CAPTCHAs Don’t Stop Bots—They Stop Customers

CAPTCHAs Don’t Stop Bots—They Stop Customers

October 4, 2018

[Editor’s note: October is Frictionless Fraud Prevention Month at Card Not Present (sponsored by Shape Security). Traditionally, online fraud prevention and an engaging user experience have been at odds with each other. But, online merchants have emerging technologies available to them today that can begin to attenuate that tension.]

The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was originally designed to prevent bots, malware and artificial intelligence (AI) from interacting with a web page. In the 1990s, the main use for CAPTCHAs was to prevent spam bots. These days, e-commerce companies use CAPTCHAs in an attempt to prevent fraud at scale, such as credential stuffing (testing stolen passwords in order to commit account takeover) and carding (testing stolen credit cards numbers online in order to commit credit card fraud).

Except...they don’t actually work.

There are multiple ways fraudsters get around CAPTCHA. A common method is to use a CAPTCHA-solving service, which rely on low-cost human labor in developing countries to solve CAPTCHA challenges on demand. Cybercriminals subscribe to these services, streamlining the answers into their automated programs via an API. These shady services are so ubiquitous that many can be found with a quick Google search, including:

  • DeathbyCAPTCHA
  • 2Captcha
  • Kolotibablo
  • ProTypers
  • Antigate

So, putting a CAPTCHA on your website or mobile app won’t stop fraud. But that’s not even the worst part.

CAPTCHAs actually cause harm to an e-commerce business. A Stanford study found that a CAPTCHA typically takes 7-12 seconds for a consumer to successfully complete. As every marketing and e-commerce professional knows, the more time it takes to make a transaction, cart abandonment and site bounces become more likely.

Yet the fraud problem still persists. Is the answer to develop a new, “hardened” CAPTCHA? Well, we have had many iterations, from Google’s reCAPTCHA, to FunCAPTCHA, to Invisible CAPTCHA, but the result remains the same: the test that attempts to stop automation is circumvented with automation.

To understand how CAPTCHA-solving services work and the fundamental requirements for an effective fraud-prevention measure, read this post, How Cybercriminals Bypass CAPTCHA.


  • Share this Article:

Lastest Fraud News