCHA study from one of its customers.

“They were trying to solve a fraud problem,” Essaid said. “When they put in their CAPTCHA, it dramatically decreased their conversions by over 20 percent.”

So Distil decided to study the problem.

“We wanted to see if that was unique to that company or if people were annoyed by CAPTCHAs to the point that they abandon any interaction that they’re doing,” Essaid said. “The results shocked me. I didn’t think they’d be as dramatic as they were.”

The wide gap between desktop and mobile abandonment is largely a usability issue, he said.

“CAPTCHAs were created for desktops. We’ve never seen one fully designed for mobile, and that impacts users much more,” Essaid explained.

The kicker to CAPTCHAs is that their purpose — to block bots — has become problematic.

“Bots have evolved to a point where they can solve the CAPTCHAs,” Essaid pointed out. “CAPTCHAs can stop most bots, but the worst bots know how to get past CAPTCHA.”

Bad Cert

Microsoft issued a security advisory last week alerting Windows users that a rogue certificate had been issued that could be used to spoof the company’s Live services.

“Microsoft is aware of an improperly issued SSL certificate for the domain ‘live.fi’ that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” the advisory reads.

“It cannot be used to issue other certificates, impersonate other domains, or sign code,” it continues. “This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.”

Certificates increasingly have become targets for cybercriminals, noted Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

“Bad guys are not only trying to steal certificates, but use fraud to obtain them, too,” he told TechNewsWorld.

“There are over 200 public Certificate Authorities trusted around the world,” he explained, “and at any one time, any could be attacked to obtain a valid certificate.”

Microsoft has taken actions to thwart anyone trying to use the illicit cert, but those measures only work on its products. Since the cert will still work in other products, it’s up to the makers of those products to update them to block recognition of the cert.

Mobile FREAK-out

Earlier this month, researchers discovered a vulnerability in SSL implementations called “FREAK.” It allows an attacker to force SSL to stop using 128-bit encryption and start using 40-bit encryption, which can be cracked in a matter of hours using commodity computers or readily available cloud computing resources.

Most of the attention on FREAK has been focused on its impact on browser communication, but last week, researchers at FireEye found a substantial number of mobile apps are vulnerable to the SSL flaw.

After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, the researchers found 11.2 percent of them vulnerable to a FREAK attack.

A similar analysis of 14,079 iOS apps revealed that 5.5 percent of them were vulnerable to FREAK.

“This is a problem of a client or server being able to say, ‘I don’t want to do this really secure thing, let’s do something less secure,’” said Jared DeMott, principal security researcher at Bromium.

While that sounds serious, exploiting the flaw isn’t a piece of cake. “You need to be in a position to sit on the traffic, and you still have to decrypt the downloaded encryption, even if it isn’t very good,” he told TechNewsWorld.

“That’s the kind of thing you’d expect to see organized players doing — a nation state or big crime ring,” he said. “I don’t know if it’s going to have a big impact on individual consumers.”

Breach Diary

  • March 17. Premera Blue Cross of Mountlake Terrace, Washington, reveals a data breach has placed at risk personal information of some 11 million customers. Intrusion took place on May 5, 2015, but was not discovered until Jan. 29 of this year.
  • March 17. Advantage Dental, of Redmond, Washington, reports that information on more than 151,000 patients is at risk after a data breach lasting three days in February. An employee’s credentials were compromised and used for unauthorized access to a membership database.
  • March 17. FireEye researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen report 11.2 percent of popular Android apps and 5.5 percent of popular iOS apps are vulnerable to a FREAK attack, in which HTTPS traffic can be forced to use a weak form of encryption.
  • March 17. Microsoft warns that a certificate for the live.fi domain has been improperly issued and can be used for malicious purposes such as website spoofing and hijacking Internet traffic.
  • March 17. American Federation of Teachers demands Pearson Education come clean about its monitoring of students’ social media to protect the integrity of its testing materials. Pearson says it is contractually obligated by the states it does business with to monitor social media posts to make sure students do not disclose test questions.
  • March 17. Microsoft announces Windows 10 will include Hello, which allows a user to log into a computer or other device through biometric authentication such as facial, iris or fingerprint recognition.
  • March 19. Federal Judge Paul A. Magnuson grants preliminary approval of a US$10 million settlement of a data breach class action lawsuit against Target. In 2013, data thieves stole payment card and personal information of some 101 million Target customers.
  • March 19. Security researcher Laxman Muthiyah posts a blog item describing a vulnerability in Facebook’s mobile app that can be exploited to steal photos stored in the software.

Source: CAPTCHAs May Do More Harm Than Good ( http://www.technewsworld.com/story/CAPTCHAs-May-Do-More-Harm-Than-Good-81872.html )
