
CAPTCHA and reCAPTCHA: How Can You Bypass It?

December 3, 2020

If you have spent any time on the internet in recent years, you’ve had to check a little box to tell the world, ‘I’m not a robot’. This little box was invariably accompanied by a small visual or audio test, called CAPTCHA. You have to pass the CAPTCHA test to prove you are ‘not a robot’ in order to access some part of a website. Usually, this occurs at a point where you need to complete a form in order to sign up, subscribe, or make a purchase. 

For many, these have been an annoying, and often time-consuming, necessity of the internet. For the companies using them, however, they have been a reassuring security measure, giving them confidence that the people accessing their website are genuine visitors and not fraudsters. There is one problem, though: they don’t always work.

In this article, we will go through exactly what CAPTCHAs are, how they can easily be bypassed or are otherwise ineffective, and what you can do instead to truly protect yourself from fraudulent users.

What actually is a CAPTCHA? 


As the internet started gaining traction in the 90s, internet malpractice followed close behind. CAPTCHAs were created in response, as a way of differentiating genuine users from bad bots crawling through websites to perform some form of fraud. The name itself explains this goal: CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, a Turing test being a test designed to distinguish human intelligence from that of a machine.

These early CAPTCHAs took the form of text distorted in some way to make it impossible for bots to read. While they were initially very successful, rapid advances in computing meant that bots became able to read the text. In fact, bots soon got so good at this that by 2014 Google found that its reCAPTCHA program (a development of the original CAPTCHAs, but not radically different) could be passed by bots over 99% of the time, while humans could only pass one-third of the time.

With this in mind, Google developed reCAPTCHA v2 and subsequently reCAPTCHA v3 to try to remedy this situation. ReCAPTCHA v2 introduced the familiar picture split into squares, asking the user to select the squares containing certain objects such as traffic lights or buses. Perhaps more significantly, reCAPTCHA v2 added tests that went beyond the actual response the user gave and looked at the way they gave it. This includes things like the time taken to select the correct squares and mouse movement, to differentiate between the efficient, instant movement of bots and the unsteady and often confused motions of their human counterparts.

What happens when an actual visitor is marked as a bot? It can be extremely frustrating as a human to try to select the boxes containing, say, a crosswalk, not knowing whether the tiny sliver of it that spills into another box should count. Website owners run a greater risk of losing legitimate visitors when they rely on a probabilistic judgement.

ReCAPTCHA v3 has taken this even further: websites employing this tool monitor all of a user’s activity on the site, and even past Google behavior, in order to come up with a user rating that assesses their likelihood of being a bot. This score ranges from 0, where they are very likely a bot, to 1, where they are very likely a human. V3 also puts the responsibility on the website owner, allowing them to apply measures to users depending on their score. For example, a website owner could completely block a user with a score of less than 0.1 from their site, give them a hard v2-style test for 0.1-0.5, an easy one for 0.5-0.9, and no test at all for above 0.9.
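One way to apply this kind of tiered policy on the server, as an added example that is not from the article or from Google: the function below takes the JSON body that Google's siteverify endpoint returns (its success, score, action and hostname fields) and maps it to block, challenge or allow using the article's thresholds. The expected action and hostname names, the band boundaries, and the sample response bodies are assumptions made for illustration.

```python
import json
# Thresholds from the article's example policy (block below 0.1, hard
# challenge 0.1-0.5, easy challenge 0.5-0.9, no test above 0.9). The
# article does not say what happens at exactly 0.5 or 0.9; this assumes
# each band is lower-inclusive and upper-exclusive.
BLOCK_BELOW, HARD_CHALLENGE_BELOW, EASY_CHALLENGE_BELOW = 0.1, 0.5, 0.9

def decide(verification, expected_action, expected_hostname):
    """Map a parsed siteverify result (success, score, action, hostname)
    to a decision. The score alone is not enough: a token issued for a
    different page action or hostname is rejected even if it scores high."""
    if verification.get("success") is not True:
        return "block"
    if verification.get("action") != expected_action:
        return "block"
    if verification.get("hostname") != expected_hostname:
        return "block"
    try:
        score = float(verification["score"])
    except (KeyError, TypeError, ValueError):
        return "block"  # no usable score (e.g. a v2 response): treat as bot
    if score < BLOCK_BELOW:
        return "block"
    if score < HARD_CHALLENGE_BELOW:
        return "hard_challenge"
    if score < EASY_CHALLENGE_BELOW:
        return "easy_challenge"
    return "allow"

def decide_from_json(raw, expected_action="signup", expected_hostname="example.com"):
    """Same decision from the raw response body; malformed JSON blocks."""
    try:
        return decide(json.loads(raw), expected_action, expected_hostname)
    except ValueError:
        return "block"

# Constructed sample response bodies (not captured from a real siteverify call).
SAMPLES = {
    "human": '{"success": true, "score": 0.95, "action": "signup", "hostname": "example.com"}',
    "unsure": '{"success": true, "score": 0.6, "action": "signup", "hostname": "example.com"}',
    "suspect": '{"success": true, "score": 0.3, "action": "signup", "hostname": "example.com"}',
    "bot": '{"success": true, "score": 0.05, "action": "signup", "hostname": "example.com"}',
    "replayed": '{"success": true, "score": 0.9, "action": "login", "hostname": "example.com"}',
    "expired": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "garbage": 'not json',
}

def classify_samples():
    return {name: decide_from_json(body) for name, body in SAMPLES.items()}
```

Note that the "replayed" sample scores 0.9 yet is blocked because its action does not match the page being protected; checking action and hostname is what stops a token harvested on one page from being reused on another.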

Almost all CAPTCHAs used today use either v2 or v3 systems.

What is going wrong?

Unfortunately, despite these attempts to outrun malicious users in digital advertising, a quick Google search will provide you with an abundance of sites telling you exactly how to get around even the most complex tests. On top of this, in many cases the tests have become so difficult that users get genuinely angry dealing with them, painting a less than ideal picture of CAPTCHAs. In the best case, this leaves users with a sour taste from the experience; in the worst case, they leave the site altogether.

Even when it comes to reCAPTCHA v3, it is shockingly easy for fraudsters to gain a high score using a carefully crafted bot or by employing human fraud farms. These sophisticated fraudsters can easily bypass the CAPTCHAs they face. Not only this, but by putting the responsibility on the website owner, you are left with people deciding which traffic should probably be allowed to reach their sites. With all this in mind, a probability-based approach comes with a high risk of false positives. The most commonly used CAPTCHAs today should not be relied on as a definitive solution for blocking fraudulent traffic.

What Can You Do About it? 

Thankfully, there are ways to block fraudulent traffic that are better at identifying malicious bots, malware, and human fraud, that do not ruin the user experience, and that don’t leave the decision-making in your hands. The most effective of these is an ad fraud solution.

Anura detects fraud with precision via a robust, fine-tuned solution that delivers virtually no false positives. Get the peace of mind that comes with knowing you’re never blocking real visitors. This definitive and accurate approach gives you the freedom to run your business without the worries of fraudulent visitors. Contact us to learn more.
