CAPTCHA Security Programs

by Faulkner Staff

Docid: 00011479

Publication Date: 2101

Report Type: TUTORIAL

Preview

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". This Web-based form of user or customer verification is most often seen as blurred words or letters that human users are prompted to retype in order to protect the site against automated attacks or access. Although CAPTCHA technology has been employed for years, users have more recently expressed doubt as to its effectiveness when compared to newer alternatives. This report looks at CAPTCHA and compares it to other alternatives.

Executive Summary

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) offers a Web-based test that humans can pass but that computers, at least in theory, cannot. CAPTCHAs tend to be familiar to everyday users in the form of the blurred words that must be typed to gain access to certain features on Web sites. Companies deploy CAPTCHAs to prevent automated software from performing tasks that degrade a service or an application's desired results.

Unfortunately, no CAPTCHA can ever be 100 percent effective. Although the most common type of CAPTCHA is text recognition, other alternatives, such as simple math problems or video games, also exist. The most common types of CAPTCHA include:

  • Text Recognition – Distorted text characters that users must type correctly to access a Web site. Critics of text recognition CAPTCHAs point to accessibility issues for those who are visually impaired or dyslexic.
  • Images – Image-based option that is often paired with a choice, such as asking the user, for example, "Is this a bird or a fish?" Another version growing in popularity is a grid of images in which the user must, for example, choose every box that shows a bicycle.
  • Audio – Words broadcast over a computer's speaker with background noise to confuse bots. The human user must type in the word (often common misspellings and mishearings are allowed).
  • Math Problems – In the form of simple, text-based arithmetic questions.
  • Ads – TYPE-IN plugin that replaces random letters with paid advertising. When consumers enter a brand message in the ad, the company shares revenue with the partner.
  • Video / Moving Text – Animated text to make it more difficult for non-humans to decipher, with an adjustable level of difficulty if suspicious activity is identified.
  • Mobile – Designed to fit the mobile device screen without scrolling.

Regardless of the formula used, however, a common question remains as to whether a CAPTCHA is more effective at weeding out bots or at annoying the end user.

Description


The history of CAPTCHA begins in 1997, when Alta Vista experienced a problem
with bots adding URLs to search engines and skewing its importance-ranking
algorithms. Alta Vista then developed images that optical character recognition
(OCR) software had difficulty interpreting and thereby significantly reduced
the automated URL submission problem. Three years later, Yahoo’s chat rooms had a similar
problem in which rogue computer programs pretended to be users and invaded chat
rooms to collect personal information and post promotional
links to Web sites. At the same time, spam companies were writing programs for
rapidly registering hundreds of Yahoo e-mail accounts for use in bulk mailings.
Yahoo soon contacted researchers at Carnegie Mellon as the CAPTCHA concept took
shape.

The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford of Carnegie Mellon. Von Ahn was the original creator of the CAPTCHA challenge screen, which is a program that generates tests that humans can pass but that likely pose a challenge for computers. CAPTCHAs are the words presented in unusual and camouflaged fonts that users must type to prove that they are humans, not bots. Once a user successfully types the displayed text, the server assumes that the user is human and grants access.
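The server-side half of that flow is where a deployment most often goes wrong: the expected answer must not be readable from anything sent to the browser, a solved challenge must not be reusable, and a stale challenge must not verify. The following Python is an added example written for this report and is not code from any CAPTCHA product or from the original text. It assumes a hypothetical server key (SERVER_KEY), an in-memory record of used nonces, and that some other component renders the returned answer as a distorted image; the token the browser returns carries only a keyed hash of the answer, an expiry, and a nonce.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server secret, constructed for the demo; a real deployment loads
# it from a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
# Constructed alphabet that drops glyphs people confuse when reading distorted
# text (0/O, 1/I/l), which reduces failed attempts by legitimate users.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Nonces that have already been presented for verification. Kept in memory
# here; a multi-server deployment would use a shared store with the same TTL.
_seen_nonces = set()


def _mac(nonce, expires, answer):
    """Keyed hash binding the nonce, the expiry and the expected answer."""
    msg = "{}|{}|{}".format(nonce, expires, answer.strip().upper()).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(length=6, ttl=120, now=None):
    """Create a challenge. 'answer' is what the image would render; 'token' is
    the opaque value the browser sends back with the form. The token carries no
    answer, only a MAC over it, so the client cannot read the solution from it."""
    now = int(time.time()) if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_hex(8)
    expires = now + ttl
    token = "{}.{}.{}".format(nonce, expires, _mac(nonce, expires, answer))
    return {"answer": answer, "token": token}


def verify_response(token, typed, now=None):
    """Return True only for a well-formed, unexpired, never-before-seen token
    whose MAC matches the text the user typed (case-insensitive)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, expires_str, mac = parts
    if not expires_str.isdigit() or now > int(expires_str):
        return False
    # Burn the nonce on the first verification attempt, right or wrong: this
    # makes the challenge single-use and stops repeated guessing against one
    # token. A wrong guess means the user is shown a fresh challenge.
    if nonce in _seen_nonces:
        return False
    _seen_nonces.add(nonce)
    expected = _mac(nonce, int(expires_str), typed)
    # Constant-time comparison so response timing does not leak the MAC.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    challenge = issue_challenge()
    print("render this as an image:", challenge["answer"])
    print("first attempt ok:", verify_response(challenge["token"], challenge["answer"]))
    print("replay rejected:", not verify_response(challenge["token"], challenge["answer"]))
```

The design choice worth noting is that the nonce is consumed on the first verification attempt regardless of outcome. Burning it only on success would let a client submit many guesses against the same token, and because the MAC covers the answer, a brute-force search of a short alphabet against one token would otherwise be cheap.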

Ironically, a CAPTCHA is a "reverse" Turing test in that it is given by a computer rather than a person, meaning the roles are reversed. (The Turing test is named after computer scientist Alan Turing and is designed to differentiate between a human and a computer.)

Most often, Web sites deploy CAPTCHAs to prevent automated software from gaining access to the site and abusing it, for example by:

  • Completing large numbers of online surveys.
  • Buying tickets for an event for resale.
  • Conducting spam, phishing schemes, and other types of deceit.
  • Mounting "dictionary" attacks against password systems.
  • Accessing and / or scraping participant addresses.
  • Submitting automated posts and comments.

Current View


CAPTCHAs can annoy users, who may have trouble solving them, may run into technical glitches that prevent them from answering, or may leave the Web site altogether. Overall, the question remains: Are CAPTCHAs good for the Web sites employing them?

Drawbacks

Generally speaking, it can take anywhere from 10 to almost 30 seconds to solve each CAPTCHA, not including the time lost on retries, failures, and technical issues. Unsuccessful attempts may lead to users abandoning the site and, even more troublingly, to lost sales. In spite of its benefits, the end user unfortunately often views CAPTCHA as a waste of time. Panda Security [1], for example, calls the process "time-consuming" in that:

Each time you solve a CAPTCHA, you waste 10 seconds of your life. That's why CAPTCHA has earned a bad reputation among Internet users, despite the fact that it was created to guarantee our safety.

Compounding that fact, many users feel that companies have put the onus on
humans to distinguish themselves from bots.

New and Alternative Methods

Describing the push to develop these new types of CAPTCHAs, Google's Jason Freidenfelds said, "There is an arms race when it comes to CAPTCHA where machines are getting better and better at understanding them." [2] Some new approaches have tried to solve both of the main complaints about CAPTCHAs, making it harder for bots to circumvent security while improving user opinions. Examples include tests to identify pictures or logos, as well as distorted text.

Alternatives to CAPTCHAs also exist.

reCAPTCHA.

For example, CAPTCHA creator Von Ahn introduced reCAPTCHA. Owned by Google, reCAPTCHA combats bots by using images of words from printed works that are being digitized and that are unrecognizable to OCR software. In the case of reCAPTCHA, the equivalent of about 2.5 million books a year are being digitized.

visualCAPTCHA.

There are also authentication methods that ask users to solve math problems, identify the content of a sound clip, answer a trivia question, or play an easy game. Another alternative is visualCaptcha, which asks users to click on a particular type of icon.

In the example depicted in Figure 1, visualCaptcha shows icons for balloons, a truck, scissors, a clock, and a tag, and it asks users to click on the tag.

Figure 1. visualCaptcha

Source: demo.visualcaptcha.net

Real-Time CAPTCHA and Other Biometric Hybrids.

It should also be noted that new biometric technological developments could lead to convergence between the technologies, in addition to potentially rendering CAPTCHA moot. Although the phaseout of the technique altogether will likely take years, if ever, to come to pass, recent developments have seen the creation of Real-Time CAPTCHA.

This approach [3] would require that users "look into their mobile phone's built-in camera while answering a randomly-selected question … within a CAPTCHA on the screens of the devices." Responses must occur within a small window that is considered "too short for artificial intelligence or machine learning programs to respond."

This alternative would supplement other techniques regarded as more susceptible to being spoofed by foreign actors.

Additional Options.

Other methods, which can be stacked and / or combined yet remain invisible to the human end user, include:

  • Verification Code – Requires the user to confirm identity by responding with a password or PIN that is texted, called, or e-mailed.
  • NuCaptcha – Presents moving text to make it easier to solve and harder to automate.
  • Security Approaches – Uses CSS to hide form elements from human users.
  • JavaScript – Presents elements that bots cannot execute.
  • Bayesian Filter – Looks for words commonly found in spam messages.
  • Akismet – Hosted Web service to detect comment and trackback spam.
  • Civil Rights Defenders' CAPTCHA – Asks a question that can only be answered based on appropriate emotion.
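Several of the invisible methods in the list above can be stacked in a single server-side check on a comment form. The Python below is an added example for this report, not code from any of the products named and not part of the original text. It assumes hypothetical form field names: a CSS-hidden field (website_url) that a human never sees and therefore never fills in, a field (js_ok) that only client-side JavaScript populates, a server-recorded time at which the form was issued, and a small constructed training set standing in for a real Bayesian spam corpus. Each check contributes a reason string, so a deployment can log why a submission was held rather than silently dropping it.

```python
import math
import re

# Hypothetical field names; the CSS-hidden field is the "honeypot" and the
# JavaScript-set field is the one a non-browser client will not populate.
HONEYPOT_FIELD = "website_url"
JS_FIELD = "js_ok"
JS_EXPECTED = "1"
# Assumed threshold: a form issued and returned faster than this was not read
# and typed by a person.
MIN_SECONDS = 3

# Constructed training data for a naive Bayes word filter. A real filter would
# be trained on the site's own labelled comment history.
SPAM_TRAINING = [
    "buy cheap pills online now",
    "cheap replica watches buy now",
    "win free money click here now",
]
HAM_TRAINING = [
    "thanks for the article, very helpful",
    "I had the same question about the config",
    "great post, helpful explanation",
]


def _tokens(text):
    """Lower-case word tokens; punctuation is dropped."""
    return re.findall(r"[a-z']+", text.lower())


def _train(docs):
    """Per-word counts and total word count for one class."""
    counts = {}
    total = 0
    for doc in docs:
        for tok in _tokens(doc):
            counts[tok] = counts.get(tok, 0) + 1
            total += 1
    return counts, total


SPAM_COUNTS, SPAM_TOTAL = _train(SPAM_TRAINING)
HAM_COUNTS, HAM_TOTAL = _train(HAM_TRAINING)
VOCAB_SIZE = len(set(SPAM_COUNTS) | set(HAM_COUNTS))


def spam_log_odds(text):
    """log P(words|spam) - log P(words|ham) with Laplace smoothing and equal
    class priors. Positive values mean the wording looks more like spam."""
    log_odds = 0.0
    for tok in _tokens(text):
        p_spam = (SPAM_COUNTS.get(tok, 0) + 1) / (SPAM_TOTAL + VOCAB_SIZE)
        p_ham = (HAM_COUNTS.get(tok, 0) + 1) / (HAM_TOTAL + VOCAB_SIZE)
        log_odds += math.log(p_spam / p_ham)
    return log_odds


def screen_submission(form, issued_at, now):
    """Run the stacked checks over one submitted form (a dict of field values)
    and return the list of reasons it looks automated. An empty list means the
    submission passed every check."""
    reasons = []
    if form.get(HONEYPOT_FIELD):
        reasons.append("honeypot field filled")
    if form.get(JS_FIELD) != JS_EXPECTED:
        reasons.append("javascript-set field missing")
    if now - issued_at < MIN_SECONDS:
        reasons.append("submitted too fast")
    if spam_log_odds(form.get("comment", "")) > 0:
        reasons.append("spam-like wording")
    return reasons


if __name__ == "__main__":
    # Constructed submissions: one typed by a person, one from a script.
    human = {"comment": "thanks, very helpful article", "js_ok": "1"}
    script = {"comment": "buy cheap pills now", "website_url": "http://example.invalid"}
    print("human:", screen_submission(human, issued_at=100, now=130))
    print("script:", screen_submission(script, issued_at=100, now=101))
```

Because the honeypot and JavaScript checks are invisible to a person, they cost nothing in user experience; the timing check and the word filter are the ones that need tuning against real traffic, since a fast typist or a terse legitimate comment can trip a threshold that is set too aggressively.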

Outlook


As a technology, CAPTCHA attempts to address a clear need. Despite this fact, the security measure has occasionally been defeated, with a glaring example published in 2016 by Columbia University researchers who developed an automated method to get around the mechanisms used by Facebook and Google. [4]

To remain relevant, therefore, CAPTCHA needs to constantly evolve to keep pace with
the emerging, clever ways being devised to circumvent it. The technology must also, at the same
time, continue to improve in order to stand out from some comparable options
that are available.

Recommendations


Companies that do business on the Web, and especially those organizations that appeal to the general public, should consider CAPTCHA and its alternatives to protect against spam and other attacks. At the same time, an organization does need to keep its customer needs at the forefront. For companies to use CAPTCHAs (and keep customers happy), primary considerations need to include accessibility, experience, and striking a security / convenience balance. General deployment recommendations include:

  • Accessibility – Any implementation of CAPTCHA should offer an alternative. For example, audio clips that allow visually impaired users to access Web sites are now available. This consideration also includes addressing language and pronunciation issues.
  • User Experience – If a less complicated technology can be used, such as a hidden form, this is advisable.
  • Balance – Struck between Web site security and visitor convenience.

References

[1] "It's easy to fool CAPTCHA." Panda Security. April 27, 2016.
[2] Lazzaro, Sage. "These New CAPTCHAs Are Making Me Hungry (and Confused)." The Observer. August 18, 2015.
[3] Toon, John. "Real-Time Captcha Technique Improves Biometric Authentication." Georgia Institute of Technology. February 19, 2018.
[4] Pauli, Darren. "Google, Facebook's CAPTCHAs Vanquished by Security Researchers." The Register. April 7, 2016.