Login without "human code" - it's secure?

notset

Hello,

I'm creating my new page with members system. It won't be a bank or such project, but the money will be in it.

My question is about log-in and others actions which the user does.

Can be the system secure without the "human code"?

Do you use it?

Maybe there are any alternatives for this security function?

P.S. "human code" is a picture with code which user need to type before doing some actions, of example: https://www.e-gold.com/acct/gen3.asp?x=1623&y=69592C83C9B4C1B122178BCAA319A06A

laserlight

Can be the system secure without the "human code"?

Yes. This is just used to ensure that the info is entered by a human, not a bot.

You might to read a PHPBuilder article concerning this.

MarkR

You mean a CAPTCHA?

Firstly, you only need a CAPTCHA on registration, not on logon. Secondly, you probably don't need one at all. It's very unlikely that bots will register on your site - particularly if it's just one site and there aren't 10,000 others using the same code.

The bots have to be programmed specifically for each site; if you aren't Google or Yahoo, the authors generally won't bother.

Mark

ahundiak

MarkR wrote:
You mean a CAPTCHA?

Firstly, you only need a CAPTCHA on registration, not on logon. Secondly, you probably don't need one at all. It's very unlikely that bots will register on your site - particularly if it's just one site and there aren't 10,000 others using the same code.

The bots have to be programmed specifically for each site; if you aren't Google or Yahoo, the authors generally won't bother.

Mark

Absolutely 100% wrong.

Blulagoon

ahundiak wrote:
Absolutely 100% wrong.

Perhaps you'd like to elucidate your view on this ?

etully

Many of my small and medium sized clients are seeing bot activity. Further, we are seeing bot activity on pages other than registration. One of the smallest sites I take care of does one CC auth per week and their site was slammed with a bot that was using our site to test hundreds of thousands of sequential CC numbers to figure out which of them were good.

I'm not sure that CAPTCHA is ultimately the right solution - but it's quick and dirty and solves the problem in the short run.

ahundiak

Blulagoon wrote:
Perhaps you'd like to elucidate your view on this ?

Basically what etully just said.

Big companies can lose millions of records and shrug it off because, well, because they are big. Smaller sites are easy to prosecute and if the owners ignore security then they will get burned. The "I'm so small do no one would ever hack me" defense just does not cut it.

MarkR

You really have to ask yourself- what motivation does a bot author have for creating a script to register on your site. If the answer is "none", then they almost certainly won't bother.

I'm not advocating poor security. A site where bots may register is going to be absolutely fine 99.9% of the time, provided it has no real motivation for the bot author.

There are some really reliable ways of stopping bots registering that don't require a CAPTCHA. Email validation is a straightforward one (this does not STOP a bot registering, it makes it sufficiently much harder that it probably won't bother).

Telephone validation via SMS (Short message service, a mobile phone text messaging system which is very popular in Europe) is very good and will stop almost anyone from creating multiple accounts and/or using a bot.

CAPTCHAs are really very lame and a bad solution to a problem which in most cases is imaginary.

Mark

MarkR

ahundiak wrote:
Smaller sites are easy to prosecute and if the owners ignore security then they will get burned. The "I'm so small do no one would ever hack me" defense just does not cut it.

A bot registering on your site should not be able to "hack you" and even if a bot registers 1,000,000 times it should require only a small amount of time to delete all of its accounts.

If it does not, then you are doing something wrong, or aren't very good. Logging the date/time and IP address of a registration is sufficient in most cases to allow you to ban accounts en-masse without affecting real users.

Mark

laserlight

Smaller sites are easy to prosecute and if the owners ignore security then they will get burned. The "I'm so small do no one would ever hack me" defense just does not cut it.

It helps to prevent brute force attacks, but there are other ways, such as enforced pauses between tries, caps on number of tries, and having intermediate pages.

Perhaps where CAPTCHA is particularly useful in are games where bots might allow some form of farming, or to prevent spamming where registration is not required (or in registration itself).

etully

MarkR wrote:
A bot registering on your site should not be able to "hack you.

Hacked isn't just someone gaining root privledge on the web server.

In my previous example, we had a web site that took the cart contents and checked the customer's credit card to see if it was valid for purchase. (This was NOT a home grown shopping cart, this was a commercial package that is very popular). The bot submitted 200 attempts a minute for 48 hours before we discovered the problem. Since my client wasted a few days dealing with the CC auths that were rejected, the 500,000 failed auths were costly. In my opinion, I would say that my customer was hacked. You could argue that it was our fault for not being prepared and I'd probably agree - but I would still define it as being hacked.

Another client set up a "Contact Us" mail form that sent an autoresponse to the email address they supplied. The bot submitted hundreds per minute with someone else's email address. Our site ended up mail bombing the victim and filling up his account. Again, I would say we were hacked - though it was a pretty low tech hack.

laserlight

In my opinion, I would say that my customer was hacked. You could argue that it was our fault for not being prepared and I'd probably agree - but I would still define it as being hacked.

I think 'spammed' would be more accurate.

ahundiak

MarkR wrote:
You really have to ask yourself- what motivation does a bot author have for creating a script to register on your site. If the answer is "none", then they almost certainly won't bother.
Mark

Fortunately for criminals your attitude is not uncommon.
http://weblog.infoworld.com/article/06/05/01/77515_18FEsslmalwareworks_1.html?VIRUSES%20AND%20WORMS

Remember that this site is going to deal with money. A significant motiviation in my opinion. Saw another article on Africa's fastest growing and most sucessful industry: Internet theft and scams. There really are thousands of people out there making a living by stealing from web sites.

pohopo

laserlight wrote:
I think 'spammed' would be more accurate.

I would classify his situation as a hack as they are exploiting a loophole that uses a brute force type method which works the same as spamming, but goes further in that they are trying to get credit card numbers. Regardless of the symantics, it was preventable security hole where I would have blamed the developers.