RIP, CAPTCHA

At the online RSA Conference 2021, researchers talked about CAPTCHA farms.

In a panel discussion at RSA Conference 2021 about Web attacks and online fraud, researchers discussed lessons drawn from studies of cybercriminal tactics and attacks on large organizations. One speaker, former law enforcement officer Dan Woods, talked about his experience training as a CAPTCHA farm worker. The work was copious and the pay meager (about $3 a day), but his main takeaway was that CAPTCHA is no longer fit for its purpose.

Generally speaking, if an interface is created for a human, there is no need for a bot to access it. Programs communicate with each other through APIs, not user interfaces; a bot trying to access an online resource or service through a user interface is almost certainly part of an exploitation attempt.

For many years, CAPTCHA, a mechanism for distinguishing human users from computers, has waged a lonely war against illegal bots. Many services, including online banking systems and loyalty programs, still use it. But can we still trust CAPTCHA?

What is a click farm?

Click farm refers to the human element of click fraud: lots of people clicking on ads that pay per click, boosting Web pages’ search rankings, or driving up likes, views, votes, and other metrics. Bots used to do the clicking, but the use of antifraud algorithms has led scammers to engage real people instead.

Some click farms, like the one that hired Woods, specialize in CAPTCHA services, taking over for bots that encounter verification issues.

The CAPTCHA farm worker’s job is to perform tasks that are very simple for a person but that a machine cannot reliably solve. They may select images containing a fire hydrant, decipher a distorted sequence of letters, solve a very simple arithmetic problem, or do any number of other, similar chores.

You may have seen a variation on the theme of this image circulating online:

Internet meme about robots and CAPTCHAs

Well, it’s not just a joke.

Do you need CAPTCHA?

Users have never been particularly fond of the CAPTCHA mechanism. There is always room for error: accidentally clicking the wrong image, missing a fire hydrant lurking in the background, missing a character in the jumble of letters and numbers. Even if nothing goes wrong, the CAPTCHA process is UX-negative — that is, it disturbs the flow and detracts from the user experience.

Also, CAPTCHA farms are not the only tool scammers use against CAPTCHA. Some, for example, are still trying to build AI capable of solving such riddles. As imperfect as they are, CAPTCHA mechanisms represent one more layer of protection, so using them seems sensible. But nothing is ever that simple.

CAPTCHA alternatives

CAPTCHAs no longer reliably protect against intruders, and they annoy real users. All in all, it’s probably time to abandon this outmoded mechanism.

Fortunately, however, CAPTCHAs are not the only automated means to determine whether a human or a machine is trying to access the system. For a better option, look to Kaspersky Fraud Prevention’s Advanced Authentication, which eliminates unnecessary authentication steps and creates a seamless user experience.

Thanks to machine-learning technologies, Advanced Authentication uses extensive user behavior analysis, passive biometric indicators, data about the device from which someone is requesting authentication, their environment, and more to decide quickly and correctly whether to allow the user to log in, perform additional verification, or restrict access. At its heart, the technology accurately determines whether the service is being accessed by a person or a machine.

More details about the solution are available here.
