SPAM has always been a big problem since the internet started to be widely used.
Bots (automated scripts) would insert information in the various forms that existed in most sites, trying to either spread malware or get passwords through Brute-Force attacks (like it happened in a larger scale back in April 2013 to many WordPress websites — http://threatpost.com/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513/), and basically abuse any form that could be submitted.
Note that no WordPress website with the visualCaptcha plugin was compromised ( the DDoS happened, but the hackers got no access to the authentication functionality, to try out random passwords ), though many were attacked.
The solution, and a new problem
The solution currently and widely used is a form of CAPTCHA that has an image with distorted text characters, requiring you to insert those characters correctly in a form field, which makes it near-impossible for bots to decipher it.
While the letters weren’t too hard to understand, it wasn’t too bad. Bots would not be able to abuse the forms, and humans could submit the forms without much effort.
Sadly, as bots became better at OCR and deciphering the images, the images got more complex and distorted, ultimately making it extremely difficult for humans to decipher the same distorted characters.
A wild paradox appears
The forms are meant to facilitate communication between customers (visitors/clients/users) and the vendor (owner of the site), but he current CAPTCHAs actually started acting like communication complicators.
People can’t get the characters right at their first attempt (if you’re persistent, it can happen that you take several attempts trying to go through different options shown to you), and it frustrates them.
Ultimately, your desire to communicate fades, or you try to find an alternative, easier way to communicate.
Your form, that’s meant to help your customers communicate, is not letting them do it. Your form has failed.
The kind of problem we like
This is the kind of problem I (and we at Clevertech) like. A problem that affects millions of users, which does not have an apparently easy solution.
I started thinking and figuring out a solution for this problem years ago, before joining Clevertech.
It has improved a lot since then, and will definitely improve more, with the help of everyone here.
Back to the basics
The best way to figure out a solution, is thinking of the problem at its most basic form.
The basic questions of why do we need it, and why is it a problem now.
Also, what’s the simplest, feasible solution?
Why do we need CAPTCHAs?
Sadly, we can’t stop the bots from trying to abuse forms.
We still need a way to make it impossible (or at least difficult to the point it makes it unfeasible) to submit forms automatically, to prevent abuse.
Bot abuse takes up server and human resources (when things go through, someone has to clean it up), which basically translates to time (which ultimately means money to some).
It can also cause server problems, resulting in service downtime.
Companies and people lose lots of time. It’s a big problem.
Why is the current solution a problem?
Like I’ve explained above, it’s making communication more difficult, instead of making it easier, in the attempt to solve a problem not related to communication, but resources/management (handling SPAM and abuse).
What’s the simplest, feasible solution?
One solution is to get rid of the forms. The problem with this is that you’re also removing the means of communication for your customers, and while that’s acceptable for a contact form (to be replaced by an email), it’s not possible for a registration or login form, for example.
So we need to make CAPTCHAs easier to solve (as in not even letting people think too much about them), while still making it impossible or extremely difficult for Bots to override them.
I believe I’ve found a great solution with visualCaptcha.
Yes, the idea of identifying an image is not new, but a lot of the CAPTCHAs that use that system have lots of flaws that make them very easy to bypass by a bot. Being it a small set of static/immutable choices, easy to find and mimic solutions, and a big problem that all of them have, which is Accessibility. We’ll get back to that later.
The proposal
I went back to the whiteboard, and wrote the most important features this new CAPTCHA would have to have:
- Quick to understand and solve
- Simple images
- Clear instructions
- Short solution names
- Customizable
- Let people have their own answer possibilities
- Let people have their own field naming, form naming, etc.
This actually makes it more difficult for a bot that can solve one visualCaptcha to solve another.
- Safe
- Use JavaScript to increase Bot resource usage
- Don’t have the solution field in the DOM until the CAPTCHA is actually used, triggered by JavaScript usage
- The solution should be known ONLY in the server
Solve only problems you have
The implementation of these features was phased. I believe tackling all your projects, even “personal” ones, with an “MVP-mindset” and Lean/Agile methodologies are always a good idea.
The first visualCaptcha (actually called wCaptcha) was fairly easy to solve writing some JS code after analyzing (only the right image was allowed to be dragged), but it served its purpose. At the time, JS-enabled bots were not being used to abuse forms, so it wasn’t a problem.
Also, very few people knew about visualCaptcha, so who was going to try to crack it? :)
This allowed for visualCaptcha to grow sustainably, letting me fix problems I didn’t even think about (like what if someone gets it wrong the first time? Let people drag back and forth!), implement features as they were requested, and fix problems as they appeared.
Once it got a few more users, a new problem came up in my doorstep. Accessibility.
Accessibility Matters. A lot.
Imagine you were not able to access your bank account online. You’d be pretty pissed, right? Well, that actually happens a lot ( This Guardian article from October 2012 shows all big banks failing to be usable by visually impaired people ).
I had thought about Accessibility before, and I knew it was going to be a difficult problem to solve.
Due to time constraints, I postponed for whenever the first person complained about it. And soon enough, it happened.
An Italian municipality wanted to implement visualCaptcha in their website, but they had to comply with Accessibility standards, and visualCaptcha was not Accessible. It had no solution for visually impaired people.
I looked for several solutions, and was amazed at how even regular CAPTCHAs made their “Accessible” versions so hard to understand, even for non-impaired people!
The normal Accessibility solution nowadays is to pronounce the letters that are in the image, which would be ok, if the sound wasn’t distorted so that bots can’t try to decipher the letters by “listening” to that sound clip. Even for people that aren’t visually impaired, it’s very complicated to understand these spoken letters.
I knew I had to do something different.
visualCaptcha was known to be easy to use, and that was the first and most important feature it had. The sound had to be crystal-clear.
I then remembered some other types of CAPTCHAs that I’ve seen before, asking questions like “4 + 2 = ?”, which, given the appropriate context, can be hard for a bot to decipher (they don’t like having to have to read and understand everything in a page to fill in an input field).
That was the solution I came up with.
Having a voice asking a simple question (not related to the image you’d have to drag without using the Accessibility option) would make it easy and quick to understand and solve, while making it difficult for bots to override that.
Not perfect, and that’s ok.
Yes, it’s not a perfect solution, there are systems nowadays that can interpret spoken/written questions, but that takes the bot’s resource usage to a whole new level. Regarding the “Solve only problems you have” section above, there still isn’t a problem where visualCaptcha’s Accessibility is being cracked, so this is the solution that will continue to be used, until we (need to) come up with something better.
Give it a try, and contribute
With thousands of websites using it, it’s solved SPAM problems to millions of people, and that number continues to rise.
You can learn more about visualCaptcha, download it, and contribute to its GitHub repos at http://visualcaptcha.net
We’ve written a blog post for developers that want to try out visualCaptcha (note in the meanwhile we launched a new version, and will be coming up with a new blog post for it).