Is CAPTCHA Redundant?
Is CAPTCHA Redundant?
Automated routines aim to prevent bots flooding websites with unwanted activity but also drive away regular users and are readily bypassed by SPAMers
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is one of several automated routines designed to limit access to websites. Some of this traffic is seemingly pointless SPAM. Obviously harmful attacks include Credential Stuffing where lists of stolen user names and passwords are input to web-forms in the hope of gaining unauthorised access. There are legitimate requirements to bypass CAPTCHA within the field of web scraping. Bots run through the web harvesting data for purposes such as emails for targeted marketing, price comparisons, stock price information and product reviews. These may need submission onto a form to gather details or sites may be protected to restrict unwanted traffic flooding the site.
CAPTCHA type tests expect the user to click a box, input text or select parts of an image to prove they are human. In some cases these tests can be almost impossible to fathom out. Solving may require detecting small elements of unfamiliar images or recognising heavily scrambled letters and numbers. Failure often presents another test and can result in potential customers giving up and finding alternate suppliers.
The system could be justified if it were trusted to always work but it is relatively easy to overcome. Software can recognise elements within an image and return the correct answer. Even if the system is very hard for algorithms to solve the puzzle can be sent to human users who will return the result. There is usually a cost for any solving service. If some of this cost needs to be passed on to a human worker then the final income they receive will be very low. Earnings could be as little as $2 for an 11-hour day. The solver is paid for each puzzle solved but at a higher rate for more complex systems (such as reCAPTCHAs vs CAPTCHAs) and with a bonus for faster rates of providing correct solutions. In the case of human and robot solutions the key to the puzzle is sent back to the operator as code that can be inserted within their automated stuffer software allowing the data entry barrier to be bypassed with minimal delay.
There are many solving services available to those wanting to stuff websites. Generally they charge the user for the number of puzzles solved and by type of puzzle. There could be a different rate for CAPTCHA, reCAPTCHA and reCAPTCHA v3 amongst other barriers. The system may provide an API to integrate with the stuffer’s existing software. Some products are available as plug-ins for popular browsers.
The process of avoiding CAPTCHA like barriers is not illegal and the cost per use is very low. This may be charged in groups of a thousand or more solutions so is clearly aimed at serious SPAMers and hackers rather than the casual surfer. The whole process is at best ‘shady’ there is no guarantee that the process is going to work out. The big players offer dedicated support and have an interest in being seen as reputable if not entirely ethical. Some providers come and go with a ‘take the money and run’ business profile. Although avoiding CAPTCHA can benefit the casual web user, especially those with poor vision who cannot discern the puzzle, Kindus cannot recommend any such service due to the risk of malware infection or outright fraud. The reviews of one Firefox plug-in reCAPTCHA solver on the official Firefox site include comments suggesting that the product does not work and that it can take over the host browser.
The current evolution of the CAPTCHA service is reCAPTCHA Enterprise from Google. There is no image or text to interact with but Google rates the behaviour of the browser as and before it accesses the data entry page together with expected traffic to the page. This information is then used to gain or deny access. It does seem to offer an improved user experience but could lead to genuine users being unexpectedly denied access. It would probably impact more on users wishing to hide their browsing history and who are not willing or able to submit to 2FA (Two Factor Authentication) to prove their identity. While these individuals might be more likely to be up to no good they could still be genuine customers.
Kindus would not usually recommend the use of image recognition routines to prevent data stuffing as they are relatively easy to overcome. Dedicated attackers will also cycle their source IP addresses to circumvent automatic blocks of suspicious actors. Kindus can advise on alternative routines that will meet a user’s specific data protection needs.