In this article, we explain why we have implemented the captcha and in what way you can encounter the captcha when logging in to our website.
Why has the captcha been introduced?
We have added the captcha to protect our customers' accounts and data against credential stuffing attacks. Before the captcha was implemented, a botnet had for some time been repeatedly carrying out large numbers of credential stuffing attacks on the TransIP control panel.
In a credential stuffing attack, attackers try many different (mostly stolen) combinations of account names and passwords with the aim of gaining access to accounts; in this case, control panel accounts belonging to our customers. This external article offers an excellent insight into the credential stuffing attack that also targeted us.
We have taken various measures against this that make it impossible for the attacking botnet to even try a password. However, this did not reduce the amount of malicious traffic on our website, so additional measures were needed to catch that traffic.
The attacks were carried out by a very large botnet in which each IP address made only a few login attempts. As a result, the attacking IP addresses could not easily be filtered out with, for example, regular brute-force protection.
To cope with these attacks, we have therefore chosen to introduce a captcha. In the meantime, we are investigating other options for catching malicious traffic that you will not notice when you visit our website.
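As an added illustration of why per-IP brute-force limits fail against the botnet described above (example code written for this article, not TransIP's own, using constructed log records): a per-IP failure counter never trips because every address makes only a couple of attempts, whereas an aggregate view of failed logins across many usernames and addresses in a short window does stand out.

```python
from collections import Counter

# Constructed sample login records, "timestamp,ip,username,result". Six botnet
# IPs each try only one or two accounts; one legitimate user (ivan) fumbles
# their own password twice from a single address before succeeding.
SAMPLE_LOG = """\
1000,203.0.113.10,alice,fail
1001,203.0.113.11,bob,fail
1001,203.0.113.12,carol,fail
1002,203.0.113.10,dave,fail
1002,203.0.113.13,erin,fail
1003,203.0.113.14,frank,fail
1003,203.0.113.11,grace,fail
1004,203.0.113.15,heidi,fail
1004,198.51.100.7,ivan,fail
1005,198.51.100.7,ivan,fail
1006,198.51.100.7,ivan,success
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        rows.append((int(ts), ip, user, result))
    return rows

def per_ip_blocklist(rows, max_failures=5):
    """Classic brute-force protection: block an IP after N failed attempts.
    Against a botnet that spreads its attempts thinly, nothing ever trips it."""
    fails = Counter(ip for _, ip, _, r in rows if r == "fail")
    return sorted(ip for ip, n in fails.items() if n >= max_failures)

def stuffing_signal(rows, window=10, min_failures=8, min_user_ratio=0.8):
    """Aggregate view: flag a time window in which many failures hit many
    different usernames, with no single IP contributing more than a few.
    Thresholds are illustrative and must be tuned to a site's own baseline."""
    fails = [(ts, ip, user) for ts, ip, user, r in rows if r == "fail"]
    for start, _, _ in fails:
        in_win = [f for f in fails if start <= f[0] < start + window]
        if len(in_win) < min_failures:
            continue
        users = {u for _, _, u in in_win}
        if len(users) / len(in_win) >= min_user_ratio:
            per_ip = Counter(ip for _, ip, _ in in_win)
            return {"start": start, "failures": len(in_win),
                    "distinct_users": len(users), "distinct_ips": len(per_ip),
                    "max_per_ip": max(per_ip.values())}
    return None
```

On the sample above the per-IP rule blocks nothing, while the aggregate check reports ten failures against nine distinct accounts from seven addresses, none of which made more than two attempts.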
Two-factor (2FA) authentication
If you are using 2FA, you might wonder whether that is sufficient to secure your account. It is indeed sufficient for securing your account, but unfortunately it has no effect on a botnet's attempts to log in to random accounts. The captcha therefore serves to catch bots' attempts to log in to TransIP accounts.
How does a captcha work?
A visitor to a website that is secured by a Google captcha (in this case transip.nl) is assigned a risk score. This score is based on the way in which the website is used (clicks on the site, speed of completion, etc.) and on other factors, such as the visitor's IP address.
Based on the risk score, it is automatically determined whether the visitor is legitimate. Depending on the risk score the captcha gives you, you will see one of the following two options:
- If there is some doubt as to whether the visitor is legitimate, you will see a box that you can check:
- In case of major doubt, you will see an image divided into several boxes, in which you must select the boxes that contain a specified item, for example traffic lights in the example below:
Privacy and captchas
Captchas fall under functional cookies and have certain implications for visitor privacy:
The captcha algorithm first checks whether there is a Google cookie on the computer from which you visit the website that uses the captcha (in this case our control panel). For this, the cookie that is set when you create a Gmail account with Google, for example, is sufficient.
A captcha-specific cookie is then placed in your browser, and the following information is collected from your computer:
- A full screenshot of your browser window at the moment that cookie is placed.
- All cookies from Google from the last 6 months.
- How many times you have clicked on the screen that is protected by the captcha.
- The CSS information of that page.
- The date.
- The language of your browser.
- Plugins installed on your browser.
If you still have any questions regarding this article, do not hesitate to contact our support department. You can reach them via the ‘ContactUs’ button at the bottom of this page.
If you want to discuss this article with other users, please leave a message under 'Comments'.