The Evolution and Effectiveness of Captcha

Priyanka Aggarwal, Director of Risk Management, PayPal
Feb 20, 2024


Recently, I filled out a registration form and went through the experience of passing a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This sparked a question in me: In the ever-evolving world of cybersecurity, is CAPTCHA still effective in serving its purpose?

What is CAPTCHA?

We’ve all encountered them: the puzzles that ask you to pick out all the traffic lights in an image or to decipher letters that are written in squiggly lines. Modern CAPTCHAs fall into three main categories—text-based, image-based, and audio.




CAPTCHA’s Invention and Evolution

CAPTCHA was invented in 1997 to distinguish whether a human or a bot is accessing, or attempting to access, an organization's website, possibly completing onboarding or registration forms, attempting to brute-force login pages, or accessing online forums.

According to numerous publications, more than one-third of the top 100,000 websites use CAPTCHAs.

An estimated 200 million CAPTCHAs are typed daily worldwide. With so many internet users completing these tests every day, Google saw an opportunity for something more.

Google purchased CAPTCHA in 2009 and rebranded it reCAPTCHA. Even before AI and machine learning, spammers could still create bots that correctly completed reCAPTCHA challenges, and/or employ people to solve them. A 2014 study by Google found that AI robots were able to decode the CAPTCHAs with 99.8% accuracy, and numbers in images with 90% accuracy.

To strengthen reCAPTCHA accuracy, Google launched reCAPTCHA version 2 in 2014. It was depicted on a merchant’s website as a simple rectangle with a check box. 


Although this box may look simple, there is a very sophisticated process behind it. AI technology runs in the background, recording human patterns on the website to assess whether the user is a human or a robot. It assigns trust based on cookies and multiple user and site interactions; if the user seems suspect, or if there is not sufficient information, he or she is then asked to identify pictures.

And now there is reCAPTCHA v3. Unlike v2, reCAPTCHA v3 is invisible to website visitors. There are no challenges to solve. Instead, reCAPTCHA v3 continuously monitors each visitor’s behavior to determine whether it’s a human or a bot. It produces a score between 0 and 1, where 0 means a higher likelihood of a bot attempt.
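Because v3 returns only a score, the site owner decides what to do with it. The sketch below is an added example, not code from the original article or from Google: it maps the JSON body returned by reCAPTCHA's server-side `siteverify` endpoint to allow, challenge or block. The thresholds, the two-minute age limit, the `signup` action and the `shop.example` hostname are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed policy for this example; tune per site and per action.
BLOCK_BELOW = 0.3                     # scores under this are treated as bots
CHALLENGE_BELOW = 0.7                 # scores under this get a step-up check
MAX_TOKEN_AGE = timedelta(minutes=2)  # reject old (possibly replayed) tokens

def assess(raw_json, expected_action, expected_hostname, now):
    """Map a siteverify JSON body to ('allow' | 'challenge' | 'block', reason)."""
    try:
        r = json.loads(raw_json)
    except ValueError:
        return "block", "unparseable response"
    if not isinstance(r, dict) or r.get("success") is not True:
        return "block", "token rejected"
    # A token minted for another action or site must not be accepted here.
    if r.get("action") != expected_action:
        return "block", "action mismatch"
    if r.get("hostname") != expected_hostname:
        return "block", "hostname mismatch"
    try:
        issued = datetime.fromisoformat(str(r["challenge_ts"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return "block", "bad timestamp"
    if issued.tzinfo is None or now - issued > MAX_TOKEN_AGE:
        return "block", "stale token"
    score = r.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block", "missing score"
    if score < BLOCK_BELOW:
        return "block", "low score"
    if score < CHALLENGE_BELOW:
        return "challenge", "uncertain score"
    return "allow", "high score"

def sample(score, action="signup", ts="2024-02-20T12:00:00Z"):
    """Build a constructed siteverify body (not captured from a real site)."""
    return json.dumps({"success": True, "score": score, "action": action,
                       "challenge_ts": ts, "hostname": "shop.example"})

if __name__ == "__main__":
    now = datetime(2024, 2, 20, 12, 0, 30, tzinfo=timezone.utc)
    for s in (0.9, 0.5, 0.1):
        print(s, assess(sample(s), "signup", "shop.example", now))
```

A "challenge" verdict is where a site would fall back to a visible test or another verification step rather than rejecting the visitor outright.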

What are CAPTCHA bots and CAPTCHA farms?

CAPTCHA bots are systems designed to solve CAPTCHAs in an automated way. The least sophisticated ones rapidly try combinations of numbers and letters to guess the correct answer to a CAPTCHA challenge. The more sophisticated ones use optical character recognition (OCR), internal logic (built by collecting customer samples), or human help through CAPTCHA farms (where humans are employed to complete CAPTCHAs in bulk at a very low cost, as low as $1-$3 for every 1,000 v2 reCAPTCHAs solved).

In one report that appeared at Black Hat, the writers were able to solve 70% of reCAPTCHA challenges.

How CAPTCHA Affects Merchants

Given that, with AI and machine learning advancements, fraudsters are able to solve reCAPTCHAs, this technique may have become more of a pain for customers than a way to combat bot attacks.

Alternative to CAPTCHAs

Given that fraudsters have found ways to bypass this control, it is not a complete solution to the fraud problem and needs to be supplemented with fraud risk management strategies.

Anomaly detection and biometric verification: Anomalies in digital information, such as multiple attempts via the same IP address or digital asset, combined with behavioral biometrics (the way a person types, the speed at which they type or move their cursor, or the position of the cursor), can be a more efficient way to reduce customer friction while capturing bot attacks.

There are also alternatives to CAPTCHAs such as the anti-spam honeypot. A honeypot is a hidden field in your form that should not be filled out by humans (and should be empty when submitted) but will be automatically filled out by bots, and can then be used to identify spam. The theory is simple: if the honeypot field contains data, it must be a bot, and if it’s a bot, we can ignore its submission.

Time-based forms evaluate the time it takes a human to complete and submit the form. If there is an anomaly in it, there is a higher chance of it being a bot. The challenge is that every user may take a different amount of time, and fraudsters can develop bots that mimic human timings.
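The honeypot and time-based checks described above can be combined in one server-side validator. The following is an added example, not code from the original article: the field names `website` and `form_token`, the demo key and the time limits are all assumptions. The render time is carried in a hidden field protected by an HMAC, so a client cannot simply rewrite it to look slower.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
HONEYPOT_FIELD = "website"        # hypothetical field, hidden from humans with CSS
MIN_SECONDS = 3                   # assumed: faster than a person can fill the form
MAX_SECONDS = 3600                # assumed: older forms must be reloaded

def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_form_token(rendered_at):
    """Hidden-field value: render time plus an HMAC so it cannot be forged."""
    ts = str(int(rendered_at))
    return f"{ts}.{_mac(ts)}"

def check_submission(form, now):
    """Return (accepted, reason) for a submitted form (dict of strings)."""
    if str(form.get(HONEYPOT_FIELD, "")).strip():
        return False, "honeypot filled"
    ts, _, mac = str(form.get("form_token", "")).partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad token"
    # Constant-time comparison of the supplied and recomputed MAC.
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False, "bad token"
    elapsed = int(now) - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed render time (Unix seconds)
    token = issue_form_token(t0)
    # Constructed submissions: a person, a field-stuffing bot, an instant bot.
    print(check_submission({"email": "a@example.com", "website": "", "form_token": token}, t0 + 20))
    print(check_submission({"email": "x@example.com", "website": "http://spam.example", "form_token": token}, t0 + 20))
    print(check_submission({"email": "y@example.com", "website": "", "form_token": token}, t0 + 1))
```

Both checks only raise the cost for simple bots; a bot that leaves hidden fields empty and waits a few seconds passes, which is the limitation noted above.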



In conclusion, while CAPTCHA and its subsequent iterations have played a pivotal role in the fight against automated threats and spam, the landscape of cybersecurity and digital fraud is continually evolving. The efficacy of CAPTCHAs, once hailed as an innovative solution, has been challenged by advancements in AI and machine learning, as well as the ingenuity of fraudsters employing CAPTCHA bots and farms. This has led to an increased exploration of alternatives that balance user experience with security. Techniques like anomaly detection, biometric verification, honeypots, and time-based form analysis offer promising avenues. Google's reCAPTCHA v3 represents a significant step forward by monitoring user behavior without disrupting their experience. As we move forward, it's clear that the future of digital security will rely on adaptive, multifaceted strategies that stay ahead of malicious actors while prioritizing legitimate users' ease of access and overall experience. The journey from the initial CAPTCHA to its current state underscores the dynamic nature of cybersecurity, reminding us that innovation and adaptation are key to staying ahead of threats in the digital age.




