
Automated and Human Solvers Available in Plenty Make Bypassing CAPTCHAs Easy
Bad actors take the path of least resistance when attacking digital channels, and CAPTCHAs, with their diminishing ability to stop even basic bots, readily offer that path. Off-the-shelf automated and human solvers make it ridiculously easy for attackers to bypass CAPTCHAs.
CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’ and these challenges were originally designed to stop bots from exploiting websites. With rapid advancements in technologies, however, bots have gained advanced capabilities and, in some cases, even human-like capabilities.
On the other hand, CAPTCHAs continue to rely on the same old challenges, leading to subpar defenses that are vulnerable to exploitation. Today, even basic bots can clear legacy CAPTCHAs with ease and at scale, defeating the very purpose CAPTCHAs were created for in the first place.
CAPTCHAs are frustrating to consumers
By repeatedly requiring consumers to confirm they are not spambots, CAPTCHAs introduce unnecessary friction and have become frustrating for genuine users. In fact, a study by Stanford University found that humans achieved only about an 85% success rate when translating a CAPTCHA image.
The study further reveals that with an average solve time of 10 seconds for certain CAPTCHAs, rising to as much as 30 seconds for audio CAPTCHAs, businesses risk their websites becoming less accessible to legitimate consumers, because the challenge breaks the flow of the consumer’s browsing experience.
Several ways to solve CAPTCHAs
To make matters worse, CAPTCHAs are not fool-proof. Attackers can use Optical Character Recognition (OCR) software to crack CAPTCHA challenges. They can use intelligent bots that make a simple API call to a CAPTCHA farm every time they encounter a CAPTCHA and have the challenge solved in no time. More enterprising attackers can save effort and cost by outsourcing the activity to human click-farms.
Despite Google introducing newer versions of reCAPTCHA, intelligent bots clear these without much hassle. In fact, using technology to “solve” CAPTCHAs has become a business in and of itself, as one can quickly find both free and paid CAPTCHA solvers with a quick online search.
Using automated solvers that make use of cookies and token harvesting, attackers can clear CAPTCHA challenges at scale. For instance, when Google’s ‘No CAPTCHA reCAPTCHA’ was reverse engineered, developers found that cookies recorded a user’s past behaviour and previous CAPTCHA solves, and that these were used to decide whether to challenge that user in future. Consumers that were ‘seen’ as genuine got a ‘No CAPTCHA experience’, while the others faced the same old reCAPTCHA challenges.
This ‘cookie whitelisting’ of consumers makes reCAPTCHA even more vulnerable, as it replaces the challenge-response mechanism with a ‘g-recaptcha-response’ token. Attackers can obtain a valid ‘g-recaptcha-response’ token that matches the targeted website’s reCAPTCHA configuration. To do this, attackers replicate the target website’s reCAPTCHA and get an unsuspecting user to complete this fake variant. Bots then submit the ‘g-recaptcha-response’ generated in the process to pass the reCAPTCHA and access the target’s original website.
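The token-replay pattern just described is only possible when the site accepting the token does not check where and when it was solved. Google’s siteverify endpoint reports, alongside `success`, the `hostname` on which the challenge was solved, the `challenge_ts` timestamp, and (for reCAPTCHA v3) a `score` and `action`; it also returns the `timeout-or-duplicate` error code when a token is reused. The following is an added example, not code from the original post or from Arkose Labs, showing how a backend can validate a siteverify result against those fields. The allowed hostnames, the 0.5 score threshold, and the sample responses are constructed for illustration.

```python
"""Server-side validation of a reCAPTCHA siteverify result (added example).

Assumes the documented shape of Google's siteverify JSON response:
success, challenge_ts, hostname, error-codes, and for v3 score and action.
Sample responses below are constructed, not captured from a real deployment.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Hostnames on which a genuine challenge for our site key may be solved (constructed).
ALLOWED_HOSTNAMES = {"shop.example.com", "www.example.com"}
# reCAPTCHA tokens are only valid for two minutes after being issued.
MAX_TOKEN_AGE = timedelta(minutes=2)
CLOCK_SKEW = timedelta(seconds=30)


def fetch_siteverify(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """POST the client-supplied token to siteverify and return the parsed JSON.

    This performs a network call and is not exercised by the offline samples below.
    """
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def validate_siteverify(result: dict, now: datetime,
                        expected_action: Optional[str] = None,
                        min_score: float = 0.5) -> Tuple[bool, str]:
    """Return (accepted, reason) for one siteverify response.

    Rejects tokens Google itself rejected (including reused ones), tokens solved on a
    hostname other than ours (the replay-from-a-lookalike-site pattern), stale tokens,
    and v3 tokens with the wrong action or a low score.
    """
    if not result.get("success"):
        return False, "rejected by siteverify: " + ",".join(result.get("error-codes", []))

    hostname = result.get("hostname", "")
    if hostname not in ALLOWED_HOSTNAMES:
        return False, f"token was solved on unexpected hostname {hostname!r}"

    raw_ts = result.get("challenge_ts", "")
    try:
        # siteverify uses ISO 8601, e.g. 2024-01-01T11:59:40Z; fromisoformat wants +00:00.
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    except ValueError:
        return False, "missing or malformed challenge_ts"
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    if now - ts > MAX_TOKEN_AGE or ts > now + CLOCK_SKEW:
        return False, "token is stale or carries a future timestamp"

    if "score" in result:  # reCAPTCHA v3 fields
        if expected_action and result.get("action") != expected_action:
            return False, f"action mismatch: {result.get('action')!r}"
        if float(result["score"]) < min_score:
            return False, f"score {result['score']} below threshold {min_score}"

    return True, "ok"


def run_samples() -> dict:
    """Validate a set of constructed siteverify responses against a fixed clock."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def ts(seconds_ago: int) -> str:
        return (now - timedelta(seconds=seconds_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")

    samples = {
        "genuine": {"success": True, "challenge_ts": ts(20), "hostname": "shop.example.com"},
        # Solved on an attacker-controlled lookalike page, then replayed to us.
        "replayed_from_lookalike": {"success": True, "challenge_ts": ts(20),
                                    "hostname": "shop-example.invalid"},
        # Same token submitted twice: Google reports it as a duplicate.
        "reused_token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
        "stale": {"success": True, "challenge_ts": ts(600), "hostname": "shop.example.com"},
        "v3_low_score": {"success": True, "challenge_ts": ts(5), "hostname": "www.example.com",
                         "score": 0.1, "action": "login"},
    }
    return {name: validate_siteverify(r, now, expected_action="login")
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:26} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The hostname check is the one that directly addresses the replay described in the post: a token harvested on a copy of the widget hosted elsewhere arrives with that other hostname in the siteverify response. Single use and the two-minute lifetime are enforced by Google and surface as a failed `success` flag, so the backend only has to refuse to proceed on anything other than a fresh, successful, correctly-hosted result.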
Automated CAPTCHA solvers are available in plenty
There are many tools, both automated and human-powered, such as Death by CAPTCHA, Anti CAPTCHA, AZcaptcha, ProxyCrawl, Solve Recaptcha, 2Captcha, and many more, that are easily available on the market and can enable even a novice attacker to bypass CAPTCHAs at scale.
Recently, researchers from the Universities of Arizona, Georgia, and South Florida came together to develop a machine-learning-based CAPTCHA solver that can apparently overcome 94.4% of real challenges on dark websites. This solver can “distinguish between letters and numbers, denoise the image, identify the borders between letters, and segment the content into individual characters.” The system relies on interpreting rasterized images, unlike other studies that use generative adversarial network-based approaches.
In another instance of an automated CAPTCHA solver, three researchers from the University of Columbia created a low-cost CAPTCHA solver. This solver can automatically solve nearly 71% of all presented reCAPTCHA challenges and 83.5% of all Facebook image CAPTCHAs.
These experiments and developments underscore the vulnerability of CAPTCHAs and the ease with which attackers can create solutions to circumvent them.
Adopt a defense-in-depth approach for long-term protection
With a thriving cybercrime ecosystem to tap into, tech-savvy attackers share intelligence and expertise to create workarounds that help them bypass any new developments in reCAPTCHA. Therefore, to ensure effective fraud prevention in the long run, digital businesses must rethink their fraud defense strategies. They need a defense-in-depth approach coupled with smart anti-fraud solutions to fight advanced bots.
Arkose Labs helps global businesses safeguard their business and consumer interests from the rising scourge of bots. Using targeted friction, the Arkose Labs platform stops bots – of all levels – and malicious human click farms. Our proprietary 3D challenges are extensively trained against machine vision technology to make them resilient to bots of varied capabilities. For persistent human attackers, the challenges keep increasing in volume and complexity, which wastes the time and resources of the attackers, and eventually renders the attack financially non-viable. In the absence of any potential returns, the attackers abandon the attack and move on to the next unprotected target.
To learn more about Arkose Labs’ defense-in-depth approach to long-term fraud prevention, book a demo now.
*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Richard Dufty. Read the original post at: https://www.arkoselabs.com/blog/automated-human-solvers-available-in-plenty-make-bypassing-captchas-easy/