DataDome

50% of passed reCAPTCHAs are completed by bots?

Traditional CAPTCHAs are not ideal for the user experience, but do they (at least) keep bad bots away?

Unfortunately, not really. According to our aggregate customer data, 50% of “users” that pass reCAPTCHAs are actually bots. And it’s not all that surprising…

CAPTCHAs are not intended to be the first line of defense against malicious bots. Launched in 2000 as a general purpose authentication technique for humans, the CAPTCHA began as a Carnegie Mellon research project. The traditional CAPTCHAs we know and (sometimes) tolerate are easily completed by bots because they were never coupled with sophisticated security logic for advanced and evolving threats.

The Appropriate Use of a CAPTCHA:

Just because CAPTCHAs are not sufficient bot protection on their own, that doesn’t mean a CAPTCHA can’t be a useful tool (among many) when properly integrated with a complete bot and online fraud protection solution. For a better understanding of how CAPTCHAs can be used effectively, this post will cover the following:

Once you have a good idea of what a traditional CAPTCHA is, what it is not, and what an ideal, full-circle CAPTCHA can do for your protection, you will be best equipped to optimize your security strategy.

What We Mean by “Traditional” CAPTCHAs

Any CAPTCHA that is not built based on advanced, scalable security logic is what we consider a traditional CAPTCHA, including reCAPTCHA v1 and v2, among others.

Traditional CAPTCHAs do not provide a feedback loop that constantly informs and enhances bot protection for all your endpoints across your mobile app, website, and APIs. Nor do they apply information about a threat on one site to block the same attacker on all other protected platforms.

Pros & Cons of Traditional CAPTCHAs

Pros – Traditional CAPTCHAs:

  • Provide one signal that can be used effectively, when combined with many other signals, for bot detection.
  • Are easy to implement.
  • Typically offer a free option (e.g. reCAPTCHA is free up to 1 million API calls/month, then users must upgrade to Enterprise, which costs $1 every thousand calls up to 10k).

Cons – Traditional CAPTCHAs:

  • Are completed by bots as often as they are by humans.
  • Do not provide a feedback loop to platform operators or bot management solutions beyond a pass/fail signal, which is not enough to improve security.
  • Do not flag failed “users”/bots or monitor them more closely on future requests.
  • Lack transparency around the use of end-user data, which can lead to compliance issues.
  • Create a slow, frustrating user experience.
  • Are often considered inaccessible to people with disabilities.

Integration of Traditional & 3rd-Party CAPTCHAs in Bot Management

DataDome has historically integrated our bot management solution with third-party CAPTCHAs, such as GeeTest and reCAPTCHA, to support our customers. At the time, third-party CAPTCHA integrations were the best option we could provide, but we wanted better. To further enhance security for our customers, there were a few aspects we wanted to improve:

  1. When relying on third-party CAPTCHA integrations, we had no control over a session/request during the challenge handled by the third party.
  2. The only signal we (and our customers) received from the third-party CAPTCHA providers was a pass/fail signal, with no further context on users’ interactions with the challenge.
  3. Due to the limited signals DataDome received from third-party CAPTCHAs, even users with a pass signal could not be allow-listed for the remainder of their session. DataDome already had to continuously monitor each session closely to invalidate the pass signal if the session became misused or hijacked by bots.

Ultimately, based on the number of “pass” signals from third-party CAPTCHAs that our solution later invalidated as false negatives (actual bots), we found that 50% of requests that pass traditional and third-party CAPTCHA providers are actually bots.

Examining the Ideal CAPTCHA

Our new standard for CAPTCHAs is to balance the trifecta of a good user experience (including accessibility), data privacy compliance, and 100% security focus. There are several technical requirements for an ideal, full-circle CAPTCHA:

Before CAPTCHA

Before the CAPTCHA – Solution prerequisites to be active before a user ever faces a CAPTCHA:

  1. High number of diverse signals processed in deciding whether to show a CAPTCHA.
  2. Machine learning (ML) detection models to process signals and scale new decisions in real time.
  3. Dedicated SOC team to monitor threats and maintain ML models for accuracy.
  4. Consistent 360° full-endpoint protection across mobile apps, websites, and APIs.
  5. Low and transparent false positive and false negative rates to confirm only bots see the CAPTCHA.

