Royal Mail online tracking returns — with a frustrating captcha that works half the time

Royal Mail Track & Trace website appears to have returned after an outage that spanned a week, but with a caveat—anybody who wants to track a piece of mail or parcel must solve a captcha which is rather difficult, according to users.

Your parcel is one too many chickens away!

As observed by Security Report this morning, Royal Mail’s Track & Trace website is back up online with a drastic change: it requires users to solve a captcha before they can track their mail and packages.

This also applies to users visiting tracking links containing parcel tracking numbers in them, such as:

royalmail.com/track-your-item#/tracking-results/QR123456789GB

Except the difficulty level for this security puzzle seems to be higher than regular captchas, and that has left users angry:

Others have compared this to a “data mining” challenge requiring way too much effort:

DDoS unconfirmed but the mitigations indicate otherwise

Royal Mail has still not commented on the cause of the mysterious outage that lasted a week leaving British residents who heavily rely on the mail service in limbo. But the mitigations suggested by Royal Mail thus far and the introduction of the captcha challenge today hint at the mail provider trying to contain a DDoS attack.

Last week, I observed the Trace and Trace web API returning a HTTP 429/”Too many requests” status code when attempting to check the status of a parcel. This was seen again today on certain attempts, despite successfully solving the captcha:

A Royal Mail spokesperson had also earlier suggested that users download the Royal Mail mobile app for tracking while the Track & Trace website was down. The web app requires you to verify an email address should you want to submit more than 5 tracking requests one after another—which is yet another deterrent to excessive requests from bots (or DDoS attackers).

Responding to frustrated users on Twitter today, Royal Mail said, it is using “Google’s reCaptcha to protect our website to prevent any form of malware, viruses or phishing so we can make it accessible to a higher number of genuine customers and ensure a consistent performance.”

Note, however, the captcha put in place by Royal Mail is powered by hCaptcha, developed by a different company than Google’s reCaptcha. And, the reasoning given in the tweets is rather vague. As technologists may know, the primary purpose of a captcha is to limit bots, DDoS attacks, and fake accounts or submissions rather than prevent “malware, viruses or phishing.”

Earlier this month, Royal Mail had suffered a customer data leak exposing member information to each other which compelled the mail service to suspend its Click & Drop website.

While Royal Mail remains tight lipped on what’s truly causing these cyber incidents, the timing of these technological slip-ups coincides with the ongoing CWU member strikes making the matter all the more interesting.

---

Promotion: For increased privacy when browsing the internet or connecting to public Wi-Fi hotspots, download NordVPN.