CAPTCHA is a security provision designed to confirm that an online user is actually human by asking them to complete a simple test which is difficult for computers to interpret.
Often appearing as wavy or handwritten words and numbers, CAPTCHA (standing for Completely Automated Public Turing test to tell Computers and Humans Apart) has been widely implemented as an online security confirmation system within email systems, blogs, ebusiness and egovernment sites. In fact you'll see it in use when commenting on this blog.
Example of a modern CAPTCHA image (source: Wikipedia)
However, CAPTCHA is increasingly under threat because there are multiple ways of circumventing it, and organisations need to consider whether it is still worth implementing CAPTCHA or more advanced security systems.
How effective is CAPTCHA?
As was recently reported in AllSpammedUp, spammers are once again attacking Microsoft's CAPTCHA, used in their Hotmail email system to distinguish between legitimate human customers and automated spam systems.
While 10-15% doesn't sound that significant, given that spammers are able to use automated systems to create hundreds of email addresses a minute - then use the successful ones to distribute spam email - that level of success is quite high.
Hackers are also able to use cheap eyeballs from third world countries to break CAPTCHA - with Indian crackers paid $2 for every 1,000 CAPTCHAs solved.
Other techniques also exist to break CAPTCHA, such as advertising a porn site, embedding CAPTCHA codes from legitimate sites and asking people to solve these codes in order to access the adult content for free.
Given all these different ways to defeat CAPTCHA tests, and the barriers for those with vision impairments (who are often unable to complete visual tests where an audio equivalent is not provided), let alone the difficulties real humans have in interpreting CAPTCHA tests correctly, this approach to security is seriously under threat.
However, effective alternatives for validating that humans are really humans are not yet available for use.
Where next for CAPTCHA?
Microsoft and other large providers of online systems remain dedicated to strengthening CAPTCHA technology, even where the line of what is actually readable by the average human begins to blur.
They have few alternative tests that effectively distinguish a human user from a computer and so help minimise the success of automated hacking attempts.
Some mechanisms already coming into use include asking trivia-based questions via CAPTCHA text, which are more difficult for a machine to guess, or presenting multiple CAPTCHA images which must be reinterpreted based on additional text that is itself stored as a CAPTCHA image.
All of these remain vulnerable to cheaply paid third-world CAPTCHA breaking groups, although they do increase the difficulty for machines.
Where should organisations use CAPTCHA?
Given the lack of alternatives, organisations need to continue using CAPTCHA, but selectively apply other methods of detecting machine-based attacks (such as rapid or logically sequenced attempts at creating accounts or logging in).
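The two signals named above (rapid attempts and logically sequenced attempts at creating accounts) can be checked directly from a sign-up log. The following is an added example, not part of the original post; the log format, sample lines and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-up log: "timestamp source-ip requested-username"
SAMPLE_LOG = """\
2008-10-09T10:00:00 198.51.100.7 mailer0041
2008-10-09T10:00:02 198.51.100.7 mailer0042
2008-10-09T10:00:03 198.51.100.7 mailer0043
2008-10-09T10:00:05 198.51.100.7 mailer0044
2008-10-09T10:01:10 203.0.113.20 jane.citizen
2008-10-09T10:02:00 192.0.2.33 acct17
2008-10-09T10:20:00 192.0.2.33 acct18
2008-10-09T10:45:00 192.0.2.33 acct19
"""

def is_rapid(times, max_attempts=3, window=timedelta(seconds=60)):
    """True if more than max_attempts fall inside any sliding time window."""
    start = 0
    for end, t in enumerate(times):  # times must be sorted ascending
        while t - times[start] > window:
            start += 1
        if end - start + 1 > max_attempts:
            return True
    return False

def longest_sequence(usernames):
    """Longest run of names with the same prefix and a suffix counting up by 1."""
    best, run, prev = 0, 0, None
    for name in usernames:
        m = re.fullmatch(r"(.*?)(\d+)", name)
        cur = (m.group(1), int(m.group(2))) if m else None
        stepped = cur and prev and cur[0] == prev[0] and cur[1] == prev[1] + 1
        run = run + 1 if stepped else (1 if cur else 0)
        best, prev = max(best, run), cur
    return best

def flag_sources(log, min_sequence=3):
    """Return {source_ip: [reasons]} for sources whose sign-ups look automated."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        ts, ip, user = line.split()  # assumes the three-field format above
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        checks = {"rapid": is_rapid([t for t, _ in events]),
                  "sequential": longest_sequence([u for _, u in events]) >= min_sequence}
        if any(checks.values()):
            flagged[ip] = [name for name, hit in checks.items() if hit]
    return flagged
```

In the sample, the third source stays under the rate threshold and is caught only by its sequentially numbered usernames, which is why the two checks are kept separate.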
Where possible CAPTCHA should be used only to validate the 'humanness' of a user, rather than as an outright security measure, thereby limiting system vulnerability.
Finally organisations need to use the most current versions of CAPTCHA and update regularly to reduce the risk of intrusion to only the most sophisticated hackers.
Thursday, October 09, 2008
Is CAPTCHA still effective as a security test?
The case for offering live customer support online
There are a variety of ways to simply and cost-effectively offer customer support online and, given that it's not yet common in the Australian public sector, I thought I'd quickly outline my own thinking on the case for and against offering this type of service.
In this post I'll focus on text chat - the simplest mechanism for live customer engagement online.
There are also more complex approaches, including asynchronous voice chat, synchronous voice chat, video-conferencing, co-browsing and virtual presence. I believe that an organisation needs to come to terms with basic text chat before exploring these options.
What is text chat?
Text chat refers to the ability to send and receive text between individuals via the internet. In the context of customer support, this approach commonly involves accessing a chat window within, or as a pop-up out of, an organisation's website.
Within the window the participants can type in their questions, comments and responses, review them and then send them to the other person in real-time.
This is different to email in that the exchange is real-time and is fully visible to both parties at all times.
Who uses text chat?
USA.gov, the main US government portal, uses a Java custom-built web text chat tool with set opening hours and a decent privacy policy regarding use.
The Utah and Virginia state governments make good use of text-based chat, via a third-party service named Livehelper. This is a footprint-free, low-cost approach well suited to initial steps into the channel. Also using the tool is the US National Cancer Institute.
In Australia, there are few government agencies using text chat at this time for customer or public engagement, with the National Library being a standout - supporting cobrowsing via a third-party service, Questionpoint, produced by the US Library of Congress and the Online Computer Library Center.
Others include the National Cervical Cancer Screening Program and the State Library of Victoria.
The Queensland government used to provide an online chat service for community consultation via Generate, using IRC (Internet Relay Chat), but discontinued this in 2004. A good presentation on the service, Ministers Online (PDF), is available from AGIMO.
Several government bodies, such as NSW Health, use it within elearning sessions and some, such as the NT Department of Employment, Education and Training, make it available for supporting remotely located students and teachers, but do not make it publicly available.
Benefits of text chat
There are a number of benefits in the use of text chat, both for customers and an organisation.
For organisations,
For customers,
Disadvantages and risks
Reasons to not introduce text chat
In brief
Text chatting can be a more efficient use of customer service operative time while simultaneously supporting more flexible information sharing than phone-based communication.
It does not replace phone use, but supplements it by providing an alternative customers can choose to use to engage an agency. It can be managed through existing call centres, generally under existing phone and written correspondence policy, and can easily be run as a pilot before a more complete implementation.
Due to chat logging, both the organisation and the customer can have an accurate record of the contact. This can be stored with the official customer record for later reference in a way that is difficult to achieve with phone based communication.
The primary risks are around security and staff written communications ability - both of which can be managed.
Security can be addressed through appropriate communication of the risks to customers, allowing them to choose whether they wish to engage in this manner, similar to the warnings at the start of phone conversations "This call may be recorded". As chat doesn't replace other engagement channels, customers are not disadvantaged if they do not wish to use it.
Staff's ability to manage the channel can be addressed through training, selecting staff already competent at written customer communications and by placing appropriate guidelines in place (as commonly exist for phone or written correspondence).
Wednesday, October 08, 2008
Do your customers expect you to be online?
The 2008 Cone Business in Social Media Study in the US has found that 93 percent of social media users believe a company should have a presence in social media, while 85 percent believe a company should not only be present but also interact with its customers via social media.
With 60 percent of Americans now reportedly using online social networks, this means that more than 50 percent of the US population believes that the organisations they engage with require a social media presence.
Extrapolating this to Australia, which generally runs a few years behind the US, there are strong reasons to look seriously at engaging via social media channels.
It is estimated that almost half of all Australians use online social media (Nielsen). As such I'd expect that at least a third of Australians would similarly want to find Australian organisations represented at social media sites and around a quarter expect to engage them online.
As Australian Anthill's Brad Howarth suggests in the article, Not just for kids - social networks just grew up, "If social networking isn’t part of your marketing strategy, the only person’s time you’re wasting is your own."
Here's a couple of other interesting findings from Cone's report on how organisations are expected by their customers to engage,
Tuesday, October 07, 2008
50 ideas on using Twitter for organisations
Following from my post this morning on Telstra's use of Twitter, Chris Brogan wrote an excellent piece last month on how organisations can use Twitter to better engage their customers titled, 50 Ideas on Using Twitter for Business.
For me (as it was for Chris) the number one reason or idea for using this type of tool is for listening to your constituency. Hearing what real people are saying about your organisation, services and topic area provides an ongoing temperature of public opinion.
Another key reason in my view is for building an organisation's online reputation.
Most communicators understand that their organisation's public reputation shapes how people engage with them, thereby influencing their capacity to send messages out to their customers as well as their capacity to provide effective customer service.
However, in my view few Australian organisations (particularly in the public sector) have as yet grasped how important it is to establish a sound online reputation. Assuming that their past reputation will carry over only goes so far, and it can rapidly be damaged through inept online engagement (or no online engagement at all!).
Laurel Papworth explains this well in her article, Twitter: Reputation Management in Social Networks.
She uses the diagram (illustrated below) to explain the stages in development from creating an online profile (not simply a 'corporate' website!!) to building reputation and trust-based relationships.
Incidentally, the power of Twitter to allow customers to self-organise rapidly is demonstrated in one of the most recent posts in Laurel's blog, Twitter Agency - crowd sourced consultancy.
Telstra does Twitter
Telstra recently took up 'tweeting' as a channel for providing customer service.
Discussed via their Nowwearetalking site, there's been a lot of initial feedback on the approach taken.
Telstra has also linked to some of the broader online commentary in their post.
This step helps legitimise Twitter and microblogging as a customer service option for Australian organisations.
It also provides insights for other organisations so they can learn from both Telstra's missteps and successes.
I'm watching carefully to see how Telstra's foray into microblogging goes. The channel has been used successfully in the US.
When executed well I believe it has customer service and marketing/PR benefits in some, but not all, service delivery areas.