Google’s reCAPTCHA, used to distinguish human customers from bots, can be subverted by automation through HTTP parameter pollution, according to security researcher Andres Riancho, who discovered the problem. Ryan Wilk, VP of Customer Success at NuData Security, commented below.
Ryan Wilk, VP of Customer Success at NuData Security:
“As the saying goes, you cannot judge a book by its cover, but you can judge a captcha by its provider. The use of automated tools to commit Account Takeover (ATO) and create fraudulent accounts on a massive scale is growing. To stop this, many companies are using “freeware” captcha tools. The problem with these offerings is that they don’t stop the automated risk they claim to mitigate, and at the same time they create a terrible customer experience by constantly challenging valid human users. Using one of these providers to protect a website’s login is analogous to leaving your front door open when you go on vacation, with a nice sign asking criminals not to enter. While captcha itself is not the issue, these “freeware” versions of captcha can be easily subverted by cybercriminals. To effectively solve the issue of automation without creating a terrible customer experience, companies need to implement good intelligence behind the captcha tool, such as a passive, layered security solution. By using behavioral analytics and passive biometrics to accurately identify whether the user is a human or a machine, the interdiction will only be presented to machines. Without sophisticated intelligence behind the captcha puzzle, get ready for over 67% of all automation to walk past security controls with ease.”