ReCaptcha Comparison

February 27, 2025 by Halden Kavanagh

CAPTCHAs, those seemingly simple tests designed to distinguish human traffic from bots, have become a cornerstone of online security and something we encounter almost every day. While CAPTCHAs have previously been seen as foolproof barriers against bots, they are increasingly threatened by new techniques. From human “CAPTCHA farms” to sophisticated artificial intelligence attacks and software like OCR, cybercriminals have developed various ways of cracking your site’s CAPTCHA. In this blog, we will explore the ways bad actors can bypass CAPTCHAs and compare some of the most commonly used CAPTCHAs, looking at how they hold up against these rising threats.

Ways Malicious Groups Can Bypass CAPTCHAs

Major means of beating CAPTCHAs include human CAPTCHA farms, artificial intelligence, and specialized software like OCR.

CAPTCHA Farms:

CAPTCHA farms are one of the most common CAPTCHA evasion techniques, and they work quite simply. The bot responsible for the infiltration of your site is equipped with an API which, when faced with a CAPTCHA, sends the request to a CAPTCHA farm to be completed by a real human. This approach is very efficient, and almost always leverages labor from developing countries. Nowadays CAPTCHA farms are virtual: you can sign up on sites like 2Captcha and get paid based on how many CAPTCHAs you pass. Anyone, anywhere can work in a CAPTCHA farm to make a few bucks at home, but usually poorer countries are exploited by this industry.

Artificial Intelligence:

Using AI to beat CAPTCHAs is a very powerful and rising way for bots to bypass them. Previously (when CAPTCHAs were created), AI was not an issue to be taken into consideration, but nowadays it is an extreme threat and can pass them with ease. Neural networks and machine learning can be leveraged to learn, adapt, and overcome the challenges posed by most CAPTCHAs. Because most CAPTCHAs were built before the advent of artificial intelligence, they are not equipped to recognize AI-driven solvers, and are therefore vulnerable to them.

Specialized Software (OCR):

Optical Character Recognition (OCR) works by converting different types of documents, such as images, scanned documents, and text, into editable and searchable data. OCR was originally a tool used to digitize various physical documents, but it can be used to efficiently crack CAPTCHAs. OCR programs make quick work of text recognition CAPTCHAs (the ones with a string of distorted text you have to write out). Though not as effective, they are also adept at the image recognition ones. Hackers can use OCR programs to beat CAPTCHAs on your site, but anyone can use them: there are various Chrome extensions anyone can download if they want to bypass those types of CAPTCHAs.

Google ReCAPTCHA v2:

ReCAPTCHA v2 is the most common bot detection tool, and there is a high chance you have encountered one. It usually comes in the form of a checkbox, or a challenge where you have to select images of buses or something similar. It uses a risk analysis system that relies heavily on Google cookies. If the user has been signed in on Chrome for a while, they will most likely get a checkbox; however, if they are on a fresh browser or are blocking cookies, they will likely get a more involved challenge.

Pros:

  • Widespread. ReCAPTCHA v2 is by far the most common CAPTCHA. Users will be familiar with it.
  • Ease of use. For most users, it will only be a checkbox.
  • Simple implementation into websites.

Cons:

  • User frustration: Sometimes, the image selection test can be difficult.
  • Accessibility issues: The image test can be difficult for users with disabilities.
  • Performance: May slow down the site due to the large amount of JavaScript loaded.
  • Privacy concerns: Google collects data for bot detection, raising concerns from privacy-conscious users.
  • Security: V2 is becoming less secure, especially with AI starting to be able to pass its tests, and with things like CAPTCHA farms aiding cybercriminals in passing CAPTCHA tests.

ReCAPTCHA v3:

ReCAPTCHA v3 uses a behind-the-scenes scoring system to analyze user behavior and determine the likelihood of bot activity. It does not interrupt the user’s experience with challenges or visible widgets.

Pros:

  • Works in the background, meaning users don’t have to complete a challenge to pass it.
  • Assigns a bot score based on user actions, meaning it does not rely on Google cookies.
  • Since there is no test, accessibility concerns and user frustration are non-issues.

Cons:

  • The scoring system may produce false positives or negatives.
  • Like v2, it relies heavily on data collection and user tracking through Google services.
  • Thresholds of acceptable scores are hard to customize, making it less flexible for bot detection.

Cloudflare Turnstile:

Cloudflare Turnstile is a privacy-focused CAPTCHA alternative that performs non-intrusive browser-based challenges to verify users without requiring interaction. It does not depend on Google’s ecosystem and is designed to minimize user disruption.

Turnstile uses a combination of techniques to detect bots, including behavioral analysis (mouse movements and interactions, or touch gestures on mobile) and signals from the browser and device, such as browser properties and resolution, that may hint at automated tools being used. There are other systems at play, like machine learning trained against Cloudflare’s global network, and geographical context.

Once the user is confirmed as a human, they are given an anonymous token, which validates the user without tracking them.

Pros:

  • Works entirely in the background, with no tests or checkboxes.
  • Does not rely on tracking or data harvesting, making it ideal for privacy-conscious users who are wary of Google.
  • Faster to load and less resource-intensive compared to reCAPTCHA options.
  • Easy to add to Cloudflare-protected sites, with no need for additional plugins or libraries.
  • Performs robust bot detection using Cloudflare’s advanced tools without relying on cookies.

Cons:

  • Lacks the long-term track record of reCAPTCHA, making it less established and proven.
  • Less customizable than reCAPTCHA v3.
  • May not be as effective in blocking advanced bots.
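
Both the reCAPTCHA v3 score and the Turnstile token described above reach your server as a JSON response from the provider's siteverify endpoint. The following is an added example, not code from Google, Cloudflare or this post, that turns such a response into an allow / step-up / block decision so that borderline v3 scores do not become hard false positives; the thresholds, the `login` action, the host `shop.example` and the sample responses are assumptions constructed for illustration.

```python
# Assumed policy values for this example; tune them against your own traffic.
ALLOW_AT = 0.7     # score at or above this passes silently
BLOCK_BELOW = 0.3  # score below this is rejected outright


def decide(result, expected_action, expected_host):
    """Map a parsed siteverify JSON response to (decision, reason)."""
    if not result.get("success"):
        # Invalid, expired or replayed token; keep the codes for the log.
        return "block", ",".join(result.get("error-codes", [])) or "verify-failed"
    # A token minted on another site or for another form is valid but not ours.
    if result.get("hostname") != expected_host:
        return "block", "hostname-mismatch"
    if result.get("action") != expected_action:
        return "block", "action-mismatch"
    score = result.get("score")  # reCAPTCHA v3 only; Turnstile is pass/fail
    if score is None:
        return "allow", "no-score"
    if score >= ALLOW_AT:
        return "allow", "score-high"
    if score < BLOCK_BELOW:
        return "block", "score-low"
    # Middle band: a single hard cutoff turns these into false positives or
    # false negatives, so ask for a second check (e-mail code, visible challenge).
    return "step_up", "score-borderline"


# Constructed sample responses for a hypothetical site, not captured traffic.
HOST = "shop.example"
SAMPLES = {
    "v3_human": {"success": True, "score": 0.9, "action": "login", "hostname": HOST},
    "v3_borderline": {"success": True, "score": 0.5, "action": "login", "hostname": HOST},
    "v3_bot": {"success": True, "score": 0.1, "action": "login", "hostname": HOST},
    "v3_wrong_form": {"success": True, "score": 0.9, "action": "signup", "hostname": HOST},
    "turnstile_ok": {"success": True, "action": "login", "hostname": HOST},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples():
    """Evaluate every constructed sample against the login form's policy."""
    return {name: decide(r, "login", HOST) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:15} {outcome}")
```

Logging the reason alongside the decision shows how many real users land in the step-up band, which is the data you need before moving either threshold.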
