So much for CAPTCHA then – bots can complete them quicker than humans

Completely Automated Public Turing test to tell Computers and Humans Apart – better known as the ubiquitous CAPTCHA we see standing athwart the doors to many websites – may now be a misnomer as researchers have found that computers are much better at completing them. The bot defense measure dates back to 1997 and the tortured …

  1. Neil Barnes Silver badge

    But surely an ethical bot

    would never lie about being a human?

    1. Graham Dawson

      Re: But surely an ethical bot

      It doesn't lie; it hallucinates. That's the term of art, now.

    2. David Nash

      Re: But surely an ethical bot

      In any case, the CAPTCHA doesn't give the option to say "I am a robot", so no need to lie, just do the task presented and let the server infer rightly or wrongly whether you are human or bot.

    3. Toni the terrible

      Re: But surely an ethical bot

      lie? Truth what is Truth? (See social media)

  2. Luiz Abdala
    Joke

    Task failed successfully.

    So if humans fail the task 50% of the time, you should present 2 or more tests, expect humans to fail, and bots to complete all of them successfully.

    After 10 tests, there is only 1 in 1024 chance of humans doing all of them correctly, while bots will get them every time.

    See icon.

    1. Steve Kerr

      Re: Task failed successfully.

      You got there first - pass the CAPTCHA test based on human mistakes for doing them - except when the bots are programmed to do that too!

      1. David Nash
        Terminator

        Re: Task failed successfully.

        Which of course they will be.

    2. theblackhand

      Re: Task failed successfully.

      "After 10 tests, there is only 1 in 1024 chance of humans doing all of them correctly, while bots will get them every time."

      I think you may be onto something.

      My only concern is that 1 in 1024 is too low and increasing it to 20 tests makes the chances of it being a bot

      This would obviously show a huge increase in popularity for the tests (based on the numbers of tests completed...), and adding an audio component that detects frustration based on muttered swearing could provide an additional level of checking in the future...

      1. ThatOne Silver badge
        Devil

        Re: Task failed successfully.

        There is only one sure method: If you're a bona fide human, send us one of your fingers (DNA test to confirm ownership).

        This also limits bandwidth usage to a maximum of 10 connections per user (Toes are not accepted), keeping costs down.

        1. Roland6 Silver badge

          Re: Task failed successfully.

          Surely that’s a lifetime bandwidth usage, unless the fingers are returned…

        2. Mike007 Silver badge

          Re: Task failed successfully.

          Disability discrimination. Not everyone would get the same number of logins.

        3. Ken Moorhouse Silver badge

          Re: send us one of your fingers...

          I knew that someone would come up with a digital solution.

      2. Jim Whitaker

        Re: Task failed successfully.

        What do you mean "muttered"? Shouted, more like.

    3. Roland6 Silver badge

      Re: Task failed successfully.

      I would go further and say the research conclusion "There's no easy way using these little image challenges or whatever to distinguish between a human and a bot any more," is totally at odds with the findings, unless they have defined “easy” to only encompass the final submission and not easily observable and measurable completion behaviour.

    4. jmch Silver badge

      Re: Task failed successfully.

      "For distorted text fields, humans took 9-15 seconds with an accuracy of just 50-84 percent. Bots, on the other hand, beat the tests in less than a second with 99.8 percent accuracy."

      I was about to post on similar lines.... if the test is passed correctly and quickly, reject the 'user'. If it takes a few seconds and gets it mostly right but misses one or two letters or boxes, congratulations, you're human!!!

      1. Anonymous Coward

        Re: Task failed successfully.

        I once DID get rejected for typing a password 'quicker than a human could have done so'. Clearly that was wrong, as I did it, but the other end didn't KNOW that...

        That was some time ago and I use a password manager for most stuff now, with delays programmed into the autotype where necessary!

  3. alain williams Silver badge

    Of course someone from Google

    would say how great they are. Google must harvest an enormous amount of information from reCAPTCHA -- learning about the sites that you visit.

    1. Charlie Clark Silver badge

      Re: Of course someone from Google

      To their credit, Google realised fairly early on that CAPTCHAs were being beaten by fairly simple OCR and/or terminal monkeys. This is why reCAPTCHAs use different heuristics than simple image recognition to differentiate between meatware and software. But they're all annoying and will generally drive legitimate users away. They tend to come in waves for me and, when there are too many, I use the NopeCHA extension to solve them for me, or I give up on the service. As I do with anything that tries to force me to use one of the Kraken to log in.

    2. DS999 Silver badge

      Re: Of course someone from Google

      I think they are using it to help their image recognition.

      So while I normally skip sites that require it, if it is a site I really want to visit I'll always take a minute to get things wrong over and over again before finally getting it right - to pollute their dataset.


      2. Brewster's Angle Grinder Silver badge

        Anything you can do, I compute better.

        I also used to deliberately try and pollute their dataset. These days, even when trying to get them right, I still need multiple rounds. (FFS, if you don't want me to click 20 out of 25 squares, don't show me a picture with a bicycle that covers 20 out of the 25 squares.)

  4. MJI Silver badge

    I got rejected on one

    Said motorcycles, clicked on both, one missing.

    Was a stinkwheel, not usually classed as a motorcycle.

    Taxis are very difficult as usually there are none in the pictures.

    1. Anonymous Coward

      Re: I got rejected on one

      I've never been sure of whether "motorcycle" was supposed to include the rider. Any time I don't include them it says I was incorrect.

    2. Anonymous Coward

      Re: I got rejected on one

      The "correct" answer is the one most other people choose.

      Since "most other people" don't know about anything like stinkwheels, we always have to ask ourselves "what would most 'normal' people have clicked on" instead of "what is actually the correct answer".

      So it's kind of a test that rejects computers and also rejects very intelligent humans.

      1. Anonymous Coward

        Re: rejects very intelligent humans

        where "very intelligent" means "knows about old motor bikes".

      2. MJI Silver badge

        Re: I got rejected on one

        I NEVER click on a moped nor a silly little scooter, but just real ones including smaller stuff like the Honda C90.

        Ain't clicking on a shitty little small wheeled stink wheel.

    3. Phil O'Sophical Silver badge

      Re: I got rejected on one

      Or traffic lights - is it just the illuminated structure, or does it include the support poles?

      1. Anonymous Coward

        Re: I got rejected on one

        "Or traffic lights - is it just the illuminated structure, or does it include the support poles?"

        They are trained based on "typical" responses from lazy humans with either questionable eyesight or small screens.

        In most cases you can go for the minimal number of squares that are definitely part of the target rather than the surrounding squares containing small parts of the target.

        I.e.

        - squares containing large parts of the wheels on a bicycle but not the handlebars or rider

        - motorcycles don't include handlebars unless the squares also include wheels

        - traffic lights consist primarily of lights, anything else is optional

        - stairs must contain a full "stair" or "step"

        This research is based on supporting companies that have used SEO tools to try and manipulate Google search results, which resulted in Google performing reCAPTCHA testing on any attempts to use its services while you try to identify the idiot who was responsible for misusing SEO tools.

        1. Ken Moorhouse Silver badge

          Re: I got rejected on one

          We all need to go on a philosophy course to understand how to fill these things in.

          I mean, these pictures of traffic lights are not really traffic lights in themselves, they are pictures of traffic lights.

          1. mistersaxon

            Re: I got rejected on one

            “Click all the squares containing pixels representing images of traffic lights”

  5. Paul Crawford Silver badge

    Usually I just give up on any site that asks for one. I have complained to a local trader but they said they outsourced the web site it so can't do anything. Of course I could, I put my trade elsewhere.

    1. Andy Non Silver badge

      Ditto that. I once tried to order a consignment of electronic components from a supplier only to be prevented from completing my purchase at the checkout due to a failed captcha. As I was blocked from proceeding I abandoned my basket and placed the order with their competitor... who didn't use captchas. I'm sure there is a lesson there somewhere.

    2. Gene Cash Silver badge

      I had to stop buying from a vendor I'd used since before the interwaebz (since the '80s) because I block Google, meaning their CAPTCHA won't let me buy anything from them anymore.

    3. Displacement Activity

      What really pisses me off are the vendors who ask you to fill in a reCAPTCHA to buy something - namely, my local Indian takeaway and my coffee supplier. What robot in its right mind fills in credit card details to buy coffee?

      1. ThatOne Silver badge
        Devil

        Security theater, so their website looks "just like the big sites"...

        "See, we're so important we have to block bots." Never mind why.

      2. Roland6 Silver badge

        Suspect, like many small businesses, particularly restaurants who got into online ordering during lockdown, they simply bought into a third-party ordering system because it was already integrated with Deliveroo, Just Eat etc. and they only needed to add a few photos and a priced menu. It got them online quickly and cheaply and for my local Indian enabled them to fully benefit from increased business due to everyone being at home. Even the fish and chip van started visiting the village twice a week.

      3. Pier Reviewer

        The robot testing which of the stolen cards in its list are valid/not blocked :(

        Sadly things like that are abused, and the little coffee/pizza shop gets dumped on by the card acquirer (higher charges due to reversals etc.) so they need to protect themselves.

        It’s crap, but I can’t blame them.

    4. Roland6 Silver badge

      Trouble is, things are much harder when the “reCaptcha” is a code sent to a mobile phone, which at time of writing is sitting in my partner's handbag at work with her…

  6. Pete Sdev
    FAIL

    Captchas, pah

    It could be partially due to the fact I'm getting long in the tooth, but I find Google's recaptchas of the "select all pictures containing a bike" sort tricky on a mobile device.

    I wonder if timing the form submission (from time page served) would suffice to filter out most bots. Hell, a referrer check would probably block half.

    In other contexts (web server connection and request limiting plus fail2ban) I've realised how depressingly unsophisticated most bot implementations are.

    1. Charlie Clark Silver badge

      Re: Captchas, pah

      The sophistication of the bot correlates almost directly to the expected reward on the site. This is why the overwhelming majority are simple curl (or similar) scripts looking for login pages and similar. These can be spun up to operate at scale to find potential targets for more sophisticated attacks that will use more reasonable IP addresses, credible referrers and timings and even real browsers. For the people running the attacks it's often worthwhile finding out which kind of protection is in use. Modern AI bots can simulate human interaction enough to avoid detection, but the costs of doing this are real.

    2. Missing Semicolon Silver badge

      Re: Captchas, pah

      Fail2ban is getting less useful. I have seen the bots tuning their request rate to not trigger a ban.

  7. myhandler

    The article only refers to distorted text captchas being 'bottable', not the status of the ubiquitous image question things.

    Haven't seen a distorted text captcha on a modern site for a long time.

    1. Anonymous Coward

      4chan uses one, though its clever trick is to have you align one image behind cut-outs in another until the letters appear, then enter the letters you see.

    2. Mage Silver badge

      Amazon uses them frequently AFTER log in.

    3. Toni the terrible

      distorted text

      I have seen a number of distorted text CAPTCHAs, from Amazon.

  8. Gene Cash Silver badge

    Source would be nice

    It would be nice to have this code as a Firefox extension.

    1. Anonymous Coward

      Re: Source would be nice

      There's a company that offers this called NopeCHA, but it is a paid service.

      1. Claverhouse

        Re: Source would be nice

        Plus, even if it worked for Pale Moon or Basilisk: I just looked it up, and the extension info says: This add-on needs to: Access your data for all web sites.

        I passed.

  9. Anonymous Coward

    What next for security now?

    Now that SMS and CAPTCHAs are regarded as insecure by certain sites for 2FA?

    I hate the fact that I have to have my phone at my side when shopping. When this happens, it is probably charging in another room. That tells the world that my phone is not surgically attached to my hand.

    So much for progress?

    1. martinusher Silver badge

      Re: What next for security now?

      At home my mobile phone is invariably sitting downstairs on a mantel -- it lives there because that's where I can find it. So when 2FA kicks in I have to leave my computer, go downstairs, get the phone, go back to my computer, hope that the code hasn't timed out ..... and so on.

      Alphanumeric CAPTCHAs are sort-of OK. Picture ones I keep getting wrong because there's often some issue about whether a picture has a staircase or whatever in it; it's often a matter of judgment. I'm pretty sure that modern image recognition filters would do a much better job than my eyes straining to make sense of an often fuzzy picture.

      A surprising amount of web code either locks up a browser (i.e. "sits in an infinite loop waiting for an event that will never come because it probably happened before the browser got around to polling for it") or just plain doesn't work ("we outsourced this web stuff and it works just fine in whatever 'the latest' permutation of browser version, consumer operating environment and hardware we developed this PoS on"). (I maintain that's why companies like Amazon are so successful -- it's not "unfair competition" but rather "we make sure our crap works before springing it on the unsuspecting public".)

      1. Gene Cash Silver badge

        Re: What next for security now?

        I maintain that's why companies like Amazon are so successful -- it's not "unfair competition" but rather "we make sure our crap works before springing it on the unsuspecting public"

        Unfortunately, I have to agree there. The number of times I've spent extra effort to find the original vendor of stuff, only to have their website completely fall over when I try to give them money, is just amazing.

        1. Claverhouse

          Re: What next for security now?

          I recently wanted some Merrell [ vegan ] trainers. Logged into Merrell's, went through the selection process and at the last it declined my debit card. Three times on different occasions.

          Finally bought the same off eBay with the same card.

      2. katrinab Silver badge
        Flame

        Re: What next for security now?

        Amazon's search facility most definitely doesn't work though.

        1. Roland6 Silver badge

          Re: What next for security now?

          Not the only website where this is so. Too many times I find using Google to search a website will return results the website's own search fails to find…

        2. Anonymous Coward

          Re: What next for security now?

          Maybe it works in the way that benefits Amazon the most,

          returning you shit that seems unrelated but shit you will buy anyway,

          or that scam version of the thing you were looking for?

          1. katrinab Silver badge
            Megaphone

            Re: What next for security now?

            It doesn't benefit Amazon if I get so frustrated with the c*** search results that I end up going elsewhere.

    2. Anonymous Coward

      Re: What next for security now?

      I agree.

      I avoid 2FA sites if I can, and often I have no choice - like at the moment, I've been visiting my mum for the last 2 weeks, and didn't bring my mobile with me - the signal here is bad, and I simply couldn't be arsed. So I can't use PayPal, for example.

      Amazon, I can use, because I deleted my phone number entirely - of course, now I don't get SMS delivery alerts either.

      Many are done badly too, it's just security theatre.

      When will they realise we aren't all physically attached to our phones 24/7?

      Sometimes for example, I'll be next to my front door, and decide to go out for a walk, so I just do. No grabbing of phone/wallet/id/pager/driving/license/passport/cash/ - I'll only have my keys if I go driving. I'll often be out and about with nothing.

      1. ThatOne Silver badge

        Re: What next for security now?

        > When will they realise we aren't all physically attached to our phones 24/7

        Aren't we? I think the younger generation is. At least from what I see in the streets.

        Phones have started to become waterproof because their users tend to take baths/showers once in a while.

        1. Potty Professor
          Joke

          Re: What next for security now?

          "I think the younger generation is" But at 75 years old, does that make me one of them?

    3. Strahd Ivarius Silver badge

      Re: What next for security now?

      You could have a barcode/QR code etched on your forehead, and then bow to the computer to be recognised; would it be better?

  10. vistisen

    As someone who is slightly dyslixic, I hate those CAPTCHAs that use letters; numbers I have no problem with. And as a pedant I hate the images that almost always have edges of bridges, wheels, buses or whatever that overlap the squares by a pixel or two. IF you want me to mark the squares that I know are right then accept that your CAPTCHA is not correct. When really pissed off I take a screen shot, enlarge it and send an angry mail to the website, where I show them that I AM right, They ARE wrong and THEY have just lost a customer.

    1. BenDwire Silver badge
      Holmes

      dyslixic ?

      I see what you did there! As a fellow sufferer, I welcome you to the club.

      Dyslexia Rules KO

  11. Whitter

    I doubt security is the purpose

    Distorted text CAPTCHAs may well be a security thing, but the more common "label things in a street photo" reek of being "free" input to an AI for self-driving vehicles.

    1. ebruce613

      Re: I doubt security is the purpose

      Obligatory XKCD: https://xkcd.com/1897/

  12. Anonymous Coward

    A Bot Experience

    I was using a chat session to attempt to solve a problem with an (in)famous bank. I was suspecting my human account expert was anything but. I asked if I was talking to a bot. "Yes, but I am a really good bot" was the reply.

  13. ChrisBedford

    Grammar! Grammar! Grammar!

    "explained that the explosion in advanced machine learning methods have rendered the defense obsolete"

    Verb is conjugated for the subject of the sentence, not the adjectival phrase (or whatever that is) that comes after it. The *explosion* HAS rendered, not the methods. Bah humbug.

  14. Giles C Silver badge

    Obligatory xkcd

    https://xkcd.com/1897/

  15. Anonymous Coward

    I like the Newsthump story: "Cyclist repeatedly fails Captcha test after failing to identify images with traffic lights"

  16. MJI Silver badge

    had one today

    Asked for crosswalks, random street stuff including a few zebra crossings.

    Refreshed got traffic lights.

    1. Mage Silver badge
      Devil

      Re: had one today

      They are very USA culturally biased and abusive.

      1. hayzoos

        Re: had one today

        In order to have culture appropriate CAPTCHA your culture will have to endure self driving vehicles.

  17. Displacement Activity

    My problem with reCAPTCHA...

    ...is slightly different. Sites can use it simply for irritation value. You're thinking Ok, that's stupid, no site would want to irritate their own users. But a UK sports governing body does exactly this.

    They have 25K+ users who frequently look up their own results ('PBs'). These are public information, which was supplied by the user's club to the governing body itself. 15+ years ago a number of clubs started scraping their own results to keep their local systems up to date. The governing body didn't like this and, without explanation, started rate-limiting, blocking IP addresses, and so on. Fast-forward 20 years, and every user now has to fill in a reCAPTCHA and then wait 5 seconds to get their PBs. All completely pointless, and without any basis in law. The reason is simply that (a) the website provider has a software product that they believe (incorrectly) fills this need, and (b) the governing body has an undisclosed financial relationship with that provider (until someone was forced to disclose it in a court case recently).

    So, I've spent 15 years doing counter-measures, and waiting for the people involved to retire, be fired, or die. The sooner reCAPTCHA is finished off the better.

  18. David-M

    My bot prevention is to reject anything that is completed too quickly or too slowly (too slowly indicating it's been saved for later), using an MD5 encrypted timestamp, with JS being used to create the submission feature. There is no CAPTCHA for people to do, and I've never had anything non-human get through. I'm sure if I was a major site though people would take note and get round it, but as an individual site it's perfect.

    1. ThatOne Silver badge

      > people would take note and get round it

      Indeed. Especially since the workaround is as simple as timing your submission "just right". Definitely not secure I would say, just good enough for filtering casual, simple bots with timing issues.
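The timing-window filter Pete Sdev wonders about and David-M describes, with ThatOne's objection built into the last scenario, as an added example that is none of the commenters' code. It assumes a server-side HMAC-SHA256 over the issue timestamp in place of the "MD5 encrypted timestamp" the post mentions; the key, window bounds and scenario timings are constructed.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment loads the key from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MIN_FILL_SECONDS = 3.0        # faster than this: almost certainly scripted
MAX_FILL_SECONDS = 15 * 60.0  # slower than this: stale, or "saved for later"


def issue_token(issued_at: float, key: bytes = SERVER_KEY) -> str:
    """Token to embed in the form when the page is served: '<ms>:<mac>'.

    The HMAC (SHA-256 here, in place of the MD5 the post mentions) stops a
    client from rewriting the timestamp; it does nothing about a client that
    simply waits before submitting.
    """
    ts = str(int(issued_at * 1000))
    mac = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_submission(token: str, submitted_at: float, key: bytes = SERVER_KEY,
                     min_fill: float = MIN_FILL_SECONDS,
                     max_fill: float = MAX_FILL_SECONDS) -> str:
    """Return 'ok', or the reason the submission is rejected."""
    try:
        ts, mac = token.split(":", 1)
    except ValueError:
        return "malformed"
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad_mac"          # timestamp tampered with, or token forged
    try:
        issued_at = int(ts) / 1000.0
    except ValueError:
        return "malformed"
    elapsed = submitted_at - issued_at
    if elapsed < 0:
        return "clock_skew"
    if elapsed < min_fill:
        return "too_fast"         # the "completed too quickly" case
    if elapsed > max_fill:
        return "too_slow"         # the "saved for later" case
    return "ok"


def demo() -> dict:
    """Constructed scenarios; 'patient_bot' is the caveat raised in the reply."""
    t0 = 1_700_000_000.0                      # constructed page-served time
    token = issue_token(t0)
    # Same MAC, timestamp moved an hour back: the MAC check catches it.
    tampered = f"{int((t0 - 3600) * 1000)}:{token.split(':', 1)[1]}"
    return {
        "human":       check_submission(token, t0 + 8.2),
        "script":      check_submission(token, t0 + 0.4),
        "stale":       check_submission(token, t0 + 2 * 86400),
        "tampered":    check_submission(tampered, t0 + 8.2),
        "garbage":     check_submission("not-a-token", t0 + 8.2),
        # A bot that sleeps for a human-looking interval passes: the filter
        # only removes bots that do not bother to time their submission.
        "patient_bot": check_submission(token, t0 + 6.0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The check is cheap to add alongside other signals, but as the 'patient_bot' case shows it only filters bots that submit without pacing themselves.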

  19. DarthKegRaider
    Happy

    If more sites had DOOM Captcha then no one would complain!

    I recall this little beauty from a few years back, I thought 'el Reg covered it. Maybe I was mistaken...

    https://vivirenremoto.github.io/doomcaptcha/

    Either way, I could continue to shoot the baddies without even bothering going to the actual website!

  20. Mage Silver badge
    Flame

    And why is Google's reCaptcha free?

    Why are we getting them not just on creation of a new account but after login. Both text and image picking.

    Why do they popup very much less often if using Chromium?

    eBay even denied they were serving them. I sent them screen shots and they stopped communicating. I've stopped using eBay.

    Ebay after login.

    Amazon after login.

    Kobo after login

    Are the Google reCAPTCHAs even legal in the EU?

    And what is the real purpose?

    https://m.xkcd.com/1897/

  21. sketharaman

    We've been hearing that bots are better at cracking CAPTCHAs for at least four years - ever since The Verge published this article in 2019: https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence. Still, a vast majority of the most popular websites in the world continue to use them, even at the cost of annoying their users. I'm somehow inclined to take these research findings with a barrel of salt.

    1. Diogenes8080

      Possibly captchas make mules uneconomic and block the vast majority of spiders that aren't equipped to deal with them?

      Just because it's possible for a bot to defeat a CAPTCHA does not mean that every ripper and leech comes equipped with the code to do so.

  22. Toni the terrible

    A Bot?

    I often fail CAPTCHA requests; does this mean I am a Bot? And a poor one at that.

  23. Bump in the night
    FAIL

    Unbreakable toys are good for breaking other toys

    This has "computers are best at messing up other computers and not much else" written all over it.

    By the way, where can I get this? I can never enter those things right the first time . . .
