Dealing with bots on e-commerce websites with CAPTCHA

Since the dawn of the Internet, people have tried to abuse websites for both sport and profit – especially e-commerce websites which by definition possess a number of customer data entry points.

As the abuse became profitable, its scale grew through the use of automated software (often referred to as “bots”). To prevent bots from overrunning sites with spam, fraudulent registrations, fake sweepstakes entries and other nefarious things, publishers responded by testing users to see whether or not they were human. These tests are typically referred to as CAPTCHA which, per Wikipedia, is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”: a type of challenge-response test used in computing to determine whether or not the user is human.

Generally, e-commerce websites use CAPTCHA to strengthen the security around their most sensitive data-entry and account-access points. Typical entry points on an e-commerce website include:

  • Sign up for a new account or register
  • Contact us
  • Sign up for email newsletters
  • Request a catalogue
  • Login to make a purchase
  • Get a quote

What happens, if you are unprotected, is that your customer and email databases end up mass-populated with spam email addresses, and it is costly and time-consuming to weed these out.

Google’s definition of the issue reads as follows: “CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of security measure known as challenge-response authentication. CAPTCHA helps protect you from spam and password decryption by asking you to complete a simple test that proves you are human and not a computer trying to break into a password protected account. A CAPTCHA test is made up of two simple parts: a randomly generated sequence of letters and/or numbers that appear as a distorted image, and a text box. To pass the test and prove your human identity, simply type the characters you see in the image into the text box.”

Rather than use the conventional “old school” approach, which produces notoriously difficult-to-read squiggly text, Screen Pages has recently deployed a “choose the correct image” approach which effectively rules out bots (well, until the AI in bots means they can interpret visual content). On Donald Russell, for example, you need to identify the steak on its email newsletter subscription page:

Or, here’s another example on the RSPB’s shop, where you identify the robin on its request-a-catalogue page:

Google has also released a new method called “reCAPTCHA”. “reCAPTCHA is more adaptive and better-equipped to distinguish legitimate users from automated software: this updated system uses advanced risk analysis techniques, actively considering the user’s entire engagement with the CAPTCHA—before, during and after they interact with it. That means that today the distorted letters serve less as a test of humanity and more as a medium of engagement to elicit a broad range of cues that characterize humans and bots.”

Here’s Google’s helpful intro to the subject and its new approach in a video:

We’ve already implemented this on one website – on Watco’s B2B “get a quote” facility.

For information, implementing some form of CAPTCHA on these important data-capture forms is generally less than a day’s work: a small investment compared to the pain of purging all those spam email addresses from your customer databases.
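Most of that day’s work is on the server, not in the page. The reCAPTCHA widget only produces a token in the browser; a form handler that stores the enquiry without sending that token to Google’s siteverify endpoint and acting on the reply has gained nothing, because a bot simply omits or forges the field. The following is an added example, not Screen Pages’ or Google’s code: the endpoint URL, the g-recaptcha-response form field and the reply fields (success, hostname, error-codes, and the timeout-or-duplicate and invalid-input-response error codes) are Google’s documented API, while the handler name, the secret key, the IP addresses and the canned replies are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

# Google's documented verification endpoint and the form field the widget fills in.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
RESPONSE_FIELD = "g-recaptcha-response"


def post_to_google(secret, token, remote_ip):
    """Real transport: POST the token to siteverify and return its JSON reply."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}
    ).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, remote_ip, expected_hostname, post=post_to_google):
    """Return (ok, reason), failing closed on anything unexpected.

    `post` is injectable so the decision logic can be exercised offline.
    """
    # An absent token means the widget was never completed, or a bot simply
    # replayed the form's other fields without it.
    if not token or len(token) > 4096:
        return False, "missing-or-oversized-token"
    try:
        result = post(secret, token, remote_ip)
    except Exception as exc:  # network failure, timeout, malformed JSON
        return False, "siteverify-unreachable: " + type(exc).__name__
    if result.get("success") is not True:
        return False, "google-rejected: " + ",".join(result.get("error-codes", []))
    # Bind the token to this site: the reply names the hostname on which the
    # challenge was solved, and a token solved elsewhere must not be accepted.
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch: %r" % result.get("hostname")
    return True, "ok"


def handle_quote_form(form, remote_ip, secret, expected_hostname, post=post_to_google):
    """Hypothetical get-a-quote handler: verify first, touch the database only after."""
    ok, reason = verify_recaptcha(
        form.get(RESPONSE_FIELD, ""), secret, remote_ip, expected_hostname, post
    )
    if not ok:
        return {"stored": False, "reason": reason}
    # Storing the enquiry is stubbed: the record is echoed back instead.
    return {"stored": True, "email": form.get("email")}


# Constructed siteverify replies (not real Google traffic) keyed by token,
# covering the cases a handler must get right.
FAKE_REPLIES = {
    "good-token": {"success": True, "challenge_ts": "2015-01-01T00:00:00Z",
                   "hostname": "www.example.com"},
    "replayed-token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "other-site-token": {"success": True, "hostname": "attacker.example.net"},
}


def fake_post(secret, token, remote_ip):
    """Offline stand-in for post_to_google using the constructed replies."""
    return FAKE_REPLIES.get(token, {"success": False,
                                    "error-codes": ["invalid-input-response"]})


if __name__ == "__main__":
    for tok in ("good-token", "replayed-token", "other-site-token", "forged", ""):
        form = {RESPONSE_FIELD: tok, "email": "buyer@example.com"}
        print(tok or "<empty>", handle_quote_form(form, "203.0.113.5", "SECRET",
                                                  "www.example.com", fake_post))
```

Two points are worth keeping in mind when wiring this in: the secret key belongs on the server only (the site key in the page is public, the secret is not), and the hostname comparison is what stops a token obtained on another site, or on a phishing copy of yours, from being replayed against your form. Google also rejects a token presented twice, which is why the replayed-token case above fails.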