Understanding ReCAPTCHA: Its Mechanisms and Impact on Internet Security

Written By David Jay
A future med student, I write to learn.
Examples of ReCAPTCHA prompts to deter bots (Source: NopeCHA)

The Internet has been subjected to many kinds of attacks from malicious figures all across the World Wide Web since its creation. This is because the Internet provides valuable data, anonymity, and exploitable elements that allow malicious figures to rampage all over cyberspace. As a consequence, cybercrimes, especially those involving bots, were rampant. However, Google’s development of CAPTCHA, otherwise known as “Completely Automated Public Turing Test to tell Computers and Humans Apart,” allows websites to improve their security.

Despite Google’s attempts to deter bots, newer autonomous programs became more sophisticated, weakening CAPTCHA’s defenses. Furthermore, online users often consider CAPTCHA “annoying” due to its puzzling nature, and it is not accessible to users with disabilities. To solve this problem, Google conceived a new version of the anti-botting measure in 2020. It is called ReCAPTCHA.

What is ReCAPTCHA?

Newer renditions of ReCAPTCHA prompt (Source: Google)

According to Google, ReCAPTCHA is an “advanced risk analysis machine” that prevents malicious software from abusing websites. The system will employ methods that restrict bot access, preventing any exploitation or data leakage. Furthermore, the system “learns” from each user and bot interaction to improve its operations in later accesses.

ReCAPTCHA is mainly used to protect against scraping, fraudulent payments, account takeovers, fake accounts, misinformation, and money laundering.

Web developers need to choose the right system for many reasons, mainly to deter abusive bots and to make the system less intrusive to the users’ experience. Therefore, webmasters should select the machine wisely depending on what kind of website they are building. According to DataDome, there are two remaining versions of ReCAPTCHA developed by Google: V2 and V3.

V2 requires the user to tick a checkbox or complete an image or audio recognition test to access the site. Since the majority of bots cannot decipher puzzles, only human users can enter the site. While this system requires users to solve a task, which can be inconvenient, it does not require the web administrator to constantly monitor their activities and is consistent in quality. However, hackers have been attempting to develop new software to complete the puzzle, so a site that chooses this system risks relying on an outdated defense.

On the other hand, V3 passively monitors users’ activity and uses a scoring system to determine who is a bot and who is a human. The system’s quality can be further improved by the web administrators’ interactions with the user (e.g. friend requests, chat boxes, etc.). The method is very effective in detecting bots with the algorithm, but webmasters must be constantly on duty to ensure safety.
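The V3 scoring approach described above, sketched from the website's side as an added example (not code from the article or from Google): it turns the JSON reply of Google's `siteverify` endpoint into an allow, challenge or deny decision. The thresholds, the hostname `shop.example`, the `login` action and the sample replies are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(minutes=2)  # a response token is valid for two minutes

def evaluate_v3(resp, expected_action, expected_hostname, now,
                allow_at=0.7, challenge_at=0.3):
    """Map a siteverify JSON reply to ('allow' | 'challenge' | 'deny', reason).
    allow_at and challenge_at are assumed site policy, not Google defaults."""
    if not resp.get("success"):
        return "deny", "verification failed: %s" % resp.get("error-codes", [])
    # A token issued for another site or another page action is rejected.
    if resp.get("hostname") != expected_hostname:
        return "deny", "hostname mismatch"
    if resp.get("action") != expected_action:
        return "deny", "action mismatch"
    issued = datetime.fromisoformat(resp["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        return "deny", "stale token"
    score = resp.get("score")
    if not isinstance(score, (int, float)):
        return "challenge", "no score in reply"  # e.g. a V2 token
    if score >= allow_at:
        return "allow", "score %.1f" % score
    if score >= challenge_at:
        return "challenge", "score %.1f" % score  # step up to a V2-style puzzle
    return "deny", "score %.1f" % score

# Constructed sample replies (not captured traffic).
NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
BASE = {"success": True, "challenge_ts": "2024-01-01T12:00:30Z",
        "hostname": "shop.example", "action": "login", "score": 0.9}
SAMPLES = {
    "likely human": BASE,
    "uncertain": {**BASE, "score": 0.5},
    "likely bot": {**BASE, "score": 0.1},
    "wrong action": {**BASE, "action": "signup"},
    "old token": {**BASE, "challenge_ts": "2024-01-01T11:50:00Z"},
    "rejected": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

def decide_all():
    return {name: evaluate_v3(r, "login", "shop.example", NOW)
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (verdict, why) in decide_all().items():
        print("%-13s -> %-9s (%s)" % (name, verdict, why))
```

The middle band is where the trade-off between security and user friction is set: widening it sends more visitors to a puzzle, narrowing it lets more borderline traffic through or blocks it outright.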

How Does ReCAPTCHA Impact the Economy?

(Source: CNBC)

Many websites require a substantial amount of security and maintenance, as cyberattacks have become more frequent since the 2010s, when cybercrime was becoming rampant. According to CrowdStrike, some of the most common types of attacks are malware, DDoS, phishing, and spoofing, which can be conducted by malicious bots. To curb the issue, Google released the ReCAPTCHA program to the public to prevent bots from operating. By employing the system, a website can deter most of the attacks performed by bots, preventing damage to the site’s integrity and reputation.

The site’s security is considered one of the most important aspects of web design in the modern era. E-commerce websites such as Amazon, eBay, or Etsy prioritize cybersecurity since buyers and sellers are required to provide confidential information (e.g. banking details) for the site to function smoothly. Should an attack be successful, the site will lose a proportion of its customer base due to the decrease in trust, resulting in the loss of revenue. Investors, who are the backbone of some companies, are likely to pull out after a cyberattack to avoid monetary loss, which can further damage the company’s value and funds. Furthermore, the addition of ReCAPTCHA makes users feel more secure while on the site.

(Source: CNBC)

On the other hand, customers are also bothered by frequent security checks, which end with them abandoning their activities. According to Forbes, this is because the machine relies on behavioral analysis of bots and human users, and each puzzle completed by a bot makes future ones more challenging, which can result in customers leaving the site to look elsewhere. With lower sales and traffic, investors and advertisers are less willing to invest in the website, resulting in decreased revenue.

In the end, ReCAPTCHA is a two-edged sword. Without it, websites are completely compromised during cyberattacks; but with it, clients are unlikely to use the website at all.

A War Between Robots

ReCAPTCHA’s evolution since 2007 (Source: Google Cloud Blog)

As a consequence of ReCAPTCHA development, many hackers have been finding ways to improve the bots’ intelligence in puzzle-solving. This is because website hacking is still a profitable, automatable, and less risky venture for malicious figures. Furthermore, improved malicious bots net higher profits than ordinary outdated bots. Therefore, many hackers are still motivated to update their automated accounts’ intelligence.

Understandably, Google and other web security developers have been fighting off these attempts by improving the algorithm to make puzzles harder, flag accounts with certain behaviors as suspicious, and understand the behavior of human and robot users. However, their improvements resulted in more human users failing these puzzles while robots can still solve them. According to the Baymard Institute, between 8% and 29% of human users failed the CAPTCHA test in 2018.

On the contrary, The Verge revealed that ReCAPTCHA became harder to solve not because bots became smarter, but because human users are simply unable to solve the problems. The basis is that as puzzles become harder, the algorithm understands the behavior patterns of users and creates the puzzles based on what they have not considered, for example, hidden objects, signs in foreign languages, and unusual items. As a result, human users are confused by the prompts and look for sites with lower security.
