Bots are autonomous programs on the internet. In the hands of fraudsters, they have become a serious menace, as they are capable of creating fake accounts, signing into existing accounts using stolen credentials, leaving comments on social media posing as an actual human, and much more — all at frightening speed and scale.
Businesses use a variety of methods to keep bots off their platforms. At best, these technologies can stop bots while letting humans through with very little friction. At worst, they create a significant burden for legitimate users while leaving loopholes for bots to exploit.
Let’s look at five popular bot-detection technologies and the pros and cons of each one.
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge-response type of technology that uses simple tests that are difficult for bots to solve while being relatively easy for humans. A CAPTCHA might display distorted letters and numbers and prompt you to type in what you see, or it might display an array of images and ask you to click all that contain fire hydrants or other objects.
The advantage of this technology is that it provides a low-cost way to block simple bots and is well understood by users. However, it does add friction to the process, and many people find it inconvenient and frustrating, especially if their vision is impaired. Furthermore, advances in machine learning have enabled more sophisticated bots and even Bing Chat to bypass CAPTCHAs with a high success rate. Even worse, some fraudsters use sweatshops of forced human labor to solve CAPTCHAs.
Behavioral Analysis
To address the shortcomings in CAPTCHA, behavioral analysis technologies such as reCAPTCHA emerged. Behavioral analysis monitors user behavior patterns such as mouse movements, keystrokes and page navigation to identify and block malicious bots. The NoCAPTCHA reCAPTCHA approach just requires the user to click a check box and can detect from the mouse movement whether the user is a human or a bot. And “invisible” reCAPTCHA uses behavioral analysis to provide a completely frictionless way of detecting bots in the background without any extra steps from users.
As with CAPTCHA, highly sophisticated bots and forced human labor can be used to get around reCAPTCHA and other tools that use behavioral analysis.
Machine Learning Algorithms
Whereas CAPTCHA and behavioral analysis are aimed at identifying humans, machine learning algorithms focus on identifying patterns and characteristics associated with bots. When these automated programs are trained on vast amounts of data, they can achieve a very high level of accuracy, detect subtle patterns that are challenging for humans to spot, adapt quickly to new types of bot activity, and run entirely in the background to create zero friction for users.
The biggest drawback to this approach is that it requires sophisticated technologists who understand how to properly develop and train the machine learning algorithms. If a company uses poor data sets that have too little data and from a limited population, or if the data has been manipulated, the algorithms will be ineffective.
Device Fingerprinting
Another approach for detecting bots is to gather information about the device that’s being used to access a website or application in order to create a “fingerprint” that uniquely identifies that device. For example, if a device has been used to open accounts for many different users in a short period of time, it’s likely that the device is running bots to automatically create accounts. Fingerprints are also helpful for identifying a possible account takeover if the user suddenly logs in from a device that has never been seen for that account.
Device fingerprinting is not foolproof. Sophisticated bots using spoofed or virtual devices can bypass it. Furthermore, device fingerprints can change over time due to hardware and software updates and other factors. And because of privacy concerns, mobile operating systems are making it harder to track users through their device. However, when used as a frictionless risk signal combined with other identity verification methods, it can be a powerful tool.
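The two fingerprint-based signals described above (signup velocity per device, and a login from a device never seen for that account) as an added example that is not part of the original post; the events, the fingerprint values and the threshold of three distinct users per ten-minute window are constructed placeholders, not values from any real system.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one record per account-opening or login attempt,
# already tagged with the device fingerprint computed client-side.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "type": "signup", "device": "fp-a1", "user": "u1"},
    {"ts": "2024-03-01T10:00:20", "type": "signup", "device": "fp-a1", "user": "u2"},
    {"ts": "2024-03-01T10:00:45", "type": "signup", "device": "fp-a1", "user": "u3"},
    {"ts": "2024-03-01T10:01:10", "type": "signup", "device": "fp-a1", "user": "u4"},
    {"ts": "2024-03-01T10:01:30", "type": "signup", "device": "fp-a1", "user": "u5"},
    {"ts": "2024-03-01T11:00:00", "type": "signup", "device": "fp-b2", "user": "u6"},
    {"ts": "2024-03-01T12:00:00", "type": "login",  "device": "fp-a1", "user": "u1"},
    {"ts": "2024-03-01T14:00:00", "type": "signup", "device": "fp-b2", "user": "u7"},
    {"ts": "2024-03-01T15:00:00", "type": "login",  "device": "fp-c9", "user": "u6"},
]


def _ordered(events):
    """Parse timestamps and yield events in chronological order."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def flag_signup_velocity(events, window=timedelta(minutes=10), max_users=3):
    """Return fingerprints that opened accounts for more than max_users
    distinct users inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # device -> deque of (timestamp, user)
    flagged = set()
    for e in _ordered(events):
        if e["type"] != "signup":
            continue
        q = recent[e["device"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:  # drop entries outside the window
            q.popleft()
        if len({u for _, u in q}) > max_users:
            flagged.add(e["device"])
    return flagged


def flag_new_device_logins(events):
    """Return (user, device) pairs where a login comes from a fingerprint
    never before associated with that user: a possible account-takeover signal."""
    known = defaultdict(set)  # user -> fingerprints seen at signup or earlier logins
    suspicious = []
    for e in _ordered(events):
        if e["type"] == "login" and e["device"] not in known[e["user"]]:
            suspicious.append((e["user"], e["device"]))
        known[e["user"]].add(e["device"])
    return suspicious
```

Both signals are only risk indicators: a shared household or office device can trip the velocity rule, and a legitimate phone upgrade trips the new-device rule, which is why the post recommends combining them with other verification methods rather than blocking outright.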
Liveness Detection
Arguably the gold standard of bot prevention is liveness detection. By simply analyzing the user’s selfie, this technology can determine that the user is a person who is physically present and awake.
Advanced liveness detection technology can spot video injection attacks (where the bot hijacks the camera feed and uses video of a person, often a deepfake, for the basis of the selfie) or when the camera is pointed at a computer screen, not a live person. When combined with verification of the user’s ID to ensure it’s legitimate, and comparing the selfie with the photo on the ID, liveness detection is an extremely powerful way to stop bots from opening accounts.
Even better, when the user wants to complete a potentially high-risk activity such as changing their password or transferring large sums of money from their account, you can prompt them to simply take another selfie to make sure it’s still the same user who opened the account. This helps protect users from bots that have been deployed with stolen credentials to take over legitimate accounts, which is where much of the greatest damage occurs.
Best Practices for Using Liveness Detection
Because liveness detection can be more expensive than other methods, the best practice is to use other risk signals like device check first to weed out as many bots as possible. And even though taking a selfie is simple and familiar to almost everyone who transacts online, it is an extra step. For this reason, some businesses opt not to use it during account opening and only require it during higher-risk activities. For example, an online gambling site might prioritize onboarding as many users as possible and only require further verification once the user is ready to play or before depositing any promotional tokens in their account or allowing them to make any transfers.
What to Look for in a Liveness Detection Solution
When selecting a liveness detection solution, be sure to choose a vendor with rigorous security practices that help safeguard the user’s biometric data. The vendor should also provide transparent information to users on how their data will be used and retained. And for the highest level of security against bots, be sure the solution offers a mobile SDK that fully controls the camera during selfie capture to prevent bots from hijacking the camera pipeline.
Some liveness solutions require the user to perform specific actions like turning their head a certain way or repeating words. Because this adds a lot more friction and can be difficult for people with physical limitations, the best approach is to use a solution that simply has the user fill the screen with their face (either by moving closer to the screen or moving the device closer to their face) and automatically captures the selfie for them.
Jumio’s liveness detection solution is exceptional at preventing bots and protecting your users’ accounts with minimal friction. To learn more about how we can help your business, just fill out this form, and one of our solution experts will be in touch shortly to start a conversation about your specific needs.