CAPTCHA’s Top Level Security

2nd May, 2017 by

Google has recently rolled out a new means of verifying whether a visitor is human or a robot. This new tool is looking to bring to an end the necessary evil that was CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).

CAPTCHA has done a noble job of being the resolute first line of defence against robot cyber attacks. It deserves our respect, but that’s not to say that it has always been the most amicable of relationships. Attempting to type in the wavy words has not always been a straightforward experience.

But now, after CAPTCHA’s roughly 20 years of service, Google has developed this new means of cyber security that will slowly see CAPTCHA and its more advanced younger equivalent, reCAPTCHA, put out to pasture.

What is CAPTCHA?

The origins of CAPTCHA are contested, but it was first used as a means for websites to separate real human visitors from malicious bot attempts at logging in. It worked by taking an image of a word and asking the user to type it in. Robots found it very hard to decipher the meaning of an image then, and notoriously still do to this day. They can read pixels and shade, but struggle to understand the grander meaning of that image.

This meant that in the early days the internet was well protected by CAPTCHA. It was deployed primarily as a way to defend sites from being brought down in a DDoS attack, or as a way to stop ticket touts from using bots to bulk buy tickets to events.

However, in 2014 Google launched reCAPTCHA (or to give it its full title No CAPTCHA reCAPTCHA) as tests had shown that as many as 99.8% of text completion tests were now readable by the bots.

reCAPTCHA is as simple as ticking a box. But Google uses the entirety of the visitor’s behavior to assess whether they are a bot or actually human. This comes down to behaviors such as how the mouse is moved over the tick box or how long it takes the visitor to find the tick box. Google is unsurprisingly pretty guarded about exactly how it works. With good reason they fear revealing too much, as it will play directly into the hands of the hackers.

But it seems likely that Google is tracking your actions across all of its real estate. So if your IP address carries out normal actions, such as checking emails, editing a Google Sheet and then watching some YouTube videos, it is fairly safe to say you are a human. But if the IP address registers no human interaction then there may be good reason to suspect this visitor as being a bot.

In early 2017, Google took the step of doing away with the need to even tick the box, believing its systems are so efficient at weeding out malicious bots that the tick box is no longer necessary.

But what will Google be losing by doing away with CAPTCHA?


Benefiting from CAPTCHA

Google has learnt a lot from CAPTCHA. Google figured out that it could use the legions of people that are constantly having to decipher and type in words to its advantage. Google realized it could start figuring out house numbers, business names and road names by placing them into the CAPTCHA system and having them worked out by eager and willing humans, desperate to get to their content. All this has worked in the favor of Google as it has meant they can offer an even more precise version of Google Maps.

They have also used a similar tactic for the vast banks of journals and papers they have in store that they are trying to digitize. This is a thankless and slow process for anyone employed to actually undertake it. But using everyday people means the company can once again kill two birds with just the one stone. The security function has also been used to improve Google’s image recognition software. Some forms of CAPTCHA provide the user with a multitude of images of, for example, cats. The user is asked to pick out each one that shows a cat. As users carry out this task many times over, the machine learning system tasked with better understanding imagery becomes better at identifying a cat.

So while the advancement of CAPTCHA is undoubtedly a benefit, keeping our websites safer and at less inconvenience to the everyday user, Google is clearly losing something that has served its auxiliary services extremely effectively, allowing it to become the service it is today. These greater levels of security go to show how advanced the technology of sniffing out bots has become. But you can be sure that this isn’t the last to be heard from the bots; they’ll be working to bypass these systems.
