CAPTCHA has been at the forefront of anti-bot technology since the late ‘90s. Most CAPTCHA technologies, however, haven’t really evolved much from their progenitors. Meanwhile, OCR techniques, machine learning algorithms, and human-based click farms have drastically advanced in that same time period. Now, with our new partnership with FunCaptcha, Distil customers have access to a modern CAPTCHA that’s harder for bots and easier for humans.
The History of CAPTCHA
CAPTCHA technology—a form of Turing test—has been around since 1997, with two teams of people laying claim to its invention. Back then the AltaVista team used it to prevent bots from gaining leverage on its search indexing system. Their CAPTCHA required bots to do some minor computation before being permitted to push URLs to the AltaVista search engine. Machines couldn’t perform such computation at the time, as the internet was very basic.
Human CAPTCHA Solution Rate
The typical text-based CAPTCHA has an appallingly low 65% solution rate by humans. This means that many potential customers were failing such a test on their way to making a purchase. Frustrated, they would quickly give up and go elsewhere.
Google CAPTCHA and reCAPTCHA
reCAPTCHA v2 uses a Google.com cookie to let users bypass the Google CAPTCHA challenge. But a 2016 Black Hat Asia paper exposed this method, showing how bots can easily collect the cookies and bypass the challenge.
Being nothing more than a slightly different integration, Google’s so-called Invisible reCAPTCHA is the same as its checkbox reCAPTCHA version 2. It’s not a new form of security; it simply presents a new user experience. Furthermore, reCAPTCHA depends on highly intrusive user activity snooping, which raises privacy and trade secret concerns.
Invisible reCAPTCHA has all the deficiencies of reCAPTCHA; it’s easy for an attacker to automatically be presented with the checkbox—or in this case the invisible mode. Even the grid puzzle has been proven to be crackable, should an attacker be presented with one of these.
Automated CAPTCHA Solution Rate
Since the 1997 AltaVista days, the technology for machines to solve CAPTCHA puzzles has rapidly evolved. Modern OCR and machine learning algorithms, coupled with human click farms, can solve CAPTCHAs at scale and for as low as $.001 each. Essentially, they’re taking CAPTCHA screenshots and then having computers translate them into usable text. Pricing per thousand can range from two to forty dollars.
That same text CAPTCHA now has a 98.8% accuracy level when interpreted by bots using OCR. So as CAPTCHAs become more advanced, so do the tools for solving them.
Many Distil customers have complained that most attackers could easily get past reCAPTCHA in great numbers. The bottom line is that solving CAPTCHA and reCAPTCHA can still be automated more than 80% of the time.
A New Partnership with FunCaptcha -- Easy for Humans, Hard for Bots
Gamification is at the core of FunCaptcha—it makes it very easy for humans to quickly solve the challenge and continue on. At the same time, some of the displayed items are altered in a way that makes it very difficult for machines to correctly evaluate.
Why is FunCaptcha difficult for machines to solve? First, it creates unique images—they don’t exist outside of the company. They use multiple camera angles in 3D models to defeat traditional image mapping techniques. A human would have to tell a machine, "Hey, this image is that of a dog."
- FunCaptcha uses 100% custom-generated 3D models
- Each model has millions of unique images
- None of the images can be found by search engines or matched to existing images
- Should all variants of a model be custom-mapped using automation, the model is changed
FunCaptcha defeats machine learning by making each training action cost something:
- FunCaptcha keeps a running history of user attempts; brute force guessing only spawns more puzzles—not validation
- Timed challenges in response to attacks only increase sweatshop operational costs; using humans to manually verify puzzle solutions costs money per image trained
- Models are frequently changed to make the above two methods impractical
Additionally, the multiple camera angles used in the 3D images make pixel mapping impractical. And images can be superimposed in such a way that humans can still easily decipher them—but not machines.
FunCaptcha offers a wide toolkit of available game types, with new games continually under development. And if a customer doesn’t care for a specific game—due to internal policies, for example—we offer FunCaptcha customizations to answer that need. (Contrast this with reCAPTCHA, which doesn’t offer any type of customization.)
About the Author
Engin Akyol, our Co-Founder and CTO, came to Distil Networks from Cisco Systems, where he had five years of experience providing networking and network testing consulting for core enterprise customers as part of Cisco’s ECATS group. Engin’s responsibilities included creating and executing test plans based on customers’ requirements, interacting with developers to provide quick resolution to issues, and providing recommendations for deploying new networking equipment and software.