During CAPTCHA

The CAPTCHA itself – What the CAPTCHA should be like when it is presented:

  1. Easy for humans to pass, but not easily completed by bots.
  2. Specifically designed to prevent CAPTCHA farms from being able to bypass the challenge.
  3. Quick to load and to complete for human users (who typically wait no longer than 3 seconds for a page to load).
  4. Accessible in multiple languages to human users with disabilities.
  5. Data privacy compliant—collects minimal personal data from end-users and processes data for security purposes only with zero third-party involvement.

CAPTCHA Feedback

Feedback from the CAPTCHA – How CAPTCHA signals can come full circle to improve ongoing security:

  1. Detailed reporting and user-friendly dashboard for easy threat and traffic analysis.
  2. Signals beyond pass/fail should be combined with various other behavioral, statistical, and technical signals and applied across all protected platforms and endpoints in real time.
  3. Data privacy compliant—all data safely stored for an adjustable retention period to ensure compliance with local laws.

Creating Our Own Full-Circle CAPTCHA

Our team dedicated time and resources to eliminating the need for any third-party involvement in bot protection by creating our own DataDome CAPTCHA.

Developing our CAPTCHA allowed us to unlock key security benefits for DataDome customers, compared to tools like reCAPTCHA:

  1. We can guarantee the most complete security with 100% control over/visibility into the bot protection process.
  2. With our AI detection monitoring each session and request from the moment the page starts loading (before a user even reaches a CAPTCHA), we ensure a user only sees the CAPTCHA if other signals (behavioral, statistical, etc.) indicate it is a bot.
  3. Our bot management solution has complete integration with our built-in CAPTCHA, and combines signals from the CAPTCHA with over 5 trillion other signals processed each day to inform and improve our bot detection engine.
  4. Data is processed at the edge, locally with flexible, adaptable data retention options to fit with your local legal requirements.
  5. Our solution includes CAPTCHA farm prevention, enhanced signal detection, and built-in replay detection.

In addition to the new security benefits, our CAPTCHA also gives our customers:

  1. More transparency and visibility to analyze the CAPTCHA’s impact on conversions, user experience (UX), and other business outcomes through our dashboard.
  2. An audio CAPTCHA available in 13 languages for enhanced accessibility.
  3. A consistent, stable UX for end-users across web and mobile devices.
  4. Data privacy compliance with GDPR, CCPA, and other regulations around the globe.

The new DataDome CAPTCHA is superb. It renders much faster and interactions with it are more responsive than our previous third-party CAPTCHA. Bots can’t solve it, and humans can with minimal hassle. It’s just what a CAPTCHA should be.

Matthew Niehues, Product Engineer, Fidelity Solutions

Bot Protection With 99.99% Accurate Security Meets a User Friendly & Privacy Compliant CAPTCHA

Advanced cybercriminals and sophisticated bots adapt every day to find ways into your online ecosystem. Automated attacks target any and every endpoint—account creation, login, checkout, etc.—across your mobile app, website, and APIs. 

Traditional CAPTCHAs are not sophisticated and are powerless against advanced threats. With a traditional CAPTCHA as your first line of defense, ~50% of traffic that successfully reaches your platform will be bots while the other, human half of your traffic faces unnecessary friction. 

DataDome, the only online fraud and bot management solution that promises to protect 99.99% of your users without showing them a CAPTCHA, now proudly offers our own integrated CAPTCHA. DataDome CAPTCHA is the first bot challenge of its kind—balancing our laser focus on security with a user-friendly experience and global data privacy compliance.

Schedule a demo to see it for yourself.
