Can Google's ReCAPTCHA Swat The Bots?

8 Facebook Privacy Settings To Check

When we talk about robots taking over, we tend to think of science fiction scenarios of gleaming cyborgs wiping out mankind with high-powered weapons. But there is a very real battle going on today where robots are constantly working against the interests of businesses and individuals.

These robots of destruction are actually easy to find. Just look at the comments section of some of your favorite blogs, or notice how the online channels quickly fill up when you try to buy tickets for a major event. The enemy here are bots that are trying to spread comment spam, access e-commerce servers, and generally make life miserable for people who do business online.

For a while now, the main weapon against these bots has been CAPTCHA, also known as everyone's least favorite thing that websites constantly ask them to do. While opinions differ about nearly everything on the web, one area where most can agree is that everyone hates trying to decipher a nearly illegible series of characters in order to make a comment, purchase a ticket, or do nearly anything online. "Is that an l or a 1? Is that c lowercase or uppercase?" To make things even worse, your customers are enduring these headaches for no good reason, as many bots can easily defeat classic CAPTCHAs.

[Want more ideas on reducing risk? See Security Armchair Quarterbacks: Go Away.]

However, this week, Google announced a new system designed to replace classic CAPTCHA with something a little more user friendly. Called No CAPTCHA reCAPTCHA, the new Google system replaces those hard to read text boxes with one simple question: "Are you a robot?" Click "No" and you're good to go.

Image: Google

Of course, it's more complicated on the backend. After all, if that was all there was to it, then No CAPTCHA reCAPTCHA would be trivially easy for bots to defeat. What makes this new system potentially effective is its implementation of risk analysis. That's because, while in a single moment it can be hard to tell a person from a robot online, over time people and robots behave very differently, and these patterns can be very easy to detect. So an entity that's been rapid-fire hitting many sites and logging in with the same comment on Louboutin shoes may be a robot. If you've been casually browsing the web, reading articles, checking mail, and mooning over those shoes, there's a good chance you're a human (or a "meatbag" as Bender on Futurama would say).

But what if you've just logged in and there's no history to scan? Or if the system isn't really sure? Then it can implement an improved alternative to classic CAPTCHA texts. For example, the site can show a picture of a cat, followed by a set of other pictures and ask you to select the ones that don't fit. Still annoying, but hopefully less so than traditional text CAPTCHAs.

How soon will we see this new scheme? Many major sites, including Wordpress, already use the new Google API. According to Google's Security blog, early adopters are seeing good majorities of their traffic being able to be quickly identified as not robots. And since this is a Google API, I expect other sites to implement it quickly.

But will it work? Only time will tell. The makers of these annoying robots won't give up easily. They'll work on ways to defeat risk scans and try to fool reCAPTCHA into thinking they are humans.

However, fooling this system won't be easy and until then, while the bots aren't quite terminated yet, they are definitely poised to take a beating.

Want proof that your IT team is special? Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.