Why are CAPTCHAs still used?

The success of your online business hinges on your customers’ ability to properly recognize crosswalks or traffic lights.

I’m, of course, referring to CAPTCHAs, the online security tool that asks end users to prove they’re human by recognizing specific elements in various images. Unfortunately, the process is far from foolproof, and these days it can be easily bypassed by cybercriminals.

The other problem with CAPTCHAs is the way they affect your conversion rates. As far back as 2009, companies were complaining about the technology, saying that it was imperfect, difficult, and drove some customers away from completing a purchase.

So, if it doesn’t offer the protection it once did, and its major accomplishment for the past 12 years is that it slows down the customer purchase process, we have to ask ourselves: Why are CAPTCHAs still a thing?

Where did CAPTCHA come from?

According to Wikipedia, CAPTCHA “…was coined in 2003 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford. The most common type of CAPTCHA (displayed as Version 1.0) was first invented in 1997 by two groups working in parallel.”

Currently there are more than twenty vendors providing CAPTCHAs, with reCAPTCHA from Google in use on more than 6 million websites.

The technology has been around for a while, and it’s well ingrained as a normal part of doing business on the internet. According to BuiltWith, more than one-third of the top 100,000 websites use CAPTCHAs. Companies feel they must use it, and consumers (somewhat begrudgingly) accept it. Should this be the case? Shouldn’t there be another way to prove users’ humanity and detect bots?

Do CAPTCHAs even work anymore?

In a basic sense, sure. They serve as a gateway, preventing basic bots and fraudsters from accessing a website.

But while attack technology has evolved, CAPTCHAs have not kept up with the times. Even though they have been improved to be less invasive (and don’t require identifying traffic lights or crosswalks all of the time), they still introduce friction and are easy to bypass.

Today’s bot operators have a wealth of tools available to them; there are both AI-driven technologies that can evade a CAPTCHA and manual labor approaches that can do the work for them. These tools are widely available at a low cost (or no cost at all) with a quick web search. Even folks without a technical background can easily find a bot to evade CAPTCHAs, let alone a bot that will help them to line-jump and purchase desired limited edition goods before other consumers.

Now, if anyone can do this, think about what well-funded, well-staffed criminal organizations can do. They have the money, people, and technological know-how to bypass any security solution presented to them – and they can easily do so at scale.

The bottom line is that the types of fraud and abuse you’re looking to prevent simply won’t be stopped by a CAPTCHA. All you will do is frustrate a loyal customer that missed the corner of a crosswalk and must look at another series of images to prove that they’re not a bot.

How bots bypass CAPTCHAs

The most common way for a bot to bypass a CAPTCHA is through low-cost, outsourced manual labor from what’s referred to as a “CAPTCHA farm” (it’s essentially a digital sweatshop). There are APIs, browser plugins, and other methods available on the web that make it easy for bot operators to connect with a group providing this service.

The company 2CAPTCHA, for example, outsources its work within emerging economies, and charges bot operators less than $1 for every 1,000 CAPTCHAs solved. In fact, it’s becoming even more economical for services like this to be offered.

The way it works is that a bot attempts to access a website to purchase goods and is served up a CAPTCHA to prove that the request has come from a human. The bot then uses an API key to send data to a CAPTCHA farm. A human worker at the farm then solves the CAPTCHA on the bot’s behalf, and sends the authorization token back to the bot. Next, the bot submits the authorization token to the website, and the website allows the bot’s request for access, as it would if it were a legitimate user.

Now that the CAPTCHA is bypassed, the bot operator can easily purchase goods or commit fraud. This can be done on a massive scale by bot operators, only costing them pennies on the dollar for every purchase made. When you’re talking about high-in-demand goods, like exclusive sneakers, graphic cards or PS5 consoles, the profit margins to be had are huge.

If not traffic lights, then what?

Whether it’s ineffective CAPTCHA technology or an unrealistic idea like making every user purchase their own security dongle, what’s clear is that there simply needs to be a greater effort made on the part of businesses to identify and protect against bots. Preventing bots should be part of the base-level requirements for securing an online business.

Part of the problem is that CAPTCHAs seem to be an easy solution to the problem, one supported by many big names in the technology industry. This leads most online businesses to feel it’s OK to implement it, believe it’s working, and look the other way when told that it isn’t. It’s like a form of plausible deniability – “We use CAPTCHAs to prevent attacks and protect our customers and site.”

For some reason, we’ve collectively decided that it’s OK to either hide behind this technology that doesn’t catch anything, or to throw up our hands and say that bots are a fact of life. It’s time for this to end.

This means we all need to hold companies – not their customers – accountable for stopping this type of fraud and unwanted access. To fix the problem, there needs to be investment in modern approaches that enable malicious automation – bot usage – to be detected as they try and conduct business. While this may mean a decrease in business for those that photograph traffic-related symbols, it will result in a safer, fairer online business environment for all.