Why CAPTCHA’s have become too difficult for humans
If you have any type of form on your website, chances are you’ve experienced form spam at one stage or another. Simply put, form spam occurs when spam bots – automated bot programs – flood form submissions with junk entries such as advertisements, links, phishing or abusive content.
Blocking spammers from infiltrating your web forms saves you from having to manually sort through and delete spam submissions, and helps keep your website comment section (if you have one) from looking spammy. But how do you stop the bots?
Enter CAPTCHA
To date, the most common and accepted method to block spam bots has been the CAPTCHA. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and it refers to the process of blocking spam bots with a security exercise that, theoretically, only a human could successfully complete.
CAPTCHAs have become increasingly difficult to bypass in recent years as a result of spam bots developing more intelligent, AI-led capabilities. When spam bots first came about in the early 2000s, CAPTCHAs were simple image text, where the user passed the test if they were able to recognise what was shown on the image. The bots quickly caught on to this, and by 2010, the images of text had to be warped and obscured so they weren’t as easily recognisable by bots.
Soon enough, the bots had learned to recognise these images with a shocking level of accuracy, while it was becoming increasingly difficult (and frustrating) for humans to pass the test. By 2014, computers were able to bypass these CAPTCHAS 99.8% of the time, while humans were only able to pass 33% of the time*.
The problem we’re facing today is that machines are too quick to overcome these new security hurdles, which are simultaneously providing a frustrating user experience for humans.
So, how can we effectively distinguish humans from bots?
There have already been other attempts at screening out bots using methods other than CAPTCHA, including exercises like classifying images of people by facial expression, gender and race, answering trivia questions and solving math problems or puzzles. However, many of these methods have failed due to being too hard, inappropriate or discriminating.
One alternative to CAPTCHA and other similar approaches is called the honeypot method. The ‘honeypot’ is an additional field that exists on a form that is visually hidden from the user. Valid users i.e. humans can’t see the field, so they won’t fill it in. Spam bots, however, will ‘see’ the field in the form’s code, auto-populate it with something, and submit it with the rest of the form. This means any time that particular field is filled in, it indicates a spam form submission that can automatically be deleted.
Although this method provides a much better experience for the vast majority of users, it’s not without its flaws. For instance, it could potentially have negative implications for visually-impaired users using screen readers, which could pick up on the honeypot field. Some smarter bots are also learning to recognise the coding and differentiate between a honeypot field and a regular field.
Another alternative is Google’s Invisible reCAPTCHA, which was rolled out in 2016. reCAPTCHA works by tracking user behaviour such as cursor movements and typing patterns to detect signs of automation. While robots can move quickly through a form and complete it in minimal time, humans tend to click and scroll with slower speed and imperfect motor skills when moving the mouse. If reCAPTCHA detects automation based on these factors, it asks the user to check a box to verify that they’re not a robot.
Like the honeypot, this method provides a much smoother experience than having to solve problems or answer questions – but it may only be a matter of time before bots learn to circumvent these obstacles as well.
To be human is to be imperfect. Can we win the race against the machines, or will they take over by learning how to be ‘human’? Only time will tell.
* https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence
