23 Apr 2020 • 10 min read
Bots are a two-decade-old problem, and today over 50% of internet traffic is estimated to come from bots. Why should you care? If you are not prepared, bad bots can do serious damage to your online business operations as well as your reputation.
In 2018, HSBC Bank, one of the largest financial services organizations in the world, was the victim of a bot attack and confirmed a data breach affecting its U.S. customers’ private information. Cybercriminals used a credential stuffing attack to gain unauthorized access to thousands of user accounts through large-scale automated login requests. In the aftermath of the attack, HSBC strengthened authentication for online banking by deploying a captcha on its login page, limiting access to genuine humans only.
Account takeover attacks, endless spam comments and emails, ticket scalping, abusive website traffic and scraping of your valuable website data and content are just some of the damage bots can cause. For underprepared online businesses, it can take months before a breach is identified, at an average cost of $3.9 million per breach. Would you know if sophisticated bots were already abusing your online business?
CAPTCHA, also referred to as a reverse Turing test, was originally developed as an automated test to distinguish whether the online visitor behind a request is a genuine human or an automated computer program, a.k.a. a bot. Deployed at operational gateways such as login, sign-up or form submission processes, captchas stop automated programs from accessing and abusing your website. However, not all captchas are equal: as bot threats became more sophisticated, captchas evolved as well.
To bypass a captcha, a computer program has to do what a human can do; therefore, as AI technology improves, captcha challenges as we know them become ineffective.
The idea behind traditional captchas was that machines were simply incapable of recognizing distorted text. As OCR (Optical Character Recognition) technology improved over the years, machine programs became better at recognizing distorted text than humans, and text-based captchas became obsolete. Even though more innovative captcha challenges based on recognizing images, numbers or various objects have become more popular in recent years, these methods still rely on one-dimensional logic and are static in nature.
At present, using machine learning technology, creating a computer program that can bypass these challenges is rather easy, which makes the captchas you know obsolete at preventing modern bot threats.
Third-generation captchas, also known as no-knowledge or advanced captchas, distinguish themselves from the rest by introducing advanced risk analysis into the equation. By analyzing the behavioral characteristics and the environmental information of a visitor, advanced captchas are able to distinguish genuine human behavior from computer-generated human behavior. When the comprehensive decision-making system detects a risk, a challenge-response is presented to collect further data about the visitor's activity and make a final judgment. This approach has two significant benefits.
Security: The integrity of the system relies on the sophistication of its back-end operations, where the risk analysis engine runs. Merely answering the challenge will not grant access to a bot; it has to mimic human behavior perfectly and deceive a risk analysis engine that observes over a hundred different parameters. This is not a feasible task for modern computer programs at the scale a successful bot attack would require.
User Experience: For an advanced CAPTCHA, it is not about completing the challenge correctly; it is about the process of completing the challenge. The challenge-response is therefore only an opportunity to collect further data about the visitor's behavior, which allows the challenge itself to be more straightforward and user-friendly. Of course, there are significant differences in user experience between different advanced captcha solutions. For example, it can take more than 10 seconds to pass a reCAPTCHA challenge, while a GeeTest captcha takes 1.6 seconds on average.
When it comes to fighting modern bot threats, the goal of all advanced solutions is the same: to distinguish genuine human behavior from automated human behavior. While CAPTCHA achieves this goal through interaction at operational gateways, some systems detect bots by analyzing the entire website traffic.
Even though these expensive bot detection systems are deployed network-wide and protect the whole website, rather than just the essential operational gateways, they still encounter large volumes of suspicious traffic.
Directly blocking that traffic risks a high rate of false positives and reduced conversion rates for the website, while allowing the suspicious traffic leaves the system vulnerable to bot attacks. This is where advanced captcha solutions come into play, making the final judgment on the suspicious traffic and reducing the rate of false positives to a minimum. A defence-in-depth approach is crucial for maximizing security, and advanced captcha is the first line of defense against automated attacks.
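As an added illustration of the two-stage flow described above (risk analysis feeding a three-way allow/challenge/block decision, then the challenge's own telemetry deciding the final outcome), here is a toy Python risk pipeline. It is example code written for this page, not GeeTest's engine or any vendor's product; every signal, weight and threshold in it is an assumed value, and the pointer-timing telemetry is constructed.

```python
from dataclasses import dataclass
from statistics import pstdev


@dataclass
class Visit:
    user_agent: str
    has_accept_language: bool
    requests_last_minute: int
    pointer_gaps_ms: list  # intervals between pointer events before the click (constructed telemetry)


def environment_score(v: Visit) -> int:
    """Environmental signals (0-100): automation markers, missing browser headers, request rate."""
    score = 0
    if "HeadlessChrome" in v.user_agent or "python-requests" in v.user_agent:
        score += 50
    if not v.has_accept_language:
        score += 20
    if v.requests_last_minute > 30:
        score += 30
    return min(score, 100)


def pointer_looks_synthetic(gaps_ms: list) -> bool:
    """Human pointer timing is irregular; scripted input tends to arrive at near-constant intervals."""
    return len(gaps_ms) >= 2 and pstdev(gaps_ms) < 2.0


def behaviour_score(v: Visit) -> int:
    """Behavioural signals (0-100): no pointer activity before a gateway action, or machine-like timing."""
    if len(v.pointer_gaps_ms) < 5:
        return 60
    return 70 if pointer_looks_synthetic(v.pointer_gaps_ms) else 0


def risk_decision(v: Visit, challenge_floor: int = 30, block_floor: int = 80) -> str:
    """Three-way decision: hard block only at high risk, challenge the grey zone, allow the rest.
    Challenging instead of blocking is what keeps the false-positive rate down."""
    risk = (environment_score(v) + behaviour_score(v)) // 2  # assumed equal weighting
    if risk >= block_floor:
        return "block"
    return "challenge" if risk >= challenge_floor else "allow"


def final_judgment(solved: bool, solve_ms: int, challenge_gaps_ms: list) -> str:
    """Challenge stage: a correct answer is necessary but not sufficient; how it was solved is scored too."""
    if not solved or solve_ms < 300:  # implausibly fast solves are treated as automated
        return "block"
    if len(challenge_gaps_ms) < 5 or pointer_looks_synthetic(challenge_gaps_ms):
        return "block"
    return "allow"
```

A visit with a single odd trait (say, a missing Accept-Language header) scores 10 here and is allowed, while a rate-limited visitor with robotic pointer timing lands in the grey zone and is challenged rather than dropped.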
As long as online business operations remain valuable, the potential financial gains will continue to attract criminals. Empowered by advances in AI and machine learning technology, cyber-criminals are using increasingly sophisticated bots.
Advanced captchas are vital against the increasing number of sophisticated bot attacks and a necessity to keep the internet ecosystem as we know today safe and trusted.
In the mission to keep the internet genuine-human only, user friction is an often overlooked part of the equation. At GeeTest, we believe a great security solution should be excellent not only in security but in user experience as well.
Learn how the world’s leading enterprise-grade captcha solution, GeeTest, ensures excellent security and utmost usability.