Visa’s anti-bot play means it’s time to think beyond the CAPTCHA

By Marc Brown, APJC Director, Sales and Solutions Engineering for multi-cloud security and application delivery company F5.

Most of us are familiar with the experience of having to tick a box and evaluate a few images or write out distorted letters to prove ‘I am not a robot’ when shopping online.

CAPTCHA’s challenge-response technology has become a popular defence for online retailers to separate the bots from the humans, but an unpopular pain point for customers. Research from Stanford University indicates CAPTCHAs can reduce form conversions by up to 40 per cent.

Visa Australia’s new e-commerce anti-bot security requirement in Australia, which mandates that payment processors put in place anti-bot technology to prevent enumeration attacks by October 2022, risks CAPTCHA become a much more common feature in our lives. This is a challenge for payment processors and e-commerce companies to meet Visa’s requirements without damaging the customer experience.

Enumeration attacks involve the use of bots to test payment details such as a primary account number (PAN), card verification value (CVV2 – or – the number on the back), and expiration date. Validated details can be used in fraudulent transactions, against the organisation being attacked, or against a third-party organisation. These attacks are a major contributor to card-not-present (CNP) fraud, which, according to the Australian Payments Network, rose by 12.3 per cent in FY21 to the tune of $442 million.

Visa wants to combat the large increase in enumeration attack fraud it has detected in the past 18 months. Its Security Roadmap states: “These attacks generally lead to compromised accounts and account takeovers. However, the residual aspects of these schemes, while not always conspicuous, have additional negative effects on various ecosystem parties. These impacts include fees, operational inefficiencies, fraud and reputational risk for all parties involved.”

Security versus simplicity

While I applaud Visa’s intention with this regulation, payment processors – such as Eway, SecurePay and recently ASX-listed Block – may struggle to meet this requirement without broad support from e-commerce organisations – such as Woolworths, JB Hi-Fi, and Officeworks – which will be hesitant to further aggravate consumers.

When we send our credit card details online, they are usually collected and processed via one of two model – a payment gateway hosted card form, or an e-commerce company hosted card form sent to a payment gateway via an API. In the first model, the payment processor has visibility of the entire transaction and can use programming language JavaScript to collect various signals to identify bots. In the second, the processor has less visibility as it relies on data sent to them via the e-commerce company’s API, making it harder to detect bots.

CAPTCHA has served as a quick and easy stopgap across these corelated industries to prevent enumeration attacks from taking place. But as attackers become more sophisticated, so too do the puzzles the real humans need to solve to prove their real, building on the already potent frustration they experience.

The unpopularity of these systems will only increase as our need for instant digital gratification rises. Visa even acknowledged users’ discontent with CAPTCHA in its anti-bot requirement announcement. Further, according to a former ‘human CAPTCHA solver’, they are merely a speedbump for motivated attackers anyway.

Visa’s mandate in Australia – likely to be a testing ground for other regions and other financial services giants to follow – marks an opportunity to get more creative and user-friendly about how we screen for humans.

There are many ways in which we act differently to bots. For example, if a human enters incorrect credit card details, they will likely take a few seconds and re-enter correctly, mostly getting it right on the second go for fear of blocking the card. A bot might send tens of thousands of attempts in a matter of seconds.

Modern bot defence needs to incorporate automation and AI tools to identify these anomalies, not force customers to justify their own humanity. Modern consumers won’t tolerate disruption to their security or simplicity – if you want to sell, you’ll have to satisfy both.

This is a Sponsored Feature.