BNMC Blog
What Makes CAPTCHA So Complex (and Consistently Chafing)?
“To confirm you’re a human being, select all of the images that include traffic signals.”
Chances are good that you’ve seen such a requirement before as you’ve spent time online, whether you were filling out a form or logging into a website. Whether it was an evaluation like the one above, or simply one where you needed to identify a highly distorted series of alphanumeric characters, you probably have also noticed these tests getting more difficult as time has passed. The reason for this is simple: computers are getting better at beating them.
Let’s take a few minutes to examine the ramifications of this improvement, and how it will impact how users can identify themselves as legitimate in the future.
What is CAPTCHA?
CAPTCHA, or Completely Automated Public Turing Test to tell Computers and Humans Apart, is what Google uses to catch automated spam before it assaults the Internet. The idea is that there are certain ways that humans will interact with content differently than automated spam can. Therefore, by requiring a certain task to be completed in a certain way, the legitimacy of a user can theoretically be verified.
At the turn of the century, CAPTCHA was highly effective against spambots by simply requiring the user to identify the text shared in an image. Alas, this was not to remain the case.
Why CAPTCHA Has Gotten More Challenging
The trouble really started after Google was able to take possession of CAPTCHA and, more importantly, utilize it to help digitize Google Books. The issue here was that, by doing so, the text used to verify users needed to become much more distorted to fool the optical character recognition programs available. No easy feat, especially as the human beings solving these tests were also giving the optical recognition programs the data needed to improve their capabilities.
The creators of CAPTCHA saw this coming, predicting that machine intelligence would overtake human capability when it came to passing these tests. Adding to the issue, these tests need to be universally approachable, free of any cultural influence or bias.
This eventually led to CAPTCHA being replaced by NoCAPTCHA ReCAPTCHA in 94 percent of websites that implemented it. NoCAPTCHA ReCAPTCHA focuses more on user behavior, but its implementation has not stopped the development of even more secure methods, seeing as many threats are now focused on replicating how a user would interact with the system.
The fact of the matter is that automated tools and bots are now more effective than most people when it comes to solving CAPTCHA prompts. In 2014, a machine learning algorithm went head to head against users to test how accurately the traditional distorted-text variety could be bypassed.
The bot was successful 99.8 percent of the time. The humans were successful 33 percent of the time.
Making things worse, CAPTCHA-solving programs and services are also available, providing a cost-effective way to undermine the security measure.
How Can CAPTCHA Be Made Secure Again?
While CAPTCHA has the potential to still be effective, there undoubtedly needs to be some way to make it easier for a human being to complete but confounding to a machine. To accomplish this, various tactics have been considered, some more likely than others to be implemented:
- Requiring users to classify faces based on various guidelines, like their expression, gender, and ethnicity. This method is the least likely, considering today’s amplified social awareness.
- CAPTCHAs that rely on regionalized trivia and nursery rhymes, with these targeted questions helping to prevent bots and distant hackers from succeeding.
- Image-based CAPTCHAs that use more subjective content like cartoons and optical illusions.
- Gamified CAPTCHAs with contextual hints for instructions that a computer wouldn’t pick up on.
- Cameras and augmented reality being used to enable physical authentication.
Of course, there is also the continued research into behavior-based authentication that uses metrics like cursor accuracy and other traffic patterns. Google has started testing some of these variables on a case-by-case basis.
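To make the behavior-based idea concrete, here is an added example (not code from Google or BNMC) that scores a recorded cursor trace on two signals: how straight the path is and how evenly spaced the samples are. The function names, the trace format, and both thresholds are assumptions chosen for illustration.

```javascript
// Added example: flag pointer traces that look scripted rather than human.
// Thresholds are illustrative assumptions, not values from any real CAPTCHA product.

// A trace is a list of {x, y, t} samples (pixels, milliseconds).
function traceFeatures(trace) {
  if (!Array.isArray(trace) || trace.length < 3) return null; // too few samples to judge
  let pathLen = 0;
  const intervals = [];
  for (let i = 1; i < trace.length; i++) {
    const dx = trace[i].x - trace[i - 1].x;
    const dy = trace[i].y - trace[i - 1].y;
    pathLen += Math.hypot(dx, dy);
    intervals.push(trace[i].t - trace[i - 1].t);
  }
  const first = trace[0], last = trace[trace.length - 1];
  const direct = Math.hypot(last.x - first.x, last.y - first.y);
  const mean = intervals.reduce((a, b) => a + b, 0) / intervals.length;
  const variance = intervals.reduce((a, b) => a + (b - mean) ** 2, 0) / intervals.length;
  return {
    // 1.0 means a perfectly straight line; human movement curves and overshoots.
    straightness: pathLen === 0 ? 1 : direct / pathLen,
    // Coefficient of variation of sample timing; 0 means perfectly even spacing.
    timingCv: mean === 0 ? 0 : Math.sqrt(variance) / mean,
  };
}

function classifyTrace(trace) {
  const f = traceFeatures(trace);
  // No usable pointer data (touch or keyboard users): fall back to a visible challenge.
  if (f === null) return "insufficient-data";
  const tooStraight = f.straightness > 0.995; // assumed threshold
  const tooRegular = f.timingCv < 0.05;       // assumed threshold
  return tooStraight && tooRegular ? "suspicious" : "plausible-human";
}

// Constructed sample traces (not real user data).
const scripted = Array.from({ length: 10 }, (_, i) => ({ x: 10 * i, y: 5 * i, t: 16 * i }));
const human = [
  { x: 0, y: 0, t: 0 }, { x: 8, y: 3, t: 19 }, { x: 21, y: 11, t: 31 },
  { x: 40, y: 17, t: 52 }, { x: 62, y: 30, t: 60 }, { x: 80, y: 48, t: 85 },
  { x: 93, y: 47, t: 120 }, { x: 90, y: 45, t: 170 },
];

console.log(classifyTrace(scripted), classifyTrace(human));
```

A single signal like this is only one input to a risk score; users of assistive technology or touch screens produce no cursor trace at all, which is why the sketch returns a separate "insufficient-data" result instead of rejecting them.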
The way things are shaping up, it’s somewhat likely that these security Turing tests will only be passable in the future by incorrectly performing a task or answering a question.
If there’s anything that this tells us, it’s that account and data security is only going to grow in importance. BNMC is here to help you do everything you can to secure your business, its data, and by extension, its future. Find out more by calling our team at (978) 482-2020 today.