Interview: Why traditional picture captchas should disappear
At the beginning of March, the BSI warned about fake captchas. Benedict Padberg from Friendly Captcha explains what you should look out for.
(Image: Dabarti CGI/Shutterstock.com, editing: heise online)
After the German Federal Office for Information Security (BSI) warned about fake captchas on Mastodon, these annoying things are a hot topic everywhere. Everyone has encountered captchas, most of them Google's, because websites integrate them to protect against automated attacks and spam. They are available from various providers such as hCaptcha and MTCaptcha.
(Image: Friendly Captcha)
Benedict Padberg, co-founder of the cybersecurity provider "Friendly Captcha" from Wörthsee near Munich, explains why not all captchas are the same. The company has set itself the goal of replacing image captcha tasks with user-friendly captchas. Its customers include the European Union, Bundesliga and Zalando.
heise online: What is a captcha, and why are not all captchas the same?
Padberg: Captchas are extremely important for a secure Internet and are omnipresent on every website and app worldwide because they provide essential cybersecurity protection against bots and hackers. A captcha therefore describes an anti-robot test. How this test actually works and looks varies greatly.
Unfortunately, there are still too many image tests in which users have to laboriously mark objects such as traffic lights, cars or crosswalks. This is often associated with the term captcha and opens up the security gap of fake captchas.
This must not be allowed to continue. Modern, secure captchas are needed. There are now completely invisible captcha tests that completely replace the nerve-wracking picture puzzles and other user tasks.
What does a fake captcha look like?
Fake captchas are usually based on the design of Google's captcha service, which is intended to protect websites from robots. They are often integrated into websites via online advertising banners and imitate manual captcha user tasks.
(Image: Padberg)
Google's regular captcha prompts users to click on images of traffic lights. Fake captchas, on the other hand, prompt users to press crude key combinations and enter program code in the Windows command line.
What can captcha makers do?
A lot. Traditional image captchas are becoming increasingly insecure and annoying. That's why in 2020 we developed Friendly Captcha, a modern captcha that no longer requires any user tasks. Instead of overwhelming the user with image tasks, Friendly Captcha checks the user's device invisibly in the background. Captcha manufacturers can therefore develop modern, task-free captchas.
Traditional image captchas should be replaced by modern, invisible captchas as soon as possible. This will not only make the Internet less annoying, but also more secure, as it will make fake captchas impossible. This is because a modern captcha no longer requires any user interaction.
How does your captcha differ from the others?
Friendly Captcha takes a fundamentally new, barrier-free and data protection-friendly approach to securely protect web interaction against bots. At the same time, Friendly Captcha does not store any personal data, effectively protecting user privacy and ensuring compliance with legal frameworks such as the GDPR.
We use a novel proof-of-work mechanism so that users no longer have to perform manual tasks. In our case, this mechanism is based on a cryptographic puzzle. This puzzle is solved by the user's device in the background while the user fills out a web form. The complexity of the puzzle is dynamically adjusted based on a risk assessment by advanced risk signals.
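To make the mechanism described in this answer concrete, here is an added illustration of a proof-of-work captcha; it is not part of the interview and not Friendly Captcha's actual protocol. The server issues a challenge whose difficulty (leading zero bits of a SHA-256 hash) is derived from a risk score, the client's device searches for a matching counter in the background, and the server checks the result with a single hash. The HMAC tag, the nonce set, the difficulty scale and the `risk_score` parameter are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a per-deployment secret that lets the server
# recognise challenges it issued without storing each one.
SERVER_KEY = secrets.token_bytes(32)

# Nonces of already-accepted solutions, so a solved puzzle cannot be replayed.
_used_nonces: set = set()


def difficulty_for_risk(risk_score: float, base_bits: int = 12, max_bits: int = 24) -> int:
    """Map a risk score in [0, 1] (0 = looks human, 1 = looks like a bot) to the
    number of leading zero bits the client's hash must have. Each extra bit
    doubles the expected work, so the scale is deliberately narrow."""
    risk_score = min(max(risk_score, 0.0), 1.0)
    return base_bits + round((max_bits - base_bits) * risk_score)


def _challenge_message(nonce: str, expires: int, bits: int) -> bytes:
    return f"{nonce}|{expires}|{bits}".encode()


def issue_challenge(risk_score: float, ttl_seconds: int = 300, now: Optional[int] = None) -> dict:
    """Server side: create a fresh puzzle. The HMAC tag binds nonce, expiry and
    difficulty together so the client cannot lower the difficulty on its own."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    expires = now + ttl_seconds
    bits = difficulty_for_risk(risk_score)
    tag = hmac.new(SERVER_KEY, _challenge_message(nonce, expires, bits), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "expires": expires, "bits": bits, "tag": tag}


def _leading_zero_bits(digest: bytes) -> int:
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def solve_challenge(challenge: dict, max_iterations: int = 1 << 40) -> int:
    """Client side: the part that runs in the browser while the form is filled in.
    Search for a counter whose hash together with the challenge has enough
    leading zero bits. No user interaction is involved."""
    prefix = _challenge_message(challenge["nonce"], challenge["expires"], challenge["bits"]) + b"|"
    for counter in range(max_iterations):
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if _leading_zero_bits(digest) >= challenge["bits"]:
            return counter
    raise RuntimeError("no solution within the iteration budget")


def verify_solution(challenge: dict, solution: int, now: Optional[int] = None) -> bool:
    """Server side: one hash checks the work, but only after confirming the
    challenge is authentic, unexpired and not already spent."""
    now = int(time.time()) if now is None else now
    message = _challenge_message(challenge["nonce"], challenge["expires"], challenge["bits"])
    expected_tag = hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, challenge["tag"]):
        return False  # tampered or foreign challenge, e.g. lowered difficulty
    if now > challenge["expires"]:
        return False  # stale challenge
    if challenge["nonce"] in _used_nonces:
        return False  # replayed solution
    digest = hashlib.sha256(message + b"|" + str(solution).encode()).digest()
    if _leading_zero_bits(digest) < challenge["bits"]:
        return False  # insufficient work
    _used_nonces.add(challenge["nonce"])
    return True


if __name__ == "__main__":
    challenge = issue_challenge(risk_score=0.1)
    answer = solve_challenge(challenge)
    print(f"difficulty {challenge['bits']} bits, counter {answer}, "
          f"verified: {verify_solution(challenge, answer)}")
```

The asymmetry is the point: the client does thousands to millions of hashes, the server does one. The tag, expiry and spent-nonce set are what stop a bot from weakening the puzzle, hoarding pre-solved challenges, or submitting one solution many times; the risk signals that feed `risk_score` are outside the scope of this sketch.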
What should users look out for?
Traditional image captchas require attention. If you are asked to enter key combinations, you should inform the website operator immediately. Website operators should then immediately eliminate the vulnerability and replace their traditional captcha with a modern captcha that no longer requires user interaction.
(mack)