Cleartrip Blog

Why does a payment need a CAPTCHA?


While recharging my Tata Sky account today, I noticed that along with payment details such as card number etc., I had to fill out a CAPTCHA field as well.

Wikipedia defines a CAPTCHA as:

a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human.

Note: Tata Sky uses Billdesk to process their online payments, so this payment form was actually designed and created by Billdesk.

I’m left wondering why I need to prove that I am a human and not a computer in order to make an online payment to my DTH provider. CAPTCHAs have absolutely nothing to do with security, so it’s not like the presence of a CAPTCHA is enhancing the security of my payment. So, what is this CAPTCHA doing on this form?

Baffling.

20 Comments

    • Shivansh
    • August 18, 2010

    Captchas are used to prevent a brute force attack by automated (albeit naive) bots which try to crack the credentials of a credit card by trying out zillions of combinations of names and numbers. Such an attack is not targeted against any particular credit card user; it just tries to match an arbitrary combination of digits and names at a payment gateway service such as Billdesk. Needless to say, such an attack can only be carried out by a computer or a group of computers, and since images are not interpreted by computers (at least not yet and not as well as humans), the presence of a captcha is of utmost necessity at a page where authentication of credentials is needed.

    • Hrush
    • August 18, 2010

    Shivansh–you may be right, but the form pictured above is not the form that does the actual payment authorisation or authentication of credentials. That is done when I am redirected to my bank's Verified by Visa page, where I am asked to enter my VBV credentials. Only if the VBV credentials are correct, is the payment authorised.

    So, given that, what purpose does this captcha serve?

    • Usha
    • August 18, 2010

    @Shivansh And trying out zillions of combinations is not likely as most card issuing banks decline a transaction after 5 or so failed attempts…

    • Usha
    • August 18, 2010

    In a day that is.
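
Added example (not part of the original post or of any comment): a velocity check that applies the per-card daily decline limit mentioned above alongside a per-client count of distinct cards, which is the counter that reacts when one client cycles through many cards. The thresholds, the 24-hour window, the class and function names, and the sample attempts are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

DAY = 24 * 60 * 60          # sliding window, in seconds
MAX_CARD_FAILURES = 5       # per-card daily limit ("5 or so" in the comment above)
MAX_CARDS_PER_CLIENT = 3    # assumed: distinct cards one client may fail on per day


class VelocityCheck:
    """Sliding-window counters over failed payment attempts (card tokens, not PANs)."""

    def __init__(self):
        self.by_card = defaultdict(deque)    # card token -> (ts, client) failures
        self.by_client = defaultdict(deque)  # client id  -> (ts, card) failures

    def record_failure(self, ts, client, card):
        self.by_card[card].append((ts, client))
        self.by_client[client].append((ts, card))

    def decision(self, ts, client, card):
        """Return 'allow', 'block_card' or 'block_client' for a new attempt."""
        cutoff = ts - DAY
        for q in (self.by_card[card], self.by_client[client]):
            while q and q[0][0] <= cutoff:   # drop failures older than the window
                q.popleft()
        if len(self.by_card[card]) >= MAX_CARD_FAILURES:
            return "block_card"
        distinct = {c for _, c in self.by_client[client]}
        if card not in distinct and len(distinct) >= MAX_CARDS_PER_CLIENT:
            return "block_client"
        return "allow"


def replay(attempts):
    """Run (ts, client, card, succeeded) tuples through the check; return verdicts."""
    check, verdicts = VelocityCheck(), []
    for ts, client, card, ok in attempts:
        verdict = check.decision(ts, client, card)
        verdicts.append(verdict)
        if verdict == "allow" and not ok:
            check.record_failure(ts, client, card)
    return verdicts


# Constructed sample: one customer mistyping one card six times,
# then one client making a single failed attempt on each of five cards.
SAMPLE = ([(i * 60, "u1", "tok_A", False) for i in range(6)]
          + [(i * 60, "bot", f"tok_{i}", False) for i in range(5)])

if __name__ == "__main__":
    print(replay(SAMPLE))
```

In the second half of the sample no single card ever reaches the per-card limit, so only the per-client counter produces a block.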

    • Sankar
    • August 18, 2010

    This is a general issue with the payment systems across most websites in India (Cleartrip is just about ok). Anyone who has ever purchased a single item via Amazon.com would realise how much of a difference there is. Ever tried CCAvenue? You have to fill a page-long form with billing address and shipping address even if the item is a service or something digital. And now the mandatory VBV. If anything, all these countermeasures only scare the general public away from online purchases using credit cards. If I'm not wrong, the amount of credit card fraud is no less than in the US.

    IMHO, the right solution would be to educate customers and dealing with fraud in a more advanced manner without compromising on user experience.

    Hrush should consider a more user friendly approach for Cleartrip's payment integration too. It is a PITA to enter card details again and again.

    • Hrush
    • August 18, 2010

    Sankar — we couldn't agree more. The state of online payment systems and regulations in India is one of the biggest barriers to ecommerce growth in the country.

    We hope to improve this soon.

    For an immediate smoother payment, visit cleartrip.com from your iPhone or Android phone — it rocks.

    • Manu
    • August 18, 2010

    seriously… it is ridiculous that a captcha is there in a payment form.

    @shivansh:
    It is impossible to randomly generate the name, card number, expiry date and cvv number.

    • piyush
    • August 18, 2010

    I don't think having a captcha is such a big deal. First of all it is a very simple captcha. Moreover people are nowadays quite accustomed to filling out these things. Wrong password three times in Gmail and there is a captcha, sending a message to a non-friend on Facebook and there is a captcha. Almost all registration forms have them.

    From a brute force point of view it is possible to buy credit card numbers with expiry dates, names and CVV from some Russian hacker (http://www.computerworld.com/s/article/9180589/Russian_charged_with_selling_credit_card_numbers_online). Then it all comes down to brute forcing the VBV number.

    Moreover it may not be there only to prevent credit card fraud at all but to reduce such malicious form posts designed to overload their systems.

    • piyush
    • August 18, 2010

    Your comment form has a captcha!!!

    • Anil
    • August 18, 2010

    Is there really a captcha as Piyush commented? Haven't faced one till now.

    • Sankar
    • August 18, 2010

    @Hrush: you can use VisaBillPay (visabillpay.in). Same billdesk guys but a slightly better interface. Good luck with finding the link for Tatasky though ;)

  1. Tata Sky (or Bill Desk) is not alone. While paying a bill for Reliance Mobile, the HDFC Bank's payment gateway also presents a CAPTCHA.

    While having a CAPTCHA at that stage is bad enough, the CAPTCHA images are ridiculously hard. The string is case-sensitive and it's difficult to find the case of letters like 'S', 'O'. And yeah, I positively hate those who present CAPTCHAs with O and 0.

  2. I don't mind if a robot pays my Tata Sky bill :P

    • piyush
    • August 18, 2010

    @anil try to post a link

    • Hrush
    • August 18, 2010

    Piyush–the comment form's captcha is a perfectly relevant use case for captchas, because we don't want bots spamming our blog posts with comment spam. There is a perfectly legitimate reason for us to ensure that it is a human being posting a comment, not a computer.

    On a payment system, the authorisation and authentication is all about whether the credentials entered are correct or not. There is no reason to care whether a human is entering the credentials or a computer.

    If I want to write a small script that pays my bills every month with MY credentials, I should be able to. What is the harm? Why should I have to go do it manually every month?

    • Ajeet Mishra
    • August 19, 2010

    While one has the right to code a script for paying such bills of his own, who questions the smoothness of these scripts? I as a programmer can tell you that some scripts have looping errors leading to the page being submitted a zillion times in an hour. This not only slows the server, but also affects other users as the site is blocked/down/slow during this time.

    A captcha makes sense on a payment site also because it will discourage hackers from using stolen records and filling the forms using scripts to make a huge number of payments anonymously.

    Thirdly, captchas have a social benefit too, i.e., only if they are designed as a "reCaptcha". Surprised? Read this – http://www.google.com/recaptcha/learnmore

    • I’m Legend
    • August 19, 2010

    CAPTCHA is not for preventing programming errors (zillion loops mentioned above)! Such loops will have the right CAPTCHA, as submitted by the form. But it can prevent accidental resubmissions / reloads from the browser.

    To understand the "value" of it, you should be a regular user of the "Reload Every" addon on the Mozilla browser. Once, by mistake of course, I bought a few shares online with the browser set to reload every minute. In less than 10 minutes, my account got emptied, and I became a proud owner of 10 times the number of shares I would have opted for :( I wish there was a captcha on that page.

    BTW, I don't think the captcha on the payment page above was an intentional smart move – I would say it could be an accidental feature, which mostly happens when you copy from somewhere ;)

    • Vikrant
    • August 24, 2010

    Great observation. I have paid my SCB CC bill numerous times but never gave a thought as to why this was present. Interesting observation.
