30 June, 2012

CAPTCHA and Customer Context

In my previous blog post, my friend and colleague Santhosh Tuppad asks, “What are the different contexts in which customers might want to use CAPTCHA?”

Captchas and customers always make for a difficult discussion. As a customer myself, I am annoyed by captchas that are hard to read. If I had the option, I would obviously opt out, as it removes one step :-). However, as a tester, I would be concerned about the implications of not having a captcha. Here are a few contexts where customers might want to use a captcha. Some of these may repeat points from my previous blog post - do bear with me.

Image credits: www.onlineaspect.com

Where would a customer prefer captchas?
Sign up
Suppose I run a testing forum on my website, and users must sign up to take part in it. What if someone writes a script that registers accounts endlessly? I would want a captcha on the registration form to separate fake accounts from genuine users. Unlimited sign-ups without appropriate verification can become a daunting problem for website owners to solve.

Login page
If a user has keyed in the wrong password 3 times consecutively, present a captcha to that user to prove that they are human :-). I have assumed that the user's account is locked out after 5 unsuccessful attempts; some applications limit it to 3. A captcha combined with an account lockout policy helps curb brute force attacks early on.
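As an added example that is not part of the original post, the following Python sketch models the policy just described: three consecutive wrong passwords trigger a captcha requirement, five lock the account. The user table, the salted-hash comparison and the `captcha_ok` flag are constructed for the demo; a real deployment would verify the challenge against its captcha service and store passwords with a slow KDF such as bcrypt or Argon2.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

# Policy thresholds from the post: captcha after 3 failures, lockout after 5.
CAPTCHA_AFTER = 3
LOCKOUT_AFTER = 5


@dataclass
class AccountState:
    failures: int = 0   # consecutive failed attempts
    locked: bool = False


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Constructed demo store: random salt + SHA-256. Real systems use bcrypt/scrypt/Argon2."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


class LoginGate:
    def __init__(self, users: Dict[str, str]):
        # username -> (salt, digest); the user table is constructed for this example
        self._records = {u: make_record(p) for u, p in users.items()}
        self._state: Dict[str, AccountState] = {}

    def state(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def captcha_required(self, user: str) -> bool:
        return self.state(user).failures >= CAPTCHA_AFTER

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False          # unknown users are counted like wrong passwords
        salt, digest = rec
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(candidate, digest)

    def attempt(self, user: str, password: str, captcha_ok: bool = False) -> str:
        """Returns 'ok', 'denied', 'captcha_required' or 'locked'."""
        st = self.state(user)
        if st.locked:
            return "locked"
        if self.captcha_required(user) and not captcha_ok:
            # The password is not even checked until the challenge is solved, so a
            # script that ignores the captcha learns nothing from the attempt.
            return "captcha_required"
        if self._password_ok(user, password):
            st.failures = 0       # a successful login resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_AFTER:
            st.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    gate = LoginGate({"alice": "correct horse"})
    for pw in ["a", "b", "c", "d", "e", "f"]:
        print(pw, gate.attempt("alice", pw, captcha_ok=gate.captcha_required("alice")))
```

One caveat worth keeping in mind: because the counter is keyed on the username, anyone who knows a username can lock that account by guessing wrong five times, so a lockout that expires after a while (or one that also looks at the source address) is the usual compromise between stopping brute force and inviting lockout abuse.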

Forgot password page
If an attacker tries to break into another user's account through the Forgot Password feature, they could script the attempts. I would prefer a captcha on the Forgot Password page as a second-level check so that scripts cannot bypass it. Note that the first-level check for the Forgot Password feature is to ask the user for a username or email address. Also note that the pool of captcha challenges must be large enough that attackers cannot exhaust it quickly. A captcha on this form also prevents email spamming (whether a single email or mass emails at a time).
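The two-level check and the email-flooding concern above, as an added Python example that is not from the original post: the identifier is required first, the captcha second, and on top of that each address can trigger only a bounded number of reset mails per time window. `send_mail`, the clock and the list of known addresses are constructed stand-ins, and the limits `MAX_MAILS_PER_WINDOW` and `WINDOW_SECONDS` are assumed values, not figures from the post.

```python
import time
from typing import Callable, Dict, Iterable, List

# Assumed limits for the demo (not from the post): at most 3 reset mails per address per hour.
MAX_MAILS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class ForgotPasswordGate:
    def __init__(self, known_emails: Iterable[str], send_mail: Callable[[str], None],
                 clock: Callable[[], float] = time.time):
        self._known = set(known_emails)   # constructed account list
        self._send = send_mail            # constructed mailer stand-in
        self._clock = clock
        self._sent: Dict[str, List[float]] = {}   # address -> timestamps of recent mails

    def request_reset(self, email: str, captcha_solved: bool) -> str:
        # First-level check: the form must carry an identifier at all.
        if not email or not email.strip():
            return "identifier_required"
        # Second-level check: no mail is sent until the captcha has been solved.
        if not captcha_solved:
            return "captcha_required"
        now = self._clock()
        recent = [t for t in self._sent.get(email, []) if now - t < WINDOW_SECONDS]
        self._sent[email] = recent
        # Send only for real accounts that have not hit the per-window cap ...
        if email in self._known and len(recent) < MAX_MAILS_PER_WINDOW:
            self._send(email)
            recent.append(now)
        # ... but answer identically either way, so the form does not confirm
        # which addresses have accounts or that the cap has been reached.
        return "accepted"

    def mails_in_window(self, email: str) -> int:
        now = self._clock()
        return sum(1 for t in self._sent.get(email, []) if now - t < WINDOW_SECONDS)


if __name__ == "__main__":
    outbox: List[str] = []
    gate = ForgotPasswordGate({"alice@example.com"}, outbox.append)
    for _ in range(5):
        gate.request_reset("alice@example.com", captcha_solved=True)
    print(len(outbox), "mails sent")   # capped at MAX_MAILS_PER_WINDOW
```

The per-address cap is what stops the "mass emails" case even if the captcha is eventually broken; the captcha buys time, the cap bounds the damage.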

Forms (Comments, Feedback, Suggestions, Sales queries etc)

As a blog owner, I get bogged down with all kinds of spam comments. I prefer a captcha to be presented to users who want to add genuine comments and keep spammers away.

Sales queries
Many startups can't afford a 24/7 toll-free line to answer customer queries. They place a nice little page in the Contact Us section of their website to invite sales queries. If some thirsty spam bots find such forms, it's a crocodile festival ;)

I prefer a captcha on feedback or suggestion forms to prevent random feedback from spammers or spam bots.

Discussion forums

Users who submit questions on forums that don't require registration are the easiest targets for spamming. Presenting a captcha when a user posts a question is good practice.

You post an update or upload a photo and you are presented with a captcha. There are two facets to captcha usage here.
1. As a user, if I am presented with a captcha while updating my status or uploading a photo, which is a one-time activity, I would do it no matter how annoyed I am by the prompt. If I imagine my account in an attacker's hands, I would be worried about spam bots. Though I acknowledge that spamming status updates can be done manually, it would not be done at the speed a script would achieve.
2. As a businesswoman selling something on Facebook, I would hate a captcha. Suppose I have a Facebook account for my retail business where I need to update my status or post pictures quite often. Entering captchas could be very annoying, yet unavoidable in this context. This could hurt the user experience.
Note: In either of the cases presented above, it’s better to have captchas.

Customer preference of a Captcha
Some customers who prefer captchas have security in mind, while many others think captchas spoil their user experience. The contexts listed above are a few where I would prefer captchas. If you have a different view, you can always spam me in the comments section, as I don't have a captcha ;)

Take it with a pinch of salt
As users, we think that if captchas are in place we can avoid spam. Captchas are not 100% spam proof, nor are they 100% secure. In today's world, where most captcha implementations are easily broken, it's hard to trust captchas completely. Some friends suggest that reCAPTCHA is not broken yet. Well, it could just be a matter of time ;)

Santhosh Tuppad has written a cool blog post on Testing Captchas. Have a feast.

Parimala Hariprasad