A Completely Automated Public Turing test to all Computers and Humans Apart (CAPTCHA), is a test designed to distinguish human users from bots, to reduce the amount of bot traffic hitting a website.
Where CAPTCHA is used
CAPTCHA tests are often used on email login pages, forums and comment sections of a blog or news site to specifically prevent spam bots and automated brute force attacks. As threat actors have become increasingly sophisticated, CAPTCHAs have in turn needed to adapt to remain effective.
How CAPTCHA works
While traditionally, CAPTCHAs required a user to copy a jumbled sequence of numbers and letters. However, users are now more likely to see a grid of images from which they must, for example, select all images with bridges or all images with a set of traffic lights.
Types of CAPTCHA
What are the different types of CAPTCHAs? They are defined as follows:
- Text-based CAPTCHAs. These tests are designed to verify that you are human by requiring you to identify letters in a distorted format. For example, the image may appear as a bunch of vertical or horizontal lines. You must type the word or number presented in the boxes above each line. In some cases, this exercise is made more difficult if there are several words appearing in one line instead of one word at a time.
- Digital CAPTCHAs. Digital tests use symbols rather than text characters for verification, but they all follow the same basic principles – test your intelligence against an automated system. Solutions include shapes, colours, sounds and pictures (for example users have to select all images containing a cat).
- Image manipulation CAPTCHAs. Image manipulation tests are designed to identify the presence of real human users by looking for certain imperfections and inconsistencies in uploaded images. A common test is where an image is divided into 25 separate segments, and then each segment is warped slightly (up to 10 degrees). Humans can successfully identify the original image while automated programs cannot as they do not have enough information within each segment to correctly predict or recreate the whole image.
- Cryptographic CAPTCHAs. Cryptographic tests are designed to verify that a user is human based on the answer to a question which must be solved using mathematical methods – for example, calculating 1+1. The back end system uses an algorithm such as a hash function to generate the correct response that then needs to be deciphered by a user. Cryptographic CAPTCHAs are also combined with image manipulation tests in some cases.
Most popular CAPTCHAs
- reCAPTCHA – this is a free tool from Google that helps websites fight spam and abuse. When you type a word in the box, it asks you to verify that you’re human by clicking on all the images that have a predefined symbol in them.
- No CAPTCHA reCAPTCHA – No CAPTCHA is an advanced type of reCAPTCHA that allows you to create a seamless experience for anyone filling out forms on your site. It sends the data from each form directly to Google, so it’s difficult for attackers to defeat No CAPTCHA and bot detection protections.
- Math CAPTCHA – a friendly CAPTCHA that asks you to enter the result of a math equation.
- hCAPTCHA – A CAPTCHA service that complies with the EU’s General Data Protection Regulation (GDPR), which means user data is encrypted, and human rights are protected.
The problem with CAPTCHAs
CAPTCHA tests are problematic from both a usability and accessibility perspective. Because CAPTCHA’s rely on a distorted text that is difficult for an automated program to recognize, users often find them impossible or extremely frustrating to complete. In order to overcome this challenge, users may employ various workarounds by asking a friend, colleague or family member for help.
CAPTCHA’s also impede accessibility for the elderly and other users with vision or dexterity impairments. In particular, people who are blind or living with failing eyesight often struggle to read distorted text on web forms which render CAPTCHAs unreadable. This in turn bars these users from registering on a website, posting comments, voting, reading news articles and even checking their email.
CAPTCHA evasion techniques
- CAPTCHA forms are fundamental to the web/sec admin’s detection and response arsenal, significantly reducing the number of spambots to a website and mitigating the effects of a brute force attack. Due to their ongoing usage, threat actors continue their attempts to defeat their tests using a variety of automated evasion techniques. Amongst the most common evasion strategies are CAPTCHA farms.
- CAPTCHA farms bridge the gap between threat actors and the site they want to access via a CAPTCHA form. A bot is integrated via a third-party API and when faced with a CAPTCHA form, a request is sent to a real human on a farm, who will solve the challenge. The human-generated response is sent to the bot, who solves the challenge via the web application and their “human” status is verified.
Blocking CAPTCHA evasion techniques
CAPTCHA continues to play a critical role in most cybersecurity solutions however, they are not enough on its own.
Netacea takes a smarter approach to bot management. Our Intent AnalyticsTM powered by machine learning quickly and accurately distinguishes bots from humans to protect websites, mobile apps and APIs from automated threats while prioritising genuine users. Actionable intelligence with data-rich visualisations empowers you to make informed decisions about your traffic.
Talk to our team of cyber-security experts today to discover more about our pioneering approach to bot management to help you detect unwanted bot activity and defend against it.
Frequently asked questions about CAPTCHAs
Why do I have to solve CAPTCHA?
