Stop Bots From Bypassing Captcha With Distil Networks

 

Introducing Distil CAPTCHA-- Easy for Humans, Hard for Bots

CAPTCHA has been at the forefront of anti-bot technology since the late ‘90s. Most CAPTCHA technologies, however, haven’t really evolved much from their progenitors. Meanwhile, OCR techniques, machine learning algorithms, and human-based click farms have drastically advanced in that same time period. Now, with the launch of Distil CAPTCHA, Distil customers have access to a modern CAPTCHA that’s harder for bots and easier for humans.

The History of CAPTCHA

CAPTCHA technology—a form of Turing test—has been around since 1997, with two teams of people laying claim to its invention. Back then the AltaVista team used it to prevent bots from gaining leverage on its search indexing system. Their CAPTCHA required bots to do some minor computation before being permitted to push URLs to the AltaVista search engine. Machines couldn’t perform such computation at the time, as the internet was very basic.

Human CAPTCHA Solution Rate

The typical text-based CAPTCHA has an appallingly low 65% solution rate by humans. This means that many potential customers were failing such a test on their way to making a purchase. Frustrated, they would quickly give up and go elsewhere.

Google CAPTCHA and reCAPTCHA

reCAPTCHA v2 uses a Google.com cookie to let users bypass google captcha challenge. But a 2016 Black Hat Asia paper exposed this method, showing how bots can easily collect the cookies and bypass the challenge.

Being nothing more than a slightly different integration, Google’s so-called Invisible reCAPTCHA is the same as its checkbox reCAPTCHA version 2. It’s not a new form of security; it simply presents a new user experience. Furthermore, reCAPTCHA depends on highly intrusive user activity snooping, which raises privacy and trade secret concerns.

Invisible reCAPTCHA has all the deficiencies of reCAPTCHA; it’s easy for an attacker to automatically be presented with the checkbox—or in this case the invisible mode. Even the grid puzzle has been proven to be crackable, should an attacker be presented with one of these.

Automated CAPTCHA Solution Rate

Since the 1997 AltaVista days, the technology for machines to solve CAPTCHA puzzles has rapidly evolved. Modern OCR and machine learning algorithms, coupled with human click farms, can solve CAPTCHAs at scale and for as low as $.001 each. Essentially, they’re taking CAPTCHA screenshots and then having computers translate them into usable text. Pricing per thousand can range from two to forty dollars.

That same text CAPTCHA now has a 98.8% accuracy level when interpreted by bots using OCR. So as CAPTCHA becomes more advanced, so do the tools for solving them.

Bypass recaptcha

Many Distil customers have complained that most attackers could easily get past reCAPTCHA in great numbers. The bottom line is that solving CAPTCHA and reCAPTCHA can still be automated more than 80% of the time.

Introducing Distil CAPTCHA-- Easy for Humans, Hard for Bots

Gamification is at the core of Distil CAPTCHA—we make it very easy for humans to quickly solve the challenge and continue on. At the same time, we alter some of the displayed items in a way that makes it very difficult for machines to correctly evaluate.

Why is Distil CAPTCHA difficult for machines to solve? First, we create our own images—they don’t exist outside of the company. Use of multiple camera angles in 3D models defeat traditional image mapping techniques. A human would have to tell a machine, "Hey, this image is that of a dog."

  • Distil CAPTCHA uses 100% custom-generated, 3D models
  • Each model has millions of unique images
  • None of the images can be found by search engines or matched to existing images
  • Should all variants of a model be custom-mapped using automation, the model is changed

Distil CAPTCHA

Distil CAPTCHA defeats machine learning by making each training action cost something:

  • Distil CAPTCHA keeps a running history of user attempts; brute force guessing only spawns more puzzles—not validation
  • Timed challenges in response to attacks only increase sweatshop operational costs; using humans to manually verify puzzle solutions costs money per image trained
  • Models are frequently changed to make the above two methods impractical

Additionally, multiple camera angles used in the 3D images makes pixel mapping impractical. And images can be superimposed in such a way that humans can still easily decipher them—but not machines.

Distil CAPTCHA offers a wide toolkit of available game types, with new games continually under development. And if a customer doesn’t care for a specific game—due to internal policies, for example—we offer Distil CAPTCHA customizations to answer that need. (Contrast this with reCAPTCHA, which doesn’t offer any type of customization.)

 

 

 

About the Author

Engin Akyol

Engin Akyol, our Co-Founder and CTO, came to Distil Networks from Cisco systems where he had five years of experience providing networking and network testing consulting for core enterprise customers as part of Cisco’s ECATS group. Engin’s responsibilities included creating and executing test plan’s based on customers’ requirements, interacting with developers to provide quick resolution to issues, and providing recommendations for deploying new networking equipment and software.

More Content by Engin Akyol
Previous Article
Rami Essaid CEO of Distil Networks Interviewed on BizTalkRadio’s “The Big Biz Show”
Rami Essaid CEO of Distil Networks Interviewed on BizTalkRadio’s “The Big Biz Show”

Rami Essaid CEO of Distil Networks Interviewed on BizTalkRadio’s “The Big Biz Show”.

Next Article
Five Rules of Exceptional Customer Support
Five Rules of Exceptional Customer Support

If you run a support team, at some point in your career you will encounter a critical customer impacting ev...