The Evolution and Effectiveness of Captcha

Recently, I filled a registration form and went through an experience to pass CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This sparked a question in me: In the ever-evolving world of cybersecurity, is CAPTCHA still effective in serving its purpose?

What is CAPTCHA?

We’ve all encountered them: the puzzles that ask you to pick out all the traffic lights in an image or to decipher letters that are written in squiggly lines. Modern CAPTCHAs fall into three main categories—text-based, image-based, and audio.

CAPTCHA’s Invention and Evolution

CAPTCHA was invented in 1997 to differentiate if a human or a bot is accessing or attempting to access organization websites, possibly completing onboarding or registration forms, attempting to brute force login pages, or access online forums.

According to numerous publications, more than one-third of the top 100,000 websites use CAPTCHAs.                                                                                                  

An estimated 200 million CAPCTHAs are being typed daily worldwide, with so many internet users completing these tests every day, Google saw an opportunity for something more.

Google purchased CAPTCHA in 2009 and rebranded it reCAPTCHA. Even before AI and machine learning, spammers could still create bots that succeeded to correctly complete reCAPTCHA challenge, and/or employed people to solve reCAPTCHA challenges. A 2014 study by Google found that AI robots were able to decode the CAPTCHAs with 99.8% accuracy, and numbers in images with 90% accuracy.

To strengthen reCAPTCHA accuracy, Google launched reCAPTCHA version 2 in 2014. It was depicted on a merchant’s website as a simple rectangle with a check box. 

Although this box may look simple, there is a very sophisticated process behind it. There is AI technology running behind to record human patterns on the website to make appropriate assessments to determine whether the user is human or robot. It assigns trust based on cookies and multiple user and site interactions — if the user seemed suspect, or if there was not sufficient information, he/she was then asked to identify pictures.

And now there is reCAPTCHA v3. Unlike v2, reCAPTCHA v3 is invisible for website visitors. There are no challenges to solve. Instead, reCAPTCHA v3 continuously monitors each visitor’s behavior to determine whether it’s a human or a bot. It produces a score between 0-1, 0 means higher likelihood of a bot attempt.

What are CAPTCHA bots and CAPCTHA farms?

CAPTCHA bots are a system designed to solve CAPTCHA in the automated way possible. The least sophisticated ones keep rapidly trying combination of numbers and letters to guess the correct answer to a CAPCTHA challenge. The more sophisticated ones, use optical character recognition (OCR), internal logics (built by collecting customer’s samples), or with human help through CAPTCHA farms (where humans are employed to complete CAPCTHAs in bulk at a very low cost, as low as $1-$3 for every 1,000 v2 reCAPCTHA solved).

In one report that appeared on BlackHat; the writers were able to solve 70% of reCAPTCHA challenges.

How CAPTCHA Affects Merchants

Given with AI and machine learning advancements, fraudsters are able to solve reCAPTCHAs, this technique may have become more of pain for customers than a way to combat bot attacks.

• The average consumer spends 25 seconds to complete CAPTCHA. In today’s environment where companies are trying to reduce friction in application processes, CAPTCHA may be the reason for customer drop-offs. Studies show that the conversion rate drops 40% when customers encounter captchas, and these negative interactions make it much harder for businesses to earn loyalty in the future. (reference: https://www.anura.io/captcha)
• For every dollar a business loses to bogus transactions, it turns away $30 by mistakenly blocking or discouraging legitimate customers, including through use of CAPTCHAs.
• With CAPTCHA bots easily accessible, it has become inadequate to stop bots and account take overs, carding, scalping attacks.

Alternative to CAPTCHAs

Given fraudsters have found ways to bypass this control, this is not a complete solution to solving fraud problem and need to be supplemented with Fraud risk management strategies.

Anomaly detection and Biometric verification: Anomalies in digital information such as multiple attempts via same IP address, digital asset, combined with behavioral biometrics (way person type, speed at which they type or move their cursor, or position of the cursor) can be more efficient way to reduce customer friction for capturing BOT attacks.

There are also alternatives to CAPTCHAs such as Anti-Spam Honeypot. A honeypot is a hidden field in your form that should not be filled out by humans (and should be empty when submitted) but will be automatically filled out by bots and then used to identify spam. The theory is simple: If the honeypot field contains data, it must be a bot — and if it’s a BOT, we can ignore its submission.

Time based forms evaluates time it takes for human to complete and submit the form. If there is anomaly in it, then higher chances of being a BOT. The challenge is every user may take different time and fraudsters can develop BOT to mimic human timings.