CAPTCHA is used to ensure that the actions you are about to perform (such as posting a comment on an article) are performed by humans and not programs.
What does a CAPTCHA look like?
A CAPTCHA is usually a box with distorted text in it. The distorted letters sound either like gibberish or make no sense at all. You have to type those letters into the box correctly before you can complete your action, such as posting a comment on an article.
How do I report the abuse of CAPTCHAs?
You can report the abuse of the CAPTCHA form to the site administrator.
What if I can’t solve the CAPTCHA?
If you are unable to solve a CAPTCHA, the best suggestion would be to contact an administrator of that specific website. The site administrator might have provided instructions on how you can report the abuse and request assistance.
What are SMS captchas?
Some websites use phone numbers instead of emails for people who prefer not to register accounts on sites before logging in and using their services; these are referred to as “SMS” (short message service) CAPTCHAs. These accounts usually require a verification code sent via SMS to the phone number you used when registering for the account.
What is Google reCAPTCHA?
Google reCAPTCHA is a free CAPTCHA service that helps defend websites against spam and abuse. It uses advanced risk analysis technology to distinguish human from malicious traffic, allowing sites to ensure their users are bona fide people. Additionally, it implements the latest in privacy protection as it does not require data collection of any kind such as IP addresses or email address/names that could be used for tracking purposes.
How can I configure my forms with reCAPTCHA?
There are two easy ways to get started using reCAPTCHA: basic setup and advanced mode. With a basic setup, a developer can manually add the reCAPTCHA widget to their website or blog form via a snippet of code. Advanced mode is more suitable for professionals who do not wish to change their platform, as it allows you to integrate Google’s API into your own plugins. For help with these options and more visit https://www.google.com/recaptcha.
How can I create my own CAPTCHAs?
You can create your own CAPTCHAs using different tools and services which allow you to design them according to your needs and preferences. It is recommended that you contact cybersecurity professionals in this case.
Who invented CAPTCHA?
The CAPTCHA was invented by Luis von Ahn and his team at Carnegie Mellon University in 2000.
When was CAPTCHA first used?
The first time CAPTCHA was used on the web was in 2000 when it was used to help digitise books.
How many websites use CAPTCHA?
There are over 200,000 major sites worldwide using Google’s reCAPTCHA service. Other services like No CAPTCHA also offer free anti-bot solutions for website owners of all sizes who do not require any further information from their users apart from an email address, which is never required for registration but will only be used to send a code via email should the user forget his or hers password.
Does CAPTCHA really work?
There have been reports that a computer will develop the ability to solve these tests within 5 years. However, such studies are highly disputed and they show results with little confidence levels due to various statistical issues in their processes. There are also many assumptions about it such as whether you remember your previous passwords or data but this is not confirmed because there is no way to track this information. This may be possible to happen in the future however we can safely say that for now, digital solutions can mitigate security risks posed from hacking mechanisms of bots and malicious programs through additional measures such as machine learning, cybersecurity best practices network monitoring and data encryption.
What is the purpose of CAPTCHA?
CAPTCHA serves as a barrier to automated computer programs or scripts known as bots from accessing secure web pages by humans alone; this helps reduce or eliminate abuse, fraud, identity theft etc. For instance, it can help prevent someone from using a robot program to create an account on a website by automatically submitting information to the web page.
How are WebCAPTCHA and No CAPTCHA reCAPTCHA used?
WebCAPTCHA is used to collect information from users in order to create a key for the reCAPTCHA system. No CAPTCHA reCAPTCHA is used when users do not need to be authenticated and instead only want to verify if they are humans or not. They both use statistical analysis of user inputs such as mouse movements, mouse clicks, typing speed etc.
Which browsers support WebCAPTCHA and No CAPTCHA reCAPTCHA?
WebCAPTCHA is compatible with all popular browsers like Edge, Firefox, IE, Chrome and Safari. A few minor issues may arise on Android and some versions of iOS due to WebGL support so it is recommended that you test your website using the most up-to-date browser versions available to ensure maximum compatibility. No CAPTCHA reCAPTCHA is supported by every latest version of major browsers but only works on desktops.
What are some examples of uses for CAPTCHAs?
CAPTCHA technologies can be used in many ways such as: verification, registration, notification or authorization purposes. One example would be an email service provider which requires users to prove they are human before signing up for their services through some type
What happens if my site uses an older version of Google’s reCAPTCHA?
What happens if my site uses WebCAPTCHA?
Users with modern browsers that support WebGL will be able to see WebCAPTCHA on your website. Users without compatible browsers will not be able to view CAPTCHAs at all.
Is it possible to block bots through CAPTCHA?
CAPTCHA is not meant to be used as a sole security measure for preventing online abuse. It can however help reduce the occurrence of abusive behavior on your website by increasing the time it takes for automated bots to submit information or fill out forms.
