
How Machines Are Set to Conquer Legacy CAPTCHAs

June 16, 2020 · 4 min read


CAPTCHAs are challenge-response systems that typically deploy visual tests in order to differentiate between malicious bots and good users. However, legacy solutions have lacked investment and innovation. As a result, they fail to keep pace with evolving threats and machines can solve them at scale. 

Keeping customers safe throughout their online journey is one of the top concerns of digital businesses today. However, despite investment in multiple technologies, businesses find themselves scrambling to close the gaps that remain exposed to attackers.

To prevent cybercriminals from using bots to access their digital ecosystems and degrading the user experience, many websites use visual challenges such as CAPTCHAs. However, in its latest report, "Cool Vendors in Identity and Access Management and Fraud Detection 2020", Gartner notes that these solutions are on the verge of being conquered by machines. Why are CAPTCHAs failing, and what can we do about it?

Automatic solvers can break CAPTCHA challenges

Bad actors are looking to maximize economic returns from their attacks, and are engaging in an arms race with digital businesses. They are sharpening their skills and using sophisticated tools to their advantage. On the other hand, too many businesses are still relying on bargain-basement bot solutions, which are increasingly ineffective against attacks. Legacy CAPTCHAs are designed to fight bots, but they are failing at their primary function and are often unable to protect businesses from an onslaught of automated attacks.

Attackers pass CAPTCHA challenges at scale using automated breakers that use cookie creation and token harvesting. They use IP proxy services and run attacks in parallel to maximize the returns. They can also maximize the returns on investment by paying click farms and sweatshops nominal costs to pass the visual challenges at scale. Further, advancements in machine vision technology are helping develop automated solvers that can break the visual challenges rather easily.

While malicious actors use automation to clear the visual challenges at scale, good users face higher challenge rates. This holds especially true for users who clear their cookies. The result disrupts the user experience without being effective in stopping attackers.

A better mechanism to detect and stop automated bots

Businesses cannot afford disruption to the user experience, because consumers who face disruption or inconvenience tend to get frustrated. In the worst cases, such customers may switch over to a competitor. Besides losing customers, businesses also risk damage to their reputation. Therefore, businesses need a better mechanism to root out automated bots decisively without damaging the user experience.

Challenges that can step up based on continuous feedback from a user's risk assessment are a better alternative to the CAPTCHA challenges currently in use. Arkose Labs uses context-based 3D Arkose MatchKey challenges to accurately distinguish bots, sweatshops, and malicious humans from true users.

Machines can't solve context-based 3D challenges

The Arkose Labs platform does not block any user. Instead, it presents them with visual Arkose MatchKey challenges to prove their authenticity. Good users can pass these challenges easily but bots fail instantly as these challenges are resilient to automated solvers. It is nearly impossible to train the machines to clear these proprietary Arkose MatchKey challenges at scale as the challenges are context-based and have countless possible solutions. Also, Arkose Labs uses proprietary visual images that are rendered in real-time and cannot be classified or recognized by even the most sophisticated machine vision software. This creates high barriers to entry for bad actors looking to circumvent challenges at scale, making it extremely difficult for automated bots to wriggle in.

Understand and tackle malicious human sweatshops

Arkose Labs understands that cybercriminals can choose to invest in human sweatshops to solve enforcement challenges. This is where the feedback loop between risk assessment and enforcement mechanism comes into play. The dynamic risk engine of the Arkose Bot Manager platform feeds the real-time risk assessment of users into the challenge enforcement mechanism. This enables the Arkose Labs platform to render progressively more complex Arkose MatchKey challenges to malicious human users, owing to their higher risk.

Malicious sweatshops must spend disproportionate amounts of time and resources to clear the 3D challenges at scale. This graduated friction saps their time and erodes the returns from the attack, which eats into the meager rewards these humans get for solving the challenges. Since the returns keep diminishing progressively, the attack becomes financially non-viable and forces fraudsters to abandon the attack.

Beyond CAPTCHAs

The Gartner 2020 Cool Vendor report not only flagged the issue of CAPTCHAs being conquered by machines, but it also emphasized the importance of a stand-out UX in attack prevention. Thanks to innovative vendors, such as Arkose Labs, businesses no longer need to rely on legacy systems. They can proactively improve user experience while delivering far higher security on their websites and apps.

To read why Gartner named Arkose Labs a Cool Vendor in the IAM and Fraud Detection report, get your complimentary copy today.