In the 1984 sci-fi/action classic “The Terminator,” Arnold Schwarzenegger, as the titular murderous cyborg, wreaks havoc on Los Angeles in pursuit of Sarah Connor. The machines want to kill Sarah before she can give birth to the leader of the resistance. She has great value, so the robot attacks her.
While the stakes aren’t life or death, a cyber attack on a public form is similar: it is often a bot bent on causing mischief. Lucky for Sarah, the resistance knew of the machines’ plot to kill her. They too sent someone back in time: a protector, someone to foil the Terminator’s attack.
For many businesses, public forms are essential. They might be contact forms to communicate with the sales department or support. A public form could be a survey or a request for an insurance quote. Whatever the use, the idea is the same. Public forms provide a way for users to communicate with your company without going through a bunch of red tape. Essentially, they improve user experience, making it seamless and streamlined.
But their benefit is also their drawback. Because public forms do not require a log-in or identity verification, they are prime real estate for attacks: anyone can reach them, which means hackers can use them to try to gain access to customer information or your company’s servers.
In a nutshell, a hacker or bot can use a public form to send emails to your users through a verified source, i.e., your company, without triggering spam filters. Beyond abusing the form on the client side, bots and hackers can also attack the server side, copying the form’s API calls and replaying them from a script. Once successful, they will be back for more, unless you stop them.
To foil the bots, you need a Turing test. This is where reCAPTCHA comes in. Previous versions are likely familiar to you: they required users to solve a sort of puzzle, something a machine would be unable to do. Just as in the war against the machines in “The Terminator” franchise, the solution has been to fight fire with fire, using machine learning and AI.
Current versions of reCAPTCHA monitor activity on your public forms, such as cursor movement and the time it takes a user to fill out a form. Based on that information, the software assesses how likely the user is to be human. If the user doesn’t meet that threshold, your system throws a warning and denies access.
Making use of reCAPTCHA will solve the lion’s share of issues surrounding public forms, but there are other details to consider.
While executing reCAPTCHA is fairly straightforward, understanding the ins and outs of attacks isn’t. For that, you will need your own Kyle Reese, a partner to guide you. Understanding how your public forms are at risk, and balancing that risk against the value of a streamlined user experience, is insight a partner can offer.
A partner can offer analysis of the impact of a breach and even troubleshoot finer-grained solutions for greater security that fall outside the umbrella of reCAPTCHA. Denying requests on public forms that have a link in the description, two-factor authentication and token generation are just a few examples of this type of granular security.
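The score threshold described above, combined with the “no links in the description” rule mentioned as a granular control, is easy to express as a server-side gate on each submission. The following is an added example (not code from the original post or from Google): it takes the JSON body that the reCAPTCHA siteverify endpoint returns, applies a score cutoff, checks that the token was minted for this form’s action and hostname (a valid token replayed from another page is a common bot trick), and then applies the link rule. The threshold, action name, hostname and the sample response bodies are constructed assumptions for the demo; the HTTPS call to siteverify itself is left out so the example runs offline.

```python
import json
import re

# Policy values for this added example. reCAPTCHA v3 returns a score from
# 0.0 (likely bot) to 1.0 (likely human); the cutoff, action name and
# hostname below are assumptions for the demo, not values from the article.
HUMAN_SCORE_THRESHOLD = 0.5
EXPECTED_ACTION = "contact_form"
EXPECTED_HOSTNAME = "example.com"

# Anything that looks like a URL in a free-text field: http(s):// or a bare www.
LINK_PATTERN = re.compile(r"(https?://|www\.)", re.IGNORECASE)


def evaluate_siteverify(response_body, expected_action=EXPECTED_ACTION,
                        expected_hostname=EXPECTED_HOSTNAME,
                        threshold=HUMAN_SCORE_THRESHOLD):
    """Interpret the JSON body returned by the siteverify endpoint.

    Returns (accept, reason). The fields checked (success, score, action,
    hostname, error-codes) are the ones the siteverify response carries.
    """
    data = json.loads(response_body)
    if not data.get("success"):
        codes = ",".join(data.get("error-codes", [])) or "unknown"
        return False, "token rejected: " + codes
    # A valid token minted for a different page action or hostname suggests
    # the token was harvested elsewhere and replayed against this form.
    if data.get("action") != expected_action:
        return False, "action mismatch: %r" % data.get("action")
    if data.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % data.get("hostname")
    score = float(data.get("score", 0.0))
    if score < threshold:
        return False, "score %.2f below threshold %.2f" % (score, threshold)
    return True, "score %.2f" % score


def description_has_link(text):
    """Granular rule from the article: refuse free-text fields containing a link."""
    return LINK_PATTERN.search(text) is not None


def screen_submission(form, siteverify_body):
    """Combine the reCAPTCHA verdict with the no-links rule for one submission."""
    accepted, reason = evaluate_siteverify(siteverify_body)
    if not accepted:
        return {"accept": False, "reason": reason}
    if description_has_link(form.get("description", "")):
        return {"accept": False, "reason": "link in description"}
    return {"accept": True, "reason": reason}


# Constructed sample siteverify bodies for the demo (not real Google responses).
HUMAN_RESPONSE = json.dumps({"success": True, "score": 0.9, "action": "contact_form",
                             "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"})
BOT_RESPONSE = json.dumps({"success": True, "score": 0.1, "action": "contact_form",
                           "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"})
REPLAYED_RESPONSE = json.dumps({"success": True, "score": 0.9, "action": "login",
                                "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"})
BAD_TOKEN_RESPONSE = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})

if __name__ == "__main__":
    form = {"email": "user@example.net", "description": "Need a quote for 3 cars."}
    print(screen_submission(form, HUMAN_RESPONSE))
    print(screen_submission(form, BOT_RESPONSE))
    print(screen_submission({"description": "visit www.spam.example"}, HUMAN_RESPONSE))
```

In production the `siteverify_body` argument would be the response from a server-to-server POST to the siteverify endpoint made with your secret key; the point of keeping the verdict in one function is that the threshold can be tuned per form (a contact form and a quote request may deserve different cutoffs) and every rejection carries a reason you can log and review.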
Further, a partner can help secure your data to prevent future attacks and mitigate the impact of a breach. Fight the machines. Join the resistance. With reCAPTCHA and an experienced partner, terminate the bots.