A common form of defense against bot and human-driven fraud, traditional CAPTCHAs (including reCAPTCHA, hCaptcha, and others) are widely used to fight malicious bots. From account takeovers to credential stuffing to hacking online traffic, organizations rely on these visual and audio challenges to protect their web properties.
All traditional “Completely Automated Public Turing” (CAPTCHA) tests are not the same. And unfortunately for businesses today, they are not as effective as they once were. But there is good news for users looking to go beyond traditional CAPTCHAs into more innovative fraud detection—traditional CAPTCHAs are no longer the only game in town.
What is CAPTCHA?
A CAPTCHA is any website authentication test intended to separate human traffic from bot activity. The idea behind these challenges is to provide visual tests for humans to solve, ones that machines cannot. Picture stretched letters and numbers to identify—or specific images to click. Websites rely on CAPTCHAs as tools to:
- Differentiate good from bad online traffic by stopping fraud at the front door.
- Maintain poll accuracy by ensuring each vote is entered by a good user.
- Limit registration or services to keep bad bots from creating bogus accounts and spamming registration platforms.
- Prevent fake accounts from bots looking to spam forms, sites, boards, and more.
- Stop ticket scalping by limiting the number of purchases fraudsters can make and preventing them from falsely registering to events.
Traditional CAPTCHAs use distorted and/or overlapping letters to confuse bots trying to access secure sites. CAPTCHAs were designed to allow humans to satisfy the visual challenges with little to no effort.
Things have changed, however, since bots began using machine learning to develop new skills. As a result, bad bots today are able to identify traditional CAPTCHAs with code designed to see patterns. More complicated challenges were created, such as reCAPTCHA, which requires users to click a specific area within a certain amount of time. Several types of traditional CAPTCHAs exist, many of which are owned by varying companies and providers.
What is reCAPTCHA?
The puzzle known as reCAPTCHA (which is a particular kind of traditional CAPTCHA) is a system first developed by scientists in 2007 and acquired two years later by Google. It is free, and relies on a risk analysis engine and adaptive challenges to keep bad bots at bay and malware from wreaking havoc on a website.
Types of reCAPTCHAs
Currently, there are four different versions of reCAPTCHA to choose from, although not all of them are still in use. For example, reCAPTCHA v1 was shut down in 2018. There are actually a few versions of reCAPTCHA v2:
- reCAPTCHA v2 (Android) provides a library with native APIs that users can integrate directly into an application.
- reCAPTCHA v2 (Invisible reCAPTCHA badge) does not require users to click anything; the challenge is invoked as soon as the user interacts with the site.
- reCAPTCHA v2 (“I’m not a robot” checkbox) asks users to click a box confirming their human identity. This version offers the easiest integration and only needs two lines of HTML code to create the challenge.
- reCAPTCHA v3 lets good users verify themselves without performing any action, and without impacting the online experience; however, it still raises privacy concerns and creates problems for website administrators.
Limitations of Traditional CAPTCHAs
Malicious bots are becoming so sophisticated that traditional CAPTCHAs work only for a while … until the bots learn how to solve or evade them. Many organizations also are moving away from traditional CAPTCHAs out of concern for end-users' privacy, and because these implementations provide a less-than-optimal user experience, including:
- Frequent disruption and potential frustration for users
- Many users have trouble understanding or using some challenges
- Some CAPTCHAs do not work with every browser
- Other CAPTCHAs are not accessible to users who are visually impaired or are using screen readers to view web content. Audio CAPTCHAs can be difficult to understand.
But there are efficacy problems to consider as well. While traditional CAPTCHAs do eliminate some spam, they are not able to mitigate it entirely. The bots of today have little trouble maneuvering around these tests, forcing web owners to up their security. This move can lead to the blocking of good traffic and a decrease in overall web traffic and revenue.
reCAPTCHA and GDPR Compliance
reCAPTCHA is not currently compliant with GDPR mandates. According to the GDPR, websites are supposed to collect only the amount of information they need to do business—nothing additional. Companies using reCAPTCHA should still use a Privacy Policy and a Cookie Policy on their websites.
Businesses operating in the EU (or potentially serving EU users) must comply with these policies so users are informed and consent is facilitated, including the option to block cookie-installing scripts. Google’s reCAPTCHA tool also deploys on a website without adequate notices and consent mechanisms in direct violation of GDPR. European businesses need new ways to authenticate user traffic and should consider alternative solutions.
Arkose Labs: A reCAPTCHA Alternative that Stops Bots Permanently
Arkose MatchKey is a state-of-the-art series of challenges with industry-leading security. Unlike traditional CAPTCHAs, the Arkose MatchKey challenges evolve over time to block all malicious bots, driving up the cost and effort for attackers.
Our challenges combine the highest levels of defensibility, usability, and accessibility into a single product. In fact, Arkose MatchKey is the most secure CAPTCHA ever developed.
Why Not Use a Traditional CAPTCHA?
Traditional CAPTCHAs still rely on photos and tests that are easy for bots to recognize. In fact, most easily identified photos are already labeled by off-the-shelf machine learning-based solvers. And, image recognition software continually improves image-detection at the cost of reducing defensibility and usability of traditional CAPTCHAs.
Conclusion
While traditional CAPTCHAs still are used by many organizations, these puzzles have many limitations including: a relatively low level of defensibility, a poor user experience, and very little in the way of accessibility for users who may be unable to see or hear.
Arkose Labs helps businesses stamp out spam and abuse using continuous intelligence to intercept and quickly remediate automated spam attacks. Our platform effectively distinguishes between human and automated traffic to neutralize bot attacks before they can scale. Using a combination of dynamic risk decisioning and targeted friction, Arkose Labs makes the attack incrementally more costly for fraudsters, which prevents them from scaling up their operations.
Find out how Arkose Labs can help your business move away from traditional CAPTCHAs and into a more innovative, secure and effective solution. Book a meeting with us anytime.
Share The Blog
