Everyone, every online user, at some point in time (most probably during a purchase) has outwardly professed "COME ON!" when trying and failing to enter a CAPTCHA.
There is an old Ellen DeGeneres joke which dryly states whoever is in charge of CD packaging must be sarcastically mean. Personally, this is how I feel about the inventor and users of the CAPTCHA.
Where did the CAPTCHA go wrong? How did it start with the best intentions of hackers and grow into a security solution almost guaranteed to cause cart abandonment? Why does the CAPTCHA make me/us so mad? Why hasn't something else come along to replace the CAPTCHA yet?
In this post, we explore the history of the CAPTCHA, noted issues with the bot/spam tech and possible alternatives.
It should be clear by now, I hate the CAPTCHA. Every Internet user has been forced to use one and every Internet user has been frustrated by one, or many - err - all of them. CAPTCHAs are terrible and yet, the CAPTCHA, much like the inventions of Thomas Midgley Jr., began as a project to help.
The story of the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), much like everything on the Internet, finds its origins within the hacking community. Although slightly nefarious in nature, the modern day CAPTCHA sprung out of a desire by the hacking community to post about sensitive topics within online chat forums without having to worry about the content of their postings being monitored and picked up by lurking authorities.
To get around their security concerns, hackers devised a method of conversation which converted words to look-alike characters. An example is HELLO to |-|3|_|_(). The basic premise of the conversion was to ensure online filters could not pick up the context of written correspondence.
In the 1980s, across various IRCs and BBSs, this method of symbol ciphers eventually became known as leetspeak (also called Leet or 1337).
It has to be noted, while CAPTCHA has its foundation in the early days of Leet, 1337 continued on and is still in use today to serve as a security cipher.
AltaVista and the term "CAPTCHA"
The next jump leading to the CAPTCHA came from two separate teams, one working out at AltaVista and the other working at the university level.
In 1997, the AltaVista team, made up of Lillibridge, Abadi, Bharat and Broder, began work on a system to prevent Internet bots from adding active URLs to the AltaVista search engine platform. To do this, the AltaVista team worked to prevent OCR (Optical Character Recognition) attacks by building puzzles and images which would cause OCR attacks to fail. Essentially the AltaVista team worked to create a system of varied typefaces, backgrounds, type styles and sizes which would fool OCR readers. Although crude, the system worked.
The second team, made up of Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford, gave birth to the term CAPTCHA in 2003.
From 2003 on, CAPTCHAs have been in constant use across the Internet without many updates, fixes, patches or general overhauls.
The basic premise of the CAPTCHA is simple yet highly annoying. Within the name, the term "automated" is at the same time both wonderful and terrible. The CAPTCHA was designed to run as a wholly independent process from human involvement. While this has made the process fast, it has also caused the CAPTCHA to become a set-it-and-forget-it Internet tool. Like Google Voice, the CAPTCHA is in horrible need of an update and yet, like Google Voice, no major update has ever come.
Sure, there has been an evolution in the type of CAPTCHAs which are used across the Internet, yet all said, no major update to CAPTCHA has ever come nor has any new tech overtaken CAPTCHA as the standard for bot/spam elimination. The Akismet filter for WordPress comes close, yet it is nowhere near as ubiquitous or publicly known. More on this in a bit.
At this point, you might be questioning, "if no major update has ever come, maybe CAPTCHAs work? Maybe CAPTCHAs work so well, no update is needed?" While a nice thought, it couldn't be further from the truth.
CAPTCHAs are supposed to fight against bots dead set on spamming websites. The very premise of the technology is to create text and images hard enough to read that bots cannot "read" them to fill out a user information form. The problem is, the premise of CAPTCHAs has not stayed current with the practice of defeating CAPTCHAs.
In poll after poll after poll, modern day bots have been shown not only to bypass CAPTCHAs more often than not, they have also been able to bypass honey pots built into the system. For reference, a honey pot is an invisible field which human eyes cannot see during a form filling process yet bots routinely fill out.
As with all things, CAPTCHAs have evolved to try and stay ahead of spamming bots. As CAPTCHAs have evolved from single words to phrases, to grainy pictures (as above) and grainy pictures matched with strikethrough text, they have tried to stay ahead of bots without continually interfering with and annoying real users. Yet, this is exactly what has happened.
As CAPTCHA tests have become harder for bots, they have also become harder for humans. As noted in the aforementioned studies and surveys linked above, the harder CAPTCHAs have become, the more the human dropout rate (cart abandonment) increases. The bottom line is even as CAPTCHAs have grown to become more difficult for bots, the reality is bots are routinely defeating CAPTCHA tests while more and more humans are not. Another way of saying this: the modern day CAPTCHA test is accomplishing the exact opposite of what it originally set out to accomplish.
So, if CAPTCHAs are failing to accomplish their primary goal, what can be done to get the test back on track, or what solution can be implemented to supplant the Completely Automated Public Turing Test to Tell Computers and Humans Apart security failure?
We have already hit on one of the possible solutions. As mentioned earlier, if the CAPTCHA test is meant to filter spam out of the system by defeating bots, the Akismet filter might be a viable option. Might be a viable option is key. If you Google, "Does Akismet Work?" or "How Effective is Akismet?", you quickly see that opinion and statistics on Akismet are split. Some people and surveys love it. Some people and surveys hate it. From the data available, the only clear aspect of Akismet is that it might work, for some people, some of the time and it might fail, for some people, some of the time. Consensus is split. Akismet works and it doesn't work. It's a toss up.
The Honey Pot
Adding honey pot fields to an online form is a very popular form of spam filtering. As noted, the basic idea of a honey pot is to add an invisible field to a form which human eyes cannot see. When filled out, the system flags the submission as spam, thus filtering the bot out of the system. As noted in the aforementioned linked content, honey pots enjoy a more successful rate of spam filtering than the CAPTCHA, yet they can also be defeated by bots.
The honey pot is a more successful bot/spam filtering method than CAPTCHA; however, like the CAPTCHA, it can be worked around by self-teaching bots.
Somewhat Complex Mathematical Equations
Another popular alternate CAPTCHA method is mathematical equations. The catch with mathematical equations serving as spam filters is that the problems presented have to be complex enough for bots to fail yet simple enough for human minds to understand/work through. This means a basic problem such as 2 + 2, although elementary and universal, offers no resistance to bots. On the other hand, a problem such as 4 x 24 - 13 / 3 would sufficiently defeat a bot yet might also defeat a non-mathematically-inclined human user. Again, the habitable zone falls in the middle.
Nothing too complex yet complex enough to defeat spamming machines. Where that line falls is anyone's guess.
Text Message or Email Verification
Google and Amazon utilize text/email verification a decent amount. Instead of taking a CAPTCHA test, users are asked for their mobile number or email account information. Once entered, the service sends an automated message to the submitted address containing a verification code. While this method defeats bots (bots don't own mobile tech), it runs into the issue of human spammers utilizing services like Google Voice or free email accounts to move past verification checkpoints.
Is text/email verification more useful in terms of filtering out spam bots than the CAPTCHA or honey pot? Without question. Is text/email verification susceptible to human spammers circumventing the system with fake phone/email accounts? Without question. Does text/email verification pose a possible security risk of hackable personal information shared freely over the Internet? 100%.
On average, how long does it take you to fill out an online form with 10 fields of data entry? If you are like most people, you fill out the average online form within a few minutes. If you are a bot though, that form is filled out instantaneously. The idea behind time thresholds is to flag any form submissions which take under a certain amount of time to fill out.
For this system to work, developers have to:
Likewise, for this system to be compromised, spammers have to:
It should be noted, this method works, yet only to a point. As you might have guessed, setting time thresholds requires study on behalf of those setting the wall, and guesswork/targeted spam attempts on behalf of spammers. The solution works, yet not all the time.
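The honey pot field and the time threshold described in the two sections above are usually combined in one server-side check. The block below is an added example written for this post, not code from the original; it assumes a hidden field named `website_url` (a constructed name), a minimum fill time of 5 seconds, and a server secret that in real deployments would come from configuration rather than a literal. The one detail the text glosses over is where the "time the form was rendered" comes from: if it is a plain timestamp in a hidden field, a bot can simply backdate it, so the example signs the timestamp with an HMAC and refuses submissions whose token does not verify.

```python
import hashlib
import hmac
import time

# Assumptions for this example: a real deployment loads the secret from config,
# and the honey pot field name is an arbitrary constructed choice.
SECRET_KEY = b"example-secret-change-me"
HONEYPOT_FIELD = "website_url"   # rendered off-screen via CSS, labelled "leave blank"
MIN_FILL_SECONDS = 5.0           # faster than a human can plausibly type 10 fields
MAX_FILL_SECONDS = 3 * 3600      # older tokens are treated as stale, not as spam


def issue_form_token(issued_at=None):
    """Token to embed in the form when it is rendered: '<unix time>.<hmac>'.
    The HMAC ties the timestamp to the server secret, so a submitter cannot
    backdate it to fake a slow, human-looking fill time."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    msg = str(issued_at).encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_form_token(token):
    """Return the issue timestamp if the token's signature checks out, else None."""
    try:
        ts_str, sig = str(token).split(".", 1)
        issued_at = int(ts_str)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, ts_str.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing info.
    if not hmac.compare_digest(expected, sig):
        return None
    return issued_at


def classify_submission(form, now=None):
    """Classify a submitted form (dict of field name -> value).
    Returns (verdict, reason) where verdict is 'ok', 'spam' or 'review'."""
    now = time.time() if now is None else now

    # Honey pot: humans never see this field, so any content means a script filled it.
    if str(form.get(HONEYPOT_FIELD) or "").strip():
        return ("spam", "honey pot field was filled in")

    # Time threshold: only trust the render time if the token is genuine.
    issued_at = verify_form_token(form.get("form_token", ""))
    if issued_at is None:
        return ("spam", "missing or forged timing token")

    elapsed = now - issued_at
    if elapsed < MIN_FILL_SECONDS:
        return ("spam", f"form completed in {elapsed:.1f}s")
    if elapsed > MAX_FILL_SECONDS:
        # A stale page is not evidence of a bot; route it to moderation instead.
        return ("review", "timing token is stale")
    return ("ok", "passed honey pot and timing checks")


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    token = issue_form_token(1_000_000)
    print(classify_submission({"form_token": token, "name": "Ann"}, now=1_000_045))
    print(classify_submission({"form_token": token, "name": "Ann",
                               "website_url": "http://example.invalid"}, now=1_000_045))
    print(classify_submission({"form_token": token, "name": "Ann"}, now=1_000_001))
    print(classify_submission({"form_token": "999000." + token.split(".")[1]}, now=1_000_045))
```

Two design points worth keeping when adapting this: hide the honey pot with CSS positioning rather than `type="hidden"` (many bots skip hidden inputs but fill visible-looking text fields), and give it a label telling screen-reader users to leave it empty so the check does not fail the visually impaired users the post worries about elsewhere.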
Fun and Simple Games
Using games to fight against spam is quickly becoming one of the most used forms of bot filtering. Instead of deploying the CAPTCHA, companies ask users to play a small game to prove they are human. The games can be anything from making a cartoon character jump up and down with your mouse to piloting a cartoon rocket into space using your keyboard. In addition to defeating bots, games have the added pleasure of adding a level of fun to human verification methods over the standard dullness presented by other verification systems.
The only major issue: games will not work for the visually impaired.
The last alternative to be mentioned in this space is the audio prompt. Instead of entering text presented by a CAPTCHA, some services provide an audio prompt - "Write These Words" - to prove the user is human. While a good method in theory, in practice the technology hinges on user speaker audio quality, the audio quality of the automated audio presenter and the ability of the user to hear.
Like games, audio security tests are ruled out by many services to ensure they do not alienate or leave behind a variety of human users.
Form submission security is needed for both the provider and the consumer. No one likes spam or being spammed. At this point, it is clear that the CAPTCHA has run its course and some other security tech needs to step in. While other forms of spam/bot filtering have risen to the surface, none are yet used widely across the Internet and none currently have the backing to supplant the CAPTCHA.
With this in mind, what do you think about the CAPTCHA? Do you love it or do you hate it? If you dislike it, what are some alternatives you believe can step in to supplant it?