Veracity Blog

Why reCAPTCHA isn’t a failsafe against all click fraud

Why reCAPTCHA isn’t a failsafe against all click fraud

Google’s reCAPTCHA is hailed as a simple solution against bots, spam and other internet abuse but it’s not a failsafe. It can easily be defeated.

Bad bots continue to consume resources and overwhelm organisations, accounting for at least a quarter of all internet traffic and disrupting processes. 

To highlight the size of the problem, there were in excess of 57 billion bot-initiated attacks in human-initiated financial services processes in 2021 (this is believed to be an underestimate. Source: Help Net Security), growing at 41% per year.

If it were measured as a country, cybercrime — which was predicted to inflict damages totalling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the US and China.

Many businesses are vulnerable to bot fraud

According to Forrester Consulting’s State Of Online Fraud And Bot Management, 78% of organisations are using denial-of-service (DDoS) protection, web application firewall (WAF), and/or content delivery networks (CDNs) to manage bots but only 19% have a full bot management system in place.

This approach leaves them woefully vulnerable to attacks. Unfortunately many businesses don’t protect themselves against many of the different attacks that they are likely to be prone to.

For example, while only 15% of businesses are protecting against web scraping attacks, 73% are facing those types of attacks on a weekly basis with 63% losing between 1% and 10% of their revenue to those attacks alone.

IMAGE: Forrester Consulting’s State Of Online Fraud And Bot Management


What does ad fraud mean for business?

During the past two years the COVID-19 pandemic caused huge changes in how the world did business, with many companies being forced to operate online whether they were ready or not.

Moving quickly without preparation can sometimes leave business vulnerable to security weaknesses and some of today’s online threats, carried out by armies of automated bots simulating human activity, can post a greater risk than management may have considered.

“Many businesses focus on the types of attacks that are commonly in the news, rather than the attacks that can cause the most damage to their bottom lines.” – Forrester Consulting.

According to Forrester, 83% of respondents agreed their organisation believed bot attacks were a problem and nearly two-thirds noted there was more awareness of the need to manage it.

Allowing bad bots into your business processes can be very expensive for organisations in many ways, including:

  • Loss of revenue associated with account takeover, credential stuffing, content scraping, fake account creation, inventory denial, website downtime and performance degradation;
  • Increased operational expense including infrastructure costs, authentication expenses, and the people cost of the time spent on bot mitigation;
  • Regulatory penalties such as the huge fines imposed on organisations for breaches of, for example, GDPR or AML regulations;
  • The intangible (and sometimes tangible) damage to brand reputation resulting from negative publicity and loss of customer confidence.

The growth in internet malpractice

The rise of the internet in the 1990s also brought with it malpractice and CAPTCHAs were created as a way of identifying genuine users from bad bots crawling through websites to perform some kind of fraud or phishing scams.

Image: An old version of reCaptcha from Google.

Its very name explains what a CAPTCHA is – Completely Automated Public Turing test to tell Computers and Humans Apart.

Using a basic Turing test to tell humans and bots apart, reCAPTURE v2 uses a visual puzzle that is easy for humans to solve but harder, in theory, for bots and other malicious software to figure out. 

IMAGE: Google’s V2 of reCAPTCHA

It displays as either a simple tick box or it can have a more complex pattern where the user has to identify certain objects within a number of connected images (see above).

Unfortunately, by 2014 Google found that their reCAPTCHA program, itself a development from the earliest ones, could be bypassed by bots more than 99% of the time.

The current version reCAPTCHA v3, was unveiled in 2018 and works behind the scenes using an advanced risk analysis engine and adaptive challenges to prevent malicious software from engaging in fraudulent or abusive activities on a website. 

But there are also concerns about privacy issues as Google collects more and more data from websites. One study found that, across one million of the world’s top websites that employ CAPTCHA, Google reCAPTCHA was deployed by 94% of them.

Shortfalls and issues with CAPTCHA programs

Poorly designed tests can be failed multiple times, leading to customer frustration. When a human encounters a CAPTCHA test, they need to spend time working it out and this can lead to visitors leaving your business’ website and going elsewhere. It can be a barrier to good user experience.

Also, and of greater concern, a bot can bypass the test—acting like a CAPTCHA skipper and proceeding almost directly through in moments and a study by researchers at Stanford found they reduce form conversions by up to 40 percent.

In addition, fraudsters and criminal gangs also use “human farms” – people being paid miniscule amounts to log onto the internet and act as genuine buyers or users – to bypass CAPTCHA protocols, as was shown during the recent PS5 and Xbox Series X console launches which pitted human buyers against bots owned and operated by scalpers on retailer websites.

Existing bot detection solutions use a mix of methods to determine whether a digital transaction is from a bot. Current tools work after-the-event; the bot has to strike first before detection and the subsequent mitigation is then deployed. 

Bot networks are also highly sophisticated and run counter-detection measures making this process difficult to maintain, leading to a never-ending war of attrition with the bad actors often being ahead.

To level up their bot management, businesses must look to a complete bot management solution, rather than piecemeal approaches.

Veracity offers a solution for business

Beaconsoft has developed Veracity, a Deep Tech ML-based in-process solution to overcome the weaknesses of CAPTCHA technologies and assure only humans in internet transactions.

Veracity provides the ability to detect and defend against sophisticated bot attacks, reduce friction and improve customer experience, and provide visibility across an organisation and their close partners. 

Importantly, Veracity checks for bots a step before the usual identity validation process. Built on several years of research and innovation it has already been deployed it into one sector – successfully reducing ad fraud in Digital Marketing under the brand Veracity. It is now being deployed into sectors that include Financial Services, Retail, Travel, Gaming, Healthcare, eCommerce, Legal, Payment systems, Crypto, Advertising, government and others.

Available as a plug-in service, Veracity is designed to be deployed in minutes and will easily integrate with other core tools that are used by organisations in the security, financial crime, crypto, and e-commerce market sectors.

The innovative approach behind Veracity was recognised in 2020 by Tech Nation as one of the 16 innovative AI companies in the UK to watch and has recently won the Tech Nation Rising Stars 3.0 Cyber Award 2021.

You can find out more about the Veracity Trust Network and the project on our website: 

, , , , , , , , ,

Award-winning malicious bot protection.

Cyber Award Winner 2021

AI-Enabled Data Solution of the Year – DataIQ Awards 2023 Finalist

Tech Innovation of the Year Winner – Leeds Digital Festival Awards

Cyber Security Company of the Year – UK Business Tech Awards 2023 Finalist

Tech Leader of the Year – Tech Awards 2023 Finalist

Best Use of AI – Tech Awards 2023 Highly Commended