# CAPTCHAs FOR YOUR LIFE!
*by Justine N. Gudito, Mercyd Sinadjan, Sam Bondj A. Tupa*
Fun fact: CAPTCHAs are certainly older than us (the bloggers).
As chronically online people, every so often when registering new accounts or accessing (non)sussy sites, we encounter the image above. This kind of image is infamously known as a CAPTCHA. Based on personal experience, it is a type of security measure used on websites to distinguish between human users and automated bots. Just like the above image, it typically challenges the user to decipher distorted text. However, there are also other challenges, such as selecting the images that match a keyword or checking a box to confirm that the user is human.
Overall, CAPTCHAs help enhance online security by protecting against spam and fraud or by verifying the authenticity of human users in various online interactions. However, the question is: how does the human user feel about it? As we all learned from previous writeups, humans are the weakest link in computer security. The majority of humans, whether we like it or not, prefer convenience over security. Thus, the question now is, are CAPTCHAs worth the effort?
---
## ROUND 1: CAPTCHAs VS The Digital Threats
In the digital realm, CAPTCHAs act as security measures to prevent malicious software from causing harm to websites. They stop a variety of harmful activities, such as illegal data scraping, spamming, and credential stuffing attacks.
Spamming can be annoying and can significantly interrupt real communication by leaving unsolicited messages on forums, comments, and contact forms. For instance, let's say you're running a blog where users can leave comments on your posts. Without a CAPTCHA, automated bots could flood your comment section with spammy links and advertisements, making it difficult for genuine users to engage in meaningful discussions. By implementing a CAPTCHA before allowing users to submit a comment, you can effectively filter out most of the spam while still allowing legitimate users to participate.
Additionally, there are credential stuffing attacks, in which automated systems attempt to breach accounts using stolen usernames and passwords. CAPTCHAs play a crucial role in preventing such attacks by thwarting automated bots, and they likewise stop bots from creating fake accounts. For instance, when signing up for a new email account, including a CAPTCHA during the registration process helps ensure that each account is created by a real person, safeguarding against bot-driven spam or abuse.
---
## ROUND 2: CAPTCHAs VS The Users
In the scenarios mentioned above, CAPTCHAs can be useful since they offer a test that is difficult for bots to pass and so prevent these frauds. However, it is also worth noting that CAPTCHAs are not foolproof. Sometimes they can even be inconvenient for users. For instance, when completing an online survey, a CAPTCHA might appear overly complex, making it difficult for the user to proceed smoothly. In such instances, users may feel frustrated and opt to abandon the survey, leading to the potential loss of valuable data for the website or research project. Thus, CAPTCHAs can sometimes be more trouble than they're worth from a user's perspective and can negatively impact the user experience.
Similarly, there may be situations where CAPTCHAs fail to effectively distinguish between humans and bots, leading to false positives or false negatives. For instance, if the CAPTCHA is too easy to solve or if the bot has advanced capabilities for bypassing CAPTCHAs, it may still allow automated bots to slip through the verification process. So, while CAPTCHAs can be a valuable tool for protecting against automated threats, it's important to consider the user experience and potential limitations when deciding where and how to deploy them.
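One way to act on that trade-off, as an added example that is not part of the original post: challenge only clients whose recent failed logins look like credential stuffing (many different usernames from one address), so ordinary users rarely see a CAPTCHA. The `CaptchaGate` helper, its thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed look-back window
MAX_FAILED_USERS = 3   # assumed threshold: distinct usernames failed per IP

class CaptchaGate:
    """Hypothetical helper: decide per login attempt whether to show a CAPTCHA."""
    def __init__(self, window=WINDOW_SECONDS, max_failed_users=MAX_FAILED_USERS):
        self.window = window
        self.max_failed_users = max_failed_users
        self._failures = defaultdict(deque)  # ip -> (timestamp, username) pairs

    def _recent(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()  # drop failures older than the window
        return q

    def record_failure(self, ip, username, now):
        self._recent(ip, now).append((now, username))

    def needs_captcha(self, ip, now):
        # Count distinct usernames, not raw failures: a person who keeps
        # mistyping their own password is never challenged.
        users = {user for _, user in self._recent(ip, now)}
        return len(users) >= self.max_failed_users

def replay(events, gate=None):
    """Replay (time, ip, username, success) events; return the attempts challenged."""
    gate = gate or CaptchaGate()
    challenged = []
    for ts, ip, user, ok in events:
        if gate.needs_captcha(ip, ts):
            challenged.append((ts, ip, user))
        if not ok:
            gate.record_failure(ip, user, ts)
    return challenged

# Constructed sample events (documentation-range IPs, made-up usernames).
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", "alice", False),
    (5,   "198.51.100.7", "alice", False),
    (10,  "203.0.113.9",  "bob",   False),
    (11,  "203.0.113.9",  "carol", False),
    (12,  "203.0.113.9",  "dave",  False),
    (13,  "203.0.113.9",  "erin",  False),
    (14,  "203.0.113.9",  "frank", True),
    (400, "203.0.113.9",  "grace", False),
]
print(replay(SAMPLE_EVENTS))
```

The thresholds need tuning for shared addresses, such as an office behind one NAT, where several real users can fail from the same IP.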
---
## ROUND 3: CAPTCHAs VS The Modern Society
As previously stated, CAPTCHAs do work, but not always. In modern society, AIs are evolving, more systems are being compromised, and more people are becoming involved with technology. This indicates that CAPTCHAs are becoming more and more vulnerable. First, through iterative training and advanced image recognition or machine learning techniques, AI algorithms can solve CAPTCHAs. Moreover, as we said, humans are the weakest link, and some can be tricked by fellow humans who act as human solvers, standing in for bots to bypass the intended security measures by completing the CAPTCHA either manually or with software.
Furthermore, some CAPTCHA systems, such as those that have problems in their implementation, design, or configuration, may include vulnerabilities that can be exploited. An example of this was the problem with Ticketmaster (New York Show Tickets Inc., 2019). Many people trying to buy Broadway tickets on Ticketmaster faced a blank CAPTCHA screen, making it hard to finish their purchase. This showed how poorly designed CAPTCHA systems could frustrate real users and help attackers. Despite Ticketmaster's intention to use CAPTCHA as a security check against ticket brokers and bots, the blank CAPTCHA screen impeded regular ticket buyers and potentially facilitated exploitation by malicious actors. Additionally, Ticketmaster's suggested fixes, like restarting the computer or using a different browser, showed they did not have a clear solution, revealing the difficulty in making CAPTCHA work effectively.
We also pondered an excerpt in the CS161 textbook: if you search 'crack CAPTCHA' on Google, you'll find services offering solutions for as little as $0.10 per CAPTCHA, where humans do the work. CAPTCHAs now ask, 'Is this a human or a bot willing to spend a fraction of a penny?' Are CAPTCHAs losing their worth when attackers can crack them for just $0.10? It's time to rethink our reliance on this security measure.
Hence, in response to the question of whether or not CAPTCHAs work: sure, they do provide some defense against automated attacks. However, people are beginning to doubt their effectiveness due to advancements in technology, human involvement, and cognitive abilities. What lies ahead in the future? Hmmm. We don’t believe they can stand alone. We think they could overcome these limitations if combined with other essential security measures for optimal safety, though it may entail higher expenses. Therefore, we conclude that as technology and society evolve, so must our approach to online security, ensuring we stay one step ahead of potential threats.
---
## BONUS ROUND: CAPTCHAs VS The Nyan Tradition
Before we have our final verdict, let us commemorate some of our favorite nyan references as with any of our previous writeups :3
> 
> French Nyan
> 
> I am not a PURRBOT!!
> 
> When you're on your 9th life trying to prove you're not a robot t.t
---
## FINAL ROUND: CAPTCHAs VS The Verdict
So, are CAPTCHAs worth the effort?
Personally, we think it is not worth the effort, considering it is not entirely foolproof and only reduces spam to an extent due to the continuous evolution of spam bots. Moreover, the prevalence of inexpensive CAPTCHA-solving services that utilize human labor to bypass CAPTCHAs makes the security measure futile. Lastly, it also does not help that many users are turned off by it, which leads to a decline in website traffic as people find CAPTCHAs difficult to complete or do not complete them at all.
However, it can also be argued that not every user would always have to encounter CAPTCHAs every time they are online; more so, it only takes up at least a minute of your time. So, yes, it can be frustrating, but we also have to understand that a bit of protection is still better than no protection.
Thus, going back to CAPTCHAs’ original purpose to protect websites, it can be effective; however, we should look for better alternatives that will still prevent spam and fraud while considering user experience. This is because people are not likely to change their behavior and will always prefer convenience over security.
---
### *References*
*1. Wagner, D., Weaver, N., Kao, P., Shakir, F., Law, A., & Ngai, N. (2023). [CS 161: Computer Security](https://textbook.cs161.org/). UC Berkeley.*
*2. New York Show Tickets Inc. (2019, August 1). ReCAPTCHA Security check failing on Ticketmaster website. New York Show Tickets Inc. https://www.nytix.com/articles/recaptcha-security-check-failing-on-ticketmaster-website*