Businesses urgently need to rethink CAPTCHAs
CAPTCHAs are a headache for customers and businesses alike
Are you a human?
This question has become nearly ubiquitous in our daily online activity when making a purchase, filling out a form, or booking a ticket. Whether in the form of a puzzle, question prompt or a check box, for most people, rarely a day goes by without being asked to complete a CAPTCHA.
It’s vitally important for businesses to know if a website or app user is a human or a bot for many reasons – including protecting against DDoS cyberattacks, scalpers and data-scrapers that might use the information of a website without consent – and CAPTCHAs have long been a part of that process.
Originally, visual CAPTCHAs served distorted images that bots couldn’t interpret, or used simple math problems that could stump a machine. But now, fraudsters have adopted more sophisticated techniques to bypass these traditional CAPTCHAs, including a combination of AI and human-labor. In this process, a bot will leverage AI for automated image or audio recognition and if it's unable to solve the test, it will be sent to a CAPTCHA farm, where human workers solve the test.
A world where websites cannot effectively detect genuine users is harmful for businesses and consumers. We need only look at the volume of disappointed Taylor Swift fans who had tickets scooped from under them by scalpers or the rising amount of DDoS attacks to see the worrying consequences. For this reason, businesses urgently need to reevaluate the kinds of security challenges they are serving.
Vice President of Research at DataDome.
A headache for businesses and consumers alike
Perhaps traditional CAPTCHAs could be tolerable if they were effective. But DataDome’s aggregate customer data shows 50% of “users” that pass them are actually bots. This isn’t surprising; traditional CAPTCHAs are easily completed by bots because they were never coupled with sophisticated security logic for advanced and evolving threats.
Nonetheless, some have doubled down on the existing CAPTCHA-dependent security approach, suggesting the only way to outrun this problem is to create increasingly difficult CAPTCHAs, an approach ominously labelled by some as ‘CAPTCHA hell’. It’s an accurate description of a process that has become vastly more annoying and onerous over time, where the path of least resistance for some businesses has become the path of maximum friction for users.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
That’s a problem; businesses should want to provide a seamless user experience that is as pleasant as possible, because it directly impacts their bottom lines. A Stanford study showed including CAPTCHAs on a form reduced sales conversions by up to 40%, turning away potential buyers with frustrating processes. That frustration rings especially true for users with visual impairments, dyslexia, dyspraxia and other disabilities, finding many CAPTCHAs more difficult to use, especially as they grow more complex.
That being said, the consumer perception of CAPTCHAs is a nuanced one. A recent Forrester study found that while consumers feel frustration when faced with CAPTCHAs, they also feel more secure seeing the test. It is therefore worthwhile for companies to consider how these security procedures affect the user experience of their company websites.
For a business conducting thousands, if not millions, of online transactions every day, these small inconveniences that alienate or frustrate a customer can add up significantly in the aggregate, leading to unhappy customers and depressed sales figures.
A better solution - Invisible challenges, an alternative to CAPTCHAs
Imagine then, if we rethought the traditional model for CAPTCHAs, which have proven to be neither effective from a security standpoint, nor ideal for the customer experience. What then?
The good news is that we don’t have to imagine this scenario; it’s already possible. Thanks to ‘invisible challenges’, a website or app can distinguish between a bot and a human with astounding accuracy – drastically reducing the need for users to see a visual CAPTCHA.
Whether it's blocking scraping bots, or identifying fraudulent traffic, invisible challenges are a powerful tool. By collecting thousands of signals in the background, such as those related to the user device (like browser/device fingerprints), or detecting proxies used by fraudsters, invisible challenges ensure online security and an optimal, seamless user experience.
The “invisible” nature of these challenges means they are much harder for bots to adapt to and learn from, given the code operates behind the scenes and doesn’t present the bot with an obvious test on which to perform A/B testing. Ultimately giving the edge back to the online businesses.
While these challenges don’t eliminate the need for CAPTCHAs altogether, they can be combined with new techniques for CAPTCHAs which are far less frustrating and time consuming for users. A combined approach like this means businesses can maintain flexible options in response to suspicious or malicious behavior.
Rather than either/or, businesses can arm themselves against bots by employing invisible challenges and CAPTCHAs, eliminating the need for a manual test in almost all cases, while still retaining a user-friendly, last line of defense. Instead of placing the security burden onto the customer, this method will allow for a frictionless experience while simultaneously improving security – and revenue – for businesses.
We've featured the best firewall software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Antoine Vastel is Head of Research at DataDome - the bot and online fraud protection platform.