- What Is CAPTCHA?
- What Is reCAPTCHA?
- The Downsides of CAPTCHA
- What Can You Do about CAPTCHA and reCAPTCHA Bypasses?
TL;DR: This blog explores how CAPTCHA and reCAPTCHA are bypassed by sophisticated bots and fraudsters, affecting user experience and security. It discusses the evolution, limitations, and alternatives to these security measures.
- CAPTCHA Evolution: Introduced to differentiate humans from bots, but quickly outdated by advancing technology.
- reCAPTCHA and its Flaws: Despite updates like reCAPTCHA v3, bots can still bypass these systems using advanced technologies like OCR and AI.
- User Experience: CAPTCHA tests can frustrate users, potentially reducing conversion rates and harming brand reputation.
- Alternatives to CAPTCHA: The blog suggests using biometrics, multi-factor authentication, and dedicated ad fraud solutions like Anura to improve security without compromising user experience.
If you’ve spent any time on the internet in recent years, you’ve had to check a little box to tell the world, “I’m not a robot.” This little box was invariably accompanied by a small visual or audio test, called CAPTCHA.
Passing the CAPTCHA test proves you are “not a robot” before you can access part of a website. Usually, this occurs at a point where you need to complete a form to sign up, subscribe, or make an online purchase.
For many users, these have been an annoying and time-consuming necessity of the internet—often leaving them wondering how to avoid CAPTCHA. For the companies using them, however, CAPTCHA tools have been a reassuring security measure. This has given them confidence that the people accessing their website are genuine visitors and not fraudsters.
There is one problem, though: they don’t always work.
Today, it’s easier than ever for sophisticated bots to bypass CAPTCHAs. Learn more about why these measures are ineffective and what you can do instead to truly protect yourself from fraudulent users.
What Is a CAPTCHA?

As the internet started gaining traction in the 90s, internet malpractice followed close behind. CAPTCHAs were created in response to this as a way of differentiating genuine users from bad bots merely crawling through websites to perform some form of fraud.
The very name CAPTCHA explains this goal, standing for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. A Turing test is a test designed to differentiate between human intelligence and that of a machine.
These early CAPTCHAs took the form of text altered in some way to make it impossible for bots to read. While they were initially very successful, quick advances in computing meant that bots were able to read what the text said.
What Is reCAPTCHA?
reCAPTCHA is a human verification system developed in 2007 and purchased by Google in 2009. Initially, the tool was developed to help digitize books that couldn’t be scanned by computers. Once enacted to verify users, reCAPTCHA displayed two different distorted words with lines running through them (compared to CAPTCHA’s random sequences of letters and numbers).
By 2012, the project began incorporating images from Google Street View. By now, you’ve almost certainly spent a decent chunk of time clicking all of the images that contain a stoplight just to prove you’re not a bot.
And you’ve probably failed some of these tests, too! As noted by Baymard Institute, “Only 66% of users during our qualitative usability testing successfully entered the CAPTCHA on the first attempt.”
Inevitably, in 2014, Google found that their reCAPTCHA program (a development from the original CAPTCHAs) could be bypassed by bots over 99% of the time. With fraudsters being able to bypass reCAPTCHA, professionals went back to work trying to create an even better solution.
The Next Generation: reCAPTCHA v3
In 2018, Google unveiled reCAPTCHA v3, the latest iteration of the tool to respond to increasing reCAPTCHA bypass by bots.
Even if you’re an incredibly proficient internet user, there’s a good chance you’re scratching your chin and wondering whether you’ve come across reCAPTCHA v3 before.
With reCAPTCHA v3, you don’t have to decipher distorted words, you don’t have to click boxes to indicate you know what a car looks like, and you don’t even have to click the “I’m not a robot” checkbox, either. That’s because reCAPTCHA v3 exists largely in the background—completely invisible to the average user.
As such, reCAPTCHA v3 helps companies detect bots while ostensibly delivering a better user experience—but it hurts user privacy in exchange.
How Does reCAPTCHA v3 Work?
Rather than solving CAPTCHA challenges, this iteration of the tool relies on behavioral analytics to distinguish between bots and human users.
- Google analyzes behavior as users navigate a website
- They rank that behavior to determine how “risky” the user is (how likely it is that the session is actually a bot and not a human)
While reCAPTCHA v3 can help websites detect bots, it’s only good for that use case.
If you want to protect your website from ad fraud, you’ll need to do more than rely on this type of CAPTCHA. Carefully crafted malware and human fraud will still get past reCAPTCHA v3, and it has a high false positive rate, mismarking real people as fraud.
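One way a server can act on the reCAPTCHA v3 risk score described above, as an added example that is not from the original article or from Google: the function takes the parsed JSON that reCAPTCHA's siteverify endpoint returns (fields `success`, `score`, `action`, `hostname`, `challenge_ts`, `error-codes`) and sends middle-band scores to a step-up check instead of blocking, since real people can be mis-scored. The thresholds, the freshness window, the names `decide` and `run_samples`, and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for illustration; tune them per site and per action.
ALLOW_AT = 0.7                          # at or above: pass silently
DENY_BELOW = 0.3                        # below: reject
MAX_TOKEN_AGE = timedelta(minutes=2)    # assumed freshness window

def decide(verdict, expected_action, expected_host, now):
    """Map a parsed siteverify response to (decision, reason)."""
    if not verdict.get("success"):
        return "deny", "verification failed: %s" % verdict.get("error-codes", [])
    # A valid token minted on another site or for another form must not count.
    if verdict.get("hostname") != expected_host:
        return "deny", "hostname mismatch"
    if verdict.get("action") != expected_action:
        return "deny", "action mismatch"
    ts = verdict.get("challenge_ts")
    if not ts:
        return "deny", "missing timestamp"
    issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        return "deny", "stale token"
    score = float(verdict.get("score", 0.0))  # a missing score is the worst case
    if score >= ALLOW_AT:
        return "allow", "score %.1f" % score
    if score < DENY_BELOW:
        return "deny", "score %.1f" % score
    # Middle band: ask for more proof instead of blocking a possibly real user.
    return "step_up", "score %.1f" % score

# Constructed sample responses (not captured from a real site).
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
BASE = {"success": True, "hostname": "shop.example", "action": "checkout",
        "challenge_ts": "2024-01-01T12:00:00Z", "score": 0.9}
SAMPLES = {
    "human": BASE,
    "uncertain": {**BASE, "score": 0.5},
    "bot_like": {**BASE, "score": 0.1},
    "wrong_action": {**BASE, "action": "login"},
    "stale": {**BASE, "challenge_ts": "2024-01-01T11:50:00Z"},
    "rejected": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

def run_samples():
    return {name: decide(v, "checkout", "shop.example", NOW)[0]
            for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(name, "->", decision)
```

Logging the returned reason alongside the decision gives a record of why each request was stepped up or denied.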
The Downsides of CAPTCHA
As useful as CAPTCHAs have been in the past, it’s important to realize that they aren’t without their downsides. These tools leave much to be desired as ad fraud prevention methods. Even beyond the CAPTCHA bypass problem, these solutions can do more harm than good when it comes to fostering good relationships with consumers.
Some key issues with CAPTCHA and reCAPTCHA include:
CAPTCHAs Hurt the User Experience
Imagine you’re heading to a retailer’s website to complete an e-commerce transaction. You just found out about a new product, and you’re eager to buy it as soon as possible. As you begin the process of checking out, you run into a CAPTCHA. Worse yet, you fail the test.
Would such an experience make you more or less likely to complete the purchase?
If the CAPTCHA test is poorly made, it can be failed multiple times. For example, if there’s a requirement to “pick all boxes that have a fire hydrant” and it’s all one big fire hydrant with just the tip of a piece on a few pixels on one box, should it be clicked or not?
This can be extraordinarily frustrating for users—which impacts user engagement and conversions. It’s more than likely that after a failed attempt or two a consumer will go make a purchase or inquiry on a site where they don’t experience this friction.
CAPTCHAs Can Waste Customers’ Time
In more recent news, CAPTCHAs have been shown to eat up extra time for users. For example, the PS5 and Xbox Series X console launches have pitted human buyers against bots owned and operated by scalpers on retailer websites.
When a human encounters a CAPTCHA test, they have to spend precious seconds looking at it and responding. A bot can bypass the test—acting like a CAPTCHA skipper and proceeding almost directly to purchase in milliseconds.
The result? The bot buys dozens of consoles and the human gets an “out of stock” error message by the time they finish the test.
The same is true for things like concert tickets. As CBS News reports, bots have become a major problem for concert tours. Even though the BOTS Act of 2016 made it illegal for ticket buyers to use bots to work around online ticket restrictions, or to sell tickets purchased using bots on the secondary market, there is little to no enforcement in this space.
So, while fraudsters hoard tickets and resell them for as much as 70x the original price, fans are left frustrated.
Killing Conversion Rates
Taken together, it comes as no surprise that annoying experiences and more time required to complete actions translate into a 40% lower conversion rate with CAPTCHA.
This isn't just about immediate effects; the repercussions extend far beyond the point of interaction. CAPTCHAs often enhance security at the expense of user convenience and satisfaction. This disruption can lead to immediate abandonment of the purchase or sign-up process, but the implications are even more far-reaching.
Since consumers are likely to stop supporting brands after a bad experience, they may very well prevent you from racking up sales in the future, too. Over time, this can result in a significant loss of revenue and damage to the brand's reputation. Frustrated customers might even share their negative experiences with others, amplifying the detrimental impact on the brand’s image.
Businesses need to carefully consider the trade-offs between security measures like CAPTCHAs and the overall customer experience they deliver.
CAPTCHA Bypass Is Too Easy with Modern Bots
If hurting the user experience wasn’t enough to cause you to think about ditching CAPTCHAs, here’s something else to consider: Due to the evolution of technology, artificial intelligence (AI) has gotten to the point where a modern “CAPTCHA bot” or “block reCAPTCHA tool” can bypass the test with ease—defeating their purpose entirely.
Since CAPTCHAs don’t offer any kind of support or analytics, you can’t zero in on where fraud is coming from. Even if your CAPTCHAs somehow prevented bots from getting around them, you’d still have to deal with malware and human fraud.
Unfortunately, despite attempts to outrun malicious users in digital advertising, just a quick Google search will provide you with an abundance of sites telling you exactly how to get around even the most complex tests.
How Bots Bypass CAPTCHA
Even when it comes to reCAPTCHA v3, it is shockingly easy for fraudsters to gain a high score using a carefully crafted CAPTCHA bot or by employing human fraud farms. These sophisticated fraudsters can easily bypass the CAPTCHAs they face thanks to:
- Optical Character Recognition (OCR): Advanced OCR technology can interpret the text presented in CAPTCHA images with high accuracy, allowing bots to decode and respond correctly.
- Machine Learning Algorithms: Some bots utilize machine learning models that have been trained on numerous CAPTCHA samples to predict the correct answers, even for image-based CAPTCHAs or complex pattern recognitions.
- Session Replay: Bots can mimic human behavior by replaying the actions of a real user during a CAPTCHA interaction, using previously recorded human activity to pass the test.
- AI-Powered Tools: There are dedicated AI tools that are specifically designed to solve CAPTCHAs by mimicking human cognitive abilities more closely than ever before, effectively fooling the CAPTCHA system into thinking a human is interacting with it.
What Can You Do about CAPTCHA and reCAPTCHA Bypasses?
Thankfully, there are ways to block fraudulent traffic that are better at identifying malicious bots, malware, and human fraud, that do not ruin the user experience, and that don’t leave the decision-making in your hands.
1. Biometrics
You could verify users are real humans and not bots by using biometrics. For example, you might ask people on smartphones to prove their identity with their fingerprints. There are other kinds of biometrics to consider, too—including typing biometrics, speech recognition, and facial recognition.
Depending on your use case, however, biometrics might not be the best option. These systems tend to be pretty pricey and aren’t always practical. Similarly, not too many consumers are keen on giving away their biometric data to a company that sells socks, for example.
2. Multi-Factor Authentication
You can also implement a multi-factor authentication (MFA) method to make sure actual humans are accessing your systems. For example, you might have someone log into their account and then send them a text message with a one-time passcode they need to input on your website to get to the next step.
While this method can be helpful in secure environments—like banking and brokerage accounting apps—it will likely create far too much user friction for the average company. No one wants to go through multiple steps just to make a simple purchase or fill out a form.
There is always a balance between making the online consumer experience seamless yet secure.
3. Ad Fraud Solutions
An ad fraud solution like Anura enables you to stop bots in their tracks while also protecting you from malware and human fraud. The solution sits entirely in the background of your website, with no effect on the user experience at all.
Anura detects fraud with precision via a robust, fine-tuned solution that delivers virtually no false positives. Get the peace of mind that comes with knowing you’re never blocking real visitors. This definitive and accurate approach gives you the freedom to run your business without the worries of fraudulent visitors.
With Anura, you’re able to sell more, generate more leads, and optimize your campaigns with the peace of mind that comes with knowing your data is accurate and that fraudsters haven’t taken advantage of you. It’s the easiest way to stop bot traffic—and several other kinds of ad fraud, too—without hurting the user experience.