A CAPTCHA in the Rye
Today, we released our latest Hacker Intelligence Initiative report, A CAPTCHA in the Rye. We detail how are CAPTCHAs broken by hackers and what should security teams do to make them stronger yet appealing to consumers who intensively hate them.
Why would hackers want to bypass CAPTCHAs? What is the motivation?
CAPTCHAs are put in place to protect sites from automation of actions. There are many types of hacker activities that are used to break CAPTCHAs, such as:
- Searching databases – a hacker may want to enable a user to search a database to see what you have and possibly download the contents.
- Adding comments on sites – a hacker may want to automatically add SPAM comments to all the posts in your site with links to, for example, websites with malware.
- Account creation – The site wants to prevent an automat from creating a lot of fake accounts to dupe legitimate users.
Is there specific website they target?
Hackers are often scraping websites that contain personal details. Some example that are presented in the report:
- Collecting financial details from online tax payment
- Collecting personal details from voting related sites, i.e., transactions or personal details etc…
What CAPTCHAs work?
Security teams should use novel CAPTCHA methods that make the CAPTCHA into something enjoyable, like a mini-game. Also, we help identify how to present a CAPTCHA only when users exhibit suspicious behavior by implementing various automation detection mechanisms.
To download our report, click here (no reg required).
Authors & Topics: