
CAPTCHA doesn't stop bots, it taxes your real customers

CAPTCHA is the reflex when automated abuse shows up. But it charges the wrong party: every real customer pays the friction continuously, while the attacker it targets pays almost nothing. The fix is a tax the bot pays and the customer never sees.

The abuse shows up, and the reflex is immediate. Declines spike, automated traffic floods the form, and someone bolts a CAPTCHA onto checkout or signup. It feels like a gate: prove you’re human, then proceed. The reasoning is intuitive. Bots can’t solve puzzles meant for people, so make everyone solve a puzzle.

Except the puzzle isn’t a wall the attacker hits. It’s a toll booth your customers line up at. A CAPTCHA charges the wrong party, on every transaction, whether or not an attack is happening — and the one population it’s supposed to stop pays the least of anyone.

CAPTCHA is a tax on the people you want, levied to inconvenience the people you don’t.

Who actually pays the toll

A challenge in the checkout path is a cost. The question is who bears it, and the answer is backwards.

Stack those up. The defense imposes real, recurring cost on the customers you’re trying to convert, and a negligible, one-time-priced cost on the attacker you’re trying to stop. You’ve built a toll that the intended target drives through for pennies while your customers queue behind them.

A CAPTCHA asks your best customers to prove they aren’t the one thing it can’t actually catch.

Why “prove you’re human” is the wrong test

The flaw is structural, not a matter of picking a harder puzzle. CAPTCHA asks the user to prove humanity, and humanity is exactly what the solver market sells, cheaply and at scale. Harder challenges raise the cost for your customers faster than they raise it for the attacker, because the attacker outsources the solving and your customer doesn’t.

So invert it. Don’t ask anyone to prove they’re human. Make automated clients pay a cost that humans never feel.

That’s the mechanism behind proof-of-work step-up. Instead of a puzzle for the eyes, the client’s machine is required to perform a small computation before the action completes. For a real customer running one session on one device, the cost is imperceptible — it happens in the background, no images, no typing, nothing to fail. For an operation running thousands of attempts in parallel, that per-attempt computation becomes a CPU tax that scales with the attack. The more attempts they fire, the more compute they burn. The cost lands precisely on volume, which is the one thing a card-testing operation can’t do without.

And the tax is only levied on traffic that already looks wrong. Step-up is conditional, not universal — it’s reserved for sessions that behavioral signal has already flagged as anomalous. A legitimate customer behaving like a customer is never charged at all, because the system has no reason to challenge them. The friction follows suspicion; it doesn’t precede it.

That’s the asymmetry CAPTCHA gets backwards, corrected: the suspicious session pays, the customer base doesn’t, and the cost rises with the attacker’s own volume rather than with your conversion funnel’s length.

Stop asking customers to prove they’re human

Stop asking “can this user prove they’re a person?” and start asking “should this specific session have to pay before it proceeds?” The first question taxes everyone to inconvenience a few, and the few it targets can buy their way out for pennies. The second taxes only what already looks wrong, in a currency — compute at scale — that the attacker actually can’t cheaply spend.

Cardvera dropped CAPTCHA entirely for this reason. Step-up is proof-of-work, triggered by behavior, not a checkbox shown to everyone who reaches the form. The customers you want never see it. The operation you don’t pays for every attempt it makes.