Why Can’t Bots Check ‘I Am Not a Robot’ Checkboxes?

You have seen them when you try to log in to an online account or submit some information to a website. In order to proceed, you have to identify and type some squiggly letters in an image, check boxes that represent part of an image or just simply check a box to prove you are human.

Clicking a checkbox seems simple enough for a bot to do. So how does that help to filter them out?
The following are the best answers found online to this question.


Actually, clicking the box is a rather trivial part of what those CAPTCHAs are looking for. What they’re actually looking for are things like: Did the ‘user’ instantly move their mouse to the exact coordinates of the box, or did they traverse through the page like a human would? Is the user scrolling to the box, or are they remotely executing JavaScript to trigger a scroll to the box?

How long after page load did the user find the box? Too quickly is obviously a red flag, but taking too long is also. It usually doesn’t take a legitimate human 5 minutes to answer a few questions about 9 images. If you take too long, they’ll make you do another image check challenge.

Basically, it’s really, really difficult to make a bot move the mouse, scroll, and react naturally to a page load. And even if you do manage to fool reCAPTCHA, you’ll be thrown to a few image tasks which may serve to block you out from the website completely, due to the reasons mentioned above.

This type of stuff is only part of what reCAPTCHA relies on to determine human/non-human – particularly, your referring information & whether or not you have a logged in Google account.
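
The signals named in the answer above (time from page load to click, whether the pointer travelled to the box, whether the click came from script), sketched as an added example that is not part of the quoted answer and is not reCAPTCHA's actual logic. The trace shape, the flag names and every threshold except the answer's "5 minutes" are assumptions made for illustration.

```javascript
// Added illustration: thresholds are assumptions, not reCAPTCHA's real values.
const MIN_MS_TO_CLICK = 500;            // assumed "too quickly" cutoff
const MAX_MS_TO_CLICK = 5 * 60 * 1000;  // the "5 minutes" mentioned in the answer
const MIN_MOVE_EVENTS = 5;              // assumed minimum pointer samples
const MAX_STRAIGHTNESS = 0.995;         // direct distance / travelled distance

// trace: { loadedAt, clickedAt, clickTrusted, moves: [{ x, y }] } (hypothetical shape)
function scoreTrace(trace) {
  const flags = [];
  const elapsed = trace.clickedAt - trace.loadedAt;
  if (elapsed < MIN_MS_TO_CLICK) flags.push("too_fast");
  if (elapsed > MAX_MS_TO_CLICK) flags.push("too_slow");
  // Event.isTrusted is false when script calls element.click() or dispatchEvent().
  if (!trace.clickTrusted) flags.push("untrusted_click");

  const moves = trace.moves;
  if (moves.length < MIN_MOVE_EVENTS) {
    flags.push("no_pointer_travel");
  } else {
    let travelled = 0;
    for (let i = 1; i < moves.length; i++) {
      travelled += Math.hypot(moves[i].x - moves[i - 1].x, moves[i].y - moves[i - 1].y);
    }
    const first = moves[0], last = moves[moves.length - 1];
    const direct = Math.hypot(last.x - first.x, last.y - first.y);
    if (travelled > 0 && direct / travelled > MAX_STRAIGHTNESS) flags.push("straight_path");
  }
  // Any flag escalates to a harder challenge, as the answer describes.
  return { flags, challenge: flags.length > 0 };
}

// Constructed sample traces (not captured from real sessions).
const humanLike = { loadedAt: 0, clickedAt: 4200, clickTrusted: true, moves: [
  { x: 10, y: 10 }, { x: 40, y: 30 }, { x: 90, y: 35 }, { x: 140, y: 80 },
  { x: 180, y: 70 }, { x: 230, y: 120 }, { x: 260, y: 160 }, { x: 300, y: 200 } ] };
const scriptedClick = { loadedAt: 0, clickedAt: 40, clickTrusted: false, moves: [] };
const linearGlide = { loadedAt: 0, clickedAt: 2000, clickTrusted: true, moves: [
  { x: 0, y: 0 }, { x: 20, y: 20 }, { x: 40, y: 40 }, { x: 60, y: 60 },
  { x: 80, y: 80 }, { x: 100, y: 100 } ] };

for (const [name, t] of Object.entries({ humanLike, scriptedClick, linearGlide })) {
  console.log(name, JSON.stringify(scoreTrace(t)));
}
```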


First, captchas aren’t there to make it impossible to overcome – that is not possible to do. It’s to make it difficult for a bot, i.e. to either make it impossible for it to do at all by itself or only very slowly. This is to make it impossible for a bot to e.g. try a password 1000 times per second, or to let it log in automatically without the help of a human.

Secondly – one must also know that the images used in Google captchas – where you e.g. have to push every image that has a street sign on it – are made completely automatically as well. We have algorithms that can detect practically everything on images. But while Google has massive server farms, the average hacker doesn’t have similar resources, especially not if it’s only about a stupid thing like hacking into a random board or something (too risky to expose such resources for too little gain).


As far as I’ve heard, Google is able to replace an actual CAPTCHA with this simple textbox only if they know enough stuff about you – This little checkbox is basically a plugin from Google, thus (via cookies, sessions, knowing your IP etc) Google knows on what pages you surfed in the time before arriving at that CAPTCHA. Knowing that you surfed for denim jeans for the past 3 hours, Google can be pretty sure you’re not a robot – having to actually click on that box is basically only for “enabling” that plugin.

If Google doesn’t know enough about you, they will by the way simply show the original reCAPTCHA, where you solve Optical Character Recognition (or street number recognition) tasks for Google. You can simply test that by restarting your router, using incognito mode and going to a website that uses reCAPTCHA.


Google is great at keeping its algorithms a secret, so we’ll probably never know for sure, but we can make some guesses.
One thought is to track a user’s mouse and keyboard actions and see if that is consistent with a human, but I’m not entirely sure this is the system that it uses since it would be easy to replicate such actions with a simple bot.

I’m partial to the idea that Google is taking advantage of its massive database of what you’ve been doing on the web the last few minutes. Have you checked your Gmail? Made some Google searches for a new cat sweater? That’s all stuff a human would do, so they are able to associate your captcha request with your previous internet requests and see you’re probably human.

Of course, if this is a brand new computer connecting from an IP that has just been assigned, you probably don’t have the sufficient background for Google to think you’re human, so you’ll receive a more difficult captcha to solve.

This means that if a bot was to check off that box, it wouldn’t follow the history pattern we associate with a human and Google would return a further captcha check which the bot would fail. Usually these secondary captchas are going to be some sort of computer vision problems that would involve far too much resource intensive computing to solve.

