Google is launching a new reCAPTCHA system that’s capable of detecting malicious or abusive traffic on sites without any interaction from users.
Like other CAPTCHA systems, reCAPTCHA v3 is designed to prevent bots, attackers, or other types of abusive traffic from interacting with a protected site. The original reCAPTCHA was the classical construct in which a user had to read some text that was in a distorted form and then enter it into a box. The second iteration usually involved a user clicking a box or performing some other action, all in the name of proving that she was a human and not a bot.
Both of those systems work relatively well, but they require positive user interaction and can be annoying and slow down users’ experiences on a site. The reCAPTCHA v3 system is Google’s attempt to remove the user interaction from the equation, using a variety of different signals in the background that combine to give site owners a score that assesses how likely a user is to be a bot.
“Now with reCAPTCHA v3, we are fundamentally changing how sites can test for human vs. bot activities by returning a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all. reCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site,” said Wei Liu, a product manager at Google.
Attackers, spammers, and other threat actors have developed various tactics to bypass CAPTCHAs over the years and continue to update them as defenses evolve. There are tools designed specifically to allow attackers to defeat CAPTCHA systems, and analysts at Flashpoint recently saw discussions in blackhat SEO forums of a couple such tools being offered for sale.
“The first tool appears to be a stolen copy of a social-media marketing software that automates adding friends, while the second is a type of SEO software frequently abused by threat actors in order to spam internet forums and comments sections. The second tool claims to be able to ‘decode’ more than 400 types of CAPTCHA in its default form, and can purportedly decode even more types with the use of a separately sold plugin,” Ian W. Gray and Tim Lehey of Flashpoint said in a recent analysis.
Because the reCAPTCHA v3 scheme doesn’t need user interaction, site owners can use it in a variety of different ways. Liu said the system can perform its analysis across the different pages of a site as a user interacts with different elements.
“In reCAPTCHA v3, we are introducing a new concept called ‘Action’—a tag that you can use to define the key steps of your user journey and enable reCAPTCHA to run its risk analysis in context. Since reCAPTCHA v3 doesn't interrupt users, we recommend adding reCAPTCHA v3 to multiple pages. In this way, the reCAPTCHA adaptive risk analysis engine can identify the pattern of attackers more accurately by looking at the activities across different pages on your website,” Liu said.
The score that reCAPTCHA v3 produces tells a site owner how suspicious the analyzed traffic is, but the site owner then has to decide how to act on that information. Part of that decision will likely depend on what the site does and where the reCAPTCHA v3 tags are placed on it. Some sites may use the score as part of the authentication flow, while others may use it elsewhere.
“There are three potential ways you can use the score. First, you can set a threshold that determines when a user is let through or when further verification needs to be done, for example, using two-factor authentication and phone verification. Second, you can combine the score with your own signals that reCAPTCHA can’t access—such as user profiles or transaction histories. Third, you can use the reCAPTCHA score as one of the signals to train your machine learning model to fight abuse,” Liu said.
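As an added example (not code from the article or from Google), here is how a site backend might apply the first two of Liu's three uses: verify the client token against the siteverify endpoint, check that the returned `action` matches the step of the user journey the token was issued for, and map the score to allow / step-up / deny with a site-specific threshold, optionally lowered by a risk signal reCAPTCHA cannot see. The thresholds, the `own_risk` adjustment and the sample responses are assumptions; the response fields (`success`, `score`, `action`, `hostname`, `error-codes`) are those returned by the siteverify API.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def verify_token(secret, token, remote_ip=None):
    """Post the client-side token to siteverify and return the parsed JSON.
    This is a live network call; the offline samples below do not use it."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=5) as resp:
        return json.load(resp)


def decide(result, expected_action, expected_hostname,
           allow_at=0.7, deny_at=0.3, own_risk=0.0):
    """Map a siteverify result to 'allow', 'step_up' (e.g. 2FA or phone
    verification) or 'deny'. own_risk (0..1) is an assumed site-specific
    penalty derived from signals reCAPTCHA cannot access, such as a brand-new
    account or an unusual transaction history."""
    if not result.get("success"):
        return "deny"            # invalid, expired or already-used token
    if result.get("action") != expected_action:
        return "deny"            # token was minted for a different step
    if result.get("hostname") != expected_hostname:
        return "deny"            # token was minted on another site
    # 1.0 means very likely human, 0.0 very likely bot
    score = result.get("score", 0.0) - own_risk
    if score >= allow_at:
        return "allow"
    if score >= deny_at:
        return "step_up"
    return "deny"


# Constructed sample responses in the shape siteverify returns (not real captures).
LIKELY_HUMAN = {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"}
SUSPICIOUS = {"success": True, "score": 0.4, "action": "login", "hostname": "example.com"}
LIKELY_BOT = {"success": True, "score": 0.1, "action": "login", "hostname": "example.com"}
WRONG_ACTION = {"success": True, "score": 0.9, "action": "signup", "hostname": "example.com"}
BAD_TOKEN = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, r in [("human", LIKELY_HUMAN), ("suspicious", SUSPICIOUS),
                    ("bot", LIKELY_BOT), ("wrong action", WRONG_ACTION),
                    ("bad token", BAD_TOKEN)]:
        print(f"{name}: {decide(r, 'login', 'example.com')}")
```

The action check matters because a token is tied to the tag it was generated under: a score earned on a low-risk page should not be replayable against the login step.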