So much for CAPTCHA then – bots can complete them quicker than humans
We, for one, welcome our distorted-letter-recognizing overlords
Completely Automated Public Turing test to tell Computers and Humans Apart – better known as the ubiquitous CAPTCHA we see standing athwart the doors to many websites – may now be a misnomer as researchers have found that computers are much better at completing them.
The bot defense measure dates back to 1997, and the tortured acronym to 2003, with the technology starting out as a distorted series of letters and/or numbers. Google's implementation, reCAPTCHA, eventually did away with many of these shenanigans to make the browser identify low-risk human users in the background, but the image verification method still pops up occasionally if risk cannot be ascertained.
Normal people see them as a time-waster, web devs see them as a crucial defense against bots, and criminals see them just as another obstacle to be hurdled.
"We do know for sure that they are very much unloved. We didn't have to do a study to come to that conclusion," team lead Gene Tsudik of the University of California, Irvine, told New Scientist. "But people don't know whether that effort, that colossal global effort that is invested into solving CAPTCHAs every day, every year, every month, whether that effort is actually worthwhile."
Thanks to the inexorable march of progress, the answer appears to be no.
Having found that 120 of the 200 most popular websites used CAPTCHA tests of one sort or another, the team enlisted 1,000 people of all ages, sexes, locations, and education levels, and got them to each perform 10 CAPTCHA tests on these sites.
They then compared their successes to those of a number of bots coded by researchers and published in journals for the purpose of beating CAPTCHA tests. The results make for embarrassing reading.
For distorted text fields, humans took 9-15 seconds with an accuracy of just 50-84 percent. Bots, on the other hand, beat the tests in less than a second with 99.8 percent accuracy.
"There's no easy way using these little image challenges or whatever to distinguish between a human and a bot any more," commented team member Andrew Searles, recommending that organizations should use "intelligent algorithms" to sort bot interactions from legit ones rather than CAPTCHA.
The full paper, "An Empirical Study and Evaluation of Modern CAPTCHAs," is here.
Shujun Li, professor of cyber security at the University of Kent, explained that the explosion in advanced machine learning methods has rendered the defense obsolete.
"In general, as a concept CAPTCHA has not met the security goal, and currently is more an inconvenience for less determined attackers," he said. "New approaches are needed, like more dynamic approaches using behavioural analysis."
Jess Leroy, senior director of product management at Google Cloud, added: "We are increasingly focused on recognizing and interrupting malicious activity, whether perpetrated by bots or humans. As such, we are able to help our customers prevent loss even as AI bots become better at masquerading as humans. Further, we have a very large focus on helping our customers protect their users without showing visual challenges, which is why we launched reCAPTCHA v3 in 2018."