SoylentNews is people

posted by martyb on Friday June 28 2019, @04:27PM
from the you-are-not-necessarily-paranoid-if-they-are-watching-you dept.

Given that most sane people have now blocked Google Analytics, Fast Company reports that the new reCaptcha wants to embed itself everywhere and declare those who don't use Chrome or aren't signed in to their Google account as bots, and thus not worthy of accessing the internet.

“It’s a better experience for users. Everyone has failed a Captcha,” says Cy Khormaee, the reCaptcha product lead at Google. Instead, Google analyzes the way users navigate through a website and assigns them a risk score based on how malicious their behavior is. Khormaee won’t share what signals Google uses to determine these scores because he says that would make it easier for scammers to imitate benign users, but he believes that this new version of reCaptcha makes it incredibly difficult for bots or Captcha farmers—humans who are paid tiny amounts to break Captchas online—to fool Google’s system.

[...]“You have to understand what behavior on the site should be and mimic that well enough to fool us,” he says. “That’s a really hard problem versus the general problem of, ‘Pretend like I’m a human.'” Website administrators then get access to their visitors’ risk scores and can decide how to handle them: For instance, if a user with a high risk score attempts to log in, the website can set rules to ask them to enter additional verification information through two-factor authentication. As Khormaee put it, the “worst case is we have a little inconvenience for legitimate users, but if there is an adversary, we prevent your account from being stolen.”

[...]To make this risk-score system work accurately, website administrators are supposed to embed reCaptcha v3 code on all of the pages of their website, not just on forms or log-in pages. Then, reCaptcha learns over time how their website’s users typically act, helping the machine learning algorithm underlying it to generate more accurate risk scores. Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there may be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner.

And that information is just one request, subpoena, or National Security Letter away from being in the hands of the government, too.
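
The score handling the quoted article describes (step up to two-factor authentication for suspicious log-ins), sketched as an added example that is not part of the original story or anyone's production code. It takes the already-parsed JSON that reCAPTCHA v3's `siteverify` endpoint returns; the thresholds, the `login` action name and the `shop.example` hostname are assumptions. Note that v3 scores run from 0.0 (likely automated) to 1.0 (likely human), so what the article calls a high risk score is a low number here.

```python
# Assumed policy values for this sketch; tune per site and per action.
STEP_UP_BELOW = 0.7   # below this, require a second factor
DENY_BELOW = 0.3      # below this, refuse the attempt


def login_decision(resp, expected_action="login", expected_hostname="shop.example"):
    """Map a parsed siteverify response to 'allow', 'step_up' or 'deny'."""
    # Fail closed on anything that is not a clean verification.
    if resp.get("success") is not True:
        return "deny"
    # A token minted for another page or another site must not
    # authorise a log-in, however good its score is.
    if resp.get("action") != expected_action:
        return "deny"
    if resp.get("hostname") != expected_hostname:
        return "deny"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "deny"
    # 0.0 = likely automated, 1.0 = likely human.
    if score < DENY_BELOW:
        return "deny"
    if score < STEP_UP_BELOW:
        return "step_up"   # ask for two-factor authentication
    return "allow"


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    {"success": True, "score": 0.9, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.5, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.1, "action": "login", "hostname": "shop.example"},
    {"success": True, "score": 0.9, "action": "homepage", "hostname": "shop.example"},
    {"success": False, "error-codes": ["timeout-or-duplicate"]},
]


def classify_samples():
    """Return the decision for each constructed sample, in order."""
    return [login_decision(r) for r in SAMPLES]


if __name__ == "__main__":
    for resp, decision in zip(SAMPLES, classify_samples()):
        print(decision, resp)
```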


  • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @09:36AM (#861287) (1 child)

    You really must try auth0
    My energy provider uses it for website logon
    I assume because they are too lazy to implement their own
    Oh no, Auth0 it is
    Awful. Just awful.
    auth0 puts captcha and recaptcha to shame.
    Just when you think these things can't get worse someone invents a new one.

  • (Score: 0) by Anonymous Coward on Sunday June 30 2019, @01:08AM (#861493)

    You'd love their website -- https://auth0.com/

    94% of our customers implement Auth0 in less than one month