Can No CAPTCHA be cracked by bots?
No CAPTCHA reCAPTCHA is well protected from malicious bots through various mechanisms. However, it is possible for a determined attacker to find ways to bypass the security protections. In such cases, you might need to consider additional layers of security on your site and/or use other Google services that address potential threats like DDoS.
Why does Google not provide support for No CAPTCHA?
What is the recommended way of implementing CAPTCHA on a WordPress website?
WordPress offers various plugins for CAPTCHA such as WP Greet Box, Protect Content Pro etc. However, it is recommended that you test each plugin and choose one based on your security needs instead of solely relying on them just to have a CAPTCHA in place.
What is Google’s reCAPTCHA API?
Google’s reCAPTCHA API is a simple and powerful API that allows you to incorporate different forms of reCAPTCHAs into your website without having to use any specialised skills or technologies.
How does Google’s reCAPTCHA API work?
The API provides two main functions for using CAPTCHAs: creating the CAPTCHA image on the fly when the user attempts to submit data (challenge) along with a token to identify themselves as human, and verifying whether the token matches the value submitted by the user. If they match, users pass and are sent to their destination; if not, an error response is generated.
What programming languages can I use Google’s reCAPTCHA in?
What is the difference between a challenge-response and an image-based CAPTCHA?
A challenge-response type of CAPTCHA requires a user to decode a hidden message or some simple arithmetic problems before they can submit data. Image-based CAPTCHAs use pictures that are more readable by humans but which automated processes find difficult to interpret correctly. This is why image-based reCAPTCHAs will often try different approaches from several angles and/or have users solve puzzles rather than just decipher something in the image.
When should I use a challenge-response type CAPTCHA?
In order to verify the authenticity of an online interaction, especially when sensitive information is being transmitted such as with financial transactions, it is useful to know if there is a person behind that transaction: what are their intentions; how much time or effort are they willing to expend; and what information can be relied upon.
When should I use a visual-based CAPTCHA?
Visual-based reCAPTCHAs are used for cases where challenge-response type CAPTCHA does not fit. This can include login forms on forums, which often have multiple instances of the same username/password combination to prevent automated harvesting.
How do I make optimum use of CAPTCHA?
CAPTCHAs are most effective when they offer a user experience that is similar to other authentication mechanisms you may already be using. The factors that determine whether a user will pass or fail should also relate to the security threats you are trying to mitigate through CAPTCHA. A potential attacker who sees easy targets on your site would simply go after those instead of attacking them head-on.
Why do I have to solve CAPTCHA on certain forms (such as those in forums)?
Web forms are a common target for automated spam generation. Spammers use stolen identities and address books to generate large quantities of fake users which they then program to selectively attack websites that have popular services such as web forums (as spammers can more easily direct their spammer bots to understand the CAPTCHA on these pages). This is why it has become necessary in certain cases to limit access to sensitive features on sites like forums, blogs, e-commerce etc.
How does reCAPTCHA help prevent abuse with new accounts?
New account creation is another common spam target as spammers try to sign up new users who can then be programmed to do their bidding. reCAPTCHA provides a degree of assurance that new accounts are created by humans rather than bulk generated bots.
Which browsers support the Turing Test CAPTCHA type?
All current browsers support the Turing test CAPTCHA. However, if you want to show images in text format, you will need to use a browser that supports the canvas tag (such as Firefox 3).
What does using CAPTCHAs cost me?
Using Google’s reCAPTCHA service is free – there are no costs associated with creating your own implementation.
What does invalid CAPTCHA mean?
A CAPTCHA is considered invalid if it has failed the automated quality assurance tests. For example, it might be too blurry or contain text that is not from a known language. There may also be a server-side error causing reCAPTCHA to automatically disregard the response.
How do I add CAPTCHA to my website?
There are two ways to integrate reCAPTCHA into your website: through an API or a widget.
Can I use CAPTCHAs in my app on iOS and Android?
Yes. You can use reCAPTCHA in apps built with App Maker, as well as any other web-enabled app.
Why am I getting CAPTCHA on every site?
CAPTCHA is a security measure to deter automated systems from abusing a service. If you are seeing CAPTCHAs on a number of sites, it might be because you have been flagged by our spam team as being suspicious, or your account may have been compromised by an attacker using auto-generated accounts.
Does CAPTCHA stop bots?
While CAPTCHA is most effective in reducing automated activity, it is not a complete solution for preventing spam or other abuse. We recommend that you use other security measures to supplement CAPTCHA.
What do I need to consider when implementing CAPTCHAs?
Use CAPTCHA when you need to verify that a human is using your service. This might be when you:
- Require users to sign up for an account
- Limit access to feature-rich parts of your website to registered users
- Block unregistered visitors from accessing content on public websites