As cybersecurity experts, it’s been fascinating to watch the evolution of CAPTCHA. While you are probably familiar with the acronym, you may not know that CAPTCHA stands for “Completely Automated Public Turing Test To Tell Computers and Humans Apart,” coined by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University in 2000.
The Evolution of CAPTCHA
When first developed, CAPTCHA asked users to read distorted text and type the letters into a box prior to registering for accounts, posting blog comments, purchasing products and services, etc. Since bots and other computer programs were incapable of performing that task, CAPTCHA helped prevent fraud by keeping some scammers out of the system.There are numerous companies offering CAPTCHAs as fraud prevention tools, including Google, which acquired reCAPTCHA in 2009.
Security Issues
After Artificial Intelligence (AI) reached the point at which it could solve distorted text at 99.8% accuracy, Google introduced the No CAPTCHA reCAPTCHA in 2014. Rather than solving a CAPTCHA, individuals are asked to check a box that says, “I’m not a robot” to validate that they were truly a human. Other CAPTCHA providers also developed alternative forms of CAPTCHAs to deal with the AI fraud issue, such as math-solving and image-solving scenarios. Despite these improvements, there are still many ways for bad actors to get around CAPTCHA systems. CAPTCHA bots and CAPTCHA farms even exist where low-skilled workers are utilized to mass solve CAPTCHAs for rates as low as 80 cents for 1,000 solved codes. Recent CAPTCHA attack systems presented at Black Hat Asia in Singapore showed a more than 70% CAPTCHA-cracking success rate with an average running time of just 19.2 seconds.
The CAPTCHA User Experience
In a 2015 study by the Ponemon Institute and sponsored by Telesign, “The Fraud Report: How Fake Users Are Impacting Business,” 58% of respondents stated convenience was most important to their fraud prevention strategy, and 42% of respondents said ease of use was critical. User experience is definitely an area in which CAPTCHA often falls short.CAPTCHA requires users to solve a problem prior to completing a desired action during their account experience. This disrupts the flow and can lead to customer abandonment. Frequent failures at entering the correct CAPTCHA solution can result in a negative impact on conversions and therefore on revenue. While new versions of CAPTCHAs that use images instead of text are easier for humans to solve, they can be near impossible for individuals with eyesight challenges or disabilities. Different studies conducted by Stanford University, Webnographer and Animoto, showed that there is an approximately 15% abandonment rate when the users are faced with CAPTCHA challenge.
The Bottom Line: Are CAPTCHAs Effective or Not?
CAPTCHAs can be effective, but in terms of security and user experience, they are not the best option. Asking people to spend time solving a CAPTCHA word or image challenge is unnecessary, and typically frustrating to users. Beyond that, it doesn’t do very much to increase security.
Phone Verification: The Best Solution
Phone verification, as opposed to CAPTCHA, ensures that real and legitimate humans are creating and accessing accounts – without disrupting user experience. The process is easier for businesses to integrate and for end-users to complete. Telesign offers phone verification through SMS or voice one-time passcodes. The valid end-user verifies that they are who they say they are by entering their phone number, receiving an SMS or voice verification code to their mobile device and then re-entering that code where prompted on the website or mobile application.For mobile apps, it’s even easier. Developers can easily embed frictionless phone number verification on iOS and Android using SMS and voice capabilities This process not only serves as a verification that they are a real human, but it also connects a valid phone number to their account – something no fraudster wants to do. There is no complicated problem solving involved at any stage of the process and yet it is extremely difficult for any type of AI to pass this test.Authenticating users through their valid phone numbers – at account registration and throughout the account lifecycle – is a far more secure and end-user-friendly process than CAPTCHA. Learn more about how Telesign helps reduce fake accounts, streamline the registration process and prevent account takeovers by checking out our typical use cases or signing up today.”
