At BotRx, we’re always wary about giving away secrets that cybercriminals can use as guidebooks for conducting automated attacks. But if we can be blunt for a moment, is it really a secret that CAPTCHA is easy to defeat? From Death by CAPTCHA, an entire site dedicated to CAPTCHA-solving services, to a recent article on using artificial intelligence to crack Microsoft Outlook’s CAPTCHA or Google’s latest reCAPTCHA, even novice adversaries don’t have to go far to get what they need.
If there’s money to be had, bots will try. The problem is that years ago humans were already failing CAPTCHA challenges that machine learning algorithms solved with ease, so making the puzzles harder isn’t the answer. In 2020, CAPTCHA provides little more than a false sense of security to the people who deploy it. The sophistication of modern machine learning and artificial intelligence gives bots the clear advantage and makes them the clear victors in the CAPTCHA wars.
Is CAPTCHA Hurting Your User Experience?
CAPTCHA is always implemented with good intentions. Keeping bad bots out is important for protecting customers. But bots can defeat 90% of CAPTCHAs. Even setting that aside, asking your customers to pick out images of traffic lights and stop signs is an irritating experience.
User experience is more important than ever before. But so is security, which makes the balancing act challenging for many companies. At best, CAPTCHA is a waste of time; at worst, it actively blocks sales. Companies using CAPTCHA should consider A/B testing it to measure how it affects the user experience on their own websites. An eCommerce site, for example, could compare shopping cart abandonment and completed checkouts with the CAPTCHA on and off.
Moz, an SEO research firm, ran exactly that test to answer one question: does CAPTCHA reduce conversions? The answer was yes.
Figure 1: CAPTCHA’s Effect on Conversion (CAPTCHA Turned Off)
- 2,134 total conversions were entered while the CAPTCHA was off.
- 91 total SPAM conversions while the CAPTCHA was off.
- 0 total failed conversions while the CAPTCHA was off.
Figure 2: CAPTCHA’s Effect on Conversion (CAPTCHA Turned On)
- 2,156 total conversions were entered while the CAPTCHA was on.
- 11 total SPAM conversions while the CAPTCHA was on.
- 159 total failed conversions while the CAPTCHA was on.
According to Moz, “with CAPTCHA on, there was an 88% reduction in SPAM but there were 159 failed conversions. Those failed conversions could be SPAM, but they could also be people who couldn’t figure out the CAPTCHA and finally just gave up. With CAPTCHAs on, SPAM and failed conversions accounted for 7.3% of all the conversions for the 3 month period. With CAPTCHAs off, SPAM conversions accounted for 4.1% of all the conversions for the 3 month period. That possibly means when CAPTCHAs are on, the company could lose out on 3.2% of all their conversions!”
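The Moz figures are easier to act on when the arithmetic and a significance check are written down, so here is an added worked example of how to evaluate a CAPTCHA A/B test. It is not Moz’s or BotRx’s code. The counts are the ones from Figures 1 and 2; the bookkeeping is an assumption Moz does not spell out but which reproduces their 4.1%, 7.3% and 3.2%: the “total conversions” are clean, completed submissions, spam and failed submissions are counted separately, and attempts = clean + spam + failed. The dollar values in the usage call (a lead worth $50, $5 to handle a spam lead) are hypothetical placeholders.

```python
"""Evaluate a CAPTCHA A/B test: spam blocked versus conversions lost.

Added worked example; not Moz's or BotRx's code. Counts are the Moz
figures quoted on this page. Assumed bookkeeping (Moz does not state it,
but it reproduces their 4.1% / 7.3% / 3.2%): 'conversions' are clean,
completed submissions; spam and failed submissions are counted
separately; attempts = clean + spam + failed.
"""
from dataclasses import dataclass
from math import erf, sqrt


@dataclass(frozen=True)
class Arm:
    name: str
    clean: int   # completed, non-spam conversions
    spam: int    # completed submissions that were spam
    failed: int  # attempts that never completed (0 when no CAPTCHA)

    @property
    def attempts(self) -> int:
        return self.clean + self.spam + self.failed

    @property
    def spam_share(self) -> float:
        return self.spam / self.attempts

    @property
    def waste_share(self) -> float:
        """Spam plus failed attempts per attempt (Moz's 4.1% vs 7.3%)."""
        return (self.spam + self.failed) / self.attempts

    @property
    def clean_rate(self) -> float:
        """Clean conversions per attempt: the number the business cares about."""
        return self.clean / self.attempts


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> tuple[float, float]:
    """Pooled two-proportion z-test; returns (z, two-sided p-value).

    Raw counts from two arms can differ by chance; check that before
    acting on a percentage point or two.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    phi = 0.5 * (1 + erf(abs(z) / sqrt(2)))  # standard normal CDF at |z|
    return z, 2 * (1 - phi)


def spam_reduction(off: Arm, on: Arm) -> float:
    """Relative drop in the per-attempt spam rate with the CAPTCHA on."""
    return 1 - on.spam_share / off.spam_share


def clean_rate_drop(off: Arm, on: Arm) -> float:
    """Fraction of attempts that stopped turning into clean conversions."""
    return off.clean_rate - on.clean_rate


def breakeven_human_share(off: Arm, on: Arm,
                          value_per_conversion: float,
                          cost_per_spam: float) -> float:
    """Share of failed attempts that may be real humans before the CAPTCHA
    costs more than it saves (money figures are hypothetical, caller-supplied).

    Spam prevented is estimated by applying the off-arm spam rate to the
    on-arm's volume; the failed attempts are the unknown: bots or people.
    """
    prevented = off.spam_share * on.attempts - on.spam
    saved = prevented * cost_per_spam
    cost_if_all_human = on.failed * value_per_conversion
    if cost_if_all_human == 0:
        return 1.0  # nothing failed, so no humans could have been lost
    return min(1.0, saved / cost_if_all_human)


# Constructed from the figures on this page (Moz, 3-month test).
CAPTCHA_OFF = Arm("captcha off", clean=2134, spam=91, failed=0)
CAPTCHA_ON = Arm("captcha on", clean=2156, spam=11, failed=159)


if __name__ == "__main__":
    z_spam, p_spam = two_proportion_z(CAPTCHA_OFF.spam, CAPTCHA_OFF.attempts,
                                      CAPTCHA_ON.spam, CAPTCHA_ON.attempts)
    z_clean, p_clean = two_proportion_z(CAPTCHA_OFF.clean, CAPTCHA_OFF.attempts,
                                        CAPTCHA_ON.clean, CAPTCHA_ON.attempts)
    print(f"spam reduction:     {spam_reduction(CAPTCHA_OFF, CAPTCHA_ON):.1%} "
          f"(z={z_spam:.1f}, p={p_spam:.1e})")
    print(f"waste share off/on: {CAPTCHA_OFF.waste_share:.1%} / {CAPTCHA_ON.waste_share:.1%}")
    print(f"clean-rate drop:    {clean_rate_drop(CAPTCHA_OFF, CAPTCHA_ON):.1%} "
          f"(z={z_clean:.1f}, p={p_clean:.1e})")
    # Hypothetical figures: a lead is worth $50, handling a spam lead costs $5.
    share = breakeven_human_share(CAPTCHA_OFF, CAPTCHA_ON, 50.0, 5.0)
    print(f"CAPTCHA pays off only if under {share:.1%} of failed attempts were humans")
```

Both differences are far outside chance at these sample sizes (z of roughly 8 for spam, roughly 4.7 for clean conversions), so the Moz result is not noise. The part the data cannot settle is who the 159 failed attempts were; at the hypothetical $50/$5 figures the CAPTCHA only pays for itself if fewer than about 5% of them were real people, which is the sensitivity a practitioner should run with their own numbers before keeping a CAPTCHA on a revenue-bearing form.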
A Better Way to Secure
It seems like a lose-lose situation, but it isn’t. While CAPTCHA clearly blocks some basic bots, it isn’t effective enough to justify the damage it does to the user experience. Other bot mitigation approaches could be the answer. The growing problem, though, is the malicious use of artificial intelligence.
Defenders and cybercriminals are locked in a cat-and-mouse game over who can use technologies like artificial intelligence and machine learning better. Bots will keep growing more sophisticated as the fraudsters behind them train them on algorithms that make the bots appear more human. Simply trying to identify who or what is behind a user session won’t be enough to reduce attacks like account takeover, checkout abuse, and ticket scalping.
At BotRx, we are pioneering bot mitigation. Using Moving Target Defense, your attack surface becomes dynamic so that bots can never find what they seek. Unlike other bot mitigation vendors, we do not rely on the same artificial intelligence and machine learning technologies that the adversaries are also employing. To get behind the scenes on more of today’s most popular attacks, read our blog What Does Phishing Have to do With Bad Bots?