Why do websites still use CAPTCHA?
This is just one of the stories from our “I’ve Always Wondered” series, where we tackle all of your questions about the world of business, no matter how big or small. Ever wondered if recycling is worth it? Or how store brands stack up against name brands?
Listener Jake Raskob asks:
Why is CAPTCHA still a thing? Some websites require a response to verify human users and block automated bots. Completing these challenges often feels like a waste of time and money. Can’t current artificial intelligence technologies “prove” they are a human (to a computer)?
To prove you’re an actual human on the internet, you might have to correctly identify all the fire hydrants in a photo, or rotate an animal to make sure it faces just the right direction.
This often frustrating, time-consuming test is known as CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Solving an image-based CAPTCHA test can take 15 to 26 seconds, according to a recent study.
“The original idea was to try to prevent spam and the fraudulent creation of new accounts. So for example, one way somebody might go about sending spam might be to create 10,000 Gmail accounts,” said Chester Wisniewski, director and global field chief technology officer at the cybersecurity company Sophos. “Companies’ email filters aren’t going to block Gmail because they would block too much legitimate mail. So the criminals always want to mix in their behavior with authentic behavior.”
CAPTCHAs are inconvenient, at best, for most visitors and can make the internet less hospitable to people with impaired hearing or vision. In many cases, they can be defeated by cybercriminals with the right know-how.
But we will continue to see them because websites are desperate to combat spam, Wisniewski said.
New iterations of CAPTCHA only work for a short window of time because bad actors eventually find ways to solve them, he said. If you want to prevent robots from taking over, you have to define what it means to be human. That existential question has plagued us for millennia.
“With modern, advanced AI, it’s getting harder and harder to tell if anything is real,” Wisniewski said.
Wisniewski said every alternative to CAPTCHA he can think of would be worse for users’ privacy. “The only real way to solve this would be everybody has to have a national ID that’s got biometric data in it, and every time you want to go to one of these websites, you need to show your ID,” he said.
A spokesperson for hCaptcha, a leading independent developer of CAPTCHA tests, said that while the tests can’t completely banish fraud and abuse online, they still serve as “a valuable tool for defenders.”
One downside to some CAPTCHAs is that visually impaired people may not be able to see the text they need to identify, Wisniewski said. However, if you make it more accessible, that can negate the whole point of the test, he added.
For example, there might be an audio option allowing sight-impaired users to listen to the characters they must type out. “But, of course, it’s so easy for a computer to hear something say, ‘6347,’” Wisniewski said.
Some systems, like Google’s reCAPTCHA v3, don’t rely on sensory ability, creating “less friction for legitimate users,” a Google Cloud spokesperson said.
Instead of posing a challenge, reCAPTCHA v3 assigns each visitor a risk score. That score is based on your behavior on the page, such as your mouse movements, and the website decides what to do with it.
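What a website actually does with such a score happens on its own server, not in Google's code. The following is an added illustration (not from the article or from Google): the backend sends the visitor's token to the siteverify endpoint and gets back a JSON verdict in the documented shape (`success`, `score`, `action`, `hostname`, `error-codes`); the function below shows how a defender acts on that verdict. The sample verdicts, the `signup` action, the `example.com` hostname and the 0.5 / 0.1 thresholds are constructed assumptions for the example, and no network call is made.

```python
import json

# The real verification endpoint; this example does not call it, it only
# shows how to act on the JSON it returns.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def assess(verdict_json: str, expected_action: str, expected_host: str,
           threshold: float = 0.5) -> str:
    """Return 'allow', 'challenge' or 'reject' for one siteverify verdict.

    Order of checks: the token must be valid; it must have been minted for
    the action and hostname this endpoint protects (a good token for the
    login page must not be accepted on the signup form); then the score
    decides. A low-but-plausible score gets a visible fallback check rather
    than a hard block, so an unusual-looking human is not locked out.
    Thresholds are assumptions; tune them per action from your own traffic.
    """
    v = json.loads(verdict_json)
    if not v.get("success"):          # expired, reused or bad token
        return "reject"
    if v.get("action") != expected_action or v.get("hostname") != expected_host:
        return "reject"               # token replayed from another form/site
    score = float(v.get("score", 0.0))  # 1.0 = very likely human, 0.0 = bot
    if score < 0.1:
        return "reject"
    if score < threshold:
        return "challenge"            # fall back to a visible CAPTCHA
    return "allow"


# Constructed sample verdicts in the documented siteverify shape.
HUMAN = json.dumps({"success": True, "score": 0.9, "action": "signup",
                    "hostname": "example.com",
                    "challenge_ts": "2024-01-01T00:00:00Z"})
BORDERLINE = json.dumps({"success": True, "score": 0.3, "action": "signup",
                         "hostname": "example.com"})
BOT = json.dumps({"success": True, "score": 0.05, "action": "signup",
                  "hostname": "example.com"})
REPLAYED = json.dumps({"success": True, "score": 0.9, "action": "login",
                       "hostname": "example.com"})
INVALID = json.dumps({"success": False,
                      "error-codes": ["timeout-or-duplicate"]})

if __name__ == "__main__":
    for name, verdict in [("human", HUMAN), ("borderline", BORDERLINE),
                          ("bot", BOT), ("replayed", REPLAYED),
                          ("invalid", INVALID)]:
        print(name, "->", assess(verdict, "signup", "example.com"))
```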
There’s money to be made in verifying humanity: hCaptcha provides a basic plan for free, although website owners can pay about $100 for more sophisticated features as part of its “pro” plan. Meanwhile, Google’s reCAPTCHA system offers up to 10,000 assessments a month for free. The standard reCAPTCHA plan charges $8 for up to 100,000 assessments a month.
This could be an industry with longevity. As criminals devise new methods to evade CAPTCHAs, companies will have to come up with counterattacks.
“AI will continue to improve, and both attackers and defenders will rapidly adopt improved models. This is an eternal cat-and-mouse game,” the hCaptcha spokesperson said.
There’s just too much money at stake for malicious actors who want to ensnare people in financial scams, Wisniewski said.