- Bots backed by tens of thousands of lines of code are increasingly good at acting like humans.
- That has some cybersecurity experts saying tools like CAPTCHA, designed to make humans prove they are not bots, have failed by targeting us rather than the machines, and that they come at a cost for e-commerce sites in the form of abandoned transactions.
- But Google, which owns reCAPTCHA, says the technology is constantly improving, and other cyber analysts say the underlying bot detection technology has a continuing role to play in combination with newer cyber defense models.
Have you ever been left confused by the mutated text that often appears when trying to make an online purchase, asking you to prove you're not a robot? Or gotten a headache from squinting at your screen, trying to figure out if one of the boxes actually has a bike, car, boat, stop sign or traffic light in it?
These are called CAPTCHAs – an acronym standing for "Completely Automated Public Turing test to tell Computers and Humans Apart."
The tests, invented by a group of researchers at Carnegie Mellon in 2000, are usually made up of text, images or audio and are used as a security measure to detect bot activity online. But some cybersecurity experts say that, beyond annoying human users, they reflect a problem with the underlying approach to cybersecurity.
"The problem that we've seen over the years, that we deal with over and over again, is what would you do if you could look like a million humans? The answer is virtually anything," said Tamer Hassan, co-founder and CEO of cybersecurity firm HUMAN Security, who claims the CAPTCHA system has been categorically defeated by the bots for years.
How machines are becoming more like humans
As a standalone cybersecurity tool, CAPTCHAs can be unreliable because of their partially behavioral-based approach. In addition to tracking the user's ability to solve the puzzle at hand, the tools also monitor actions like how fast a user moves through a webpage or the curvature of their mouse movements. Machine learning and artificial intelligence have become more humanlike over the last decade, Hassan said, and are in some ways far better than humans at solving puzzles at scale. With extensive memory that allows machines to process several things at once, solving a single puzzle like a CAPTCHA can be a fairly simple task for a bot.
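To make the behavioral idea concrete, here is a deliberately simplified sketch of how interaction signals like speed and cursor movement might feed a bot-likelihood score. Real vendors use far richer signals and machine-learned models; the features, thresholds and names below are assumptions chosen only for illustration.

```python
# Toy behavior-based scoring: flag interactions that look "too perfect" to be human.
# Features and thresholds are illustrative assumptions, not any vendor's actual model.
from dataclasses import dataclass

@dataclass
class Interaction:
    seconds_on_page: float           # time between page load and form submission
    mouse_path_straightness: float   # 1.0 = perfectly straight cursor path, lower = more human wobble

def suspicion_score(event: Interaction) -> float:
    """Return a 0..1 score where higher means more bot-like."""
    score = 0.0
    if event.seconds_on_page < 1.0:           # submitted almost instantly
        score += 0.5
    if event.mouse_path_straightness > 0.98:  # machine-perfect cursor movement
        score += 0.5
    return score

print(suspicion_score(Interaction(seconds_on_page=0.4, mouse_path_straightness=0.99)))  # 1.0
```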
CAPTCHA-solving farms have also been used as an inexpensive way to defeat CAPTCHAs. Bots can be programmed to call out to human solving farms overseas, where workers decipher the CAPTCHA, all in the span of a few seconds.
"We shouldn't be testing our humans; we shouldn't be treating our humans like they're the fraudsters," Hassan told CNBC Senior Washington Correspondent Eamon Javers at the CNBC Work Summit in October. "We should be testing the bots in different ways, and so increasing friction on humans is not the way to go."
In today's world, CAPTCHAs used without any additional layers of cybersecurity protection are typically not enough for most enterprises, said Sandy Carielli, a principal analyst for Forrester. However, when used in tandem with other protection measures, CAPTCHAs may be a feasible measure to prevent bot attacks.
"CAPTCHAs on their own are really only part of the story for a lot of sites," Carielli said. "You can think of CAPTCHAs as one piece of the puzzle in a lot of cases."
Carielli's report, "We All Hate CAPTCHAs, Except When We Don't," found that 19% of adults in the United States abandoned an online transaction in the past year after being met with a CAPTCHA.
Google's evolving approach to bot detection
Google acquired reCAPTCHA – a CAPTCHA service developed by Luis von Ahn, one of the original researchers who developed CAPTCHA and went on to co-found language learning app Duolingo – in 2009, and has since developed multiple updated versions of the service. It's now one of the most popular CAPTCHA platforms.
The technology has evolved to make the user experience more seamless, Sunil Potti, vice president and general manager of Google Cloud, said in a statement to CNBC. ReCAPTCHA v3, which was first introduced in 2018, requires no actual interaction with the end user. According to the Google Developers website, reCAPTCHA v3 monitors user interaction within select pages on a website and generates a score of how likely it is that the user is or isn't a bot.
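For readers curious what that score-based flow looks like in practice, below is a minimal sketch of a backend checking a reCAPTCHA v3 token against Google's public siteverify endpoint. The endpoint and response fields come from Google's developer documentation; the function name, "checkout" action label and 0.5 threshold are illustrative assumptions, not Google's recommended configuration.

```python
# Minimal sketch: verifying a reCAPTCHA v3 token server-side.
# Requires the third-party `requests` library (pip install requests).
import requests

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def is_probably_human(token: str, secret_key: str,
                      expected_action: str = "checkout",
                      min_score: float = 0.5) -> bool:
    """Send the client-supplied token to Google and check the returned risk score."""
    resp = requests.post(VERIFY_URL,
                         data={"secret": secret_key, "response": token},
                         timeout=5)
    result = resp.json()

    # 'success' means the token was valid; 'score' runs from 0.0 (likely bot)
    # to 1.0 (likely human); 'action' should match the action tagged on the page.
    return (
        result.get("success", False)
        and result.get("action") == expected_action
        and result.get("score", 0.0) >= min_score
    )
```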
In 2020, Google launched reCAPTCHA Enterprise, which evaluates potential instances of fraud across entire websites as opposed to being restricted to certain pages. ReCAPTCHA Enterprise has helped the technology evolve from an anti-bot tool into an enterprise-grade anti-fraud platform, according to Potti.
While image reCAPTCHA can detect basic bots, sophisticated attackers have developed ways to circumvent the system. Potti said Google is constantly searching for new signals to help protect sites and evaluating its defenses against known bots and CAPTCHA-solving services.
"We are actively focused on building technologies that are difficult for fraudsters and easy for legitimate users, and strongly encourage organizations to adopt the newest versions of reCAPTCHA," Potti said in the statement.
Carielli said reCAPTCHA's technology includes additional aspects of detection and defense that make its CAPTCHA software more reliable. This layered approach allows the service to be a dependable source of bot prevention.
"In a way, CAPTCHAs are evolving because they're not being used just on their own," Carielli said. "They're being used as part of a broader bot management defense, and that's what the evolution is."
Bot management systems employed in conjunction with CAPTCHAs often include techniques such as blocking, delaying and honeypots, Carielli said. With reCAPTCHA Enterprise, the upgrade of the traditional reCAPTCHA process into a comprehensive anti-fraud security platform is helping Google establish itself in the bot management realm, but "it will need to invest aggressively to reach par with other bot management vendors," according to Carielli.
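A honeypot, one of the techniques Carielli mentions, is typically a form field hidden from human visitors that naive bots fill in anyway. The sketch below illustrates the general idea; the field name and handling are assumptions, not any specific vendor's implementation.

```python
# Illustrative form "honeypot": a field hidden from humans (e.g. via display:none)
# that simple bots tend to fill in. Names and logic are hypothetical.
HONEYPOT_FIELD = "website_url"  # hypothetical hidden input in the form markup

def looks_like_bot(form_data: dict) -> bool:
    """Flag a submission if the hidden honeypot field was filled in."""
    return bool(form_data.get(HONEYPOT_FIELD, "").strip())

# A human leaves the hidden field empty; a simple bot fills every field it sees.
assert looks_like_bot({"email": "a@b.com", "website_url": "http://spam.example"}) is True
assert looks_like_bot({"email": "a@b.com", "website_url": ""}) is False
```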
HCaptcha pitches itself as the most popular alternative to Google's reCAPTCHA, running on 15% of the internet as of January. Three versions of hCaptcha are available – Publisher, Pro and Enterprise – and the service includes additional layers of privacy protection, keeping no personal information on users. The company argues that human verification methods such as CAPTCHAs will continue to exist "as long as people remain people."
HCaptcha is a strong CAPTCHA provider in terms of privacy, according to Carielli's research, and the company has security responses in place to strengthen its protection without requiring customers to deploy additional ones. HCaptcha says that as bot attacks have evolved, it has maintained a detection accuracy of more than 99%, and that 99% of people pass its visual challenges on the first or second try. The company says it uses proof of work as well as direct detection and hardware attestation, among other security measures, including more options for enterprise clients.
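Proof of work, one of the measures hCaptcha cites, forces each client to burn a small amount of computation before a request is accepted, which is cheap for one visitor but expensive at bot scale. The hashcash-style sketch below is a generic illustration of the concept; the challenge format, difficulty and encoding are arbitrary assumptions, not hCaptcha's actual scheme.

```python
# Generic hashcash-style proof of work: find a nonce whose hash has N leading zero
# hex digits. Parameters are illustrative, not any vendor's real challenge format.
import hashlib
from itertools import count

def solve(challenge: str, difficulty: int = 4) -> int:
    """Client side: brute-force a nonce so sha256(challenge:nonce) starts with zeros."""
    for nonce in count():
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).hexdigest()
        if digest.startswith("0" * difficulty):
            return nonce

def verify(challenge: str, nonce: int, difficulty: int = 4) -> bool:
    """Server side: recompute a single hash and confirm the leading zeros."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)

nonce = solve("session-abc123")
assert verify("session-abc123", nonce)
```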
"Bots are eternally playing catch-up to us: when they improve, our questions change," an hCaptcha spokesperson said in a statement to CNBC. And he added, "While hCaptcha has included both direct bot detection and proof of work challenges for many years, neither approach is sufficient on its own to deal with more sophisticated or larger scale attacks."
'Hard for CAPTCHAs to keep up'
Even when they do catch suspicious activity, Hassan said, CAPTCHAs degrade the user experience in ways that can have much more significant impacts for a business in areas like conversion, usability or product adoption.
Forrester Research survey data indicates that whatever frustrations consumers experience with e-commerce cybersecurity, overall feelings about CAPTCHAs are split right down the middle: nearly equal shares of U.S. adults reported feeling safer when asked to complete a CAPTCHA and feeling frustrated by the request.
One way to minimize the human frustration that sometimes comes with CAPTCHAs could be to present them only when a user first creates an account or profile on a website, as opposed to every time a transaction is made, according to Prateek Mittal, the interim director of the Center for Information Technology Policy at Princeton University. This would reduce the number of times consumers are confronted with CAPTCHAs, but the idea isn't completely viable, as it would potentially decrease the number of cybersecurity checkpoints in place.
Machine learning isn't perfect and will make mistakes, Mittal said in a recent interview with CNBC, so it is also important to include humans in the loop when creating cybersecurity systems to recover from any errors.
"It will be hard for CAPTCHAs to keep up with the massive innovations in technology," Mittal said. "I think it's fair to say that we will likely see different types of security systems."
Correction: hCaptcha has security responses in place to strengthen its protection without requiring the customer to deploy additional responses. An earlier version of this article misstated this security protocol.