CAPTCHA prompts now annoy everybody except the bots they were designed to stop, because cybercriminals solve them with AI and paid human solvers. They could soon be a thing of the past, thanks to cryptographic bypass tokens being rolled out by the likes of Apple, Cloudflare, and Fastly.

Private Access Tokens (PATs) are cryptographic tokens that attest that a request most likely comes from a real person on a legitimate device, without identifying who that person is. They are issued to your device, presented by your browser and by native apps, and also cover API calls made by the web apps you use.

PATs prove your humanity to the websites you visit – allowing you to bypass the CAPTCHA prompts that present maths problems or a grid of photos, asking you to choose the photos with certain items in them.

CAPTCHA is an acronym for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’.

The anonymous PATs are based on Privacy Pass, a protocol and web browser extension from Cloudflare whose design was published in 2018. A user who solves one CAPTCHA receives a batch of cryptographic tokens that can be redeemed to skip CAPTCHAs on future visits. Because the tokens are blind-signed, the issuer never sees the token it actually signed, so a redemption cannot be linked back to the solve that earned it, or to other redemptions.

The technology is now hitting the mainstream after Apple incorporated it into its upcoming iOS 16 and macOS ‘Ventura’ operating systems, due to be widely deployed within months.

Apple’s anonymous PATs do not prove your identity. Instead, Apple’s servers act as an attester: before a token is issued they check signals that a bot finds hard to fake, such as the fact that you are already signed in to iCloud, have unlocked your device with Face ID or Touch ID, and are making the request from Safari or a legitimately signed app. If those checks pass, an issuer (Cloudflare or Fastly) blind-signs a single-use token that the website can verify with the issuer’s public key, without learning anything about your device or account.
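The issuance and redemption flow sketched in the Privacy Pass and Apple paragraphs above, as an added example in Python that is not Apple’s, Cloudflare’s or Fastly’s code: four roles, an origin, a client, an attester and an issuer, exchange an RSA-blind-signed single-use token, and the origin verifies it with only the issuer’s public key. Assumptions of this example: toy 512-bit keys, a SHA-512 hash-to-integer step standing in for the PSS encoding that the real RSA blind signature scheme (RSABSSA) uses, and an attester stub that checks three flags in place of the device and account signals the article lists. All function and field names are this example’s own.

```python
"""Toy Private Access Token flow with RSA blind signatures. Added example; not Apple's,
Cloudflare's or Fastly's code. Assumptions: 512-bit toy keys, SHA-512 hash-to-integer in
place of RSABSSA's PSS encoding, and an attester that checks a dict of flags."""
import hashlib
import math
import secrets

TOKEN_TYPE = b"\x00\x02"  # Privacy Pass token type for publicly verifiable (RSA blind) tokens

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test for an odd candidate n > 3 (adequate for a toy key)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Issuer key pair as ((n, e), (n, d)); real deployments use 2048-bit or larger keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _key_id(pub) -> bytes:
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()

def _hash_to_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % n  # stand-in for PSS encoding

def attester_vouch(device_state: dict) -> bool:
    """Stub for the checks the article lists (iCloud sign-in, biometric unlock, signed app)."""
    required = ("icloud_signed_in", "unlocked_with_biometrics", "app_signature_valid")
    return all(device_state.get(k) is True for k in required)

def client_blind(pub, challenge: bytes):
    """Client: build type || nonce || challenge digest || key id and blind it with a random r.
    The issuer only ever sees the blinded value returned here, never the finished token."""
    n, e = pub
    nonce, challenge_digest = secrets.token_bytes(32), hashlib.sha256(challenge).digest()
    m = _hash_to_int(TOKEN_TYPE + nonce + challenge_digest + _key_id(pub), n)
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return {"nonce": nonce, "challenge_digest": challenge_digest, "r": r}, (m * pow(r, e, n)) % n

def issuer_sign(priv, blinded: int, vouched: bool) -> int:
    """Issuer: sign the blinded value only if the attester vouched for the client."""
    if not vouched:
        raise PermissionError("attester did not vouch for this client")
    return pow(blinded, priv[1], priv[0])

def client_finalize(pub, state: dict, blinded_sig: int) -> dict:
    """Client: unblind into a token the origin can check with only the issuer's public key."""
    n = pub[0]
    sig = (blinded_sig * pow(state["r"], -1, n)) % n
    return {"nonce": state["nonce"], "challenge_digest": state["challenge_digest"],
            "token_key_id": _key_id(pub), "authenticator": sig.to_bytes((n.bit_length() + 7) // 8, "big")}

def origin_verify(pub, token: dict, challenge: bytes, seen_nonces: set) -> bool:
    """Origin: right key, right challenge, valid signature, and the nonce has not been spent."""
    n, e = pub
    if token["token_key_id"] != _key_id(pub) or token["challenge_digest"] != hashlib.sha256(challenge).digest():
        return False
    if token["nonce"] in seen_nonces:
        return False  # replay of a token that was already redeemed
    msg = TOKEN_TYPE + token["nonce"] + token["challenge_digest"] + token["token_key_id"]
    if pow(int.from_bytes(token["authenticator"], "big"), e, n) != _hash_to_int(msg, n):
        return False
    seen_nonces.add(token["nonce"])
    return True

def run_flow(device_state: dict, challenge: bytes = b"constructed challenge from origin.example") -> dict:
    """One end-to-end exchange: what the origin decided, and whether the issuer saw the final token."""
    (pub, priv), seen = keygen(), set()
    state, blinded = client_blind(pub, challenge)
    token = client_finalize(pub, state, issuer_sign(priv, blinded, attester_vouch(device_state)))
    return {"accepted_first": origin_verify(pub, token, challenge, seen),
            "accepted_replay": origin_verify(pub, token, challenge, seen),
            "issuer_saw_final_token": blinded == int.from_bytes(token["authenticator"], "big")}

if __name__ == "__main__":
    print(run_flow({"icloud_signed_in": True, "unlocked_with_biometrics": True, "app_signature_valid": True}))
```

Running the module (or calling run_flow with the three flags set to True) returns a dict showing the origin accepting the token once, rejecting the replay of the same nonce, and the issuer never having seen the value the origin ends up verifying, which is the unlinkability property the article relies on. The challenge digest binds a token to the site that asked for it, so a token earned for one origin cannot be spent at another; with the flags missing, issuer_sign refuses, which is the point at which a bot that cannot satisfy the attester falls back to a CAPTCHA.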

“Even if someone is interacting with your website for the first time, if they are loading it through an app or a browser like Safari, they have already performed many actions that are hard for a bot to imitate,” Apple Internet technologies engineer Tommy Pauly explained during Apple’s recent Worldwide Developers Conference (WWDC).

Despite their value in preventing fraudulent activity, Pauly noted, CAPTCHAs “often lead to a slower and more complex user experience [and] can pose a serious problem for accessibility, [blocking] real humans who have disabilities or language barriers.”

“By trying to prevent attacks, you may also lose valuable customers,” he said. “Finding the right balance between a good experience and preventing fraud is a challenge.”

PATs from Apple devices, and from other platforms that adopt the scheme, will be accepted by firms like Cloudflare, which today uses CAPTCHAs and other challenges to block fraud and distributed denial of service (DDoS) attacks. Cloudflare also acts as a token issuer, and a valid PAT lets a request bypass the challenge as proof that it is not automated, not as proof of who sent it.

Apple will call the feature Automatic Verification when it ships in iOS 16 and Ventura, and broad industry support should see many CAPTCHAs eliminated in short order.

This cat-and-mouse game ended long ago

Vendors may finally be backing technology to bypass CAPTCHAs, but cybercriminals figured out how to circumvent them years ago – developing automated image recognition engines capable of identifying CAPTCHAs and, in many cases, solving them.

Each time a particular type of CAPTCHA was compromised, vendors came up with another one – posing an intellectual challenge for cybercriminals and an increasing nuisance for legitimate users.

Entire CAPTCHA-solving ‘click farms’ evolved to help bypass the tests en masse, with reports long suggesting that bots – whether with the assistance of humans or, more recently, backed by artificial intelligence and machine learning algorithms – had become better at solving many CAPTCHAs than humans are.

“Attackers are leveraging bots and automation to get assets” using freely-available tools, noted James Tin, F5 Labs senior director for security and fraud solutions in a recent webinar. “Unfortunately, the defenders are on the back foot.”

With cybercriminal organisations selling CAPTCHA solving as a service, anyone can buy 1,000 CAPTCHA solves for $2.32 ($US1.65), Tin said, recalling one attack on an Australian bank that saw 60,000 bots pummelling the site simultaneously.

“There is nothing malicious in the requests they send,” he explained. “What is malicious is the sending of millions and millions of requests that inundate authentication platforms and cause problems with the databases, web servers, and API gateways.

“It’s very, very straightforward and low cost, but the impact is huge.”

Relying on CAPTCHAs is already damaging customer loyalty and costing companies new customers, Forrester senior analyst Meng Liu noted.

“Authentication steps such as frequent password reCAPTCHA, multi-factor authentication or frequent password updating will lead to a lot of customer shopping carts being abandoned, and customer churn,” he said.

“Organisations should make sure they give the customers the least steps of authentication possible to ensure a very seamless digital experience.”