We speak with PerimeterX expert Deepak Patel on the state of CAPTCHA, where it’s been, and where it’s going.
CAPTCHA technology hasn’t exactly aged gracefully, and digital businesses and their customers deserve better. We sat down with PerimeterX Cybersecurity Evangelist Deepak Patel and discussed how this bot verification solution has overstayed its welcome—and what’s next. Listen to the corresponding PerimeterX podcast here.
CAPTCHA technology was developed quite some time ago, but it seems to have taken a turn for the worse. Why haven’t people gotten it right yet?
Deepak: Just like everything on the internet, CAPTCHA was built for openness when the challenge of bots showed up. It's a quick fix to a problem, trying to figure out whether the user that's coming onto your website or mobile app is a bot or not. It was done with good intent initially, and then as bots got better at solving it, the CAPTCHAs got more complex. But in the process, they made it much harder for people to solve. And it's driving frustration among users, especially on e-commerce sites.
A few months ago, PerimeterX CTO Ido Safruti put out a blog about CAPTCHA. He wrote about how A/B testing month over month can help clarify whether CAPTCHAs help or hurt your website. What A/B testing might you recommend?
Deepak: What Ido was referring to is the cure becoming worse than the problem. On a website, you have to measure user engagement and shopping cart abandonment with and without CAPTCHA. Yes, some bots will get through. But the point here is that you want to know if CAPTCHA is hurting user experience and user conversion. And that's the A/B test that we have seen that many of our customers vouch for and run. If you read the blog, you'll see that there's a 3-4% difference in users abandoning shopping carts and abandoning the site when they're presented with CAPTCHAs at that time. I’ll give you an analogy: the U.S. resisted adopting the chip-and-PIN credit cards that are common in the E.U. As soon as you have 10 people waiting in line at your local Target or Walmart, you'll see that the 11th customer is not going to stand there. They are going to abandon that line. CAPTCHA creates a similar problem wherein the users are not getting instant gratification, so you’ve got to be extremely careful when you introduce what we call user interruptions. CAPTCHA is a form of user interruption.
What are CAPTCHA solvers and how do they get around CAPTCHA challenges?
Deepak: There are different forms of CAPTCHA solvers today in the market that bad actors use to circumvent CAPTCHA challenges. Some of them use automated tools involving AI technologies that help us innovate in other markets today. For example, AI is used in autonomous cars that you see on the streets. These perform image recognition using the same technology. A subset of that is also used by CAPTCHA solvers.
I also have an interesting story about CAPTCHA solvers that happened about eight years ago. We were seeing human farms being used to solve CAPTCHAs on behalf of bad actors, and these human farms were incentivized with free codes to adult entertainment sites. Cybercriminals would link other humans to these CAPTCHAs to solve them in real time. Once these individuals completed the given CAPTCHA, they were given a coupon code for an hour-long session to view adult content. This is just one tactic in an ever-evolving industry.
We’re all familiar with the CAPTCHA formats of the past, including picking out stoplights or buses or crosswalks from a series of pictures. Going further back, there were warped words or numbers that you had to type out. More recently, we’ve seen the checkbox that verifies you’re human. Where do you see it going from here?
Deepak: It will continue to evolve. I feel that we will come to a point when no one will see a visual challenge at all. Nobody wants to see these. In the future, end users will be accustomed to life without CAPTCHA. Detection technologies will improve to the point that we can detect whether a user is a bot or not without having any user interruption at all.
E-commerce websites are typically the most common use case for CAPTCHA solvers. Besides weeding out bot traffic, what do you see as the biggest benefits of implementing improved CAPTCHAs to those types of sites?
Deepak: E-commerce sites are the biggest beneficiaries of CAPTCHAs because, like I mentioned early on, most consumers want instant gratification. They don't want to be interrupted on their path to purchase. Effective use of bot mitigation technology and CAPTCHAs will minimize the time to conversion.
Bots are also skewing a lot of analytics, which creates various problems in business logic. Weeding out bot traffic will lead to more clarity in your data. CAPTCHAs seem like the easy way to solve this, but it’s not so simple. You have to think completely differently and see how to implement a bot solution that doesn't actually bring CAPTCHA into play. I encourage business leaders to think through and solve this problem with more accurate bot management solutions that collect anonymized user behavior signals. We currently gather behavioral data such as the speed of one’s mouse movements, the battery life of their device, and other parameters of behavior that eliminate the need for a CAPTCHA to figure out bot-or-not traffic.