Co-Founder & CEO, Kevin Gosschalk, live at the Brisbane AWS Group.

Last night, I had the pleasure of presenting at the Brisbane AWS Group in partnership with our excellent AWS support company, ITOC.

I spoke about a few of the core values behind why we chose Amazon Web Services and how we utilize it to create a system that is highly available, responsive and capable of handling network and system failures at very high scale. AWS excels at empowering companies to focus on the thing they do best — code their app, even when it comes to massive scale.

Excerpts taken directly from the presentation.

For a product like FunCaptcha, a key security asset for so many companies, we simply cannot have downtime. AWS provides a large range of products like Route53 and ELB to ensure the service is always functional, even if an entire region such as Singapore were to go down. We work directly with Amazon to ensure our system is using the world’s leading practices and their latest and best tools for the job.

Through a solid working foundation via ITOC and Amazon, I’m confident in FunCaptcha’s ability to scale up and maintain the high level of quality we strive for across all facets of our product.

Thanks for reading,
Kevin Gosschalk
Co-Founder & CEO


comScore recently released a report exploring the issue of “NHT” aka “Non-Human Traffic”. It outlines the wide-ranging negative effects of bot-fuelled traffic on many parties involved in online advertising. Media buyers, sellers, agencies, web hosts and big brands – any business that utilizes online advertising has, at one time or another, been affected by “Non-Human Traffic”. The overall concept is simple: NHT is a detriment to online businesses as it “contaminates” metrics, giving an inaccurate representation of how a digital asset is performing. What has this got to do with FunCaptcha?

Well, everything. Our purpose is to block automated systems from accessing web domains and contaminating them, and the processes by which an automated system can contaminate a website vary greatly.

  • It can riddle forums and inboxes with spam.
  • It can open a domain to web-scraping.
  • It can falsely inflate a website’s traffic, skewing budgets for various projects, causing irreparable damage to an owner’s ability to manage their page effectively.

The potential for damage is great, so websites need a CAPTCHA that is effective at preventing NHT, which is where we step in. We provide the shield necessary to fight against NHT while welcoming real human users across the line.

Our priority is ensuring clean, measurable traffic for our clients, as it is an essential component in ensuring ongoing strength for a website.

On your website, you want to make things smooth for your users. When your users encounter FunCaptcha on your site, you can make it a seamless experience. We give you the tools to dive in and customize FunCaptcha on your site with our new admin dashboard, explained in this video. This dashboard is the nexus for all things FunCaptcha, for all your domains.

You can alter various options on the fly with your dashboard:

  • Pick any color for each element
  • Turn features on or off that tweak the security level and earning potential
  • Pick which activities you want your users to play with

The dashboard will help you make FunCaptcha look right, optimize its security level, and maximize your earnings, with many more features coming soon. Go to your dashboard to check it out!

Brian Rexroad is the Executive Director of Technology Security at AT&T. He leads a series of informative video discussions called ThreatTraq on AT&T’s Tech Channel.

It was great to see ThreatTraq recently talk about FunCaptcha with technology security analyst Matt Keyser and special guest Brian Foster, CTO with security company, Damballa.

Take a look at the segment for yourself!

We’re ecstatic that FunCaptcha is being appreciated by the online security community, and that these tech gurus appreciate the effectiveness of our unique approach to authenticating human users.

It demonstrates that innovative leaders understand that other CAPTCHAs currently in use are disliked by many users and are simply not effective as a security solution.

Hopefully in the future, we’ll be able to share our thoughts with ThreatTraq on some of the points raised; such as the issues with biometric scanning possibly replacing CAPTCHAs and how we envisage human authentication evolving.

In other news, Security Asia is also reporting our bot-stopping exploits. Click through for a piece published yesterday that highlights FunCaptcha’s success as a security solution.

Matthew Ford
Design Director & COO

“Our team tested a number of spam filtering services, including reCAPTCHA, and found that none could stop the tide of bots—until we discovered FunCaptcha.”

—John Pålsson,


Situation

XtremeTop100 is a global community dedicated to aggregating and promoting online gaming servers. The website, which generates more than 600,000 page views each day, is driven by user votes to rank private servers across a variety of consoles and categories.

Over the course of months, site creator John Pålsson took notice of a troubling pattern: overnight, certain servers were mysteriously flying up the rankings. With some quick research, it became clear that some server owners were paying their way to the top through fraudulent, bot-based voting.

“The quality of our service depends on real votes, by real people. Unfortunately, we discovered that bots were abusing our site, to the tune of tens of thousands of attacks getting through our system each day,” said John.


The XtremeTop100 team set out to find a more reliable solution to safeguard its site than offered by traditional CAPTCHAs. While they found temporary relief from a well-known CAPTCHA alternative, hackers quickly identified and exploited vulnerabilities in this program as well. Finally, the XtremeTop100 team turned to FunCaptcha for support.


Deployed in February 2015, FunCaptcha’s unique approach to web security has delivered exceptional protection for XtremeTop100. With a few simple clicks, Pålsson put an end to the bot-based pay-per-vote business model undermining his site, and has sustained a 100-percent drop in bot activity. Despite the gripes—and attempted bribes—from would-be fraudsters, FunCaptcha has effectively returned XtremeTop100 to the meritocracy it was designed to be.

“The immediate results of incorporating FunCaptcha were staggering, and we’ve seen the program hold up against a number of new attacks by determined hackers,” continued Pålsson. “Today, we can confidently reward the servers players love most, rather than those who fork over the most cash to exploit the system through bot-based votes.”




New default themes that fit into more sites with a sophisticated and seamless look.

Aesthetic appeal is crucial to us here at FunCaptcha, so it was with that in mind that we gave our default themes an upgrade. We take all feedback we get very seriously and many of our users felt it was time to give our default themes a makeover to bring them more up-to-date – so that’s exactly what we did!



More options available to administrators for easier custom theming, including a choice of graphics and games.

One of our main motivations here at FunCaptcha is to give our clients the ability to express their own unique identity as well as cater to their users in as many ways as they can. This was the key factor in deciding to provide more options for custom themes and, even more excitingly, to let our clients choose which game their users see when completing FunCaptcha.



We will be upgrading all the images of faces and animals, improving the FunCaptcha experience for users.

We brought in premier graphic artist talent to give our 3D facial construction processes only the best treatment. We’re very excited with what’s being produced so far and we’re sure our clients (and their users) will be too.


The overall motivation behind these visual upgrades is simple: visual clarity is the most crucial element in the success of a CAPTCHA. Simply put, if a person cannot easily and intuitively complete the “Turing test”, by definition, the test is useless.

So while our use of mini-games is indeed innovative and fresh, we felt the time had come to update our aesthetic to mirror that. It not only streamlines the process for humans, but also allows our clients the freedom to alter and customize their packages without having to compromise the integrity of their security.

You earn stars as you complete FunCaptchas anywhere on the web. The faster you complete the CAPTCHA challenge, the more stars you get. Getting 5 stars means you play the games as well as we, the creators, do – and we have lots of practice!

For now, we are experimenting with the star system, so to be honest, don’t pay too much attention to your star count yet. The long-term plan is that your star count will increase each time you play anywhere on the web. Once you reach enough stars, you will get special rewards.


Interested in FunCaptcha for your domain(s)? Head to our demo page.

“CAPTCHA” is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. That’s a bit of a mouthful and, for those of us who don’t know what a “Turing test” is, still a bit confusing. It refers to the test proposed by Alan Turing in 1950 that attempted to determine if a computer could “think”. Turing quickly realized that the term “think”, in this context, was a bit ambiguous so he refined the focus and further elaborated: the test aimed to evaluate how well a computer could emulate or exhibit behaviour indistinguishable from that of a human user by having a human judge engage in conversation with both a human participant and a computer participant. But enough history! What are CAPTCHAs doing today and why are they so hard?


Well, as the name CAPTCHA implies, the general principle behind the “Turing test” has been adopted into a more automated approach that is being completed almost 300,000,000 times per day. That is a LOT of testing. But why? Protection from malicious software is obviously of high importance for those responsible for online services so (unfortunately) the twisty and hard to read CAPTCHAs were initially chosen for the task. For the last few years, it’s been the only way to engage users in the “Turing test”.


However, as the sophistication of the recognition software increased, so too did the difficulty of these distorted text/image CAPTCHAs. This revealed a fundamental flaw in the traditional text/image method: the only way to make the test harder for bots was to make the text/images warped and distorted to the point where even humans could barely understand what they were being presented with.


This is why FunCaptcha exists: we realized that for CAPTCHAs to remain a relevant and effective web security asset, they needed innovation or the problem would only get worse. Considering the necessity, annoyance and sheer volume of traditional CAPTCHAs, you can see why we’re so focused on reinvigorating the process with something that’s fun and engaging – hence, FunCaptcha was born. Give us a try, if you haven’t already.

At the start of December, a rather large update to the traditional reCAPTCHA technology was announced, dubbed the “No CAPTCHA reCAPTCHA” experience. For many, it came as a pleasant surprise – no more squiggly letters and hard-to-read numbers and images? What has been a frustrating experience for millions of internet users the world over looked to be getting a big injection of convenience.

The old ReCAPTCHA.

But when the mechanics behind the “new” technology were broken down via reverse engineering, many developers asserted that this newly developed convenience is merely the addition of a “whitelist”. To put it simply: users’ past behavior and previous CAPTCHA solves are recorded in their cookies, which are then detected by future reCAPTCHA challenges. Those that are seen as being genuine users get the “No CAPTCHA experience”, while those that aren’t get reverted back to the usual distorted text reCAPTCHA.

The new ReCAPTCHA.

The existing mechanics (and thus, flaws) behind the reCAPTCHA system are still there but with the introduction of this cookie “whitelist”, perhaps reCAPTCHA could be made easier for users, without simultaneously making it easier for bots. However – this looks to have backfired because of two main issues.

Easier for humans, easier for bots

The manner by which reCAPTCHA uses their new whitelist system has actually made it more easily exploited for no gain, according to consultant, Egor Homakov. In a blog post from December 4th, he eloquently sums up his findings (namely the whitelist and the consequences) but we wanted to break his findings down further and relate them to readers who may not have the experience necessary to fully grasp the conclusions Egor is coming to.

His first main concern is that relying on cookies for extra convenience doesn’t add any extra security at all. If the sole goal was to simply make it easier for humans without amplifying the existing security, then technically, it was a success. Egor declares this is important because the “No CAPTCHA reCAPTCHA Experience” doesn’t make it harder for bots, just easier for humans.

This is a problem, Egor says, due to the way the whitelist is implemented, allowing exploitation because “the legacy flow is still available and old OCR bots can keep recognizing” the old CAPTCHA.

For those making alternate CAPTCHAs, this was an interesting point of difference raised by Egor. For example, FunCaptcha uses an approach opposite to the one reCAPTCHA now uses. Instead of making it easier after repeated completions, FunCaptcha becomes harder after repeated mistakes. This is for two reasons:

1) To make a CAPTCHA that is inherently fast and easy for humans even easier would compromise its security against bots for no real gain.

2) A major vulnerability for visual CAPTCHAs with a small number of discrete answers is a brute-force attack by a bot, which performs automated guessing over and over until it breaks through. By tracking the history of the IP and making the CAPTCHA’s string of challenges longer after each failed attempt, a brute-force attack quickly becomes impractical.
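The escalation described in point 2, modelled as an added example (this is not FunCaptcha's code). The eight answers per round, the one-extra-round-per-failure rule, the cap of ten rounds and the names `ChallengeGate` and `simulate_guessing` are assumptions made for illustration; the IP address is a constructed sample.

```python
import random

CHOICES = 8       # assumed: discrete answers per challenge round
BASE_ROUNDS = 1   # assumed: rounds served to an address with no failures
MAX_ROUNDS = 10   # assumed: cap so a clumsy human is slowed, not locked out


class ChallengeGate:
    """Per-IP failure history that lengthens the next challenge."""

    def __init__(self, escalate=True):
        self.escalate = escalate
        self.failures = {}  # ip -> failed attempts (ageing out is not modelled)

    def rounds_for(self, ip):
        if not self.escalate:
            return BASE_ROUNDS
        return min(BASE_ROUNDS + self.failures.get(ip, 0), MAX_ROUNDS)

    def guess_pass_probability(self, ip):
        """Chance that uniform random guessing passes this IP's next attempt."""
        return (1 / CHOICES) ** self.rounds_for(ip)

    def submit(self, ip, answers, expected):
        """Score one attempt; every failure adds a round for this IP."""
        ok = list(answers) == list(expected)
        if not ok:
            self.failures[ip] = self.failures.get(ip, 0) + 1
        return ok


def simulate_guessing(gate, ip, attempts, rng):
    """Count how many random-guess attempts from one IP get through."""
    passed = 0
    for _ in range(attempts):
        n = gate.rounds_for(ip)
        expected = [rng.randrange(CHOICES) for _ in range(n)]
        guess = [rng.randrange(CHOICES) for _ in range(n)]
        passed += gate.submit(ip, guess, expected)
    return passed


if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed address from the documentation range
    for label, gate in (("fixed", ChallengeGate(False)), ("escalating", ChallengeGate(True))):
        passed = simulate_guessing(gate, ip, 2000, random.Random(1))
        print(f"{label:10} passed={passed:4} next-guess p={gate.guess_pass_probability(ip):.2e}")
```

With a fixed one-round challenge roughly one guess in eight gets through indefinitely, while the escalating gate drives the per-attempt success chance toward 8^-10 after a handful of failures.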

Furthermore, many developers are puzzled by these changes – as explained by Egor’s findings, by trying to make the reCAPTCHA process more convenient, the latest changes have arguably compromised its security.

Removing Challenge/Response has removed the challenge – for bots

Egor further goes on to explain that by introducing the cookie whitelist as a replacement to the traditional “challenge/response” method, the service has become even more vulnerable to malicious attack via a process called “clickjacking”. If a valid cookie whitelist has been accumulated (known as “g-recaptcha-response”), then the user gets the “free pass”. How is this abused? Simply click the video below to get a look at the exploit in action.

Keep in mind: we are NOT providing the technical step-by-step recipe on HOW to do this – simply the result of the exploit being implemented.

To reword Egor’s assertion and explain the above video as simply as possible: the person wanting to spam a certain website needs to obtain a valid “g-recaptcha-response” that matches the required credentials of the targeted website via an unsuspecting user. This is done by creating a fake variant of the target website’s reCAPTCHA, having an unsuspecting user complete this fake variant and then using the generated “g-recaptcha-response” to give bots access to the original target’s website through the now breakable reCAPTCHA. This is made possible due to the “g-recaptcha-response” token being made available before submission to the CAPTCHA.


The conclusion that can be drawn from Egor’s findings? While the convenience of reCAPTCHA has somewhat increased for some users, so has the vulnerability. He proposes that the implementation of the cookie whitelist has not only opened the service to exploitation in and of itself, it has also opened a gateway into the existing technology by replacing challenge/response with the “g-recaptcha-response” token.

CAPTCHA innovation has started to occur around the globe so there certainly are more options now. For developers of secure alternative types of CAPTCHA, the goal is to provide a method that, at its core, is already so quickly solvable that it makes room for the challenge to become lengthier in response to brute-force attacks, while still staying reasonable for humans accidentally caught in the net. Forcing it to become trivially solvable after building a whitelist of “human” behavior would be both pointless and potentially damaging – resulting in the position that Egor believes reCAPTCHA now finds itself in.
