
My local mobile carrier (Play, Poland) and its paid SMS gate is the first example that I recall in my entire Internet history that forces users to fill out dull CAPTCHAs even on pages that are secured by the HTTPS protocol and user login.

Is there any reason for doing so in this situation? Is there any increased security or anti-spam effects?

In this particular case, user accounts are only half self-registered. Anyone can create an account, but as long as he/she does not provide a valid, in-network mobile number, which is further verified by sending a text message with a unique code, such an account is unable to fully register and use the SMS gateway.

I can't imagine a spam-bot (or its author) creating an account in this situation or, even if that were possible, the percentage of such cases would be minimal and -- in my opinion -- would not justify annoying the majority of normal, legitimate users with CAPTCHAs on pages available only after login.

Is this a common technique at all? I have the feeling that I have only seen CAPTCHAs on free-access pages, i.e. without login required. I have real problems imagining Facebook, Twitter or any other service forcing a user to fill out a CAPTCHA once that user is validated and logged in. On registration or password-recovery pages, yes. But after login?

trejder

1 Answer


Is it common? Yes.

Does this provide any increased security? Not at all.

As it is, CAPTCHA provides minimal benefit, even in the best situations. Remember, the alleged purpose is to reduce flooding of a certain request, protecting a specific asset. I say "alleged", since that is not what CAPTCHA is even designed to do - it is designed, quite explicitly, to "tell computers and humans apart".
There are many possible ways to abuse a service via overuse, even as a human. Likewise, there are many legitimate uses for a computer accessing the service.
A good summary here on Sec.SE

That said, it is not clear from your question what the CAPTCHA is ostensibly protecting: if this was a feature to anonymously send an SMS, for basically any internet user, that could be a decent use of CAPTCHA to prevent spamming and overuse. (FTR, there are still much better solutions, but nonetheless this is still kinda valid-ish).
It does seem from your question that unvalidated users cannot actually send SMS, so if it's just a question of viewing certain pages, that is definitely pointless.

AviD
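The answer points out that the asset worth protecting is the act of sending an SMS, and that "much better solutions" than a CAPTCHA exist for limiting overuse, without naming them. As an added illustration (not code from the original question or answer, and not the carrier's implementation), the Python model below enforces the flow the question describes, a verified in-network number before any send, and adds a per-account sliding-window quota as one assumed alternative to a post-login CAPTCHA. The account names, phone numbers, codes and limits are constructed.

```python
import time
from collections import deque

# Assumed policy values, not from the page: at most MAX_PER_WINDOW messages
# per account within any WINDOW_SECONDS span.
WINDOW_SECONDS = 3600
MAX_PER_WINDOW = 20


class SmsGateway:
    """Toy model of the gateway: verified number first, then a per-account quota."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the quota can be tested offline
        self.verified = {}          # user -> verified mobile number (None until verified)
        self.sent = {}              # user -> timestamps of recent sends

    def register(self, user):
        self.verified[user] = None
        self.sent[user] = deque()

    def verify_number(self, user, number, code, expected_code):
        # The one-time code sent to the number proves control of it, as on the page.
        if user not in self.verified or code != expected_code:
            return False
        self.verified[user] = number
        return True

    def send(self, user, recipient, text):
        """Return 'unverified', 'rate_limited' or 'sent'; the quota is the only gate after verification."""
        if self.verified.get(user) is None:
            return "unverified"
        now = self.clock()
        window = self.sent[user]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()        # drop sends that fell out of the window
        if len(window) >= MAX_PER_WINDOW:
            return "rate_limited"
        window.append(now)
        return "sent"


def demo():
    """Walk one constructed account through the three outcomes."""
    t = [0.0]
    gw = SmsGateway(clock=lambda: t[0])
    gw.register("alice")
    results = [gw.send("alice", "+48600000002", "hi")]          # not yet verified
    assert gw.verify_number("alice", "+48600000001", "1234", "1234")
    for _ in range(MAX_PER_WINDOW):
        gw.send("alice", "+48600000002", "hi")                   # fill the quota
    results.append(gw.send("alice", "+48600000002", "hi"))       # over quota
    t[0] += WINDOW_SECONDS                                       # window expires
    results.append(gw.send("alice", "+48600000002", "hi"))       # allowed again
    return results
```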