Why can’t robots pass the CAPTCHA test?

22.11.2023

Selecting all the bridges in the picture, then all the taxis, fire hydrants, dogs, and more, can be very annoying! Especially when you’re in a hurry. Solving the CAPTCHA takes a few seconds but it feels like an eternity! It’s like there aren’t enough annoying things in our lives already, so we need this test to be making an appearance as well. Why do websites bother you with CAPTCHA instead of just letting you right in?

And let’s go one further! How can a 90-year-old grandpa pass a CAPTCHA test, but a modern and powerful robot can’t? We already said it was annoying, but come on, how hard is it to select all the fire hydrants or click on “I am not a robot”? Well, keep reading to learn more about CAPTCHA and how it’s stopping the robots from taking over the world, at least for now…

What is a CAPTCHA?

CAPTCHA is a challenge-response test developed to determine if a user is a human or a robot. It is the acronym for “Completely Automated Public Turing Test to Tell Computers and Humans Apart”.

Researchers at Carnegie Mellon University worked on the concept of CAPTCHA in the late 1990s and the term was coined in 1997. The first widely used CAPTCHA implementation was developed in 2000. These CAPTCHA tests were the distorted or obscured text images you are now very familiar with.

Over time, different types of CAPTCHA tests have been created, including text, image recognition, audio-based tests, and more.

Why do we need CAPTCHA?

CAPTCHA tests were developed to enhance security on the Internet (websites), specifically to mitigate the overwhelming malicious activities executed by automated bots. A bit more than two decades ago, this solution was widely adopted to protect websites against:

  • Account creation and abuse. Bots can create countless fake accounts on websites and online services. These accounts can be used to spread misinformation, post fake reviews, or engage in different frauds and forms of online manipulation.
  • Spamming online forms. Bots can automatically fill out online forms on websites. They can do it non-stop, leading to massive flows of spam messages, comments, or registrations. This can overwhelm website owners and users with irrelevant or inappropriate content.
  • Email address harvesting. Bots are skillful scrapers. They can get email addresses from websites, social media platforms, and forums. The harvested email addresses frequently become targets of spam or phishing attacks.
  • Data scraping. Their ability to scrape is also used to obtain strategic data from websites, such as user information, intellectual property, product prices, etc. This data can be used for competitive analysis, extortion, content theft, or fraud.
  • Click Fraud. Automated bots can simulate clicks on online ads, leading to inflated advertising costs for businesses.
  • Brute Force Attacks. Bots can attempt to gain unauthorized access to user accounts or systems by trying multiple username and password combinations until they find the correct one.

As you can see, maliciously programmed automated bots can truly be a nightmare for Internet users all around the world! That’s why CAPTCHA tests were created. They were thought of as a solution to identify bots and block them.

How do CAPTCHA tests work?

The classic CAPTCHA tests ask users to correctly identify a group of letters. What makes it challenging to answer is that the letters are distorted. Users have to identify the distorted letters, type each of them into a form field, and finally submit the form to be evaluated. The result is simple: if there is a match, the user obtains access to the website and can continue the login process. But if the letters don’t match, the user won’t get access and will be invited to make a new attempt. You’ve probably seen these classic CAPTCHA versions in online polls, banking websites, login forms, e-commerce checkout pages, etc.

The tests were originally designed this way because bots can’t interpret the distorted letters unless they use an extra tool (we’ll talk about that a bit later). The distorted letters aren’t a problem for humans because we are used to deciphering letters in many different contexts like clear and unclear handwriting, different fonts, etc. Bots have tried to pass the tests from the beginning. Their most basic attempt has been to enter letters randomly, but they’ve been caught out easily and then blocked from the websites or applications.
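The server side of the text test described above, as an added example that is not code from the original article: each challenge accepts exactly one answer, expires, and a client that keeps guessing is blocked. The class name, the limits, the case-insensitive match and the `clientKey` (for instance a session or IP) are assumptions made for the illustration.

```javascript
// Added illustration. Names, limits and the in-memory Maps are assumptions.
const TTL_MS = 2 * 60 * 1000;     // a challenge expires after two minutes
const MAX_FAILS = 5;              // wrong answers per client before blocking
const BLOCK_MS = 15 * 60 * 1000;  // how long a blocked client stays blocked

class CaptchaVerifier {
  constructor() {
    this.challenges = new Map(); // id -> { answer, expiresAt }
    this.clients = new Map();    // clientKey -> { fails, blockedUntil }
  }
  // The id must be unpredictable (from a CSPRNG) and the answer stays on
  // the server; only the distorted image and the id go to the browser.
  issue(id, answer, now) {
    this.challenges.set(id, { answer: answer.toLowerCase(), expiresAt: now + TTL_MS });
  }
  verify(clientKey, id, typed, now) {
    const client = this.clients.get(clientKey) || { fails: 0, blockedUntil: 0 };
    if (now < client.blockedUntil) return 'blocked';
    const challenge = this.challenges.get(id);
    this.challenges.delete(id); // single use: right or wrong, this image is spent
    if (!challenge || now > challenge.expiresAt) return 'new-challenge';
    if (String(typed).trim().toLowerCase() === challenge.answer) {
      this.clients.delete(clientKey); // a pass clears the failure counter
      return 'pass';
    }
    client.fails += 1;
    if (client.fails >= MAX_FAILS) client.blockedUntil = now + BLOCK_MS;
    this.clients.set(clientKey, client);
    return client.fails >= MAX_FAILS ? 'blocked' : 'retry';
  }
}

// Constructed walk-through: a human typo, then a client that only guesses.
function demo() {
  const v = new CaptchaVerifier();
  const out = [];
  v.issue('c1', 'xK7mPq', 0);
  out.push(v.verify('human', 'c1', 'xk7mpg', 1000));   // typo
  out.push(v.verify('human', 'c1', 'xk7mpq', 2000));   // c1 is already spent
  v.issue('c2', 'Rt9bWe', 3000);
  out.push(v.verify('human', 'c2', ' rt9bwe ', 9000)); // correct answer
  for (let i = 0; i < 6; i++) {
    v.issue('g' + i, 'aB3dE' + i, 10000);
    out.push(v.verify('guesser', 'g' + i, 'zzzzzz', 10000 + i));
  }
  return out;
}
console.log(demo());
```

Because a wrong answer consumes the challenge, a guessing client gets one attempt per image rather than unlimited attempts against the same letters.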

There are also image recognition CAPTCHA tests in which you get a complete image divided into different squares, or different images in every square. Usually, these are in a 3×3 format with 9 square images – sometimes more squares are used. There, you (the user) must identify the exact images that contain specific objects like street signs, vehicles, traffic lights, animals, etc. If you answer correctly, you pass the test so you can interact with the website or application. If you fail, you can try again.

The problem is that bots can be trained. Through time, bad actors have put great effort into teaching bots how to pass these tests, by programming them to achieve this objective. Now, bots can use machine learning to identify the type of distorted letters we mentioned before. This has pushed developers to make more complex tests to protect websites from bots.

You have surely tried those tests that present a box with the “I’m not a robot” statement. The only thing you have to do is click the checkbox and that is it! Perhaps you thought “How easy; this site trusts me”. Well, no actually – not at all! It evaluates every one of your moves as you bring the cursor toward the checkbox.

What it measures is accuracy on a microscopic level. A bot will take the most direct path to reach the checkbox without hesitating. This is what machines do. They are programmed to be more efficient than humans. If you program a bot to reach a specific point on a webpage, it will go straight to the exact X and Y coordinates. Of course, through coding, it is possible to add instructions that delay its arrival at the checkbox or add some extra trajectory to disguise its identity, but experts maintain that bots still can’t mimic the randomness or lack of accuracy we humans show when we move the cursor.
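A simplified version of that kind of cursor check, as an added example that is not from the original article and not the algorithm of any real CAPTCHA product: it scores how straight the pointer path is and how steady its speed is. The thresholds, flag names and both sample paths are constructed assumptions.

```javascript
// Added illustration. Thresholds and field names are assumptions chosen for
// the constructed samples below, not values used by any real CAPTCHA service.
const STRAIGHTNESS_MAX = 0.98; // direct distance / travelled distance
const SPEED_CV_MIN = 0.15;     // coefficient of variation of segment speeds
const MIN_SAMPLES = 5;         // fewer points means the cursor "teleported"

// samples: [{ x, y, t }] pointer positions in px, t in ms, oldest first.
function analyzePath(samples) {
  if (samples.length < MIN_SAMPLES) {
    return { verdict: 'suspicious', flags: ['too-few-samples'] };
  }
  let travelled = 0;
  const speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const a = samples[i - 1], b = samples[i];
    const dist = Math.hypot(b.x - a.x, b.y - a.y);
    travelled += dist;
    if (b.t > a.t) speeds.push(dist / (b.t - a.t));
  }
  const first = samples[0], last = samples[samples.length - 1];
  const direct = Math.hypot(last.x - first.x, last.y - first.y);
  const straightness = travelled > 0 ? direct / travelled : 1;

  const n = speeds.length || 1; // avoid dividing by zero when no time passed
  const mean = speeds.reduce((s, v) => s + v, 0) / n;
  const variance = speeds.reduce((s, v) => s + (v - mean) ** 2, 0) / n;
  const speedCv = mean > 0 ? Math.sqrt(variance) / mean : 0;

  const flags = [];
  if (straightness >= STRAIGHTNESS_MAX) flags.push('ruler-straight-path');
  if (speedCv <= SPEED_CV_MIN) flags.push('constant-speed');
  // No flag: human-like. One flag: needs a second signal. Two: suspicious.
  const verdict = ['human-like', 'review', 'suspicious'][flags.length];
  return { verdict, flags, straightness, speedCv };
}

// Constructed sample 1: scripted cursor, 10 equal steps every 10 ms.
const scripted = Array.from({ length: 11 }, (_, i) => ({ x: 30 * i, y: 20 * i, t: 10 * i }));
// Constructed sample 2: hand-like arc that overshoots the box and slows down.
const handLike = [
  [10, 400, 0], [60, 395, 16], [130, 370, 33], [190, 320, 52], [235, 260, 90],
  [262, 225, 140], [280, 205, 210], [284, 196, 300], [276, 199, 390], [271, 200, 470],
].map(([x, y, t]) => ({ x, y, t }));

console.log(analyzePath(scripted).verdict, analyzePath(handLike).verdict);
```

A straight path with uneven timing raises only one flag, which is why a single measurement like this is combined with other signals instead of deciding on its own.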

And there is more! To increase the security and make the test more efficient, when you land on most of the pages with the “I’m not a robot” test, it checks much more information than you imagine from your browser, such as your location (IP address), your timezone and time, loading time of the page, which browser you use, plugins, cookies, the resolution and size of your screen, even the number of clicks, scrolls, and keystrokes you have made. It sounds as invasive as it is!

Why can’t robots pass the CAPTCHA test?

Robots can’t pass CAPTCHA tests because the tests are designed to make the user demonstrate purely human characteristics that machines cannot replicate, at least not yet. Let’s not take it as a compliment, because in the first place, our lack of precision and our mistakes are what easily distinguish us from machines.

Besides, we humans are used to pattern recognition, so we can decipher distorted characters. Contextual understanding is also common for us: we can identify objects in an image based on context and not only literally like bots do. We have a deeper language understanding that helps us decipher text-based CAPTCHA or audio CAPTCHA. Just think how many people (different voices) you communicate with daily, through mobile, video calls, physically, in all types of noisy environments (restaurants, streets, bus stations, etc.). We are well trained, but guess what? Robots are getting better and can develop these skills using machine learning.

Are CAPTCHA tests still useful?

CAPTCHA tests are still detecting and blocking bots. But in all these years since their creation, bots have become smarter, and humans haven’t. For sure you have seen how hard some CAPTCHA forms are getting recently. Before it was simple math questions like how much is 1+1 or 4+11, but now you must decipher a very unreadable text. Is it W or VV? You are starting to doubt if the site really wants to let you in. It takes longer to solve them; it is more annoying for regular users and a nightmare for users with impaired vision!

Well, with bots getting smarter every day, CAPTCHA tests had to become more complex to achieve their objective. Nowadays, cyber security is dealing with CAPTCHA farms, more powerful bots, malware, and deep learning techniques. In this scenario, CAPTCHA is not as efficient as it once was. To protect a website, a combination of different technology solutions is required. A single method won’t manage to stop all the existing cyber threats, like bots.

There are challenges ahead for CAPTCHA to survive. Now, some website owners are looking for other security measures, because CAPTCHA tests irritate users (potential clients) too much. Yes, developers have created new versions of CAPTCHA that reduce the users’ intervention to the minimum. For example, the checkbox you click once to state “I’m not a robot”. If your eyebrows raised, yes, then you got it! Users are paying a high cost for this type of easy and less time-consuming test.

To give you a brief context, reCAPTCHA is Google’s CAPTCHA system. The technology was created at Carnegie Mellon University to replace the prior CAPTCHA and it was purchased by Google in 2009. Since version 3, reCAPTCHA does not interrupt you with the test; it runs automatically and simply accesses your browser history and analyzes your location, cookies, interaction with other websites, the number of clicks and keystrokes you have made, etc. If you are getting angry, well, we have to tell you that you agreed when you accepted Google’s terms and conditions.

Conclusion

Bots learn at a fast pace thanks to other technologies so they are a very real and big threat. We strongly need to identify and block them to prevent harm both for websites and users. Imagine if they learn to mimic you and nothing stops them. Multiply the situation by millions of users globally. Security solutions like CAPTCHA must evolve and go at least a couple of steps ahead of the criminals to be useful. There is too much at stake not to try! Don’t you think so?
