Captchas Are Getting Harder (wsj.com) 88

Captchas that aim to distinguish humans from nefarious bots are demanding more brain power. WSJ: The companies and cybersecurity experts who design Captchas have been doing all they can to stay one step ahead of the bad actors figuring out how to crack them. A cottage industry of third-party Captcha-solving firms -- essentially, humans hired to solve the puzzles all day -- has emerged. More alarmingly, so has technology that can automatically solve the more rudimentary tests, such as identifying photos of motorcycles and reading distorted text. "Software has gotten really good at labeling photos," said Kevin Gosschalk, the founder and CEO of Arkose Labs, which designs what it calls "fraud and abuse prevention solutions," including Captchas. "So now enters a new era of Captcha -- logic based."

That shift explains why Captchas have started to both annoy and perplex. Users no longer have to simply identify things. They need to identify things and do something with that information -- move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape. Compounding this bewilderment is the addition to the mix of generative AI images, which creates new objects difficult for robots to identify but baffles humans who just want to log in. "Things are going to get even stranger, to be honest, because now you have to do something that's nonsensical," Gosschalk said. "Otherwise, large multimodal models will be able to understand."

This discussion has been archived. No new comments can be posted.

  • Enough to deter. Perhaps they should evaluate the lost traffic in comparison to letting some bots through. The day of the captcha is about done anyway.

    • They don't deter, AI can beat humans at solving many of them and sometimes better than humans. The humans are stuck waiting and randomly clicking.
      • Re:Ads and captchas (Score:4, Interesting)

        by Baron_Yam ( 643147 ) on Friday April 26, 2024 @01:54PM (#64428090)

        In fact, smarter people may have to start playing dumb, as solving a captcha too quickly can be a sign it is being done by a bot.

        Of course, the counter is adding in a human response profile, applying the correct delay and randomization to match what bot-detectors are using to determine 'humanness'.

        • solving a captcha too quickly can be a sign it is being done by a bot.

          Yeah I've run into this issue. In the captchas where you have to identify crosswalks but they fade out each picture and fade in a new one once you click one. Not sure if it was triggered by clicking before it fully faded in, or submitting before the next one had fully faded in, but I knew I was done and it failed me. Super annoying. Now I sit here wasting three seconds waiting for their slow-ass-fade so I can click the image I already know needs to be clicked. Takes ten seconds for a captcha rather tha

          • by allo ( 1728082 )

            No, it is not triggered by clicking too fast. People can configure how hard the captcha is. Ever wondered why some sign-ups don't show a captcha when Google can track you well enough, but filehosters even show recaptchas when you're logged in to your Google account? They just tell recaptcha that the user has to be annoyed for 2-5 captchas, because they want to sell you premium without captchas.

      • by pjt33 ( 739471 )

        I think you may have replied too fast. It's clear from the second sentence of HBI's post that they're talking about captchas deterring human users. Personally I can think of one recent instance where I aborted an interaction on a website after the 5th screen of "Select the squares with X".

    • Re:Ads and captchas (Score:5, Interesting)

      by pz ( 113803 ) on Friday April 26, 2024 @01:56PM (#64428100) Journal

      I run a small web site with a decent level of human traffic for what it is. I haven't run the figures recently, but last time I did, about 90% of the page accesses were from bots. Fortunately, most of the bots are dumb and measures like captchas block them from the pages that need protection, as a first layer of security.

      So it isn't a question of letting some bots through, it's a question of letting a horde of bots through that will dominate traffic to the site.

      • I run a small web site with a decent level of human traffic for what it is. I haven't run the figures recently, but last time I did, about 90% of the page accesses were from bots.

        How do you know you're not just terrible at what you do? Those 90% were just a small fraction of what got blocked and the rest were just running wild on your "small web site".

      • The more sophisticated bots have a real computational cost to them. A really boring CAPTCHA will keep your web site contact form safe, because there's not enough financial incentive. Anything being used to bypass the more complex CAPTCHAs is going to be targeting high profile web sites with a well defined return value.

      • Fortunately, most of the bots are dumb and measures like captchas block them from the pages that need protection, as a first layer of security

        Exactly. If bots stop being dumb, we're doomed, lol.

        2nd level is honeypot - a hidden field that humans don't even see and leave blank, but that stupid bots just fill in with their link spam or whatever. But smart bots - think googlebot, or even screen readers - do process JS and CSS to figure out what is visible.

        When all the bots get smart, we're screwed, lol

      • How do you know they were bots? It's probably just the lower half of the bell curve.
  • Half the time I can't even read the captcha. What a pain in the ass.
  • by Plumpaquatsch ( 2701653 ) on Friday April 26, 2024 @01:50PM (#64428074) Journal
    "AI makes it harder to prove you are not a robot."
    • by Registered Coward v2 ( 447531 ) on Friday April 26, 2024 @01:54PM (#64428086)

      "AI makes it harder to prove you are not a robot."

      or a dog..

    • Maybe the tests need to get ridiculously hard. I'm already feeling bad that I'm personally failing a Turing Test with some of the Captchas. Maybe that becomes the test. If it's figured out too accurately and too quickly, it's not a human.
    • by yobjob ( 942868 )
      Sadly, half the problem is the humans making it harder to prove they're not a robot. See: customer service...
    • Being completely serious, that really is the story here. AI has gotten good enough that it's hard to tell computers from humans. Captchas were created based on the idea that some tasks were easy for humans and hard for computers. Then computers got better at those tasks and they had to look for new ones. Now they're running out. Anything that's easy for a human is also easy for a computer. Anything that's hard for a computer is at least some hard for a human.

      Philip K. Dick predicted this a long time a

  • by sjames ( 1099 ) on Friday April 26, 2024 @01:51PM (#64428078) Homepage Journal

    Users no longer have to simply identify things. They need to identify things and do something with that information -- move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape...

    Hit the back button and browse elsewhere

    • by ebunga ( 95613 )

      I do that every time I go to a website and it has a must-click popup. Eventually some marketing taintstick will get the hint that their engagement goes down when they bother people, but we know that marketing people are inhuman scum and will take that as a reason to bother you more.

      • I do that every time I go to a website and it has a must-click popup.

        Must be nice not using the internet at all from a phone.

    • Re:TFS missed one (Score:5, Insightful)

      by timeOday ( 582209 ) on Friday April 26, 2024 @02:37PM (#64428258)
      Sure, until a captcha is suddenly implemented to guard the entrance to your banking website. (My credit union did).

      Ebay has really clamped down, too. My ebay account was once tied to me by nothing more than a throwaway email. But now it's tied to your phone, your bank, and your social security number (because they report your sales to the IRS).

      It's all pretty irksome, until my credit card number gets stolen yet again and wastes more of my time than typing in a 2FA ever could.

      Sometimes you wonder if everything is just going to grind to a halt having been sucked dry by all the scamming leeches.

      • by AmiMoJo ( 196126 )

        I'm not going to defend eBay, but just FYI you can bypass all the hassle by using Passkeys. One touch to log in.

        • I do need to figure that out. I am a little worried about being locked out of my entire life the next time I lose my phone.
    • Hit the back button and browse elsewhere

      I don't "browse" the internet. I go somewhere specifically for something specific. There are two situations where I come across the captchas:
      1. Login pages of places I'm trying to log in to for a specific reason. - No alternative
      2. Virtually the entire internet including when I type something into the search bar if I am using a VPN. - No alternative.

  • by wakeboarder ( 2695839 ) on Friday April 26, 2024 @01:53PM (#64428082)
    against recaptcha. It's useless and the site admins always turn it all the way up so you have to solve it for 2 minutes straight. I'll bet this is wasting millions of dollars worldwide. Putting recaptchas on your website is a good way to piss off customers. For some reason lately you can even solve them correctly, you can go through several rounds and not even get anywhere with it. In addition AI can solve them better than humans, so essentially you are locking out the humans and letting the bots through.

    Let me ask you a question, would it be acceptable to put a 1-2 minute timer on your website just to waste people's time? because that's what recaptchas do.
    • I guess some people are just captcha challenged. Glad it's not me; although a few years back there was one set of photos where you were supposed to click on all the mailboxes, but the captcha itself was broken because one picture of a street address painted on a curb was supposed to be considered a mailbox...

      Even if they are useless it does slow down the bot traffic that would otherwise overwhelm some sites.
      • I guess some people are just captcha challenged. Glad it's not me; although a few years back there was one set of photos where you were supposed to click on all the mailboxes, but the captcha itself was broken because one picture of a street address painted on a curb was supposed to be considered a mailbox...

        I'm never sure how much of the motorcycle has to be in the picture. Does that little corner of the mirror or edge of the tire really count as "pictures with motorcycles"?

      • Not when the system admins force you to do 5 rounds of captchas, and you can't solve them fast either or it will give you more.
        • I'm pretty sure they don't just use it as a bot detector, but to do rate-limiting too. The faster you solve them the more they dump on you so that it will slow you down.

          It's a pretty dishonest way to do rate-limiting to be honest.
      • by AmiMoJo ( 196126 )

        Maybe your privacy settings are too low to see it, but it doesn't actually matter if you get the answers right or not. If your browser blocks fingerprinting, if you are using a VPN or even just an ISP with CGNAT, you can click the right squares over and over and it will still keep you there for a minute or two. It seems like when your IP address isn't unique and when your browser isn't letting it spy, it just puts in massive delay to slow down suspected spammers.

        Ironically there is now a market for AI captc

    • Instead of laws against recaptcha, how about laws against using someone else's site to advertise without their explicit permission?

      If we take the argument of "My site is my property" to its logical conclusion, then these bots are effectively defacing private property to make money. That's already illegal in many physical places. Take their profits (plus a percentage penalty fine) away, and give it to the property owner whom they've plastered their ads on.
    • Select all the pictures that have cars/dogs/whatever until there is no one left. The whatever continues to reappear. When it's done, instead of "solve" there is a "next" button. Repeat, combined with selecting parts of a picture. After 6 or 7 rounds and more than 40 clicks finally the "solve" button appears but apparently I guessed wrong and I have to restart the process. I resist the urge to throw the laptop out the window, curse the captcha's developers and promise to kill them if I meet them in real life.
      • by hawk ( 1151 )

        one would *think* that after the first couple offices you killed them, the police would catch on . . . but then, I suppose they're still stuck on the captcha . . .

    • by tlhIngan ( 30335 )

      The question I have is why sometimes the site makes you do a billion of them, while other sites using the same thing only make you do one.

      It's like one site makes you do a half dozen "click all the cats/traffic lights/etc" and the like, while another site only presents one and lets you in. That always confused me.

      But the worst by far is Hcaptcha - apparently now you can do it for profit where they show ads while making you do a billion of them. Sony uses these types and it's annoying to log in and then it s

    • I used to run a phpBB forum for a group in an online game. At one point, we were getting upwards of a dozen bots a day signing up and plastering spam in every public area they could access. I was the sole admin, so policing it was a pain. I briefly tried a traditional CAPTCHA, but users hated it and it was barely effective when I tuned it to be easier.

      I eventually installed a plugin that simply asked users to correctly sort items via dragging into one of two categories before they could register. We wanted

  • I run a small server that does not do logins, but I still find all the attempts annoying. So I've walled off a good bit of Russia, China, NK etc to cut down on the traffic. Do others do this? I get that some companies may need to have access from these cesspools, so some can't. But I'd be good even if my bank (smaller state based) denied access from certain countries if they made that known. Actually I'd prefer if they did, because it would secure things(my money) down a bit more. Not much, but a bit. And a
    • Seems like a simple solution to stop bots would be to deny any layer 7 traffic that contains an IP address where a host name is expected.

      A lot of bots are just scanning IP space and attempting brute force logins whenever they encounter a recognized login form.

      For example, https: // google.com and https: // 142.251.40.206 are equivalent, but only a bot would be accessing the IP address directly.

    • For the websites I used to manage, I blocked all of Asia. Piles of bots and hacking attempts from India, China, Russia. Pakistan, etc. Also a lot from the US, but we also had legitimate traffic from there, so I couldn't block it.
      • Good to hear I'm not the only one. Seems so drastic especially since I think I have whacked a class A or 2.
  • by Roger W Moore ( 538166 ) on Friday April 26, 2024 @01:55PM (#64428096) Journal
    The logical conclusion of this arms race is that eventually they are going to make things so hard that no human will be able to get in without an AI algorithm at which point the only people accessing the site will be the scammers.
  • by ebunga ( 95613 ) on Friday April 26, 2024 @01:58PM (#64428106)

    There, fixed the headline.

  • by PPH ( 736903 ) on Friday April 26, 2024 @02:16PM (#64428192)

    ... to spot the bicycles? I can't even do that when I'm driving!

    • ... to spot the bicycles? I can't even do that when I'm driving!

      Busses, bridges, taxis, motorcycles... Damn it Google, why don't you just teach your self-driving cars the same way everyone else does, by putting them on the road and letting them learn from their own mistakes? So what if a few of them end up reenacting some drunk GTA V gameplay scenes. That's just the price of progress! /s
       

    • Then you should turn in your driver's license.

  • by Petersko ( 564140 ) on Friday April 26, 2024 @02:20PM (#64428208)

    Unless there is an unbelievably specific reason to do otherwise, when I see a captcha, that's it. I'm out. I have walked away from giving companies my business over this.

    This wasn't true until it got to the point where "pick all squares with a motorcycle" got to "try to guess if we think the motorcycle rider's helmet is part of the motorcycle".

    Fuck them. May the creators of CAPTCHA/ReCAPTCHA/whatever rot.

    • by dfm3 ( 830843 )
      Usually those are not looking for you to click on specific tiles, but use other data like mouse movements and browser config to fingerprint you. I typically just click a few tiles at random and more often than not, it passes.
    • This wasn't true until it got to the point where "pick all squares with a motorcycle" got to "try to guess if we think the motorcycle rider's helmet is part of the motorcycle".

      Or the tip of a fender. I'm getting to not care...I click a few obvious tiles then wait for it to refresh, go through it a time or two again and it lets me in...I've noticed that it doesn't seem to care how precise I am (dfm3 mentions why, I think), it always asks again. My Credit Union is about the only place that I'll put up with it.

    • try to guess if we think the motorcycle rider's helmet is part of the motorcycle

      The above made me stop using Google Search and Chrome.

  • can make it more about doing something for 30 sec and not needing to get it right. That will slow down bots big time.

  • by davidwr ( 791652 ) on Friday April 26, 2024 @02:55PM (#64428306) Homepage Journal

    What is your credit card number minus the current year?
    What is the square of your credit card PIN?
    What is 10 times the security code on the back of your credit card?
    Type your name adding 1 letter to each letter, so A becomes B and so on, with Z becoming A.
    Type your zip code backwards.

    • Sum (

      What is your credit card number minus the current year?
      What is the square of your credit card PIN?
      What is 10 times the security code on the back of your credit card?
      Type your name adding 1 letter to each letter, so A becomes B and so on, with Z becoming A.
      Type your zip code backwards.

      ) | rot13 = 42

  • Just saying, if I see a captcha and it isn't my bank site or something extremely important, I'm moving on. If you are an important site, I tend to email the companies with my disdain. Long story short, you better have something worth my time, because if not, you lost my business. Captchas have ruined the internet more than ads.
  • by TheNameOfNick ( 7286618 ) on Friday April 26, 2024 @03:49PM (#64428426)

    Quote from a Yosemite Park forest ranger: "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists." The same applies to bot-proof websites: There's a considerable overlap between the capabilities of the smartest software and the dumbest website visitors.

  • I personally have been frustrated by those stupid "Identify all the pictures that contain a bus" or a traffic light. I think I'm pretty good at recognizing those things, but still sometimes can't get the CAPTCHA to agree with my choices. You then end up in an endless cycle of new tries that still don't work.

    The "read this text" puzzles also are problematic, because when you see letters like C, K, O, S, V, W, or X, it's sometimes not possible to tell whether the letters are upper case or lower case, and you end up just guessing.

    So enough with the poorly-designed CAPTCHAS, don't make them harder, that's just a good way to keep a significant portion of the population out of your website.

  • We have reached the time where robots make humans prove they are not robots.

    something something Skynet.

  • ... Captcha -- logic based.

    A puzzle-driven game-show, "The 1% club" reveals how quickly people are outside their comfort zone, how little detail they remember, how easily they're distracted (and multi-tasking isn't a 'thing') and how they can't filter data to detect a pattern. (There's also assuming pattern X when it's really pattern Y but that's a consequence of incomplete information, not of being 'normal'.)

  • With apologies for the link to X...

    https://twitter.com/JeffMightB... [twitter.com]
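
Two of the cheap first-layer checks raised in the comments above, the hidden honeypot field and rejecting requests whose Host header is a bare IP address, sketched as an added example (not code from any commenter or from Slashdot). The field name `website`, the signal names and the sample requests are constructed for illustration; the missing-field signal goes slightly beyond what the comments describe.

```python
import ipaddress

HONEYPOT_FIELD = "website"   # hypothetical name; the input is hidden from humans with CSS


def host_is_ip_literal(host_header):
    """True when the Host header carries an IP address instead of a hostname."""
    host = host_header.strip()
    if host.startswith("["):              # bracketed IPv6, e.g. [2001:db8::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:            # hostname or IPv4 followed by :port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host.rstrip("."))
        return True
    except ValueError:
        return False


def screen_submission(host_header, form):
    """Return the list of bot signals raised by one form POST (empty = clean)."""
    signals = []
    if host_is_ip_literal(host_header):
        signals.append("host-is-ip")
    if HONEYPOT_FIELD not in form:
        # Browsers submit a CSS-hidden text input even when it is empty, so a
        # missing key means the rendered form did not produce this POST.
        signals.append("honeypot-missing")
    elif form[HONEYPOT_FIELD].strip():
        signals.append("honeypot-filled")
    return signals


# Constructed sample requests: (Host header, parsed form fields).
SAMPLES = [
    ("example.com", {"name": "Ann", "message": "hi", "website": ""}),
    ("142.251.40.206", {"name": "x", "message": "buy", "website": ""}),
    ("example.com:443", {"name": "x", "message": "buy", "website": "http://spam.invalid"}),
    ("[2001:db8::1]:8080", {"name": "x", "message": "buy"}),
]


def demo():
    """Screen every constructed sample and return the signals for each."""
    return [screen_submission(host, form) for host, form in SAMPLES]


if __name__ == "__main__":
    for (host, _), signals in zip(SAMPLES, demo()):
        print(f"{host:22} -> {signals or 'clean'}")
```

Since the honeypot comment itself points out that screen readers and JavaScript-capable bots process CSS, these results are better used as signals to score or log than as the only gate.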
