
    Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge designed to distinguish human users from bots, reducing the amount of automated traffic hitting a website.

    Where CAPTCHA is used

    CAPTCHA tests are often used on email login pages, forums and comment sections of a blog or news site to specifically prevent spam bots and automated brute force attacks. As threat actors have become increasingly sophisticated, CAPTCHAs have in turn needed to adapt to remain effective.

    How CAPTCHA works

    Traditionally, CAPTCHAs required a user to copy a jumbled sequence of numbers and letters. Today, users are more likely to see a grid of images from which they must, for example, select every image containing a bridge or a set of traffic lights.

    Types of CAPTCHA

    What are the different types of CAPTCHAs? They are defined as follows:

    • Text-based CAPTCHAs. These tests are designed to verify that you are human by requiring you to identify letters in a distorted format. For example, the image may appear as a bunch of vertical or horizontal lines. You must type the word or number presented in the boxes above each line. In some cases, this exercise is made more difficult if there are several words appearing in one line instead of one word at a time.
    • Digital CAPTCHAs. Digital tests use symbols rather than text characters for verification, but they all follow the same basic principles – test your intelligence against an automated system. Solutions include shapes, colours, sounds and pictures (for example users have to select all images containing a cat).
    • Image manipulation CAPTCHAs. Image manipulation tests are designed to identify the presence of real human users by looking for certain imperfections and inconsistencies in uploaded images. A common test is where an image is divided into 25 separate segments, and then each segment is warped slightly (up to 10 degrees). Humans can successfully identify the original image while automated programs cannot as they do not have enough information within each segment to correctly predict or recreate the whole image.
    • Cryptographic CAPTCHAs. Cryptographic tests are designed to verify that a user is human based on the answer to a question which must be solved using mathematical methods – for example, calculating 1+1. The back end system uses an algorithm such as a hash function to generate the correct response that then needs to be deciphered by a user. Cryptographic CAPTCHAs are also combined with image manipulation tests in some cases.
    • reCAPTCHA – this is a free tool from Google that helps websites fight spam and abuse. When you type a word in the box, it asks you to verify that you’re human by clicking on all the images that have a predefined symbol in them.
    • No CAPTCHA reCAPTCHA – No CAPTCHA is an advanced type of reCAPTCHA that allows you to create a seamless experience for anyone filling out forms on your site. It sends the data from each form directly to Google, so it’s difficult for attackers to defeat No CAPTCHA and bot detection protections.
    • WebCAPTCHA – this is a JavaScript-based CAPTCHA that was created using the reCAPTCHA API keys. It offers different customizations including size, colour and image selection options. You can also embed it with any code snippet in your website or CMS so it appears at various places on your site.
    • Math CAPTCHA – a friendly CAPTCHA that asks you to enter the result of a math equation.
    • hCaptcha – a CAPTCHA service that complies with the EU’s General Data Protection Regulation (GDPR), which means user data is encrypted and human rights are protected.
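The math and cryptographic CAPTCHAs above share one server-side mechanism: the back end generates a challenge, commits to the answer without revealing it, and checks the submission later. The Python below is an added example and is not code from the original article or from any CAPTCHA vendor. It issues a small addition problem together with a token whose HMAC covers the client identifier, a one-time nonce, an expiry and the answer; on submission it recomputes the HMAC with the submitted answer. The nonce is consumed before the answer is compared, so each challenge allows exactly one attempt and the small answer space cannot be guessed through on a single token. The key, the 120-second lifetime, the token layout and the client identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import random
import secrets
import time

# Constructed demo key: a real deployment loads this from a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)

# Nonces already consumed. A real service keeps this in a shared store with
# expiry (e.g. a cache keyed by nonce) so that every instance sees the same state.
_used_nonces = set()


def _mac(client_id: str, nonce: str, expires: int, answer: int) -> str:
    """HMAC binding the expected answer to this client, nonce and expiry."""
    msg = f"{client_id}|{nonce}|{expires}|{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_id: str, now: float = None, rng: random.Random = None) -> dict:
    """Build a math challenge and a token that commits the server to its answer.

    The answer never leaves the server: the token carries only the public
    fields (client, nonce, expiry) plus a MAC that also covers the answer.
    """
    now = time.time() if now is None else now
    rng = random.SystemRandom() if rng is None else rng
    a, b = rng.randint(1, 20), rng.randint(1, 20)
    nonce = secrets.token_hex(8)
    expires = int(now) + CHALLENGE_TTL
    body = base64.urlsafe_b64encode(
        json.dumps({"c": client_id, "n": nonce, "e": expires}).encode()
    ).decode()
    token = f"{body}.{_mac(client_id, nonce, expires, a + b)}"
    return {"question": f"{a} + {b} = ?", "token": token}


def verify_answer(client_id: str, token: str, submitted, now: float = None):
    """Check a submitted answer. Returns (accepted, reason).

    The nonce is consumed *before* the answer is compared, so a client gets
    exactly one attempt per challenge, right or wrong.
    """
    now = time.time() if now is None else now
    try:
        body, mac = token.rsplit(".", 1)
        fields = json.loads(base64.urlsafe_b64decode(body.encode()))
        bound_client, nonce, expires = fields["c"], fields["n"], int(fields["e"])
    except (ValueError, KeyError, TypeError):
        return False, "bad_token"
    if bound_client != client_id:
        return False, "client_mismatch"
    if now > expires:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)  # single use, whether or not the answer turns out right
    try:
        submitted = int(submitted)
    except (ValueError, TypeError):
        return False, "wrong_answer"
    # Recompute the MAC with the submitted answer; it only matches for the right one.
    if not hmac.compare_digest(_mac(bound_client, nonce, expires, submitted), mac):
        return False, "wrong_answer"
    return True, "ok"


if __name__ == "__main__":
    challenge = issue_challenge("203.0.113.5")
    print(challenge["question"])
    # A real form would send challenge["token"] as a hidden field and post it
    # back with the user's answer, e.g. verify_answer("203.0.113.5", token, "17").
```

Because the MAC covers the client identifier, a token issued to one client is rejected when submitted by another, and because it covers the expiry, the lifetime cannot be extended by editing the token.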

    The problem with CAPTCHAs

    CAPTCHA tests are problematic from both a usability and an accessibility perspective. Because CAPTCHAs rely on distorted text that is difficult for an automated program to recognize, users often find them impossible or extremely frustrating to complete. To get past the challenge, users may resort to workarounds such as asking a friend, colleague or family member for help.

    CAPTCHAs also impede accessibility for the elderly and other users with vision or dexterity impairments. In particular, people who are blind or living with failing eyesight often cannot read the distorted text on web forms, which renders CAPTCHAs unusable for them. This in turn bars these users from registering on a website, posting comments, voting, reading news articles and even checking their email.

    CAPTCHA evasion techniques

    CAPTCHA forms are a fundamental part of a web administrator’s detection and response arsenal, significantly reducing the number of spam bots reaching a website and blunting the effect of a brute force attack. Because they are so widely used, threat actors keep trying to defeat them with a variety of automated evasion techniques. Among the most common evasion strategies are CAPTCHA farms.

    CAPTCHA farms bridge the gap between a threat actor and the site the actor wants to reach through a CAPTCHA form. The bot integrates a third-party API; when it meets a CAPTCHA, it forwards the challenge to a real person working on the farm, who solves it. The human-generated response is returned to the bot, which submits it to the web application and is thereby verified as “human”.

    Blocking CAPTCHA evasion techniques

    CAPTCHAs continue to play a critical role in most cybersecurity solutions; however, they are not enough on their own.
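A farm-assisted bot still has to submit each solved challenge from its own client, so the CAPTCHA solve rate per client is one signal a defender can layer on top of the CAPTCHA itself. The Python below is an added example, not code from the original article or from any vendor’s product: it walks a CAPTCHA verification log in time order, keeps a sliding window of successful solves per client, and reports the first moment a client exceeds a threshold. The log format, the addresses, the 60-second window and the threshold of five solves are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed CAPTCHA verification log (not from any real system), already in time order.
# 203.0.113.5 completes eight challenges in 44 seconds; the other two clients solve
# at a pace a person could plausibly sustain, and one of them also fails once.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=203.0.113.5 result=ok
2024-05-01T10:00:03Z client=198.51.100.7 result=ok
2024-05-01T10:00:05Z client=192.0.2.9 result=ok
2024-05-01T10:00:07Z client=203.0.113.5 result=ok
2024-05-01T10:00:12Z client=203.0.113.5 result=ok
2024-05-01T10:00:19Z client=203.0.113.5 result=ok
2024-05-01T10:00:25Z client=203.0.113.5 result=ok
2024-05-01T10:00:31Z client=203.0.113.5 result=ok
2024-05-01T10:00:38Z client=203.0.113.5 result=ok
2024-05-01T10:00:44Z client=203.0.113.5 result=ok
2024-05-01T10:01:10Z client=198.51.100.7 result=ok
2024-05-01T10:01:50Z client=192.0.2.9 result=ok
2024-05-01T10:01:55Z client=198.51.100.7 result=fail
2024-05-01T10:02:40Z client=198.51.100.7 result=ok
2024-05-01T10:03:40Z client=192.0.2.9 result=ok
2024-05-01T10:05:30Z client=192.0.2.9 result=ok
2024-05-01T10:07:20Z client=192.0.2.9 result=ok
2024-05-01T10:09:10Z client=192.0.2.9 result=ok
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, result)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, fields["client"], fields["result"]


def find_high_rate_solvers(lines, window_seconds: int = 60, max_solves: int = 5) -> dict:
    """Return {client: first timestamp at which it exceeded max_solves
    successful CAPTCHA solves within any window_seconds-long window}.

    Only successful solves count; failures are noise here because a bot that
    cannot solve the challenge is already being stopped by the CAPTCHA.
    """
    recent = defaultdict(deque)  # client -> timestamps (epoch seconds) of recent solves
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, result = parse_line(line)
        if result != "ok":
            continue
        now = ts.timestamp()
        window = recent[client]
        # Drop solves that have slid out of the window.
        while window and now - window[0] > window_seconds:
            window.popleft()
        window.append(now)
        if len(window) > max_solves and client not in flagged:
            flagged[client] = ts.strftime(TS_FORMAT)
    return flagged


if __name__ == "__main__":
    for client, when in find_high_rate_solvers(SAMPLE_LOG.splitlines()).items():
        print(f"{client} exceeded the solve-rate threshold at {when}")
```

The thresholds are the tuning point: a very low window or limit will catch shared corporate egress addresses, so in practice the client key is usually a session or device identifier rather than a bare source address, and the flag feeds a score rather than an outright block.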

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.


