Image default
Guest Articles

Why are CAPTCHAs Still a Thing?

Sam Crowther, Founder and CEO, Kasada talks about the significance of overcoming CAPTCHA Technology’s Challenges for effective cybersecurity and stopping bot attacks

Two of the most common questions I receive when talking about cybersecurity with friends and family who are not in the industry are “Can (insert technology, utility, or site here) be hacked?” and “How can bots get by a CAPTCHA?” My answers are always the same: anything that was built or engineered can be deconstructed or reverse engineered when there’s the correct motivation to do so. It can even be done to technologies that serve up random pictures of crosswalks or taxis and ask you to click the correct boxes.

This got me thinking a bit about the reliance of online businesses on various forms and generations of CAPTCHA technologies. Why do so many businesses still rely on CAPTCHA as a security tool? It’s been shown, again and again, that these tools are nothing more than speed bumps for motivated attackers.

Back when malicious bots were most often spam bots, CAPTCHAs were designed to prevent them from succeeding and using a business’ website to spread spam messages. And it worked. But then came motivated adversaries, CAPTCHA farms, and smarter AI. It didn’t take long for CAPTCHA challenges to become ineffective at stopping automation.

Today, bots are behind automated attacks that steal information, scrape prices, commit fraud, block legitimate customers from using your site, and more.
Bot operators use the latest technologies to build workarounds and appear human to a website. CAPTCHAs are nothing more than the security equivalent of plausible deniability. What online businesses don’t know, can’t hurt them. Or so they think.

Customer Friction

That’s exactly what the problem is with CAPTCHAs, however. As an online business, you have no visibility into what bots or attacks have been stopped with CAPTCHAs and which have gotten through. By accepting the technology as the de-facto approach to stopping bots, you can look the other way and assume that it’s working.

CAPTCHAs slow down very few attackers in reality, but one thing they are successful at is frustrating paying customers. Customers look for a frictionless user experience, one that’s secure and efficient without delaying them from successfully completing a login, a signup or a transaction. CAPTCHAs are not efficient and can delay a transaction, often leading to either dropped customers, or customers that won’t return due to their dissatisfaction with the site.

Beating the CAPTCHA

There are two main philosophies when it comes to evading a CAPTCHA: either be undetectable, or automate the process of solving the CAPTCHA. Well-funded, technologically advanced attackers and bot operators have built bots that can solve CAPTCHAs efficiently and cost-effectively. Financial motivation often breeds innovation, and that is the case here.

Artificial intelligence (AI) and machine learning (ML) technologies have proven they can have an important role in helping attackers get around security technologies like this as well. The application of ML and AI for breaking CAPTCHA security systems is a frequently addressed topic on the underground criminal forums that are used to collaborate on attacks. CAPTCHA images are commonly used on websites to prevent criminals when they attempt to abuse web services — particularly when they try to use malicious automation like Puppeteer to break into a site. Because of this, there continue to be advances in utilizing neural networks to solve picture-based security.

So What’s the Solution?

If CAPTCHAs are equivalent to a speedbump — or pictures of a speedbump if you will — then what can be the stop sign we’re looking for?

The easiest place to start might be in identifying what isn’t needed – in this case, there’s no need for a bigger speedbump. Vendors have created more advanced versions of CAPTCHAs, all which have proven to be driven over just as easily. Motivated attackers simply don’t let something like a CAPTCHA force them to reverse course. We also can’t expect users to provide their own security when they visit a site – there’s just no way that’s a sustainable, reliable solution in reality.

To effectively stop bots, there first needs to be a change in the thinking around security for online businesses. It should no longer be acceptable for online businesses to put the onus of proving they’re human on their customers. Understandably, that’s easier said than done – and an order much more complicated than simply throwing up some images on your site and pretending bots can’t figure it out. But difficult isn’t impossible.

As an online business, you need to invest in new technologies and modern approaches that identify and stop bots without compromising the user experience. Technology exists today that can recognize and stop the malicious automation attacks of today before they get into your system – while at the same time, continuing to evolve as attackers do, so it can stop the attacks of tomorrow. Preventing attackers from even gaining a foothold in the first place means you never have to resort to using a CAPTCHA again.

It’s only by raising the expectations of what should be done to stop bots that online businesses will begin to take on the responsibility of actually doing so.

For more such updates and perspectives around Digital Innovation, IoT, Data Infrastructure, AI & Cybsercurity, go to

Related posts

AI: Friend or Foe for Creative Functions?

Katie King

Segment of One: How the AI-Driven Revolution Is Super-charging Customer Engagement

Mridula Saini

Why Data is the Foundation of Artificial Intelligence

Wilson Pang