11 Dec 2020 • 10 min read
Is this request coming from a real person or an automated computer program? That question led to the development of CAPTCHA technology more than two decades ago, as a way to tell humans and automated programs apart.
Over the years, human verification has become far more sophisticated than squiggly letters, and the newer generation came to be known as advanced captchas. Today we will take a look at two major advanced captchas: Google's ReCaptcha, the most widely known and used human verification software, and Geetest, the largest enterprise-grade captcha solution, with a network of over 290,000 enterprises.
Let's see how they compare.
There are five major points of consideration for evaluating a captcha solution: security, user experience, privacy, enterprise services, and pricing.
For a quick reference, see ReCaptcha vs Geetest [Infographic]
In order to evaluate the security of an advanced captcha solution, we must first look at the captcha hacking landscape and understand the various threats and angles of attack.
At present, there are three effective ways to bypass an advanced captcha: machine learning and machine vision, browser automation (simulators), and captcha solving farms.
With the open-source development of machine vision and machine learning tools, any form of challenge-response on its own has become obsolete. Regardless of difficulty, any challenge-response that humans can solve, a machine learning model can be trained to solve with a higher success rate.
Integrating behavioral analysis into captcha turns the challenge into a means of collecting biometric data. Instead of relying on a cognitive challenge, the risk analysis engine uses that biometric data to determine whether the behavior is human or machine. This is a dramatic change in the logic of bot defense compared with older generations of captchas.
As a result, merely using ML and OCR to crack the challenge is not enough. An automated program must not only crack the challenge but do so while perfectly mimicking human behavior. Generating biometric data that is genuinely human, in order to pass the risk analysis engine, imposes enough limitations to prevent a successful bot attack.
ReCaptcha, like Geetest, employs behavioral analysis models, but unlike Geetest its challenges carry much higher friction, which makes it slightly harder to build high-accuracy machine learning models against it. A relatively large dataset has to be labeled and used to train a model that recognizes every object ReCaptcha presents with a high level of accuracy. Still, ReCaptcha challenges can be cracked with up to 85% accuracy, which is enough for hackers to scale their operations at low cost.
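The risk-analysis idea above, scoring the behavior that accompanies a challenge rather than the answer alone, can be illustrated with a small server-side scorer. The following is an added example written for this article, not code from Geetest or Google, and its features, thresholds and point weights are assumptions chosen to make the idea visible, not either vendor's model. The two pointer traces are constructed for the example: one with the timing jitter and path wobble of a hand-driven cursor, one with the perfectly periodic, perfectly straight movement of a scripted cursor.

```python
import math
from statistics import mean, pstdev

# Constructed sample telemetry for this example (not real data from either product):
# each sample is (timestamp_ms, x, y) for one pointer-move event captured on the client.
HUMAN_TRACE = [
    (0, 0, 0), (17, 4, 1), (31, 9, 3), (52, 16, 2), (68, 25, 5),
    (90, 31, 9), (105, 40, 7), (131, 52, 10), (147, 59, 14), (170, 70, 12),
]
# A scripted cursor: perfectly periodic events along a perfectly straight line.
BOT_TRACE = [(10 * i, 10 * i, 5 * i) for i in range(10)]


def _cv(values):
    """Coefficient of variation (stdev / mean); 0.0 for a constant series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def features(trace):
    """Summarise a pointer trace into the regularity features a risk engine would score."""
    intervals, speeds = [], []
    path_len = 0.0
    for (t0, x0, y0), (t1, x1, y1) in zip(trace, trace[1:]):
        dt = t1 - t0
        dist = math.hypot(x1 - x0, y1 - y0)
        path_len += dist
        if dt > 0:  # ignore duplicate timestamps
            intervals.append(dt)
            speeds.append(dist / dt)
    chord = math.hypot(trace[-1][1] - trace[0][1], trace[-1][2] - trace[0][2])
    return {
        "samples": len(trace),
        "interval_cv": _cv(intervals) if intervals else 0.0,
        "speed_cv": _cv(speeds) if speeds else 0.0,
        # 1.0 means the path is a perfect straight line from first to last sample
        "straightness": chord / path_len if path_len else 1.0,
    }


def risk_score(trace):
    """Return a bot-likelihood in [0, 1] plus the reasons that contributed to it."""
    if len(trace) < 3:
        # No behaviour to inspect is itself suspicious: a request that never moved a pointer.
        return 1.0, ["insufficient pointer telemetry"]
    f = features(trace)
    points, reasons = 0, []
    if f["interval_cv"] < 0.05:  # assumed threshold: human timing jitter is far larger
        points += 40
        reasons.append("machine-regular event timing")
    if f["speed_cv"] < 0.05:  # assumed threshold: humans accelerate and decelerate
        points += 30
        reasons.append("constant cursor velocity")
    if f["straightness"] >= 0.99:  # assumed threshold: hand-driven paths wobble
        points += 30
        reasons.append("perfectly straight path")
    return points / 100, reasons


def decide(trace, threshold=0.5):
    """Policy layer: pass low-risk traffic silently, escalate the rest to a challenge."""
    score, _ = risk_score(trace)
    return "challenge" if score >= threshold else "pass"


if __name__ == "__main__":
    for name, trace in (("human", HUMAN_TRACE), ("bot", BOT_TRACE)):
        print(name, features(trace), risk_score(trace), decide(trace))
```

The point of the design is the one the paragraph makes: a solver that returns the right answer but produces telemetry like BOT_TRACE still ends up in the "challenge" bucket, and the reasons list gives the operations team something to review rather than an opaque score. Real engines use many more signals and learned weights; the thresholds here are only illustrative.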
Browser automation tools, also referred to as headless browsers or simulators, run a full version of the browser while controlling it programmatically, which means they can run without a graphical user interface (GUI). Browser automation tools allow bot programs to appear more human-like, and they are extremely difficult to detect and prevent.
Environment detection refers to the information retrieved from the visitor's computer environment, such as hardware specification, screen size, browser type, version, etc. Through the sophistication of its environment detection techniques, Geetest can accurately identify browser automation tools.
ReCaptcha has no mechanism to distinguish or penalize popular browser automation tools; therefore, fraudsters can easily scale their operations while cracking Google's ReCaptcha.
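To make the environment-detection idea concrete, here is an added example of a server-side consistency check over the attributes a front-end script would collect and post with the captcha request. It is written for this article and is not Geetest's or Google's detection code; the report format, the field names and the "two soft contradictions" rule are assumptions, and the three reports are constructed. The signals themselves are generic and public: the navigator.webdriver flag defined by the WebDriver specification, the HeadlessChrome user-agent token, and contradictions between what a client claims in one attribute and what it reports in another.

```python
import re

# Constructed environment reports for this example, not real data from either product.
# Each is the kind of record a front-end script assembles from navigator/screen/window.
NORMAL_REPORT = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
    "platform": "Win32",
    "webdriver": False,
    "languages": ["en-US", "en"],
    "plugin_count": 3,
    "screen": {"width": 1920, "height": 1080},
    "window": {"inner_width": 1536, "inner_height": 864},
}
# An unmodified headless browser: it announces itself in several attributes at once.
HEADLESS_REPORT = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) HeadlessChrome/87.0.4280.88 Safari/537.36",
    "platform": "Linux x86_64",
    "webdriver": True,
    "languages": [],
    "plugin_count": 0,
    "screen": {"width": 800, "height": 600},
    "window": {"inner_width": 800, "inner_height": 600},
}
# A report whose user agent and webdriver flag were overridden but whose other
# attributes were not made consistent with the claimed Windows desktop.
SPOOFED_REPORT = {
    "user_agent": NORMAL_REPORT["user_agent"],
    "platform": "Linux x86_64",
    "webdriver": False,
    "languages": ["en-US"],
    "plugin_count": 0,
    "screen": {"width": 800, "height": 600},
    "window": {"inner_width": 1920, "inner_height": 1080},
}

HEADLESS_UA = re.compile(r"HeadlessChrome|PhantomJS", re.I)


def _os_from_user_agent(ua):
    # Coarse OS family from the UA string; Android also contains "Linux", which is
    # acceptable for this example because it is compared against navigator.platform.
    if "Windows" in ua:
        return "windows"
    if "Mac OS X" in ua:
        return "mac"
    if "Linux" in ua:
        return "linux"
    return None


def _os_from_platform(platform):
    if platform.startswith("Win"):
        return "windows"
    if platform.startswith("Mac"):
        return "mac"
    if "Linux" in platform:
        return "linux"
    return None


def environment_findings(report):
    """Return (severity, description) pairs; 'hard' = self-declared automation, 'soft' = contradiction."""
    findings = []
    ua = report.get("user_agent", "")
    platform = report.get("platform", "")
    if report.get("webdriver"):
        findings.append(("hard", "navigator.webdriver is true"))
    headless_ua = bool(HEADLESS_UA.search(ua))
    if headless_ua:
        findings.append(("hard", "user agent names a headless engine"))
    ua_os, plat_os = _os_from_user_agent(ua), _os_from_platform(platform)
    if ua_os and plat_os and ua_os != plat_os:
        findings.append(("soft", f"user agent claims {ua_os} but navigator.platform is {platform}"))
    if "Chrome/" in ua and not headless_ua and report.get("plugin_count", 0) == 0:
        findings.append(("soft", "desktop Chrome reports no plugins"))
    if not report.get("languages"):
        findings.append(("soft", "navigator.languages is empty"))
    screen, window = report.get("screen", {}), report.get("window", {})
    if (window.get("inner_width", 0) > screen.get("width", 0)
            or window.get("inner_height", 0) > screen.get("height", 0)):
        findings.append(("soft", "viewport larger than reported screen"))
    if screen.get("width", 0) == 0 or screen.get("height", 0) == 0:
        findings.append(("soft", "zero-sized screen"))
    return findings


def is_automated(report):
    """One hard signal is conclusive; otherwise require two independent contradictions."""
    findings = environment_findings(report)
    hard = sum(1 for level, _ in findings if level == "hard")
    soft = sum(1 for level, _ in findings if level == "soft")
    return hard > 0 or soft >= 2


if __name__ == "__main__":
    for name, report in (("normal", NORMAL_REPORT), ("headless", HEADLESS_REPORT), ("spoofed", SPOOFED_REPORT)):
        print(name, is_automated(report), environment_findings(report))
```

The SPOOFED_REPORT case is the instructive one: once the obvious flag and user agent are overridden, detection has to rest on cross-checks between attributes that an automation script rarely keeps consistent, which is why the article treats environment detection as a technique in its own right rather than a single check.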
A captcha solving farm refers to an automated captcha recognition service in which captchas are directed, through an API, to human workers who solve them remotely. This approach exploits captcha's fundamental logic, which is to distinguish automated computer programs from genuine humans.
Geetest adopts dynamic front-end encryption and a dynamic honeypot, which allow effective detection of API-hacking features. Because Geetest's advanced environment detection is combined with origin detection techniques, Geetest can spot and block captcha solving farms, securing the potency and integrity of the captcha against these powerful hacking tools.
ReCaptcha adopts no mechanism to prevent captcha farms; in fact, it has fueled a new industry in the form of sweatshops in third-world countries, where workers are paid between $0.5 and $1 per 1000 captchas solved.
CAPTCHA is an interactive security approach to detecting and mitigating bot threats. In the era of user experience, where user friction translates directly into a business's conversion rates and false-positive rates directly impact revenue, user experience is a significant differentiating factor among advanced captcha solutions.
The user experience of a captcha can be evaluated by three factors: the pass rate of the captcha without a challenge, the average time to pass a challenge, and the UI's customizability.
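The defensive principle behind origin detection and a honeypot can be shown with a small token scheme: the challenge is bound to the session and origin that requested it, must be answered within a short window, carries a randomised hidden field that a human never fills, and can be consumed only once. This is an added example written for this article, not Geetest's front-end encryption or honeypot implementation and not anything Google ships; the token format, the time budgets, the in-memory nonce store and the server key are assumptions, and the session ids and IP addresses are constructed from documentation ranges.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a rotated server-side key; placeholder value for this example only.
SERVER_KEY = b"replace-with-a-rotated-server-side-key"
TOKEN_TTL_SECONDS = 60     # lifetime of an issued challenge token (assumed)
MAX_SOLVE_SECONDS = 20     # budget for answering; a relay to a remote solver adds a round trip (assumed)
_consumed_nonces = set()   # single-use tracking; a shared cache in a real deployment


def _mac(raw):
    return hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()


def _origin_fingerprint(client_ip):
    # Hashed so the token carries no raw address; enough to notice a change of origin.
    return hashlib.sha256(client_ip.encode()).hexdigest()[:16]


def issue_challenge(session_id, client_ip, now=None):
    """Mint a signed token binding the challenge to this session, origin and time window."""
    now = time.time() if now is None else now
    claims = {
        "nonce": secrets.token_hex(8),
        "sid": session_id,
        "origin": _origin_fingerprint(client_ip),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
        # Randomised hidden-field name: humans never see or fill it, scripted form fillers often do.
        "honeypot": "hp_" + secrets.token_hex(4),
    }
    raw = json.dumps(claims, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(raw).decode() + "." + _mac(raw)
    return token, claims["honeypot"]


def verify_submission(token, form, session_id, client_ip, now=None):
    """Return (accepted, reason); each check targets one way a relayed answer differs from a local one."""
    now = time.time() if now is None else now
    try:
        body, mac = token.split(".", 1)
        raw = base64.urlsafe_b64decode(body.encode())
    except (ValueError, TypeError):
        return False, "malformed token"
    if not hmac.compare_digest(mac, _mac(raw)):
        return False, "bad signature"
    claims = json.loads(raw)
    if now > claims["exp"]:
        return False, "token expired"
    if claims["sid"] != session_id or claims["origin"] != _origin_fingerprint(client_ip):
        return False, "session or origin mismatch"      # answered from somewhere else
    if now - claims["iat"] > MAX_SOLVE_SECONDS:
        return False, "solve latency exceeds budget"    # round trip through a relay
    if form.get(claims["honeypot"]):
        return False, "honeypot field filled"           # scripted form filler
    if claims["nonce"] in _consumed_nonces:
        return False, "token already used"              # replay of a previously accepted token
    _consumed_nonces.add(claims["nonce"])
    return True, "ok"


if __name__ == "__main__":
    token, honeypot = issue_challenge("sess-demo", "198.51.100.7")
    print(verify_submission(token, {"answer": "x"}, "sess-demo", "198.51.100.7"))
    print(verify_submission(token, {"answer": "x"}, "sess-demo", "198.51.100.7"))  # replay
```

Each rejection reason maps to a different property of an outsourced solution: the answer arrives late, from a different session or origin, with a hidden field touched, or more than once. None of these checks needs to know who the user is, which is the same separation between bot detection and identity that the privacy section below discusses.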
Pass without challenge rate: ~20%
Average captcha solving time: ~10 seconds
Customizable UI: No
Pass without challenge rate: ~80%
Average captcha solving time: ~2 seconds
Customizable UI: Fully customizable UI
When it comes to captcha technology, privacy concerns arise over whether the data collected by the captcha system can tell which specific human you are and be used to track that individual across the web.
It is known that Google relies heavily on cookies and users' identifiable data to ensure you are human. There is no way to opt out of reCAPTCHA on a site you need to use, which forces you to either accept being tracked or stop using the service altogether.
It has been shown that clearing cookies or browsing in incognito mode drastically increases the number of reCAPTCHA tests users are asked to complete. If users browse on a Google Chrome competitor, such as Firefox, they are required to complete more challenges, which naturally raises a question: is Google using reCAPTCHA to cement its dominance?
This raises serious privacy concerns, given that Google's revenue comes primarily from its ad business, which relies on tracking data. Some users worry that reCAPTCHA is essentially a secret ad tracker hiding in plain sight, just like the Facebook "like" button embedded on web pages.
Geetest is GDPR compliant and does not rely on users' historical or personally identifiable information to tell bots and humans apart. Instead, Geetest relies on AI and machine learning models to identify bot features within website traffic. The data collected for its behavioral model is simply insufficient to tell which specific human is behind a request and cannot be used to track an individual. Thus, thanks to its advanced use of artificial intelligence technology, Geetest can tell humans and machines apart with high accuracy while respecting individual users' privacy.
Geetest is built to serve enterprise-grade customers; therefore, it is equipped with the tools necessary to integrate into its clients' existing fraud prevention architecture. Apart from integration support and detailed incident reporting, Geetest also provides a 24/7 service hotline to deal with customer questions or problems at any time. Geetest also adopts a zero false-positive architecture, maximizing the business value of bot defense and fraud prevention.
Google's enterprise service options are limited when it comes to integration into existing security architectures, mostly due to the lack of direct technical support. Its reporting options are simple, and there is no 24/7 support; instead, users have to ask questions on Stack Overflow under the ReCaptcha tag.
Google's ReCaptcha Enterprise charges $1 per 1000 requests.
Geetest is significantly more affordable [Contact Geetest]
ReCaptcha, at its core, is driven by the labor of end users who label images, supporting Google's branches unrelated to cyber security. Therefore security, user experience, privacy, and enterprise services are not a primary concern for ReCaptcha, and its capabilities on these essential functions are shown to be lackluster relative to the competition.
ReCaptcha has a static defense structure and relies heavily on high-friction challenges to create a sense of security, yet with widely available ML and automation tools it is easy to crack and exploit. Moreover, there are strong doubts that ReCaptcha relies on Google cookies to tell humans and machines apart, which raises serious privacy concerns for end users.
As a free solution, ReCaptcha is suitable for small enterprises or personal websites with simple form submissions, comment functions, etc. However, where sensitive gateways carry significant financial value, a more robust fraud prevention architecture is a must-have to ensure the business's unhindered growth and continuity.
Geetest relies on sophisticated machine learning models and advanced behavioral and environment detection techniques to identify bot features within traffic, and it overcomes captcha hacking methods using artificial intelligence technology.
Geetest is built for enterprise use; its services and toolset revolve around increasing the bot detection capabilities of its clients' security and fraud prevention architectures while reducing the impact on user experience to a minimum, with absolutely zero false positives.