Rethinking the Captcha
With every technology since the invention of the clock spring, there have been people who use it for good and people who use it to do harm. The web is no different. Nearly every website uses forms to capture information, and unprotected forms are a recipe for abuse.
Forms are targets for spambots: automated programs that fill in the form with false information.
WordPress creates new opportunity
The growth of WordPress inadvertently turned this into a business, because its default settings allow anyone to comment on posts. Spambots fill these comments with fake text and insert a web link. These links point to sites selling knockoff goods and other unsavory products. Having these links referenced on legitimate sites artificially raises the search rankings of the sites being referenced, and earns pay-per-click payments when people follow those links. Millions of these links would be posted around the world every day as comments were approved. Although only a small percentage would ever be clicked, the sheer volume of cumulative clicks, together with the increased rankings, would produce substantial income for those who created the bots.
Even as WordPress site owners get smarter, so do the bots, making it harder to tell whether a comment is real or fake. The more sophisticated bots even use AI to refer to content within the post, looking as if a real human read the post and is genuinely commenting on what was written.
Another type of form that is increasingly targeted is the feedback form. Although this offers limited value to the bots, because only one person receives the result of the form, these forms are also used to generate fraudulent requests for business.
Worse, they can be used as nuisance tools to disrupt a business. Just last week I heard from one company that was hit by more than 10,000 form responses due to fraudulent form entries using their email address on thousands of websites at the same time. The cost to that business in terms of time and hassle to deal with this onslaught was substantial.
Enter the Captcha
For a number of years, a common approach to dealing with abuse of online forms has been the Captcha. It shows a random group of numbers and letters and asks the person filling out the form to type what is displayed. This worked fairly well for some time, because bots could not handle the request. Unfortunately, as spambots become more sophisticated, it is no longer as effective. Code to bypass the simpler Captcha displays is publicly available online. You can get around this with more sophisticated types of Captcha, but these can be so difficult to read that even humans can’t figure out which letters and numbers are being displayed. Studies have shown that when a Captcha request is too challenging, people simply click away instead of completing the form.
Google came up with ReCaptcha, a new type of Captcha that asks the user to click on images matching a request, for example all the pictures that show a traffic light. While this effectively stops spambots, it can be frustrating for the user. In addition, every time someone uses Google ReCaptcha, they further improve Google’s AI algorithms at no charge. Google already has more power and data than is healthy, so it is frustrating to further empower this technology behemoth.
We have been actively concerned about this issue and have taken various steps over the years to minimize the abuse of forms. Simple Captcha has been our main solution. Although it can be bypassed, the number of bots with that capability is still very small. It has worked well because the code being shown is very easy for people to read. Still, it seems that the use of simple Captcha is coming to an end. We believe that website designers have a responsibility to the web community as a whole to assist in any reasonable way to reduce overall abuse.
For our website clients and those on the ReBoot web maintenance plans, we are updating forms to apply a different method of protecting against bots, one that should be more effective while minimizing the impact on the user. Our approach uses a hidden field that bots can see but humans cannot. Since a bot fills it in and a human never does, any submission with that field completed is rejected. Eventually there is likely to be a workaround for this approach as well, but it minimizes the hassle for people filling out the form.
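To make the hidden-field approach concrete, here is an added example of the server-side check (written for this article; it is not the code used on the ReBoot maintenance plans). The field name `website_url`, the markup and the handler names are constructed assumptions; the hidden field is kept out of keyboard focus, screen readers and browser autofill so that real visitors never fill it in by accident.

```javascript
// Constructed field name: it should look like an ordinary field so an
// automated form-filler treats it as one. Hidden from people via CSS.
const HONEYPOT_FIELD = "website_url";

// Markup the server would render (assumed). tabindex="-1", aria-hidden and
// autocomplete="off" keep keyboard users, screen readers and autofill away.
const HONEYPOT_MARKUP = `
<div style="position:absolute;left:-9999px" aria-hidden="true">
  <label for="website_url">Website</label>
  <input type="text" id="website_url" name="website_url"
         tabindex="-1" autocomplete="off" value="">
</div>`;

// Classify a submitted form body (plain object of field name -> value).
// A real browser always submits the hidden input, with an empty value.
function checkHoneypot(body) {
  if (!Object.prototype.hasOwnProperty.call(body, HONEYPOT_FIELD)) {
    // A bot posting only the fields it cares about omits the input entirely.
    return { ok: false, reason: "honeypot field missing" };
  }
  const value = String(body[HONEYPOT_FIELD]).trim();
  if (value.length > 0) {
    // A human never saw the field, so anything in it came from a bot.
    return { ok: false, reason: "honeypot field filled" };
  }
  return { ok: true, reason: "" };
}

// Handler sketch: answer every submission with the same "thanks" message so a
// bot gets no signal about whether its post was kept; only deliver when ok.
function handleSubmission(body, deliver, log) {
  const result = checkHoneypot(body);
  if (result.ok) {
    deliver(body);
  } else {
    log(`dropped submission: ${result.reason}`);
  }
  return { status: 200, message: "Thanks, we received your message." };
}

// Constructed sample submissions: one from a browser, two from bots.
const humanPost = { name: "Ann", email: "ann@example.com", message: "Hi", website_url: "" };
const botPost = { name: "Ann", email: "ann@example.com", message: "Buy", website_url: "http://spam.invalid" };
const lazyBotPost = { name: "Ann", message: "Buy" };
```

Logging the dropped submissions (without delivering them) gives you a count of bot traffic to compare against what the Captcha used to block.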
The next threat: human bots
Of course, we are also aware of a growing trend to use actual human beings to fill out website forms. Low-cost labour is already used to bypass the defenses that social media companies use to fight artificial bot-generated likes on posts, and the same is happening with forms. Ultimately, an approach similar to ReCaptcha is likely to be the best solution in the long term. While it doesn’t stop humans, it slows the process down so much that it generally isn’t worth the effort. But since it gets in the way of the user experience, we are holding off on that approach for a while. When we do use it, we are switching from ReCaptcha to hCaptcha, which offers much the same technology without empowering the global giant.
If you have any questions or concerns, please get in touch.
Justin, September 3, 2022
I’m using hCaptcha as well, but it’s still too challenging for human beings; sometimes it’s even more difficult than Google’s reCAPTCHA. That being said, I still get spam after using hCaptcha, and I think it’s from bots.
Now I’m thinking of using Contact Form 7’s built-in simple custom captcha. The best thing is that you can define the question and answer and even give a hint. I think most bots can’t solve it but real humans can: simple but effective. The downside is that it might not be able to stop human bots, but reCAPTCHA or hCaptcha can’t do that either.