Don't Get Burned by CAPTCHAs: A Recipe for Accurate Bot Protection

By Benjamin Fabre, CEO, DataDome

One of the more pervasive online threats comes from cybercriminals programming bots to roam the Internet looking for ways to manipulate online pages, access databases, and steal data.

Enter CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart. It is meant to do just as it says — differentiate malicious bots from legitimate humans. As the sophistication of bots continually increases, can this conventional method of detection keep up?

Mise en Place: Gathering Ingredients of Traditional CAPTCHA

The original CAPTCHA tests, which first appeared in the late 1990s, were made up of distorted images containing a combination of random letters and numbers. There are many nefarious reasons why bots would want to access certain Web pages. For example, bad bots can:

While CAPTCHAs developed back in the '90s were once enough to address many of these negative effects of bots, today's threat landscape has become far too sophisticated. Before bots could read distorted letters and numbers to solve the challenges, this was a solid security posture.

The Chopping Block: Recent Bypasses Are Proof of CAPTCHA's Dark Side

Proof of growth in bots' sophistication is outlined in a recent crackdown where police arrested nearly 70 people leveraging bots to book and resell immigration appointments by using tactics including methods to bypass various CAPTCHA tests.

This highlights why CAPTCHAs should never be your only line of defense. They are outdated, easily manipulated, and insecure. If organizations opt to use CAPTCHAs to challenge bots, they need to rely on ones that prioritize security and ensure new bot techniques are identified in real time, rendering CAPTCHA farms and CAPTCHA-solve bots useless.

Another security concern is that threat groups use cheap labor in these CAPTCHA farms to solve significant quantities of CAPTCHA puzzles. This is because it is costly for an attacker to conduct large-scale crawling or credential-stuffing attacks using real, automated browsers or automated headless browsers.

Simmer Down on Outdated CAPTCHAs

To effectively stay ahead of malicious actors' capabilities, the secret ingredient is finding the balance of security, user experience, and user privacy. Adding a single layer of security no longer grants companies or their security tools carte blanche to handle user data as they see fit.

It's clear they must go beyond single-layer, traditional CAPTCHA defenses and develop a security stack that combines this technology. To develop an effective CAPTCHA solution, consider these key concepts:

Anyone Can Be a Chef With the Right Utensils

As threats evolve, so do CAPTCHAs, and with the right security posture, organizations can still outwit the bots. To do this, businesses should look for a solution with a dedicated team that can help tailor their protection strategy (including their CAPTCHA) and that leverages both client-side (device details and event tracking) and server-side (reputation, behavior, and fingerprints) capabilities.

While CAPTCHAs are not sufficient bot protection on their own, they can be a useful tool when properly integrated with a complete bot and online fraud protection program.

About the Author

Benjamin Fabre is the CEO of DataDome, a company he co-founded in 2015. A cybersecurity visionary, Benjamin foresaw the rise of bot-driven fraud. He understood early on that the race to block automated online threats would require an instantaneous response at the edge; static rules, no matter how quickly updated, would always be a step behind. Leveraging his deep expertise as a technologist, Benjamin set out to build a transparent and easy-to-deploy anti-bot solution that is a true force multiplier for IT security teams.