CAPTCHA and reCAPTCHA: How Fraudsters Bypass It
If you have spent any time on the internet in recent years, you’ve had to check a little box to tell the world, “I’m not a robot.” This little box was often accompanied by a small visual or audio test, called a CAPTCHA.
You have to pass the CAPTCHA test to prove you are “not a robot” before you can access some part of a website. Usually, this occurs at a point where you need to complete a form to sign up, subscribe, or make a purchase on a website or app.
For many users, these have been an annoying and time-consuming necessity of the internet, often leaving them wondering how to avoid CAPTCHA. For the companies using them, however, CAPTCHA tools have been a reassuring security measure, giving them confidence that the people accessing their website are genuine visitors and not fraudsters. There is one problem, though: they don’t always work.
In this article, we will go through exactly what CAPTCHAs are, how they can easily be bypassed or are otherwise ineffective, and what you can do instead to truly protect yourself from fraudulent users.
- What Is CAPTCHA?
- What Is reCAPTCHA?
- The Downsides of CAPTCHA
- What Can You Do about CAPTCHA Bypasses?
What Is a CAPTCHA?
As the internet started gaining traction in the 90s, internet malpractice followed close behind. CAPTCHAs were created in response, as a way of telling genuine users apart from bad bots crawling through websites to perform some form of fraud.
The very name CAPTCHA explains this goal, standing for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, a Turing test being a test designed to tell whether you are dealing with a human or a machine.
These early CAPTCHAs took the form of text distorted so that the optical character recognition software of the day could not read it. While initially very successful, advances in computer vision soon meant that bots could read what the text said.
In fact, bots got so good at reading distorted text that in 2014 Google’s own researchers reported that a machine-learning system could solve the hardest variant of reCAPTCHA’s distorted text (reCAPTCHA being a development of the original CAPTCHAs) with 99.8% accuracy, which is why Google moved the product away from text puzzles that same year.
What Is reCAPTCHA?
reCAPTCHA is a human verification system developed in 2007 and bought by Google in 2009. It was originally built to help digitise books: words that OCR software could not read were served as challenges, so that the humans solving them transcribed the text. Once deployed to verify users, reCAPTCHA displayed two distorted words with lines running through them (compared to the random sequences of letters and numbers of earlier CAPTCHAs).
By 2012, the project began incorporating images from Google Street View. By now, you’ve almost certainly spent a decent chunk of time clicking all of the images that contain a stoplight just to prove you’re not a bot. And you’ve probably failed some of these tests, too! As noted by Baymard Institute, “Only 66% of users during our qualitative usability testing successfully entered the CAPTCHA on the first attempt.”
There were a few more iterations of reCAPTCHA, including the 2014 No CAPTCHA reCAPTCHA (where low-risk users only had to tick a checkbox stating “I’m not a robot”) and reCAPTCHA v3.
About reCAPTCHA v3
In 2018, Google unveiled reCAPTCHA v3, the latest iteration of the tool. Even if you’re an incredibly proficient internet user, there’s a good chance you’re scratching your chin and wondering whether you’ve come across reCAPTCHA v3 before.
With reCAPTCHA v3, you don’t have to decipher distorted words, you don’t have to click boxes to indicate you know what a car looks like, and you don’t even have to click the “I’m not a robot” checkbox, either. That’s because reCAPTCHA v3 exists largely in the background—completely invisible to the average user.
As such, reCAPTCHA v3 lets companies detect bots while ostensibly delivering a better user experience, but the trade is privacy: the v3 script runs on every page it is installed on and reports behavioural signals about every visitor to Google, whether or not that visitor ever sees a challenge.
Here’s how it works: the reCAPTCHA script observes how a visitor interacts with the site, and Google returns a score between 0.0 and 1.0 for each protected action, where 1.0 means the interaction looks like a human and 0.0 means it looks like a bot. reCAPTCHA v3 itself blocks nothing; the site owner’s server verifies the token, reads the score, and decides what to do with it.
While reCAPTCHA v3 can help websites detect bots, that is the only job it does. If you want to protect your website from ad fraud, you will need more than this service. Based on our client performance data, carefully crafted malware and human fraud get past reCAPTCHA v3, and it has a high false-positive rate, marking real people as fraud.
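Because v3 leaves the decision to the site owner, the server-side step matters more than the score itself. The following is an added example, not Anura’s or Google’s code, of what that step looks like: it verifies the token’s result, rejects tokens minted for another action or hostname or older than the two-minute token lifetime, and only then applies a score threshold. The response field names (success, score, action, challenge_ts, hostname, error-codes) are those documented for Google’s siteverify endpoint; the thresholds, the expected action and hostname, and the sample responses are constructed for illustration.

```python
# Server-side handling of a reCAPTCHA v3 verification result.
# Added example, not Anura's or Google's code. The response fields (success,
# score, action, challenge_ts, hostname, error-codes) are those documented for
# Google's siteverify endpoint; the threshold values, the expected action and
# hostname, and the sample responses below are constructed for illustration.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret: str, token: str, remote_ip: str = "") -> dict:
    """POST the token the browser obtained from grecaptcha.execute() to Google
    and return the parsed JSON. This is the only network call; the offline
    demo below never invokes it."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=5) as resp:
        return json.load(resp)


def decide(result: dict, expected_action: str, expected_hostname: str,
           now: datetime, allow_at: float = 0.7, block_below: float = 0.3,
           max_age: timedelta = timedelta(minutes=2)) -> tuple:
    """Turn a siteverify response into 'allow', 'challenge' or 'block'.

    The score is looked at last: a token that failed verification, was minted
    for a different action or hostname, or is older than its two-minute
    lifetime is rejected regardless of score. The two thresholds are
    assumptions; pick them from your own traffic.
    """
    if not result.get("success"):
        return "block", "siteverify failed: " + ",".join(result.get("error-codes", []))
    if result.get("action") != expected_action:
        return "block", "token minted for action %r" % result.get("action")
    if result.get("hostname") != expected_hostname:
        return "block", "token minted on %r" % result.get("hostname")
    issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > max_age:
        return "block", "token older than %s" % max_age
    score = float(result.get("score", 0.0))
    if score >= allow_at:
        return "allow", "score %.1f" % score
    if score < block_below:
        return "block", "score %.1f" % score
    return "challenge", "score %.1f, step up to a second factor" % score


# Constructed sample responses, shaped like siteverify JSON.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "likely_human": {"success": True, "score": 0.9, "action": "checkout",
                     "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "shop.example"},
    "grey_zone": {"success": True, "score": 0.5, "action": "checkout",
                  "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "shop.example"},
    "likely_bot": {"success": True, "score": 0.1, "action": "checkout",
                   "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "shop.example"},
    # High score but minted for the login action: a token replayed on checkout.
    "wrong_action": {"success": True, "score": 0.9, "action": "login",
                     "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "shop.example"},
    # High score but ten minutes old: outside the token lifetime.
    "stale": {"success": True, "score": 0.9, "action": "checkout",
              "challenge_ts": "2024-01-01T11:50:00Z", "hostname": "shop.example"},
    "invalid": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def demo() -> dict:
    """Decision for each constructed sample under the default thresholds."""
    return {name: decide(r, "checkout", "shop.example", NOW)[0]
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The order of checks is the point: a high score on a replayed or stale token is worth nothing, and the grey zone between the two thresholds is where a step-up (such as the MFA discussed later in this article) belongs rather than a hard block.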
The Downsides of CAPTCHA
As useful as CAPTCHAs have been in the past, it’s important to realize that they aren’t without their downsides. These tools leave much to be desired as ad fraud prevention methods. Some key issues with CAPTCHA and reCAPTCHA include:
CAPTCHAs Hurt the User Experience
Imagine you’re heading to a retailer’s website to complete an e-commerce transaction. You just found out about a new product, and you’re eager to buy it as soon as possible. As you begin the process of checking out, you run into a CAPTCHA. Worse yet, you fail the test. Would such an experience make you more or less likely to complete the purchase?
If the CAPTCHA test is poorly made, it can be failed multiple times. For example, if the instruction is “pick all boxes that have a fire hydrant” and one large hydrant spans the grid so that only a few pixels of it fall into a corner tile, should that tile be clicked or not?
This can be extraordinarily frustrating for users—which impacts user engagement and conversions.
CAPTCHAs Can Waste Customers’ Time
More recently, CAPTCHAs have been shown to eat up extra time for users. For example, the PS5 and Xbox Series X console launches pitted human buyers against bots owned and operated by scalpers on retailer websites.
When a human encounters a CAPTCHA test, they have to spend precious seconds looking at it and responding. A bot either solves the test itself or hands it to an automated or human solving service, and then proceeds almost directly to purchase. The result? The bot buys dozens of consoles and the human gets an “out of stock” error message by the time they finish the test.
Killing Conversion Rates
Taken together, it comes as no surprise that annoying experiences and extra time to complete actions cost sales: CAPTCHAs have been reported to cut conversion rates by as much as 40%. It’s worth noting that CAPTCHAs won’t just prevent you from generating more leads or selling more products at that moment. Since consumers are likely to stop supporting brands after a bad experience, they may very well cost you sales in the future, too.
CAPTCHA Bypass Is Too Easy with Modern Bots
If hurting the user experience wasn’t enough to make you think about ditching CAPTCHAs, here’s something else to consider: artificial intelligence (AI) has reached the point where a modern CAPTCHA-solving bot, or a paid solving service behind it, can pass the test with ease, defeating its purpose entirely.
Since a CAPTCHA gives you a pass/fail result (or, for v3, a score) and nothing else, you can’t zero in on where fraud is coming from. Even if your CAPTCHAs somehow prevented bots from getting around them, you’d still have to deal with malware and human fraud.
Unfortunately, despite attempts to outpace malicious users in digital advertising, a quick Google search will provide you with an abundance of sites telling you exactly how to get around even the most complex tests.
Additionally, these tests are often so difficult or poorly made that users get genuinely angry in dealing with them, painting a less than ideal picture of CAPTCHAs. Best case, this leaves a sour taste in their mouth from the user experience. In the worst case, they leave the site altogether.
Even when it comes to reCAPTCHA v3, it is shockingly easy for fraudsters to earn a high score using a carefully crafted CAPTCHA bot or by employing human fraud farms. These sophisticated fraudsters can easily bypass the CAPTCHAs they face.
Because the score is only a probability, the decision is pushed onto the website owner: you pick the threshold that decides which traffic probably should reach your site, and any threshold you pick trades bots let through against real people turned away. Set it high and you block customers; set it low and you pass the very fraud the score was meant to catch. The most commonly used CAPTCHAs today should not be relied on as a definitive solution for blocking fraudulent traffic.
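To make the threshold trade-off concrete, here is an added example (not Anura’s code, and not measured data) that sweeps a blocking threshold over a small constructed set of v3-style scores labelled as human or bot, reports the false-positive rate (real people blocked) and false-negative rate (bots let through) at each threshold, and picks the threshold that minimises expected cost for a given price of each kind of mistake. The scores, the cost figures and the claim that bot and human scores overlap in this way are assumptions built into the sample data; on a real site you would label sessions after the fact (chargebacks, bounced leads, confirmed conversions) and feed those in.

```python
# Choosing a reCAPTCHA v3 score threshold: the false-positive / false-negative
# trade-off. Added example, not Anura's code. All scores below are constructed
# for illustration, not measured from any site.

HUMAN_SCORES = [0.9, 0.9, 0.9, 0.7, 0.7, 0.7, 0.5, 0.3, 0.3, 0.1]  # constructed
BOT_SCORES = [0.1, 0.1, 0.1, 0.3, 0.3, 0.5, 0.7, 0.9]              # constructed

THRESHOLDS = (0.1, 0.3, 0.5, 0.7, 0.9, 1.0)


def error_counts(threshold, humans, bots):
    """(false positives, false negatives) when sessions scoring below
    `threshold` are blocked. FP = real person blocked, FN = bot let through."""
    fp = sum(1 for s in humans if s < threshold)
    fn = sum(1 for s in bots if s >= threshold)
    return fp, fn


def error_rates(threshold, humans, bots):
    """Same as error_counts, as fractions of each population."""
    fp, fn = error_counts(threshold, humans, bots)
    return fp / len(humans), fn / len(bots)


def sweep(humans, bots, thresholds=THRESHOLDS):
    """False-positive and false-negative rate at every candidate threshold."""
    return {t: error_rates(t, humans, bots) for t in thresholds}


def perfect_threshold_exists(humans, bots, thresholds=THRESHOLDS):
    """True only if some threshold blocks every bot and no human, which
    requires the two score distributions not to overlap."""
    return any(error_counts(t, humans, bots) == (0, 0) for t in thresholds)


def cheapest_threshold(humans, bots, cost_fp, cost_fn, thresholds=THRESHOLDS):
    """Threshold with the lowest total cost over the labelled sample, where a
    blocked customer costs `cost_fp` (a lost sale) and a bot let through costs
    `cost_fn` (a fraudulent lead or click). Class sizes in the sample act as
    the prevalence weighting."""
    best_t, best_cost = None, None
    for t in thresholds:
        fp, fn = error_counts(t, humans, bots)
        cost = fp * cost_fp + fn * cost_fn
        if best_cost is None or cost < best_cost:
            best_t, best_cost = t, cost
    return best_t


if __name__ == "__main__":
    for t, (fpr, fnr) in sweep(HUMAN_SCORES, BOT_SCORES).items():
        print(f"block below {t:.1f}: {fpr:5.1%} of humans blocked, "
              f"{fnr:5.1%} of bots passed")
    print("any threshold with zero errors:",
          perfect_threshold_exists(HUMAN_SCORES, BOT_SCORES))
    # A retailer where a lost sale hurts more than a bot session:
    print("retail threshold:",
          cheapest_threshold(HUMAN_SCORES, BOT_SCORES, cost_fp=20, cost_fn=8))
    # An advertiser paying per lead, where each bot lead is pure loss:
    print("lead-gen threshold:",
          cheapest_threshold(HUMAN_SCORES, BOT_SCORES, cost_fp=10, cost_fn=20))
```

With these constructed numbers no threshold reaches zero on both error rates, and the cheapest threshold moves from 0.3 for the retailer to 0.7 for the lead-gen advertiser. That is the decision a score-only tool hands to the site owner, and it is why a score is a signal to act on, not a verdict.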
What Can You Do about CAPTCHA Bypasses?
Thankfully, there are ways to block fraudulent traffic that are better at identifying malicious bots, malware, and human fraud, that do not ruin the user experience, and that don’t leave the decision-making in your hands.
You could verify users are real humans and not bots by using biometrics. For example, you might ask people on smartphones to prove their identity with their fingerprints. There are other kinds of biometrics to consider, too—including typing biometrics, speech recognition, and facial recognition.
Depending on your use case, however, biometrics might not be the best option. On one hand, such systems tend to be pretty pricey. On the other, not too many consumers are keen on giving away their biometric data to a company that sells socks, for example.
You can also implement a multi-factor authentication (MFA) method to make sure actual humans are accessing your systems. For example, you might have someone log into their account and then send them a text message with a one-time passcode they need to enter on your website to get to the next step.
While this method can be helpful in secure environments—like banking and brokerage accounting apps—it will likely create far too much user friction for the average company.
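For readers who do want the one-time passcode step described above, here is an added example (not Anura’s code) of the server side of it: issuing a random six-digit code, storing only a salted hash of it, and verifying submissions with a constant-time comparison, a single-use rule, an expiry, and an attempt limit. Delivery is out of scope, so the `deliver` callback stands in for an SMS gateway; the five-minute lifetime and the five-attempt limit are assumptions, as is the demo’s fake clock.

```python
# Issuing and verifying a one-time passcode for an SMS step-up.
# Added example, not Anura's code. `deliver` stands in for an SMS gateway;
# the lifetime and attempt limit are assumptions.
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_LIFETIME_S = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5       # assumption: after this the code is discarded


def _digest(code: str, salt: bytes) -> bytes:
    # Store a salted hash rather than the code, so a leaked store is useless.
    return hashlib.sha256(salt + code.encode()).digest()


class OtpService:
    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver    # callable(phone, message)
        self._clock = clock        # injectable so expiry can be tested offline
        self._pending = {}         # user_id -> record of the one live code

    def issue(self, user_id: str, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Reissuing replaces any earlier code, so only one is ever valid.
        self._pending[user_id] = {
            "salt": salt, "digest": _digest(code, salt),
            "expires": self._clock() + OTP_LIFETIME_S, "attempts": 0,
        }
        self._deliver(phone, f"Your verification code is {code}")

    def verify(self, user_id: str, submitted: str) -> tuple:
        rec = self._pending.get(user_id)
        if rec is None:
            return False, "no code pending"
        if self._clock() > rec["expires"]:
            del self._pending[user_id]
            return False, "code expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]
            return False, "too many attempts"
        if hmac.compare_digest(rec["digest"], _digest(submitted, rec["salt"])):
            del self._pending[user_id]   # single use: a replay finds nothing
            return True, "ok"
        return False, "wrong code"


class FakeClock:
    """Controllable clock for the offline demo."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def demo() -> dict:
    """Exercise the service offline and return the outcome of each step."""
    clock, sent = FakeClock(), []
    svc = OtpService(deliver=lambda phone, msg: sent.append((phone, msg)),
                     clock=clock)
    last_code = lambda: sent[-1][1].split()[-1]   # what the user reads off the SMS
    not_it = lambda code: "000000" if code != "000000" else "111111"
    out = {}
    svc.issue("alice", "+15555550100")
    out["wrong_code"] = svc.verify("alice", not_it(last_code()))[0]
    out["right_code"] = svc.verify("alice", last_code())[0]
    out["replay"] = svc.verify("alice", last_code())[0]
    svc.issue("alice", "+15555550100")
    clock.t += OTP_LIFETIME_S + 1
    out["expired"] = svc.verify("alice", last_code())[0]
    svc.issue("alice", "+15555550100")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", not_it(last_code()))
    out["locked_out"] = svc.verify("alice", last_code())[0]
    return out


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:10s} -> {'accepted' if ok else 'rejected'}")
```

The attempt limit is what keeps a six-digit code from being guessed: without it, a bot gets a million tries within the five-minute window.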
Ad Fraud Solutions
An ad fraud solution like Anura enables you to stop bots in their tracks while also protecting you from malware and human fraud. The solution sits entirely in the background of your website, with no effect on the user experience at all.
Anura detects fraud with precision via a robust, fine-tuned solution that delivers virtually no false positives. Get the peace of mind that comes with knowing you’re never blocking real visitors. This definitive and accurate approach gives you the freedom to run your business without the worries of fraudulent visitors.
With Anura, you’re able to sell more, generate more leads, and optimize your campaigns with the peace of mind that comes with knowing your data is accurate and that fraudsters haven’t taken advantage of you. It’s the easiest way to stop bot traffic—and several other kinds of ad fraud, too—without hurting the user experience.