Recently, some attention has been drawn to the ineffectiveness of the CAPTCHA. In 2021, forcing users to count traffic lights before buying tickets or registering for an account seems completely pointless.
Most discussions about CAPTCHA these days focus on what could replace it. For years it was ingrained in our heads that the CAPTCHA is the only - and best - way to defend websites against bot-based fraud and attacks. However, CAPTCHAs don't work as intended: knowledgeable attackers beat them easily, and they add friction to the buying experience. The false sense of security that CAPTCHAs provide very often comes at the cost of satisfied, loyal customers.
Evading the CAPTCHA
When CAPTCHA technology was first introduced in 1997 by AltaVista, it seemed like a revolutionary answer to a new problem: preventing bots from posing as humans and logging into a website. It worked for a while. But, as with every security control, motivated attackers soon found a way around it.
There have been many versions of the CAPTCHA over the years, the most recent (and most popular) being Google's reCAPTCHA. Google acknowledges user frustration, and its score-based version now hands application owners a risk score and leaves them to set and manage the thresholds that separate humans from bots. The bots now face a security control they can easily bypass: understanding and eliminating the observable differences between headless Chromium and a real Chrome session is a (dark) art that lets a bot obtain the same risk score as a human.
Attackers have two main approaches when defeating a CAPTCHA: (1) be undetectable, so no challenge is served in the first place; or (2) automate solving the challenge. Services such as 2CAPTCHA ensure that CAPTCHAs present no obstacle to well-funded, semi-technical attackers. 2CAPTCHA alone lists over 300 reference cases of bots using its solution, and its pricing means an attacker can have CAPTCHAs solved for less than $1 per 1,000.
The underlying problem is that, despite technology upgrades and tougher puzzles, Google's and every other CAPTCHA-type solution end up in the same place: attackers have proven they have effective workarounds to evade these tools.
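To make the "be undetectable" approach and the headless-Chromium point concrete, here is an added example (not code from the original article or from Kasada): a simplified probe of the kind a client-side risk-scoring script runs, checking well-known properties that stock headless Chromium exposes differently from an interactive Chrome session (`navigator.webdriver`, a `HeadlessChrome` user agent, empty `plugins` and `languages`, a missing `window.chrome` object). The two fingerprints are constructed sample data, the scoring rule is a hypothetical equal-weight fraction, and `window.chrome` is folded into the same object as the navigator properties so the code runs under Node without a browser.

```javascript
// Added example: a toy automation-signal probe over constructed navigator-like
// objects. The property names are real browser properties; the sample values
// and the scoring rule are assumptions made for this illustration.

// Each signal fires (returns true) when the property looks like stock headless
// Chromium rather than a person's Chrome session.
const SIGNALS = [
  { name: 'webdriver-flag',        check: n => n.webdriver === true },
  { name: 'headless-user-agent',   check: n => /HeadlessChrome/.test(n.userAgent) },
  { name: 'no-plugins',            check: n => !n.plugins || n.plugins.length === 0 },
  { name: 'no-languages',          check: n => !n.languages || n.languages.length === 0 },
  { name: 'missing-chrome-object', check: n => n.chrome === undefined },
];

// Score a navigator-like object: fraction of signals that fire.
// 0 means "indistinguishable from a human session" to this probe.
function automationScore(nav) {
  const fired = SIGNALS.filter(s => s.check(nav)).map(s => s.name);
  return { score: fired.length / SIGNALS.length, fired };
}

// Constructed sample: what an interactive Chrome session exposes.
const realChrome = {
  webdriver: false,
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
             '(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
  plugins: [{ name: 'Chrome PDF Viewer' }],
  languages: ['en-US', 'en'],
  chrome: { runtime: {} },
};

// Constructed sample: stock headless Chromium driven by an automation framework.
const stockHeadless = {
  webdriver: true,
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ' +
             '(KHTML, like Gecko) HeadlessChrome/90.0.4430.93 Safari/537.36',
  plugins: [],
  languages: [],
  chrome: undefined,
};

// The "be undetectable" move: because the bot owns the JavaScript runtime, it
// can overwrite every property the probe reads so that it presents the same
// surface as realChrome. This is what a stealth plugin does in practice.
function patchHeadless(nav) {
  return {
    ...nav,
    webdriver: false,
    userAgent: nav.userAgent.replace('HeadlessChrome', 'Chrome'),
    plugins: [{ name: 'Chrome PDF Viewer' }],
    languages: ['en-US', 'en'],
    chrome: { runtime: {} },
  };
}

// Stand-alone demonstration.
console.log('real Chrome     :', automationScore(realChrome));
console.log('stock headless  :', automationScore(stockHeadless));
console.log('patched headless:', automationScore(patchHeadless(stockHeadless)));
```

The patched headless profile scores exactly like the real browser, which is the point of the paragraph above: a score built from properties the client reports about itself only filters out automation that never bothered to hide, because the attacker controls the runtime that answers the questions.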
Replacing the CAPTCHA
That brings us to the discussion that bubbles up in the security industry every so often - what do we replace the CAPTCHA with? How can we evolve the tool to better filter out bots? Will reCAPTCHA v4 be the one that stops bots cold?
The truth is, replacing CAPTCHAs with another similar system, or with something like a user-owned security key, simply won't work. On one hand, attackers are motivated to beat whatever the newest tool is; on the other hand, moving the onus of security onto the user has traditionally failed. Just look at how often employees inadvertently cause their company's biggest security breaches by not following the rules and policies as directed. Relying on users to be the point of security for your business is a disaster waiting to happen.
Don’t Replace, Rethink
There is no doubt that differentiating between humans and bots can be challenging. The rationale for using CAPTCHA solutions, however, appears to be similar between security vendors and application owners – it’s a decision avoidance solution. Even though more advanced, specialized and less invasive CAPTCHAs exist in the market today, they add an unwanted level of friction and potential for false positives that ruin the customer experience and are merely an extension of decision avoidance.
It's time that the security industry stops forcing users to cover for a site's lack of security. What's clear is that there simply needs to be a greater effort made by organizations to identify and protect their own sites against bots.
Instead of relying on outdated technology that makes businesses believe they are stopping bots rather than actually stopping them, online businesses need to embrace new approaches to the problem. Modern security approaches exist that defend against malicious automation without depending on customers to prove that they are human. The starting point for any such approach should be the ability to detect automation without relying on outdated risk-scoring models that fall back to CAPTCHAs (even for "grey area" cases), coupled with an effective way to control and eliminate it.
Preventing bots needs to become part of the base-level requirements for operating an online business. It should no longer be acceptable to hide behind technology whose biggest benefit is its ability to show users what traffic lights and crosswalks look like across the globe.
About the Author
Sam Crowther is an entrepreneur with a passion for cybersecurity. The Kasada founder got his start in the industry as a high school student when he joined the cybersecurity team of the Australian Signals Directorate (ASD). From there, he moved to a red team role at a global investment bank, an experience that inspired him to start his own company. With funding from leading U.S. and Australian investors, Crowther launched Kasada in 2015 to provide innovative web traffic integrity solutions to companies around the world. Based in New York and Sydney, Crowther loves creating simple technical solutions to complex problems and is motivated by challenging preconceived ideas and beliefs in order to have a positive impact on the world.