But surely an ethical bot would never lie about being a human?
Completely Automated Public Turing test to tell Computers and Humans Apart – better known as the ubiquitous CAPTCHA we see standing athwart the doors to many websites – may now be a misnomer as researchers have found that computers are much better at completing them. The bot defense measure dates back to 1997 and the tortured …
So if humans fail the task 50% of the time, you should present 2 or more tests, expect humans to fail, and bots to complete all of them successfully.
After 10 tests, there is only 1 in 1024 chance of humans doing all of them correctly, while bots will get them every time.
"After 10 tests, there is only 1 in 1024 chance of humans doing all of them correctly, while bots will get them every time."
I think you may be onto something.
My only concern is that 1 in 1024 is too low and increasing it to 20 tests makes the chances of it being a bot
This would obviously show a huge increase in popularity for the tests (based on the numbers of tests completed...), and adding an audio component that detects frustration based on muttered swearing could provide an additional level of checking in the future...
I would go further and say the research conclusion "There's no easy way using these little image challenges or whatever to distinguish between a human and a bot any more," is totally at odds with the findings, unless they have defined “easy” to only encompass the final submission and not easily observable and measurable completion behaviour.
"For distorted text fields, humans took 9-15 seconds with an accuracy of just 50-84 percent. Bots, on the other hand, beat the tests in less than a second with 99.8 percent accuracy."
I was about to post on similar lines.... if the test is passed correctly and quickly, reject the 'user'. If it takes a few seconds and gets it mostly right but misses one or two letters or boxes, congratulations, you're human!!!
I once DID get rejected for typing a password 'quicker than a human could have done so'. Clearly that was wrong, as I did it, but the other end didn't KNOW that...
That was some time ago and I use a password manager for most stuff now, with delays programmed into the autotype where necessary!
To their credit, Google realised fairly early on that CAPTCHAs were being beaten by fairly simple OCR and/or terminal monkeys. This is why ReCAPTCHAs use different heuristics than simple image recognition to differentiate between meatware and software. But they're all annoying and will generally drive legitimate users away. They tend to come in waves for me and, when there are too many, I use the NopeCHA extension to solve them for me, or I give up on the service. As I do with anything that tries to force me to use one of the Kraken to log in.
I think they are using it to help their image recognition.
So while I normally skip sites that require it, if it is a site I really want to visit I'll always take a minute to get things wrong over and over again before finally getting it right - to pollute their dataset.
I also used to deliberately try and pollute their dataset. These days, even when trying to get them right, I still need multiple rounds. (FFS, if you don't want me to click 20 out of 25 squares, don't show me a picture with a bicycle that covers 20 out of the 25 squares.)
The "correct" answer is the one most other people choose.
Since "most other people" don't know about anything like stinkwheels, we always have to ask ourselves "what would most 'normal' people have clicked on" instead of "what is actually the correct answer".
So it's kind of a test that rejects computers and also rejects very intelligent humans.
"Or traffic lights - is it just the illuminated structure, or does it include the support poles?"
They are trained based on "typical" responses from lazy humans with either questionable eyesight or small screens.
In most cases you can go for the minimal number of squares that are definitely part of the target rather than the surrounding squares containing small parts of the target
- squares containing large parts of the wheels on a bicycle but not the handlebars or rider
- motorcycles don't include handlebars unless the squares also include wheels
- traffic lights consist primarily of lights, anything else is optional
- stairs must contain a full "stair" or "step"
This research is based on supporting companies that have used SEO tools to try and manipulate Google search results and resulted in Google performing reCAPTCHA testing on any attempts to use its services while you try to identify the idiot who was responsible for mis-using SEO tools.
Ditto that. I once tried to order a consignment of electronic components from a supplier only to be prevented from completing my purchase at the checkout due to a failed captcha. As I was blocked from proceeding I abandoned my basket and placed the order with their competitor... who didn't use captchas. I'm sure there is a lesson there somewhere.
Suspect like many small businesses, particularly restaurants who got into online ordering during lockdown, they simply bought into a third-party ordering system because it was already integrated with Deliveroo, Just Eat etc. and they only needed to add a few photos and a priced menu. It got them online quickly and cheaply and for my local Indian enabled them to fully benefit from increased business due to everyone being at home. Even the fish and chip van started visiting the village twice a week.
The robot testing which of the stolen cards in its list are valid/not blocked :(
Sadly things like that are abused, and the little coffee/pizza shop gets dumped on by the card acquirer (higher charges due to reversals etc.) so they need to protect themselves.
It’s crap, but I can’t blame them.
It could be partially due to the fact I'm getting long in the tooth, but I find Google's recaptchas of the "select all pictures containing a bike" sort tricky on a mobile device.
I wonder if timing the form submission (from time page served) would suffice to filter out most bots. Hell, a referrer check would probably block half.
In other contexts (web server connection and request limiting plus fail2ban) I've realised how depressingly unsophisticated most bot implementations are.
The sophistication of the bot correlates almost directly to the expected reward on the site. This is why the overwhelming majority are simple CURL (or similar) scripts looking for login pages and similar. These can be spun up to operate at scale to find potential targets for more sophisticated attacks that will use more reasonable IP addresses, credible referrers and timings and even real browsers. For the people running the attacks it's often worthwhile finding out which kind of protection is in use. Modern AI-bots can simulate human interaction enough to avoid detection but the costs of doing this are real.
Now that SMS and CAPTCHAs are regarded as insecure by certain sites for 2FA?
I hate the fact that I have to have my phone at my side when shopping. When this happens, it is probably charging in another room. That tells the world that my phone is not surgically attached to my hand.
So much for progress?
At home my mobile phone is invariably sitting downstairs on a mantel -- it lives there because that's where I can find it. So when 2FA kicks in I have to leave my computer, go downstairs, get the phone, go back to my computer, hope that the code hasn't timed out ..... and so on.
Alphanumeric CAPTCHAs are sort-of OK. Picture ones I keep getting wrong because there's often some issue about whether a picture has a staircase or whatever in it; it's often a matter of judgment. I'm pretty sure that modern image recognition filters would do a much better job than my eyes straining to make sense of an often fuzzy picture.
A surprising amount of web code either locks up a browser (i.e. "sits in an infinite loop waiting for an event that will never come because it probably happened before the browser got around to polling for it") or just plain doesn't work ("we outsourced this web stuff and it works just fine in whatever 'the latest' permutation of browser version, consumer operating environment and hardware we developed this PoS on"). (I maintain that's why companies like Amazon are so successful -- it's not "unfair competition" but rather "we make sure our crap works before springing it on the unsuspecting public".)
I maintain that's why companies like Amazon are so successful -- it's not "unfair competition" but rather "we make sure our crap works before springing it on the unsuspecting public"
Unfortunately, I have to agree there. The amount of times I've spent extra effort to find the original vendor of stuff, only to have their website completely fall over when I try to give them money, is just amazing.
I avoid 2FA sites if I can, and often I have no choice - like at the moment, I've been visiting my mum for the last 2 weeks, and didn't bring my mobile with me - the signal here is bad, and I simply couldn't be arsed. So I can't use PayPal, for example.
Amazon, I can use, because I deleted my phone number entirely - of course, now I don't get SMS delivery alerts either.
Many are done badly too, it's just security theatre.
When will they realise we aren't all physically attached to our phones 24/7
Sometimes for example, I'll be next to my front door, and decide to go out for a walk, so I just do. No grabbing of phone/wallet/id/pager/driving/license/passport/cash/ - I'll only have my keys if I go driving. I'll often be out and about with nothing.
> When will they realise we aren't all physically attached to our phones 24/7
Aren't we? I think the younger generation is. At least from what I see in the streets.
Phones have started to become waterproof because their users tend to take baths/showers once in a while.
As someone who is slightly dyslexic, I hate those CAPTCHAs that use letters; numbers I have no problem with. And as a pedant I hate the images that almost always have edges of bridges, wheels, buses or whatever that overlap the squares by a pixel or two. If you want me to mark the squares that I know are right then accept that your CAPTCHA is not correct. When really pissed off I take a screenshot, enlarge it and send an angry mail to the website, where I show them that I AM right, they ARE wrong and THEY have just lost a customer.
"explained that the explosion in advanced machine learning methods have rendered the defense obsolete"
Verb is conjugated for the subject of the sentence, not the adjectival phrase (or whatever that is) that comes after it. The *explosion* HAS rendered, not the methods. Bah humbug.
...is slightly different. Sites can use it simply for irritation value. You're thinking Ok, that's stupid, no site would want to irritate their own users. But a UK sports governing body does exactly this.
They have 25K+ users who frequently look up their own results ('PBs'). These are public information, which was supplied by the user's club to the governing body itself. 15+ years ago a number of clubs started scraping their own results to keep their local systems up to date. The governing body didn't like this and, without explanation, started rate-limiting, blocking IP addresses, and so on. Fast-forward 20 years, and every user now has to fill in a reCAPTCHA and then wait 5 seconds to get their PBs. All completely pointless, and without any basis in law. The reason is simply that (a) the website provider has a software product that they believe (incorrectly) fills this need, and (b) the governing body has an undisclosed financial relationship with that provider (until someone was forced to disclose it in a court case recently).
So, I've spent 15 years doing counter-measures, and waiting for the people involved to retire, be fired, or die. The sooner reCAPTCHA is finished off the better.
My bot prevention is to reject anything that is completed too quickly or too slowly (too slowly indicating it's been saved for later), using an MD5 encrypted timestamp, with JS being used to create the submission feature. There is no captcha for people to do, and I've never had anything non-human get through. I'm sure if I was a major site though people would take note and get round it but as an individual site it's perfect.
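As an added example, not the commenter's own code, here is the kind of server-side check described in this post and in the earlier suggestion of timing the form submission from the moment the page was served, plus the referrer check mentioned there. It signs the timestamp with HMAC-SHA256 rather than a bare MD5 hash so the token cannot be forged or back-dated without the server secret; the secret, the window bounds, the field format and the function names are all assumptions.

```python
"""Timing-window form token: reject submissions that arrive too fast or too slow.

Added example, not from any commenter. Assumed: a server secret, a 3 s lower
and 30 min upper bound, and a hidden field formatted as "timestamp.nonce.mac".
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Assumed: in real use generate once with secrets.token_bytes(32) and keep it out of the code.
SECRET_KEY = b"replace-with-a-random-server-secret"
MIN_SECONDS = 3.0          # faster than anyone can read and fill in the form
MAX_SECONDS = 30 * 60      # older than this was probably saved and replayed later


def _sign(ts: str, nonce: str) -> str:
    """HMAC over the timestamp and nonce; only the server can produce it."""
    return hmac.new(SECRET_KEY, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(now: Optional[float] = None) -> str:
    """Value for the hidden form field, created when the form page is served."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)           # makes each served form distinct
    return f"{ts}.{nonce}.{_sign(ts, nonce)}"


def check_token(token: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'tampered', 'too_fast' or 'too_slow' for a submitted token."""
    try:
        ts, nonce, mac = token.split(".")
    except ValueError:                     # wrong number of fields
        return "tampered"
    if not hmac.compare_digest(mac, _sign(ts, nonce)):
        return "tampered"                  # timestamp or nonce was altered
    elapsed = (time.time() if now is None else now) - int(ts)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "too_slow"
    return "ok"


def referrer_matches(referer: Optional[str], own_host: str) -> bool:
    """Weak extra signal: crude scripts often send no Referer or a foreign one.
    The header is client-controlled, so treat a match as a hint, not proof."""
    if not referer:
        return False
    return urlparse(referer).hostname == own_host


if __name__ == "__main__":
    served_at = time.time()
    token = issue_token(served_at)
    # Constructed submissions: 1 s later (bot-like), 12 s later (fine), an hour later (stale)
    for delay in (1, 12, 3600):
        print(f"submitted after {delay:>5}s -> {check_token(token, served_at + delay)}")
    print("tampered ->", check_token(token[:-1] + "x", served_at + 12))
    print("referrer ok ->", referrer_matches("https://example.com/contact", "example.com"))
```

Because the MAC covers the timestamp, a script cannot simply age a freshly fetched token to clear the lower bound; it has to actually wait, which is the cost the check imposes.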
I recall this little beauty from a few years back, I thought 'el Reg covered it. Maybe I was mistaken...
Either way, I could continue to shoot the baddies without even bothering going to the actual website!
Why are we getting them not just on creation of a new account but after login? Both text and image picking.
Why do they popup very much less often if using Chromium?
Ebay even denied they were serving them. I sent them screenshots and they stopped communicating. I've stopped using ebay.
Ebay after login.
Amazon after login.
Kobo after login.
Are the Google reCAPTCHAs even legal in the EU?
And what is the real purpose?
We've been hearing that bots are better at cracking CAPTCHAs for at least four years - ever since The Verge published this article in 2019: https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence. Still, the vast majority of the most popular websites in the world continue to use them, even at the cost of annoying their users. I'm somehow inclined to take these research findings with a barrel of salt.