The “Completely Automated Public Turing Test To Tell Computers and Humans Apart” or, as it is more commonly known, “CAPTCHA”, has provided a first threshold for separating automated bot sign-ins from real people since at least the early 2000s. Over the past fifteen years, bots and automated attacks have grown in sophistication at the same pace as CAPTCHA technology. Google bought CAPTCHA’s developer in 2009 and subsequently launched “No CAPTCHA reCAPTCHA”, which in part asks users simply to verify that they are not robots. Notwithstanding every new CAPTCHA development, however, hackers have developed automated bots that are able to crack more than two-thirds of all CAPTCHA protections. Accordingly, organizations need more than a CAPTCHA alone to fend off form-based and other automated attacks on their online presence.
Four common cyberdefenses in addition to CAPTCHA are as follows:
1) Honeypot Fields
Honeypot fields are decoy form fields that serve no purpose on a website other than to attract automated submissions; because they are not presented to human visitors, a real user never fills them in. Any interaction with a honeypot is therefore flagged as suspicious, giving the security team an early opportunity to block the attack that is probing it. The overall success of a honeypot depends on its ability to attract an automated bot, and, like all lures, honeypots are not foolproof: as bots grow more sophisticated, they will likely learn to recognize and skip honeypot fields.
2) Email Verification
An advanced email verification routine rejects addresses that have bad syntax or whose domain does not exist (a DNS lookup fails), and then requires the additional step of having the user click a specific link sent to his or her inbox to confirm that a human, not an automated bot, is behind the address. An equally advanced bot can mimic the required responses. Moreover, some legitimate users may object to providing an email address out of concern that it will be used for additional marketing or tracking.
3) Server Timestamps
Server timestamps rest on the premise that real users take longer to complete required fields than automated bots do. For example, if a user takes less than five seconds to fill in and submit a password, the system can flag the login attempt as suspicious and possibly originating from an automated attack. Attackers can defeat timestamp checks simply by building delays into their bots, so, like the other defenses, timestamps are not foolproof.
4) Confirmation Pages and Server Signed Tokens
Server-signed tokens are an advanced version of email verification. The organization’s website creates the user account with a verification flag set to “false”, and the flag stays false until the user clicks a link in an email message whose query string carries a token signed by the server. Rather than simply confirming that the email address exists, this technique relies on cryptographic signing and related techniques that are more difficult (albeit not impossible) for an automated attack bot to respond to.
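As an added example (my own code, not from the original article), the following Python puts three of the four defenses above into one form handler: a honeypot field, a server-issued render timestamp that travels inside an HMAC-signed token so the client cannot forge it, and an expiring server-signed token for the emailed verification link. The field name `website`, the token field `form_token`, the `kind` claim and the five-second threshold are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)  # constructed; a real deployment loads this from config

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: bytes = SECRET) -> str:
    """Serialise claims and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token: str, key: bytes = SECRET):
    """Return the claims if the tag is valid, otherwise None; never raises."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None
        return json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None

def form_token(now: float) -> str:
    """Issued when the form is rendered; the render time travels inside the signature."""
    return sign({"kind": "form", "rendered": now})

def check_submission(form: dict, now: float, min_seconds: float = 5.0) -> str:
    if form.get("website", ""):  # honeypot field: hidden from humans, so a value means a bot
        return "reject: honeypot filled"
    claims = verify(form.get("form_token", ""))
    if not claims or claims.get("kind") != "form":
        return "reject: missing or forged form token"
    if now - claims["rendered"] < min_seconds:  # timestamp is ours, not the client's
        return "reject: submitted too fast"
    return "ok"

def verification_token(email: str, now: float, ttl: int = 3600) -> str:
    """Token for the emailed link; the account stays unverified until confirm() accepts it."""
    return sign({"kind": "verify", "email": email, "exp": int(now) + ttl})

def confirm(token: str, now: float):
    claims = verify(token)
    if not claims or claims.get("kind") != "verify" or now > claims["exp"]:
        return None
    return claims["email"]
```

The `kind` claim keeps a form token from being replayed as a verification link, and `confirm()` is where the account's verification flag would be flipped from false to true.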
These strategies, either individually or in combination, are useful and valid defenses against automated cyberattacks. They will not stop every form of automated attack, and even an organization with the most tightly protected website can find itself suffering direct and third-party losses from a successful unauthorized incursion into its network systems. Every organization, regardless of size, can benefit from cyber liability insurance that provides reimbursement for those losses. Underwriters and other cyber insurance specialists can also help their clients establish the best defenses against cyberattacks and maintain and update those defenses as hackers increase their sophistication and the abilities of their automated attack tools.