- reCAPTCHA tests are not particularly effective at blocking security threats, research claims
- Security tests are also costing millions of hours in lost time for users
- New ‘invisible challenges’ could be an alternative for businesses
There won’t be many internet users who aren’t familiar with CAPTCHAs, or ‘Completely Automated Public Turing test to tell Computers and Humans Apart’ – the commonly-used tests giving you access to websites, often via asking users to ‘click the image with a traffic light’ or such.
Well, it turns out that everyone’s favorite slight inconvenience isn’t even effective at preventing bot traffic: a study called “Dazed and Confused: A Large-Scale Real-World User Study of reCAPTCHAv2” has found that the tests have wasted millions of hours of time for internet users – but also generated an estimated $888 billion in tracking cookie data for Google.
The tests are virtually unavoidable, and are so widespread that users have spent roughly 819 million hours solving them, despite each test taking researchers an average of only 3.53 seconds to complete. Bots are increasingly able to solve CAPTCHAs, and the tests may become obsolete – here’s what we know so far.
A for-profit cookie farm?
The report notes there are two common types of test, CAPTCHA and reCAPTCHA. The first is the text-based challenge in which users decipher scrambled characters, and the second is a more advanced image-based approach which sources pictures from Google Street View, and in which users are asked to select the image including a bicycle, for example.
When Google acquired reCAPTCHA in 2009, it used the technology to improve Google Street View by processing photos of house numbers and street signs, and to digitize Google Books.
But the CAPTCHAs are no longer fit for purpose, or at least, not in the way they used to be. The development of new AI tools means that CAPTCHA tests can be solved by bots, making them almost entirely obsolete – but only for the ostensible purpose of the tech.
As early as 2010, there were automated services that could solve image labeling challenges with 100% accuracy, so reCAPTCHA tests are inadequate as a security challenge.
What this study reveals is that reCAPTCHA ‘extensively monitors’ user cookies, browser history, and browser environments – which can all be used to track users and for advertising.
The study goes on to explain that the tests “wouldn’t make sense as a security service, yet it would make sense given that obtaining labeled image data is highly valuable and is even sold by Google.”
Not only do the legitimate challenges fall short of protecting users, but researchers have observed fake CAPTCHA pages used to spread infostealer malware, presenting a serious risk for unsuspecting surfers.
“Given the blatant vulnerability, ease of implementing large-scale automation, and usage of privacy invasive tracking cookies reCAPTCHAv2 checkbox presents itself as a complete vulnerability disguised as a security tool,” the study confirmed.
It’s not just about wasted time though, and as with all internet activity, the CAPTCHAs use energy – 7.5 million kWhs, or 7.5 million lbs of CO2 to be precise.
This leads us to the ‘true purpose’ of CAPTCHA tests. These tests could be garnering huge profits for Google, which has potentially gained $8.75-32.3 billion USD for each sale of its total labeled data set:
“The conclusion can be extended that the true purpose of reCAPTCHAv2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service”.
An ‘invisible’ alternative
It is undeniably important for businesses to verify whether users are humans or bots – to protect against DDoS attacks, data-scrapers, scalpers, and more. So if CAPTCHA isn’t an effective security measure (and is pretty annoying for users), then what are the alternatives?
Well, for now, CAPTCHA is virtually inevitable for anyone surfing the internet. However, there are alternatives for businesses, which can move on from the tests to something more secure and user-friendly.
There are now ‘invisible challenges’ which provide a much more user-friendly security solution for websites, with improved data accuracy and adaptability. These work by using complex algorithms and behavioral analysis to distinguish between humans and bots, all without needing explicit user interaction.
Whilst these invisible challenges don’t necessarily spell the end of the need for CAPTCHA, they can be combined with the traditional CAPTCHA tests to deliver a much more seamless experience whilst providing more robust security for business websites.
To help keep your networks safe against bot attacks, we’ve also featured the best firewall software – which will help you by acting as a shield around your network infrastructure, and many will block harmful files before they can install and damage your system.