Captcha and why it is not so secure nowadays.


Nowadays millions of web pages have adopted captcha as a security and preventive measure, but why is it no longer considered secure?

At the moment the captcha is one of the most widely used web security mechanisms; it comes in many presentations and has seemed to prove effective. On the other hand, security methods are renewed every day while others become obsolete, so it is not surprising that some computer security analysts consider the captcha outdated or less effective than before. We must also take into account how up to date cybercriminals are: they spend most of their time looking for vulnerabilities to exploit in order to gain access. So stick around and learn more about captcha and why it is no longer the best option.


What is captcha?

CAPTCHA is an acronym that stands for “Completely Automated Public Turing Test to tell Computers and Humans Apart”; this tool is in charge of separating automated users from real users. It generates graphic situations that must be solved and that are complicated for a computer, unlike a human, who can easily select the right options. In basic terms, the captcha system is a simple puzzle that determines whether the user is a human or a machine.

How does the captcha work?

They work by presenting a piece of information to the user, who solves it by producing a kind of “translation” that the system interprets. Since it was invented, A.I. has been used to improve captchas, as it is more efficient at decoding an action performed by a human. In the beginning, the first versions of the captcha worked by showing a group of letters, numbers, or a combination of both in a distorted way, which the user had to copy into a blank space. With time and new versions, images or text fragments taken from Google or the New York Times newspaper were added.

Are there several types?

Yes. In fact, as we mentioned, the captcha has gone through different updates over time; some of the different captcha presentations are:

  • Image captcha: these were created to replace text captchas; they use eye-catching pictures, such as animals, nature or shapes. Usually in this type of captcha the user is expected to choose the different images that share a subject; for example, selecting all the traffic lights among the images shown.
  • Text-based captchas: these consist of known phrases or a random set of numbers and letters, which the user must reproduce in a blank box. The numbers and letters may be distorted, as this implies a higher level of security.
  • Word or mathematical problems: these consist of a simple mathematical problem that the user must solve, such as 20-4. Similarly, there is also the variant where the person must complete a word with the missing letter.
  • Audio captcha: this was created as another option; it works through an audio clip that the person listens to, writing what is dictated in a blank box. Normally this type of captcha is accompanied by images, such as those mentioned above.
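As an added illustration of the challenge-and-verify cycle described above, applied to the mathematical variant (this is example code written for this page, not code from the original article or from any captcha vendor), here is a minimal server-side implementation in Python. The example assumes the server signs every challenge with a secret key, here the constructed `SERVER_KEY`, so it needs to store nothing between issuing the question and checking the answer; the function names `issue_challenge` and `verify_answer`, the 120-second lifetime and the one-guess-per-challenge rule are choices made here.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret (constructed here at import time for the example; a real
# service would load it from a secrets store). It signs every challenge.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 120  # a challenge is only valid for two minutes


def _mac(nonce, expires, answer):
    """HMAC over nonce, expiry and the expected answer. The answer itself never
    leaves the server, so a client holding the token cannot recover it."""
    message = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Create a math captcha of the form 'a-b' (like the article's 20-4).

    Returns (question, token). The token is 'nonce.expires.mac' and is sent to
    the client together with the question; the server keeps no state."""
    now = int(time.time()) if now is None else now
    a = secrets.randbelow(90) + 10          # 10..99
    b = secrets.randbelow(9) + 1            # 1..9, so the answer is always positive
    question = f"{a}-{b}"
    answer = str(a - b)
    nonce = secrets.token_hex(8)            # makes every token unique
    expires = now + TTL_SECONDS
    token = f"{nonce}.{expires}.{_mac(nonce, expires, answer)}"
    return question, token


def verify_answer(token, user_answer, used_nonces, now=None):
    """Check a submitted answer against its token.

    `used_nonces` is a set shared across requests (in production a cache with
    expiry). A nonce is burned on the FIRST attempt, right or wrong, so each
    challenge allows exactly one guess and cannot be replayed."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expires_text, mac = token.split(".")
        expires = int(expires_text)
    except ValueError:
        return False                         # malformed token
    if now > expires:
        return False                         # challenge expired
    if nonce in used_nonces:
        return False                         # replay or second guess
    used_nonces.add(nonce)
    expected = _mac(nonce, expires, user_answer.strip())
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    question, token = issue_challenge()
    print(f"Solve: {question}")
    left, right = question.split("-")
    print("correct answer accepted:",
          verify_answer(token, str(int(left) - int(right)), set()))
```

Because the MAC covers the answer but the token does not contain it, a client cannot work the answer out offline from the token alone, and because the nonce is consumed on the first attempt, a token cannot be reused to try every possible result one by one. The weakness of this variant is the one the article points at: the answer space is tiny, so any client that can read the question can also compute it, which is why such captchas are now rarely used on their own.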

The cybersecurity dangers of captchas

If we pay attention, captchas are present on almost every website, from blogs to game pages, mail services, etc., so we can say they are highly popular. Looking at it this way, we know that captcha is a great tool to help such websites differentiate ordinary users from bots or automated applications. However, the creators of captcha did not foresee that cybercriminals would at some point use it to their advantage.

Likewise, in January 2020 the malware campaign called “Dudear”, which placed Excel files behind a CAPTCHA, appeared; according to the information gathered, the group behind it, responsible for stealing private information by redirecting HTML addresses, is using advanced methods to evade detection.

Email antivirus generally scans files for code, drivers, etc., and can do so from the first click. Other programs are responsible for collecting samples of various malware and running them in an automated fashion for further analysis. But the CAPTCHA request means that the scan can only be performed after the user has downloaded the malicious file. As a result, automated scanning becomes less of a priority, which increases the chance of exploitable code evading detection and helps adversaries deploy malware.
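The point above, that a CAPTCHA in front of a download keeps automated scanners from ever seeing the file, can be turned into a detection signal instead of a blind spot. The following Python is an added example, not part of the original article or of any named product: a mail link scanner fetches the landing page behind a URL (the three pages below are constructed samples) and classifies it, so that a page demanding a human check before handing over a file is held for sandbox detonation or analyst review rather than being treated as clean because nothing could be scanned. The marker substrings, the file extensions and the verdict names are assumptions of the example.

```python
from html.parser import HTMLParser

# Attribute substrings that indicate a human-verification widget is present.
CAPTCHA_MARKERS = ("captcha", "turnstile")
# File types an automated mail scanner would want to fetch and inspect.
RISKY_EXTENSIONS = (".xls", ".xlsm", ".xlsb", ".doc", ".docm",
                    ".zip", ".iso", ".exe", ".js", ".hta")

# Constructed landing pages standing in for what a link scanner would fetch.
SAMPLE_GATED = """<html><body>
<p>Please confirm you are human to view the invoice.</p>
<form action="/verify" method="post">
  <div class="g-recaptcha" data-sitekey="CONSTRUCTED-SITE-KEY"></div>
  <button type="submit">Continue</button>
</form></body></html>"""
SAMPLE_DIRECT = ('<html><body><a href="/files/invoice_2020.xlsm">'
                 'Download invoice</a></body></html>')
SAMPLE_PLAIN = ('<html><body><p>Thanks for reading.</p>'
                '<a href="/about.html">About</a></body></html>')


class LandingPageScanner(HTMLParser):
    """Collects captcha widgets and direct file links from one HTML page."""

    def __init__(self):
        super().__init__()
        self.captcha_signals = []
        self.download_links = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        # Widget markers usually live in class/id/name/src/action attributes.
        haystack = " ".join(
            v for v in (attr.get("class"), attr.get("id"), attr.get("name"),
                        attr.get("src"), attr.get("action")) if v
        ).lower()
        for marker in CAPTCHA_MARKERS:
            if marker in haystack:
                self.captcha_signals.append(f"<{tag}> matches '{marker}'")
                break
        href = attr.get("href") or ""
        if tag == "a" and href.lower().split("?")[0].endswith(RISKY_EXTENSIONS):
            self.download_links.append(href)


def classify_landing_page(html_text):
    """Return a verdict dict for the scanner's pipeline.

    DIRECT_DOWNLOAD: the file is reachable, fetch and scan it.
    CAPTCHA_GATED:   a human check stands between the scanner and the payload;
                     automated analysis cannot proceed, so hold the mail for
                     detonation or analyst review rather than passing it.
    NO_DOWNLOAD:     nothing to fetch on this page."""
    scanner = LandingPageScanner()
    scanner.feed(html_text)
    scanner.close()
    if scanner.download_links:
        verdict = "DIRECT_DOWNLOAD"
    elif scanner.captcha_signals:
        verdict = "CAPTCHA_GATED"
    else:
        verdict = "NO_DOWNLOAD"
    return {"verdict": verdict,
            "captcha_signals": scanner.captcha_signals,
            "download_links": scanner.download_links}


if __name__ == "__main__":
    for name, page in (("gated", SAMPLE_GATED), ("direct", SAMPLE_DIRECT),
                       ("plain", SAMPLE_PLAIN)):
        print(name, classify_landing_page(page))
```

The design choice worth noting is the ordering of the verdicts: a reachable file is always scanned, but when the only thing on the page is a human check, the scanner does not conclude "no file, no risk". It records that it was prevented from looking, which is exactly the condition the campaign described above relies on.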

What could be safer alternatives to captcha?

At this point in the article, we cannot say that captchas are bad or useless; on the contrary, they have kept evolving to create new-generation captchas. However, there are other alternatives to the captcha, which can be:

  • Honeypot: this is a good alternative to traditional captchas; it acts as bait to divert and analyze suspicious systems on the Internet. This makes it possible to see some threats that other systems, such as captchas, may overlook. However, the honeypot on its own is not as efficient against threats, although coupled with a captcha it can be a very good complement.
  • Bot manager: the job of captchas is to differentiate bots from real people; bot managers, for their part, are responsible for analyzing the interactions of these bots on the web, thus understanding how humans interact and differentiating them from bots, all in order to identify vulnerabilities that can be corrected.
  • 2FA/MFA: two-factor authentication validates the identity of users; it verifies that the user is actually a human and not an automated system. This method and captcha solve the same problems, so they are more of a complement than alternatives.
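The honeypot item above, and the idea that it works best as a complement to a captcha, can be shown concretely with the most common web-form version of the bait: a hidden input that a person never sees but a form-filling bot completes. The Python below is an added example written for this page, not code from the original article or from any framework. The field name `website_url`, the three-second minimum fill time and the signing key `FORM_KEY` are assumptions of the example; the three-way outcome (accept, reject, or fall back to a captcha) is how the "complement, not replacement" approach is expressed here.

```python
import hashlib
import hmac
import secrets
import time

# Name of the hidden "bait" field. It is hidden with CSS, so a person never sees
# or fills it; a bot that completes every input will. Constructed name.
HONEYPOT_FIELD = "website_url"
MIN_FILL_SECONDS = 3                 # nobody reads and types a form faster than this
FORM_KEY = secrets.token_bytes(32)   # constructed per-deployment secret


def _sign(stamp):
    """Sign the render timestamp so a client cannot simply backdate it."""
    return hmac.new(FORM_KEY, stamp.encode(), hashlib.sha256).hexdigest()


def render_form_fields(now=None):
    """Hidden fields the server adds when it renders the form."""
    now = int(time.time()) if now is None else now
    stamp = str(now)
    return {HONEYPOT_FIELD: "", "rendered_at": stamp, "rendered_sig": _sign(stamp)}


def triage_submission(form, now=None):
    """Decide what to do with a submitted form.

    'reject'    - the honeypot was filled; only an automated client does that.
    'challenge' - the evidence is ambiguous (too fast, or the timestamp is
                  missing or forged): fall back to a captcha instead of guessing.
    'accept'    - nothing suspicious; the user never sees a captcha at all."""
    now = int(time.time()) if now is None else now
    if form.get(HONEYPOT_FIELD):
        return "reject"
    stamp = form.get("rendered_at", "")
    sig = form.get("rendered_sig", "")
    try:
        if not stamp or not hmac.compare_digest(_sign(stamp), sig):
            return "challenge"               # timestamp missing or tampered
        elapsed = now - int(stamp)
    except (TypeError, ValueError):
        return "challenge"                   # malformed values: do not trust them
    if elapsed < MIN_FILL_SECONDS:
        return "challenge"                   # submitted faster than a human could
    return "accept"


if __name__ == "__main__":
    fields = render_form_fields(now=1000)
    # Constructed submissions: a person, a hurried client, and a bot that
    # filled the hidden field.
    person = dict(fields, name="Ana", message="Hello")
    hurried = dict(fields, name="x", message="y")
    bot = dict(fields, name="x", message="buy now")
    bot[HONEYPOT_FIELD] = "http://example.invalid"
    print("person :", triage_submission(person, now=1012))
    print("hurried:", triage_submission(hurried, now=1001))
    print("bot    :", triage_submission(bot, now=1012))
```

Most legitimate visitors take the "accept" path and are never asked to solve anything; the captcha is reserved for the ambiguous cases, which is what the article means by combining the methods rather than replacing one with the other.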

As mentioned above, we cannot conclude that captchas are not very effective; rather, it is preferable to combine them with other detection methods to improve their effectiveness. It is also important to clarify that the simplest captchas are becoming less and less frequent; they are constantly being improved to combat threats.
