Friday, 10 April 2015

CAPTCHAs May Do More Harm Than Good

CAPTCHA -- Completely Automated Public Turing Test To Tell Computers and Humans Apart -- was created to foil bots attempting to mass-create accounts at websites. Once created, those accounts could be exploited by online lowlifes for malicious ends, such as spewing spam. However, there are signs that the technology that uses distressed letters to weed out machines from humans may have outlived its usefulness.

When users are presented with a CAPTCHA, they are 12 percent less likely, on average, to continue with what they came to do at the website, according to a Distil Networks study released earlier this month. That number is even worse for mobile users, who abandon their intended activity 27 percent of the time they're confronted with a CAPTCHA, the study suggests.

"If it causes too much friction for a checkout or a transaction, it could cost a website real dollars and cents or users," Distil CEO and cofounder Rami Essaid told TechNewsWorld.

Better Bots

Distil got the idea for the CAPTCHA study from one of its customers. "They were trying to solve a fraud problem," Essaid said. "When they put in their CAPTCHA, it dramatically decreased their conversions by over 20 percent."

So Distil decided to study the problem. "We wanted to see if that was unique to that company or if people were annoyed by CAPTCHAs to the point that they abandon any interaction that they're doing," Essaid said. "The results shocked me. I didn't think they'd be as dramatic as they were."

The wide gap between desktop and mobile abandonment is largely a usability issue, he said. "CAPTCHAs were created for desktops. We've never seen one fully designed for mobile, and that impacts users much more," Essaid explained.

The kicker to CAPTCHAs is that their purpose -- to block bots -- has become problematic. "Bots have evolved to a point where they can solve the CAPTCHAs," Essaid pointed out. "CAPTCHAs can stop most bots, but the worst bots know how to get past CAPTCHA."
Bad Cert

Microsoft issued a security advisory last week alerting Windows users that a rogue certificate had been issued that could be used to spoof the company's Live services. "Microsoft is aware of an improperly issued SSL certificate for the domain 'live.fi' that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," the advisory reads. "It cannot be used to issue other certificates, impersonate other domains, or sign code," it continues. "This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

Certificates increasingly have become targets for cybercriminals, noted Kevin Bocek, vice president for security strategy and threat intelligence at Venafi. "Bad guys are not only trying to steal certificates, but use fraud to obtain them, too," he told TechNewsWorld. "There are over 200 public Certificate Authorities trusted around the world," he explained, "and at any one time, any could be attacked to obtain a valid certificate."

Microsoft has taken actions to thwart anyone trying to use the illicit cert, but those measures only work on its products. Since the cert will still be accepted by other products, it's up to the makers of those products to update them to block recognition of the cert.

Mobile FREAK-out

Earlier this month, researchers discovered a vulnerability in SSL implementations called "FREAK." It allows an attacker to force SSL to stop using 128-bit encryption and start using 40-bit encryption, which can be cracked in a matter of hours using commodity computers or readily available cloud computing resources. Most of the attention on FREAK has been focused on its impact on browser communication, but last week, researchers at FireEye found that a substantial number of mobile apps are vulnerable to the SSL flaw.
After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, the researchers found 11.2 percent of them vulnerable to a FREAK attack. A similar analysis of 14,079 iOS apps revealed that 5.5 percent of them were vulnerable to FREAK.

"This is a problem of a client or server being able to say, 'I don't want to do this really secure thing, let's do something less secure,'" said Jared DeMott, principal security researcher at Bromium.

While that sounds serious, exploiting the flaw isn't a piece of cake. "You need to be in a position to sit on the traffic, and you still have to decrypt the downloaded encryption, even if it isn't very good," he told TechNewsWorld. "That's the kind of thing you'd expect to see organized players doing -- a nation state or big crime ring," he said. "I don't know if it's going to have a big impact on individual consumers."