
CAPTCHAs have become an unavoidable part of being online, and users are constantly being asked whether they are human.
Why? Because bots have become an ever-present reality of our economy. London’s top restaurants are adopting mandatory minimum spends to stop bots from stealing top reservations, while exclusive shoe drops and concerts are implementing increasingly convoluted pre-sales. Bots have even increased the wait time to book your driving test. Their reach into everyday life seems endless.
It’s incredibly important for businesses to know which of their users are real, and which are bots. When a customer has to pay 5 times more to get a ticket for their favourite artist because a bot got there first, it can do permanent damage to a business’s reputation. Not only that, but bots can present significant cybersecurity threats.
Until a couple of years, or even months, ago, CAPTCHAs were still crucial to the operation of the internet, functioning like a protective wall around a website’s core functionality. The trouble is that, as with any wall, you can always build a longer ladder.
From reading distorted numbers to exercises that combine puzzles with behavioural analysis, every time the technology has advanced meaningfully, so have fraudsters.
Newer generations of multi-modal AI, which can perform advanced pattern recognition, have formed the backbone of supercharged bots. These are capable of forging fingerprints, mimicking human behaviour using machine learning, and fooling traditional CAPTCHAs up to 100% of the time. Fraudsters and broader fraud networks could be deploying thousands or more of these bots at any given time.
This is the CAPTCHA trap – if businesses rely on CAPTCHAs, they will always be at the mercy of new technologies and methods that current defences cannot stop. So the question remains: how can businesses get out of it?
CAPTCHAs – a lose/lose deal
As we’ve established, many CAPTCHAs are not only ineffective at deterring fraudsters, but have become a very poor metric for determining whether a user is human or not. Worse, poorly designed CAPTCHAs can have a direct impact on a business’s bottom line by creating a slow, inefficient and frustrating process for the customer.
As CAPTCHAs have become increasingly complex and convoluted, we’ve entered what some have called ‘CAPTCHA hell’, which creates a worse customer experience over time. In fact, a Stanford study showed that websites with CAPTCHAs reduced their sales conversion by up to 40% compared to those that didn’t. That frustration rings especially true for users with visual impairments, dyslexia, dyspraxia and other disabilities, who find many CAPTCHAs more difficult to use, especially as they grow more complex.
While some users have been shown to feel more secure when seeing the test, it is a slippery slope from procedures that reassure to those that frustrate, and the data bears out that clunky and annoying CAPTCHAs alienate many users. For websites such as e-commerce sites that demand a steady pipeline of online transactions, turning away users at this rate could have severe consequences for their revenue stream.
Moving on from the CAPTCHA model
Thankfully, a more effective alternative to the current model already exists. It uses methods called ‘invisible challenges’, sparing website visitors additional friction and enabling businesses to focus on delivering the customer experience they would like to. Instead of a visible test, this approach relies upon AI-powered behavioural analysis that can identify suspicious activity quickly and deploy countermeasures on detection.
Programs like these collect thousands of data points, such as a user’s device, the location of that device and the user’s behaviour through the website, and deploy secondary security measures if they identify suspicious behaviour. This method ensures that only a fraction of your customer base will ever see any kind of security measure like a CAPTCHA.
These advanced solutions can deploy countermeasures adaptively: responding to low-level bots with honey-trapping, intentionally limiting their speed and ability to navigate the internet quickly in the hope of causing a malicious user to abort their attack, or simply locking suspicious users out of the website.
Significantly, the fact that these challenges are “invisible” makes it much harder for bots to learn how to counter them, because they work on the back-end of a website and don’t allow bots to perform A/B testing. This allows businesses to regain the edge over the fast development of bots and fraudsters.
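The behavioural scoring and adaptive countermeasures described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor; the signal names, weights and thresholds are assumptions chosen for illustration, and the sessions are constructed.

```python
from statistics import mean, pstdev

# Hypothetical weights and thresholds (assumptions); real systems tune these on traffic.
W_HONEYPOT, W_TIMING, W_RATE, W_GEO = 0.6, 0.25, 0.25, 0.15

def risk_score(s):
    """Combine honey-trap, behaviour, speed and device/location signals into 0..1."""
    score = 0.0
    if s["honeypot_filled"]:            # hidden form field that only scripts fill in
        score += W_HONEYPOT
    gaps = s["event_gaps_ms"]           # time between input events
    if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
        score += W_TIMING               # near-constant gaps look scripted, not human
    if s["requests_per_min"] > 60:      # faster than a person reads pages
        score += W_RATE
    if s["ip_country"] != s["device_tz_country"]:
        score += W_GEO                  # device and network location disagree
    return min(score, 1.0)

def countermeasure(score):
    """Escalate server-side; only the uncertain middle band sees a visible test."""
    if score >= 0.8:
        return "block"                  # lock the session out
    if score >= 0.5:
        return "throttle"               # deliberately slow responses down
    if score >= 0.25:
        return "challenge"              # secondary check such as a CAPTCHA
    return "allow"

def decide(sessions):
    """Return the countermeasure chosen for each named session."""
    return {name: countermeasure(risk_score(s)) for name, s in sessions.items()}

# Constructed sample sessions, not real traffic.
SESSIONS = {
    "shopper":   dict(honeypot_filled=False, event_gaps_ms=[180, 950, 420, 2300],
                      requests_per_min=6, ip_country="GB", device_tz_country="GB"),
    "ambiguous": dict(honeypot_filled=False, event_gaps_ms=[300, 310, 305, 298],
                      requests_per_min=12, ip_country="FR", device_tz_country="GB"),
    "scraper":   dict(honeypot_filled=False, event_gaps_ms=[100, 100, 101, 100],
                      requests_per_min=300, ip_country="GB", device_tz_country="GB"),
    "form_bot":  dict(honeypot_filled=True, event_gaps_ms=[50, 50, 50],
                      requests_per_min=120, ip_country="US", device_tz_country="GB"),
}

if __name__ == "__main__":
    for name, action in decide(SESSIONS).items():
        print(f"{name:10s} score={risk_score(SESSIONS[name]):.2f} -> {action}")
```

Because the decision is made on the server, a client only observes the outcome, not which signal triggered it.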
While bots will remain a serious and significant risk to websites across the internet that requires dedicated resources to stop, an approach that balances the need for security with an optimised customer experience has to be the way forward.