Evolution of Ctrip's Graphical Captcha Service: From 1.0 to 2.0
This article recounts the development of Ctrip's graphical captcha system: its early .NET-based implementation; the problems it ran into, such as uniform difficulty across business units, limited data collection, and poor user experience; and how successive redesigns (multilingual support, adaptive difficulty, and a slider-plus-character-selection flow) balanced security against usability.
Min Jie, a product manager in Ctrip's Information Security department since 2015, is responsible for anti‑fraud, captcha, anti‑scraping, and UGC product design, focusing on low‑cost solutions for real‑world problems.
Captchas act as the web's gatekeeper and must deliver both security and an acceptable user experience. This article shares the changes made to Ctrip's graphical captcha service over several years, offering a practical guide for building captcha solutions.
1.0 Era
The initial solution was a .NET‑based graphical captcha used for login, registration, SMS sending, reviews, password reset, and other scenarios, aiming simply to block non‑human requests. Design focused solely on defense without considering user experience or post‑deployment data analysis.
Key features included:
Single‑use image verification
Image generation timeout
Support for 4‑digit and 6‑digit alphanumeric codes
Configurable noise such as character adhesion, interference lines/dots, fonts, size, and distortion
While the system was simple and easy to integrate, it suffered from several problems:
Uniform difficulty across all business units, so challenges were too easy on some pages and too hard on others.
Insufficient logging; only operational fields were recorded, making it impossible to identify malicious IPs or devices.
Limited character set (English letters and numbers) and simple distortion, making it vulnerable to OCR attacks.
Common cracking methods included bypassing risk control, OCR processing, manual solving platforms, and CNN‑based recognition.
1.5 Era
After analyzing the shortcomings, new requirements emerged:
Introduce Chinese characters to diversify the character set.
Retain business‑side data to identify threat sources.
Automatically adjust difficulty in response to large‑scale OCR or brute‑force attempts.
Allow per‑business difficulty configuration.
Following a year of development and rollout across business units, the upgraded captcha addressed many issues:
Difficulty can be manually or automatically tuned per application, avoiding the previous “one‑size‑fits‑all” problem.
Threat source (IP/device) is recorded, enabling targeted blocking.
Adaptive difficulty (global or per‑IP) doubles defensive effectiveness against OCR‑assisted scraping.
Chinese captchas reduce OCR success rates from ~50% (English) to below 20%.
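The adaptive difficulty described above, as an added example that is not Ctrip's code: a sliding-window controller that raises the challenge level per source IP as that IP accumulates failures, and raises it for everyone when site-wide failures spike. The class name, level table, thresholds and window length are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed level table mirroring the tunable knobs the article lists
# (code length, character set, distortion); values are illustrative.
LEVELS = {
    0: {"length": 4, "charset": "alnum", "distortion": 0.1},
    1: {"length": 6, "charset": "alnum", "distortion": 0.4},
    2: {"length": 4, "charset": "chinese", "distortion": 0.6},
    3: {"length": 4, "charset": "chinese", "distortion": 0.9},
}


class AdaptiveDifficulty:
    """Hypothetical controller: per-IP and global escalation of captcha
    difficulty based on failures seen within a sliding time window."""

    def __init__(self, window=60, ip_threshold=10, global_threshold=500,
                 base_level=0, max_level=3):
        self.window = window                    # seconds of history kept
        self.ip_threshold = ip_threshold        # failures per +1 level for one IP
        self.global_threshold = global_threshold  # site-wide failures for +1 level
        self.base_level = base_level            # per-business starting difficulty
        self.max_level = max_level
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of failures
        self.global_failures = deque()          # timestamps of all failures

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self.ip_failures[ip].append(now)
        self.global_failures.append(now)

    def level_for(self, ip, now=None):
        now = time.time() if now is None else now
        q = self.ip_failures[ip]
        self._prune(q, now)
        self._prune(self.global_failures, now)
        level = self.base_level
        level += len(q) // self.ip_threshold      # per-IP escalation
        if len(self.global_failures) >= self.global_threshold:
            level += 1                            # global burst: raise for all
        return min(level, self.max_level)

    def params_for(self, ip, now=None):
        return LEVELS[self.level_for(ip, now)]
```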
However, new challenges remained:
Poor user experience—entering a four‑character Chinese captcha takes 15‑20 seconds, hurting conversion rates.
Complex integration requiring separate risk‑control and captcha services.
Lack of internationalization—Chinese captchas are unusable for overseas users.
Visual mismatch with page UI, making the captcha look out of place.
2.0 Era
Further requirements emphasized simple integration, mobile‑friendly UX, security with internationalization, and aesthetic harmony.
The new version introduced a "slider + character selection" mechanism. When risk is detected, a slider appears; if the slider alone is insufficient, a character-selection challenge follows. Average slider interaction takes 0.5 seconds and character selection adds about 7 seconds; because most verifications stop at the slider, the overall average verification time is ~1.7 seconds.
Integration is reduced to a single JavaScript SDK (or an app SDK) that obtains a token; the business backend passes that token to the security service for validation, so no additional logic is required on the business side.
Internationalization is supported with multiple Southeast Asian languages for both selection prompts and instructions.
The new service saves an estimated 500 hours of user verification time per day, raises the overall success rate from 88‑90% to 96%, and leverages front‑end data for model training to handle edge cases.
Remaining issues include:
Slider can be bypassed; external tests report a ~60% crack rate.
OCR on character selection still possible despite added difficulty.
iOS slider may cause page back‑navigation for users with long nails, mitigated only by enlarging the slider.
In conclusion, no single captcha solves all scenarios. Continuous innovation and a balanced trade‑off between security and usability are essential to keep pace with evolving malicious tactics and diverse business needs.
Ctrip Technology
Official Ctrip Technology account, sharing and discussing growth.