The Evolution and Effectiveness of Captcha
Recently, I filled in a registration form and went through the experience of passing a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This sparked a question in me: in the ever-evolving world of cybersecurity, is CAPTCHA still effective at serving its purpose?
What is CAPTCHA?
We’ve all encountered them: the puzzles that ask you to pick out all the traffic lights in an image, or to decipher letters written in squiggly lines. Modern CAPTCHAs fall into three main categories—text-based, image-based, and audio.
CAPTCHA’s Invention and Evolution
CAPTCHA was invented in 1997 to distinguish whether a human or a bot is accessing, or attempting to access, an organization’s websites: completing onboarding or registration forms, brute-forcing login pages, or accessing online forums.
According to numerous publications, more than one-third of the top 100,000 websites use CAPTCHAs.
An estimated 200 million CAPTCHAs are typed daily worldwide. With so many internet users completing these tests every day, Google saw an opportunity for something more.
Google purchased CAPTCHA in 2009 and rebranded it reCAPTCHA. Even before AI and machine learning, spammers could still create bots that succeeded in correctly completing reCAPTCHA challenges, and/or employed people to solve them. A 2014 study by Google found that AI bots were able to decode the CAPTCHAs with 99.8% accuracy, and numbers in images with 90% accuracy.
To strengthen reCAPTCHA’s accuracy, Google launched reCAPTCHA version 2 in 2014. It appeared on a merchant’s website as a simple rectangle with a check box.
Although this box may look simple, there is a very sophisticated process behind it. AI technology runs in the background, recording human interaction patterns on the website and assessing whether the user is a human or a robot. It assigns trust based on cookies and multiple user and site interactions — if the user seemed suspect, or if there was not sufficient information, they were then asked to identify pictures.
And now there is reCAPTCHA v3. Unlike v2, reCAPTCHA v3 is invisible to website visitors: there are no challenges to solve. Instead, reCAPTCHA v3 continuously monitors each visitor’s behavior to determine whether it is a human or a bot. It produces a score between 0 and 1, where a score closer to 0 means a higher likelihood of a bot.
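Because v3 only produces a score, the site operator has to decide what to do with it on the server. The following is an added example (not code from the original post or from Google) of that server-side decision: it takes the JSON document that the reCAPTCHA siteverify endpoint returns, checks the token was valid and bound to the expected hostname and action, and then maps the score to allow, challenge (fall back to a v2-style puzzle) or reject. The sample responses, the 0.5 threshold and the action name "signup" are constructed assumptions; the endpoint URL and the `secret`/`response`/`remoteip` form fields are the documented ones.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample responses in the shape siteverify returns (values invented).
SAMPLE_RESPONSES = {
    "likely_human": {"success": True, "score": 0.9, "action": "signup",
                     "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"},
    "likely_bot": {"success": True, "score": 0.1, "action": "signup",
                   "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"},
    "wrong_action": {"success": True, "score": 0.9, "action": "login",
                     "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"},
    "invalid_token": {"success": False, "error-codes": ["invalid-input-response"]},
}


def evaluate_v3(result, expected_action, expected_hostname, threshold=0.5):
    """Turn a siteverify result into ('allow' | 'challenge' | 'reject', reason).

    Order matters: a token that failed verification, or that was minted for a
    different site or a different action, is rejected outright regardless of
    its score, because the score is meaningless for a replayed or forged token.
    A genuine token with a low score is not rejected but escalated to a visible
    challenge, so a misclassified human still has a way through.
    """
    if not result.get("success"):
        return "reject", "token_invalid:" + ",".join(result.get("error-codes", []))
    if result.get("hostname") != expected_hostname:
        return "reject", "hostname_mismatch"
    if result.get("action") != expected_action:
        return "reject", "action_mismatch"
    score = float(result.get("score", 0.0))
    if score < threshold:
        return "challenge", f"low_score:{score}"
    return "allow", f"score:{score}"


def verify_token(secret, token, expected_action, expected_hostname,
                 threshold=0.5, remote_ip=None):
    """Live verification: POST the client token to siteverify, then evaluate.

    Not executed in this offline example; shown so the offline evaluate_v3()
    above is seen in the place it would be called.
    """
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return evaluate_v3(json.load(resp), expected_action, expected_hostname, threshold)


if __name__ == "__main__":
    for name, sample in SAMPLE_RESPONSES.items():
        print(name, "->", evaluate_v3(sample, "signup", "example.com"))
```

The threshold is a tuning knob, not a fixed truth: lowering it lets more traffic through without a puzzle, raising it pushes more real users into the fallback challenge, which is exactly the friction trade-off discussed later in this post.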
What are CAPTCHA bots and CAPTCHA farms?
CAPTCHA bots are systems designed to solve CAPTCHAs in an automated way. The least sophisticated ones rapidly try combinations of numbers and letters to guess the correct answer to a CAPTCHA challenge. The more sophisticated ones use optical character recognition (OCR), internal logic (built by collecting customers’ samples), or human help through CAPTCHA farms, where humans are employed to complete CAPTCHAs in bulk at a very low cost (as low as $1-$3 for every 1,000 v2 reCAPTCHAs solved).
In one report presented at Black Hat, the authors were able to solve 70% of reCAPTCHA challenges.
How CAPTCHA Affects Merchants
Given that, with advances in AI and machine learning, fraudsters are able to solve reCAPTCHAs, this technique may have become more of a pain for customers than a way to combat bot attacks.
- The average consumer spends 25 seconds completing a CAPTCHA. In today’s environment, where companies are trying to reduce friction in application processes, CAPTCHA may be the reason for customer drop-offs. Studies show that the conversion rate drops 40% when customers encounter CAPTCHAs, and these negative interactions make it much harder for businesses to earn loyalty in the future. (reference: https://www.anura.io/captcha)
- For every dollar a business loses to bogus transactions, it turns away $30 by mistakenly blocking or discouraging legitimate customers, including through the use of CAPTCHAs.
- With CAPTCHA bots easily accessible, CAPTCHA has become inadequate to stop bots and account takeover, carding, and scalping attacks.
Given that fraudsters have found ways to bypass this control, it is not a complete solution to the fraud problem and needs to be supplemented with fraud risk management strategies.
Anomaly detection and biometric verification: anomalies in digital signals, such as multiple attempts from the same IP address or digital asset, combined with behavioral biometrics (the way a person types, the speed at which they type or move their cursor, or the position of the cursor), can be a more efficient way to catch bot attacks while reducing customer friction.
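The "multiple attempts from the same IP address" signal above is the easiest of these to implement, and it needs no challenge at all. Here is an added example (not from the original post) of a sliding-window velocity check run over constructed authentication log lines: an IP is flagged when it produces too many failed logins or registrations inside the window, or when it touches too many distinct accounts, which is the characteristic shape of credential stuffing and bulk sign-ups. The log format, the IP addresses (documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: "<ISO timestamp> <client ip> <event> <account>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 203.0.113.5 login_failed alice
2024-01-01T10:00:02Z 203.0.113.5 login_failed bob
2024-01-01T10:00:04Z 203.0.113.5 login_failed carol
2024-01-01T10:00:05Z 203.0.113.5 login_failed dave
2024-01-01T10:00:07Z 203.0.113.5 login_failed erin
2024-01-01T10:00:09Z 203.0.113.5 login_failed frank
2024-01-01T10:00:10Z 198.51.100.7 login_failed alice
2024-01-01T10:05:30Z 198.51.100.7 login_ok alice
2024-01-01T10:06:00Z 192.0.2.9 register mallory1
2024-01-01T10:06:01Z 192.0.2.9 register mallory2
2024-01-01T10:06:02Z 192.0.2.9 register mallory3
2024-01-01T10:06:03Z 192.0.2.9 register mallory4
"""

# Events that count toward attack velocity; a successful login does not.
COUNTED_EVENTS = {"login_failed", "register"}


def parse_line(line):
    """Split one log line into (timestamp, ip, event, account)."""
    ts_s, ip, event, account = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, event, account


def find_velocity_anomalies(log_text, window_seconds=60, max_events=5, max_accounts=3):
    """Per-IP sliding-window velocity check.

    Keeps, for each IP, a deque of the counted events seen in the last
    window_seconds. After every event the window is pruned and two rules are
    evaluated: more than max_events attempts in the window, or more than
    max_accounts distinct accounts in the window. Returns a sorted list of
    (ip, reason) pairs so the result is deterministic and easy to assert on.
    """
    windows = defaultdict(deque)  # ip -> deque of (timestamp, account)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, account = parse_line(line)
        if event not in COUNTED_EVENTS:
            continue
        q = windows[ip]
        q.append((ts, account))
        # Drop events that have aged out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_events:
            flagged.setdefault(ip, set()).add("too_many_attempts")
        if len({acct for _, acct in q}) > max_accounts:
            flagged.setdefault(ip, set()).add("too_many_accounts")
    return sorted((ip, reason) for ip, reasons in flagged.items() for reason in sorted(reasons))


if __name__ == "__main__":
    for ip, reason in find_velocity_anomalies(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

In the sample, the first IP trips both rules, the second is a person who mistyped a password once and then logged in, and the third is flagged only for creating too many accounts. Rather than blocking outright, a flag like this is normally fed into a risk score or used to decide who gets shown a challenge, which is how it reduces friction for everyone else.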
There are also alternatives to CAPTCHAs, such as the anti-spam honeypot. A honeypot is a hidden field in your form that should not be filled out by humans (and should be empty when submitted) but will be automatically filled out by bots, and can then be used to identify spam. The theory is simple: if the honeypot field contains data, it must be a bot — and if it’s a bot, we can ignore its submission.
Time-based forms evaluate the time it takes a human to complete and submit the form. If there is an anomaly in it, there is a higher chance of a bot. The challenge is that every user may take a different amount of time, and fraudsters can develop bots that mimic human timings.
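The honeypot and the time-based check described in the two paragraphs above are usually deployed together, because each is cheap and each covers a different kind of bot. The following added example (not code from the original post) renders a registration form with a hidden honeypot field and a signed issue timestamp, then classifies a submission on the server: honeypot filled, token missing or forged, submitted too quickly, or expired. Signing the timestamp with an HMAC matters, because a plain timestamp in a hidden field could simply be backdated. The field name `website_url`, the `form_token` format and the 3-second/1-hour limits are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server secret, generated fresh per process for this example;
# a real deployment would load a persistent secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)
HONEYPOT_FIELD = "website_url"   # assumed name; chosen to look like a normal field to a bot
MIN_SECONDS = 3.0                # faster than this is implausible for a person
MAX_SECONDS = 3600.0             # older than this and the token is stale


def issue_form_token(now=None):
    """Return '<issued-unix-seconds>.<hmac-sha256 hex>' for embedding in the form."""
    issued = int(now if now is not None else time.time())
    sig = hmac.new(SERVER_SECRET, str(issued).encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{sig}"


def render_form(now=None):
    """Return constructed HTML for the form, honeypot and token included."""
    token = issue_form_token(now)
    return (
        '<form method="post" action="/register">\n'
        '  <label>Email <input name="email" type="email" required></label>\n'
        # The honeypot is hidden by off-screen positioning rather than display:none,
        # taken out of the tab order, and marked aria-hidden so assistive tech and
        # browser autofill do not touch it; a form-filling bot still sees an input.
        '  <div style="position:absolute;left:-10000px" aria-hidden="true">\n'
        f'    <input name="{HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        f'  <input type="hidden" name="form_token" value="{token}">\n'
        '  <button type="submit">Register</button>\n'
        '</form>\n'
    )


def classify_submission(form, now=None):
    """Return 'accept' or a rejection reason for a submitted form (dict of fields)."""
    # 1. Honeypot: a person never sees the field, so any content means automation.
    if form.get(HONEYPOT_FIELD, "") != "":
        return "honeypot_filled"
    # 2. Token integrity: the issue time must carry a valid signature.
    token = form.get("form_token", "")
    issued_s, _, sig = token.partition(".")
    if not issued_s.isdigit():
        return "missing_token"
    expected = hmac.new(SERVER_SECRET, issued_s.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad_token"
    # 3. Timing: too fast looks automated, too slow is a replayed or stale token.
    elapsed = (now if now is not None else time.time()) - int(issued_s)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "accept"


if __name__ == "__main__":
    print(render_form())
    tok = issue_form_token(now=1000)
    print(classify_submission({"email": "a@example.com", "form_token": tok}, now=1010))
```

As the post notes, timing is a weak signal on its own: real users vary and a bot can simply wait. That is why the handler returns a reason rather than a verdict, so the caller can treat `too_fast` as one input to a risk score while treating `honeypot_filled` and `bad_token` as hard rejects.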
Conclusion
In conclusion, while CAPTCHA and its subsequent iterations have played a pivotal role in the fight against automated threats and spam, the landscape of cybersecurity and digital fraud is continually evolving. The efficacy of CAPTCHAs, once hailed as an innovative solution, has been challenged by advancements in AI and machine learning, as well as the ingenuity of fraudsters employing CAPTCHA bots and farms. This has led to an increased exploration of alternatives that balance user experience with security. Techniques like anomaly detection, biometric verification, honeypots, and time-based form analysis offer promising avenues. Google's reCAPTCHA v3 represents a significant step forward by monitoring user behavior without disrupting their experience. As we move forward, it's clear that the future of digital security will rely on adaptive, multifaceted strategies that stay ahead of malicious actors while prioritizing legitimate users' ease of access and overall experience. The journey from the initial CAPTCHA to its current state underscores the dynamic nature of cybersecurity, reminding us that innovation and adaptation are key to staying ahead of threats in the digital age.