How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
Support FAQ
A CAPTCHA is a challenge-response test used to decide whether a request is likely to come from a human or automated software. The name comes from "Completely Automated Public Turing test to tell Computers and Humans Apart." Traditional CAPTCHAs ask a person to read distorted text, choose images, solve a puzzle, tick a box, or complete a small interaction. Newer systems may score browser, device, interaction, and traffic signals before deciding whether to show a visible challenge.
CAPTCHAs are usually placed in front of actions that attackers want to automate: signup, login, password reset, comments, voting, checkout, contact forms, free trials, coupon use, or account recovery. The goal is not to prove with certainty that a user is human. The goal is to add evidence and cost so abusive automation becomes harder or less profitable.
Most integrations follow a similar pattern. The page asks a CAPTCHA provider to create a challenge or risk assessment. The user or browser completes the required step. The provider returns a token. The application sends that token to the provider from the server side and receives a verification result. Only then should the application allow the protected action.
The server-side verification step is essential. If an application only checks that a browser displayed a widget, attackers can bypass the control by calling the backend directly. The application should also verify that the token is fresh, intended for the expected site or action, and not reused beyond the provider's rules. Protected API paths, mobile endpoints, and alternate form handlers need the same enforcement as the visible web page; otherwise attackers can route around the challenge.
Text CAPTCHAs ask users to read distorted letters or numbers. Image CAPTCHAs ask users to identify objects, signs, vehicles, or patterns. Audio CAPTCHAs provide a spoken alternative. Checkbox challenges may combine a visible click with background analysis. Puzzle or interaction challenges ask users to drag, rotate, or select an element. Invisible or risk-based systems may avoid a visible challenge unless signals indicate suspicious automation.
Each type has tradeoffs. Text and image challenges can be hard for people with visual impairments, users on small screens, or users facing language and cultural differences. Audio alternatives can be difficult in noisy environments and may introduce privacy or accessibility issues. Invisible systems reduce friction but require careful governance because they evaluate client and behavioral signals that users may not see.
CAPTCHAs can block basic scripts that do not run browsers, do not handle tokens, or cannot complete a challenge. They can reduce low-effort form spam and force attackers to spend more time or money. They can also provide a useful step-up control when traffic looks risky but the team does not want to block it outright.
They are not a complete bot defense. Attackers can use CAPTCHA-solving services, machine learning, real browser automation, stolen session cookies, malware on human devices, or low-paid human workers. Some attacks do not need to solve the challenge if another endpoint lacks enforcement. Others solve challenges successfully but still create abuse, such as fake account creation, credential testing, or spam submissions that pass the gate.
Common implementation failures include trusting client-side completion without server verification, accepting expired tokens, allowing token replay, protecting the web form but not the API endpoint, failing open when the CAPTCHA service is unavailable, and applying the same challenge rule to every user regardless of risk. Another failure is measuring only challenge volume. A high solve rate may look positive, but if solved challenges lead to fraudulent accounts or spam, the control is not doing enough.
Operational failures matter too. A CAPTCHA that is too aggressive can train users to abandon the workflow. A challenge that works on desktop may fail on mobile. A third-party script can affect page performance or privacy reviews. A provider outage can block critical actions if the fallback behavior is not planned. Teams should treat CAPTCHAs as production dependencies, not decorative widgets.
CAPTCHA impact should be measured at the protected action, not only at the challenge. Track challenge rate, solve rate, error rate, time to complete, abandonment, retries, accessibility complaints, browser or device skew, and final conversion. Segment by route, region, device class, authentication state, and risk level. A challenge on a newsletter form has a different cost from a challenge on account recovery or checkout.
Security metrics should be paired with user metrics. Did spam submissions fall? Did credential stuffing attempts decline? Did fake signups become less common? Did successful account recovery remain stable? Did support tickets rise after enforcement? Without these outcome metrics, a team may celebrate blocked requests while missing lost customers or ongoing abuse behind solved challenges.
CAPTCHAs work best as one layer in a broader control set. Server-side validation, CSRF protection, rate limits, account risk scoring, password attack defenses, email or phone verification, device and session signals, moderation queues, and API authentication can all reduce dependence on visible puzzles. For some workflows, delaying publication, limiting links for new accounts, or requiring stronger authentication may be more effective and less frustrating than repeated challenges.
Placement should be selective. Low-risk browsing usually should not require a visible challenge. High-risk actions may justify a step-up challenge when traffic is suspicious, especially after repeated failures, unusual speed, proxy concentration, or known abuse patterns. Teams should define what happens when the CAPTCHA service is unavailable: fail closed for high-risk actions, fail open for low-risk actions, or provide an alternate verification path.
CAPTCHA policy should have clear ownership because it affects security, accessibility, privacy, conversion, and customer support. Teams should document why a challenge exists, what abuse it is intended to reduce, which routes it protects, which users are exempt, and which metrics trigger review. Exceptions for partners, testing tools, or internal users should be narrow and time-bound.
The central governance question is whether the challenge is still worth the friction. If attackers are solving it cheaply and real users are abandoning the workflow, the policy needs to change. If a challenge reduces high-risk automation with low user impact, it may be a useful step-up control. CAPTCHAs are most defensible when they are targeted, measured, accessible, and combined with controls that address the abuse after the challenge is passed.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2025 ABN 76 619 930 826 All rights reserved.