Captchas Are Getting Harder (wsj.com) 88
Captchas that aim to distinguish humans from nefarious bots are demanding more brain power. WSJ: The companies and cybersecurity experts who design Captchas have been doing all they can to stay one step ahead of the bad actors figuring out how to crack them. A cottage industry of third-party Captcha-solving firms -- essentially, humans hired to solve the puzzles all day -- has emerged. More alarmingly, so has technology that can automatically solve the more rudimentary tests, such as identifying photos of motorcycles and reading distorted text. "Software has gotten really good at labeling photos," said Kevin Gosschalk, the founder and CEO of Arkose Labs, which designs what it calls "fraud and abuse prevention solutions," including Captchas. "So now enters a new era of Captcha -- logic based."
That shift explains why Captchas have started to both annoy and perplex. Users no longer have to simply identify things. They need to identify things and do something with that information -- move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape. Compounding this bewilderment is the addition to the mix of generative AI images, which creates new objects difficult for robots to identify but baffles humans who just want to log in. "Things are going to get even stranger, to be honest, because now you have to do something that's nonsensical," Gosschalk said. "Otherwise, large multimodal models will be able to understand."
Ads and captchas (Score:2)
Enough to deter. Perhaps they should evaluate the lost traffic in comparison to letting some bots through. The day of the captcha is about done anyway.
Re: (Score:3)
Re:Ads and captchas (Score:4, Interesting)
In fact, smarter people may have to start playing dumb, as solving a captcha too quickly can be a sign it is being done by a bot.
Of course, the counter is adding in a human response profile, applying the correct delay and randomization to match what bot-detectors are using to determine 'humanness'.
Re: (Score:2)
solving a captcha too quickly can be a sign it is being done by a bot.
Yeah I've run into this issue. In the captchas where you have to identify crosswalks but they fade out each picture and fade in a new one once you click one. Not sure if it was triggered by clicking before it fully faded in, or submitting before the next one had fully faded in, but I knew I was done and it failed me. Super annoying. Now I sit here wasting three seconds waiting for their slow-ass-fade so I can click the image I already know needs to be clicked. Takes ten seconds for a captcha rather tha
Re: (Score:2)
No, it is not triggered by clicking too fast. People can configure how hard the captcha is. Ever wondered why some sign-ups don't show a captcha when Google can track you well enough, but filehosters even show recaptchas when you're logged in to your Google account? They just tell recaptcha that the user has to be annoyed for 2-5 captchas, because they want to sell you premium without captchas.
Re: (Score:3)
I think you may have replied too fast. It's clear from the second sentence of HBI's post that they're talking about captchas deterring human users. Personally I can think of one recent instance where I aborted an interaction on a website after the 5th screen of "Select the squares with X".
Re:Ads and captchas (Score:5, Interesting)
I run a small web site with a decent level of human traffic for what it is. I haven't run the figures recently, but last time I did, about 90% of the page accesses were from bots. Fortunately, most of the bots are dumb and measures like captchas block them from the pages that need protection, as a first layer of security.
So it isn't a question of letting some bots through, it's a question of letting a horde of bots through that will dominate traffic to the site.
Re: (Score:1)
I run a small web site with a decent level of human traffic for what it is. I haven't run the figures recently, but last time I did, about 90% of the page accesses were from bots.
How do you know you're not just terrible at what you do? Those 90% were just a small fraction of what got blocked and the rest were just running wild on your "small web site".
Re: (Score:2, Insightful)
Re: (Score:3)
I know exactly what they do. They play videogames all day.
Re: (Score:2)
They check the wires on the internet on big ben. Someone has to do it and who is better at it than the masters of the web?
Re: (Score:3)
The more sophisticated bots have a real computational cost to them. A really boring CAPTCHA will keep your web site contact form safe, because there's not enough financial incentive. Anything being used to bypass the more complex CAPTCHAs is going to be targeting high profile web sites with a well defined return value.
Re: (Score:2)
Fortunately, most of the bots are dumb and measures like captchas block them from the pages that need protection, as a first layer of security
Exactly. If bots stop being dumb, we're doomed, lol.
2nd level is honeypot - a hidden field that humans don't even see and leave blank, but that stupid bots just fill in with their link spam or whatever. But smart bots - think googlebot, or even screen readers - do process JS and CSS to figure out what is visible.
When all the bots get smart, we're screwed, lol
Re: (Score:2)
unreadable (Score:2)
Re: (Score:3)
Re:unreadable (Score:4, Interesting)
Re:unreadable (Score:5, Interesting)
Or using a VPN that has an IP shared by others who are either infected or malicious.
Re: (Score:3)
Re:unreadable (Score:4, Interesting)
blocking enough of google's trackers also seems to trigger this.
Re: (Score:1)
Re: (Score:2)
I was shown one the other day that looked like a bad acid trip full of psychedelic colors, and some animal shapes you had to match to dotted silhouettes at the top. Absolutely insane. I started feeling dizzy and nauseous from looking at it for just ten seconds.
Missed opportunity for a headline (Score:5, Funny)
Re:Missed opportunity for a headline (Score:5, Funny)
"AI makes it harder to prove you are not a robot."
or a dog..
Re: (Score:2)
or an ant...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Being completely serious, that really is the story here. AI has gotten good enough that it's hard to tell computers from humans. Captchas were created based on the idea that some tasks were easy for humans and hard for computers. Then computers got better at those tasks and they had to look for new ones. Now they're running out. Anything that's easy for a human is also easy for a computer. Anything that's hard for a computer is at least somewhat hard for a human.
Philip K. Dick predicted this a long time a
TFS missed one (Score:3)
Users no longer have to simply identify things. They need to identify things and do something with that information -- move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape...
Hit the back button and browse elsewhere
Re: (Score:2)
I do that every time I go to a website and it has a must-click popup. Eventually some marketing taintstick will get the hint that their engagement goes down when they bother people, but we know that marketing people are inhuman scum and will take that as a reason to bother you more.
Re: (Score:2)
I do that every time I go to a website and it has a must-click popup.
Must be nice not using the internet at all from a phone.
Re:TFS missed one (Score:5, Insightful)
Ebay has really clamped down, too. My ebay account was once tied to me by nothing more than a throwaway email. But now it's tied to your phone, your bank, and your social security number (because they report your sales to the IRS).
It's all pretty irksome, until my credit card number gets stolen yet again and wastes more of my time than typing in a 2FA ever could.
Sometimes you wonder if everything is just going to grind to a halt having been sucked dry by all the scamming leeches.
Re: (Score:2)
I'm not going to defend eBay, but just FYI you can bypass all the hassle by using Passkeys. One touch to log in.
Re: (Score:2)
Re: (Score:2)
Hit the back button and browse elsewhere
I don't "browse" the internet. I go somewhere specifically for something specific. There are two situations where I come across the captchas:
1. Login pages of places I'm trying to log in to for a specific reason. - No alternative
2. Virtually the entire internet including when I type something into the search bar if I am using a VPN. - No alternative.
There should be laws (Score:5, Insightful)
Let me ask you a question, would it be acceptable to put a 1-2 minute timer on your website just to waste people's time? because that's what recaptchas do.
Re: (Score:3)
Even if they are useless it does slow down the bot traffic that would otherwise overwhelm some sites.
Re: (Score:3)
I guess some people are just captcha challenged. Glad it's not me; although a few years back there was one set of photos where you were supposed to click on all the mailboxes, but the captcha itself was broken because one picture of a street address painted on a curb was supposed to be considered a mailbox...
I'm never sure how much of the motorcycle has to be in the picture. Does that little corner of the mirror or edge of the tire really count as "pictures with motorcycles"?
Re: (Score:2)
Re: (Score:2)
This, and the artificial stupidity's inability to recognize that a swathe of stripes on the edge of the road oriented parallel to the road is not a cross-walk.
Re: There should be laws (Score:1)
Or motorcycle versus bicycle.
Re: (Score:1)
It doesn't matter, because half the people choose either, so that picture gets ignored.
Re: (Score:2)
Re: (Score:2)
It's a pretty dishonest way to do rate-limiting to be honest.
Re: (Score:2)
Maybe your privacy settings are too low to see it, but it doesn't actually matter if you get the answers right or not. If your browser blocks fingerprinting, if you are using a VPN or even just an ISP with CGNAT, you can click the right squares over and over and it will still keep you there for a minute or two. It seems like when your IP address isn't unique and when your browser isn't letting it spy, it just puts in massive delay to slow down suspected spammers.
Ironically there is now a market for AI captc
Re: (Score:2)
If we take the argument of "My site is my property" to its logical conclusion, then these bots are effectively defacing private property to make money. That's already illegal in many physical places. Take their profits (plus a percentage penalty fine) away, and give it to the property owner whom they've plastered their ads on.
Re: (Score:2)
Re: (Score:2)
one would *think* that after the first couple offices you killed them, the police would catch on . . . but then, I suppose they're still stuck on the captcha . . .
Re: (Score:2)
The question I have is why sometimes the site makes you do a billion of them, while other sites using the same thing only make you do one.
It's like one site makes you do a half dozen "click all the cats/traffic lights/etc" and the like, while another site only presents one and lets you in. That always confused me.
But the worst by far is Hcaptcha - apparently now you can do it for profit where they show ads while making you do a billion of them. Sony uses these types and it's annoying to log in and then it s
Re: (Score:2)
I used to run a phpBB forum for a group in an online game. At one point, we were getting upwards of a dozen bots a day signing up and plastering spam in every public area they could access. I was the sole admin, so policing it was a pain. I briefly tried a traditional CAPTCHA, but users hated it and it was barely effective when I tuned it to be easier.
I eventually installed a plugin that simply asked users to correctly sort items via dragging into one of two categories before they could register. We wanted
Re: (Score:2)
Old and busted: "Click on all squares that contain a traffic light"
New hotness: "Write a one-paragraph erotic fiction story"
Re: (Score:2)
"I have a girlfriend. She's hot."
Do many couple with firewall? (Score:2)
Re: (Score:2)
Seems like a simple solution to stop bots would be to deny any layer 7 traffic that contains an IP address where a host name is expected.
A lot of bots are just scanning IP space and attempting brute force logins whenever they encounter a recognized login form.
For example, https://google.com and https://142.251.40.206 are equivalent, but only a bot would be accessing the IP address directly.
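The check proposed in the comment above, sketched as an added example that is not part of the original post or of any project's code. It classifies the value of an HTTP `Host` header; `ALLOWED_HOSTS`, `split_host_port` and `classify_host` are hypothetical names, and the sample headers are constructed.

```python
import ipaddress

# Assumption: the names this site is actually served under.
ALLOWED_HOSTS = {"example.org", "www.example.org"}

def split_host_port(value):
    """Split a Host header into (host, port); return None if malformed."""
    value = value.strip()
    if value.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:443
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:]
    elif value.count(":") == 1:            # name:port or IPv4:port
        host, port = value.split(":")
    else:                                  # bare name, or unbracketed IPv6
        host, port = value, ""
    if not host or (port and not port.isdigit()):
        return None
    return host, port

def classify_host(value, allowed=ALLOWED_HOSTS):
    """Return 'allow' or a 'reject:<reason>' string for one Host header."""
    parsed = split_host_port(value)
    if parsed is None:
        return "reject:malformed"
    host = parsed[0].rstrip(".").lower()   # names are case-insensitive
    try:
        ipaddress.ip_address(host)         # IPv4 or IPv6 literal
        return "reject:ip-literal"
    except ValueError:
        pass
    if host.isdigit():                     # single-integer form of an IPv4 address
        return "reject:ip-literal"
    if host not in allowed:
        return "reject:unknown-host"
    return "allow"

# Constructed sample headers; the IPv4 address is the one quoted in the comment.
SAMPLE = ["example.org", "EXAMPLE.org.:443", "142.251.40.206",
          "142.251.40.206:443", "[2001:db8::1]:8443", "2398824654",
          "evil.example:80", "example.org:abc"]

if __name__ == "__main__":
    for header in SAMPLE:
        print(f"{header!r:24} -> {classify_host(header)}")
```

Health checks and load balancers often address a server by IP, so they need an exemption or their own listener, and a scanner that takes host names from DNS or certificates passes this check.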
Re: Do many couple with firewall? (Score:3)
Re: (Score:2)
This will not end well (Score:5, Interesting)
Re: (Score:2)
How else is SkyNet meant to gain control over society?
Re: (Score:2)
Then you just flip the sign. Let only people in who could not solve the captcha.
Re: (Score:2)
Illegal, unpaid labor farms making you work harder (Score:3)
There, fixed the headline.
They expect me ... (Score:3)
Re: (Score:2)
Busses, bridges, taxis, motorcycles... Damn it Google, why don't you just teach your self-driving cars the same way everyone else does, by putting them on the road and letting them learn from their own mistakes? So what if a few of them end up reenacting some drunk GTA V gameplay scenes. That's just the price of progress! /s
Re: (Score:1)
Then you should turn in your driver's license.
Captcha is the early exit for me. (Score:5, Insightful)
Unless there is an unbelievably specific reason to do otherwise, when I see a captcha, that's it. I'm out. I have walked away from giving companies my business over this.
This wasn't true until it got to the point where "pick all squares with a motorcycle" got to "try to guess if we think the motorcycle rider's helmet is part of the motorcycle".
Fuck them. May the creators of CAPTCHA/ReCAPTCHA/whatever rot.
Re: (Score:3)
Re: (Score:2)
Why are you still using IE6?
Re: (Score:2)
Google claims they do not. And at least in the past they used the data to train their AIs.
Re: (Score:2)
Re: (Score:2)
This wasn't true until it got to the point where "pick all squares with a motorcycle" got to "try to guess if we think the motorcycle rider's helmet is part of the motorcycle".
Or the tip of a fender. I'm getting to not care...I click a few obvious tiles then wait for it to refresh, go through it a time or two again and it lets me in...I've noticed that it doesn't seem to care how precise I am (dfm3 mentions why, I think), it always asks again. My Credit Union is about the only place that I'll put up with it.
Re: (Score:1)
try to guess if we think the motorcycle rider's helmet is part of the motorcycle
The above made me stop using Google Search and Chrome.
can make it more about doing something for 30 sec (Score:2)
can make it more about doing something for 30 sec and not needing to get it right. That will slow down bots big time.
Logic problems (Score:5, Funny)
What is your credit card number minus the current year?
What is the square of your credit card PIN?
What is 10 times the security code on the back of your credit card?
Type your name adding 1 letter to each letter, so A becomes B and so on, with Z becoming A.
Type your zip code backwards.
Re: (Score:2)
Sum (
What is your credit card number minus the current year?
What is the square of your credit card PIN?
What is 10 times the security code on the back of your credit card?
Type your name adding 1 letter to each letter, so A becomes B and so on, with Z becoming A.
Type your zip code backwards.
) | rot13 = 42
I hate captchas (Score:1)
Regarding bear-proof garbage bins: (Score:4, Insightful)
Quote from a Yosemite Park forest ranger: "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists." The same applies to bot-proof websites: There's a considerable overlap between the capabilities of the smartest software and the dumbest website visitors.
Re: (Score:1)
Thus, it's important to bear-proof your websites with honeypots and blackholes.
Humans already have trouble with CAPTCHAs (Score:3)
I personally have been frustrated by those stupid "Identify all the pictures that contain a bus" or a traffic light. I think I'm pretty good at recognizing those things, but still sometimes can't get the CAPTCHA to agree with my choices. You then end up in an endless cycle of new tries that still don't work.
The "read this text" puzzles also are problematic, because when you see letters like C, K, O, S, V, W, or X, it's sometimes not possible to tell whether the letters are upper case or lower case, and you end up just guessing.
So enough with the poorly-designed CAPTCHAS, don't make them harder, that's just a good way to keep a significant portion of the population out of your website.
Re: Humans already have trouble with CAPTCHAs (Score:1)
Re: (Score:2)
Maybe you've had this kind of luck, I have not. It's not possible to generalize from your own experience, there are SO many different home-brew CAPTCHA techniques out there.
What irony (Score:2)
something something Skynet.
Logic is a difficult skill (Score:2)
A puzzle-driven game-show, "The 1% club" reveals how quickly people are outside their comfort zone, how little detail they remember, how easily they're distracted (and multi-tasking isn't a 'thing') and how they can't filter data to detect a pattern. (There's also assuming pattern X when it's really pattern Y but that's a consequence of incomplete information, not of being 'normal'.)
The hardest Captcha (Score:2)
With apologies for the link to X...
https://twitter.com/JeffMightB... [twitter.com]