Unlocking CAPTCHAs: Moving Beyond Deterrence to Detection
2023-12-22 05:46:57 Author: securityboulevard.com(查看原文) 阅读量:12 收藏

Over the last six days alone, Arkose Labs identified and thwarted 189 million attacks for our customers alone. By tracking different classes of biometric inconsistencies, we gain insight into the evolving nature of bot attacks within specific customer traffic and across the platform.

In the digital realm, CAPTCHA has long been viewed as a necessary annoyance, a tool employed to thwart automated bots and ensure that real human users can successfully interact with websites. However, a paradigm shift is underway in how we perceive CAPTCHA. Where it was once a mitigation tool, it is now a potent weapon in the arsenal against online fraud. 

CAPTCHA was initially invented to differentiate between bot and human behavior. However, with the increasing sophistication of off-the-shelf CAPTCHA-solving tools and “solver services,” it grew more complex, and businesses started to see advanced CAPTCHAs as unnecessary friction for good users. However, what if we shift our mindset to looking at CAPTCHAs as a visible detection tool instead of a point of friction? Let’s delve into why your perspective on CAPTCHA is about to change.

Bad Bots and Beyond: 2023 State of the Threat Report

RECOMMENDED RESOURCE

Bad Bots and Beyond: 2023 State of the Threat Report

{{CTA: Bad Bots and Beyond: 2023 State of the Threat}}

CAPTCHA as a Bot/Fraud Detection Tool:

Traditionally, CAPTCHA has been seen as the last line of defense—a mechanism triggered when a detection system flags the probability of incoming traffic being bot-generated. However, a closer look reveals that every CAPTCHA challenge follows a specific, predetermined flow. Users are expected to solve the challenge in a standardized manner, providing a unique opportunity to measure and analyze user behavior.

Several user-behavior attributes such as keystrokes, mouse movements, touchscreen taps, etc. can be converted into a process of understanding the user behavior. This insight, in turn, helps detect bot traffic and fraud farms. Bots love to mimic good user behavior in an attempt to evade detection. Through exact and predicted pattern matching, such bot behaviors can be uncovered.

Most off-the shelf bot detection solutions are unable to distinguish between bot-driven and genuine human traffic. This inability can hamper their efforts to block bad bots from causing harm to their digital platforms and user experience. Furthermore, the inability to tell good bots from malicious bots can impact their visibility on search engines.

The analysis of bot traffic

CAPTCHA as a Behavior Measurement Tool

Same is true for fraud farms, also called click farms. The fraud farm workers become so used to solving the challenges that they don’t hesitate when it comes to solving. They know exactly where to click and how to solve the puzzle challenge. This expertise can be used against them through behavior measurement.

In fact, over the last week, Arkose Labs identified millions of bot attacks that are trying to mimic human users while solving its CAPTCHAs across its network.

Millions of bot attacks mimicking human users while solving CAPTCHAs

This distinctive quality transforms CAPTCHA into a powerful behavior measurement tool. Instead of merely serving as a hurdle for bots, CAPTCHA becomes a means to identify automation by analyzing user interactions. The standardized flow allows for the detection of anomalies, offering a new dimension to the fight against fraudulent activities.

Dynamic Sampling for Enhanced Security

In the evolution of CAPTCHA, dynamic sampling emerges as a game-changer. By introducing pre-canned modifications to certain elements of mouse and keyboard data sampling, CAPTCHA becomes significantly more resistant to automation. Fraudsters attempting to navigate through the system must contend with changing sampling intervals, which is possible only if they run the javascript every time. This makes it  exponentially expensive for them to continue their operations.

The Arkose Labs Approach to CAPTCHAs

One notable example is Arkose Bot Manager, which goes beyond traditional methods by introducing dynamic sampling in various aspects of the product, including the CAPTCHA interaction response of end users. The challenges of Arkose MatchKey, the strongest CAPTCHA in the business, allows us to measure the potential of automation at various stages of the funnel. To avoid detection, fraudsters must manually solve the CAPTCHA each time, creating a formidable obstacle for automated attacks.

Multiple challenge levels, all user-friendly

Real-World Impact of CAPTCHAs

The effectiveness of this approach is evident in the staggering numbers. Over the last six days alone, Arkose Labs identified and thwarted 189 million attacks. By tracking different classes of sampling inconsistencies, we gain insight into the evolving nature of bot attacks within specific customer traffic and across the platform.

CAPTCHAs are no longer just a deterrent for bots; they have become a crucial component of advanced bot and fraud detection strategies. Embracing behavioral biometrics as part of your detection stack can significantly bolster your defenses against evolving threats in the digital landscape. The next time you encounter a CAPTCHA, remember that it’s not just protecting you from bots—it’s actively contributing to the ongoing battle against online fraud. 

*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Ayan Halder. Read the original post at: https://www.arkoselabs.com/blog/unlocking-captchas-moving-beyond-deterrence-to-detection/


文章来源: https://securityboulevard.com/2023/12/unlocking-captchas-moving-beyond-deterrence-to-detection/
如有侵权请联系:admin#unsafe.sh