In the ongoing saga of CAPTCHA cracks, progress tends to be incremental: cracks are released with success rates of one or two percent, and CAPTCHA products are quickly patched to defeat them. Not so with Monday’s news that AI startup Vicarious claims to have cracked most popular CAPTCHAs—including reCAPTCHA—with a success rate of over 90%. Since CAPTCHA-solving computer networks can make thousands of attempts per minute, even a success rate as low as 1% is considered a functional crack!
In Vicarious’ video (shown below), their software scans various CAPTCHAs and identifies the letters they contain, often getting most or all of the letters correct on the first try. (And since many CAPTCHAs, including reCAPTCHA, only require that users get one of the two words correct, partial accuracy is often enough.)
Were Vicarious’ tool to be released into the wild, it could enable hackers and other nefarious actors to bring CAPTCHA systems worldwide to their knees. Luckily, that’s not going to happen here—Vicarious developed their CAPTCHA crack as part of a broader artificial intelligence system, and they have no plans to make it publicly available. But if a small company like Vicarious was able to crack CAPTCHA so effectively, how long before the spammers and scammers are able to as well?
The latest scam: creepy stock photo people who pop directly out of your monitor!
Of course, in all likelihood this crack won’t work for long: the CAPTCHA creators will update their CAPTCHAs to make them more difficult, and all will be well—or so they’ll claim. But in the war between the CAPTCHA-makers and the CAPTCHA-crackers, it’s us, the regular humans, who suffer. Every time CAPTCHAs are updated to become more effective at stopping bots and cracks, they become harder for humans[1]. What do we do once bots are able to solve CAPTCHAs that look like this?
This humans vs. bots arms race is just one of the reasons we designed PlayThru to be different. Since PlayThru determines humanity by analyzing user interaction, we can increase (or decrease) security without making the games any more difficult to play. In fact, we develop our humanness-scoring algorithm using the same types of machine learning that Vicarious uses. Essentially, we’re letting the bots fight it out, while the humans go on with their lives unscathed.
Score one for Team Humans!
1. Yes, we know about the recently-announced reCAPTCHA update that uses other kinds of analysis to give likely humans easier CAPTCHAs. But this only begs the question: if they know we’re most likely human, why are they showing us a CAPTCHA at all? Besides, it’s only a matter of time before the bots figure out how to exploit these techniques and we’re back to badly distorted text.
In fact, some other CAPTCHA companies have had similar systems for a while. They attempt to guess whether or not you’re a human before they show you a CAPTCHA, and to show easier CAPTCHAs to suspected humans. And it sort of works, sometimes… but when it doesn’t, you get gobbledygook like this:
David has created a Clojure library for PlayThru, and graciously shared it with the entire community. Check out David’s Clojure library on Bitbucket.
Created your own plugin or library for PlayThru? We’d love to hear from you!
Providing support for a web plugin can be infuriating. People will install PlayThru and come to us with support requests, and a lot of times, those requests will have nothing to do with the part of their site that we control. For example…
- “How do I make my contact form redirect to another page upon completion?” — Not our fault.
- “How do I get my website to email me whenever someone leaves a comment?” — Not our fault.
- “I’m getting a lot of Trackback spam. Can you do something about that?” — Not our fault.
- Or this gem, from an old support chat:
Perhaps you’re noticing a pattern here: we’re constantly asked to fix stuff that’s not our fault.
When this happens, we have an easy way out. We can explain that your problem isn’t our fault. We can explain that the only part of your site we’re responsible for is the human verification game—that we don’t control your contact form, your email settings, your Trackbacks… or your 1895 Chilean musket. We can offer a half-hearted “apology” and move on.
Sure, we can do all of that… but why would we?
People discover PlayThru because they have a problem—they’re getting tons of comment spam, or the CAPTCHA on their registration page is driving users away—and we help them fix that problem. Why wouldn’t we help them fix their other problems as well? People, especially beginners, don’t know and don’t care if the problem on their site was caused by this plugin or that plugin or their own error. They just know that something is broken.
People remember when a company goes above and beyond. So when someone has a problem with their contact form, we help them with their contact form. When someone has a problem with their email settings, we help them with their email settings. And once, when someone had trouble with PlayThru because their laptop’s trackpad was broken, we sent them a mouse.
Not that kind of mouse.
It’s simple, really. We started this company to solve people’s problems, and that’s what we’re going to do—even if they’re not our fault.
Oh, and that guy who asked about what kind of bullets his 1895 Chilean Mauser needed? The answer’s 30 caliber. That’s right—we looked it up for him.
Today we’re posting documentation about two features that let developers customize and interact with PlayThru in unique ways:
Because runtime options require a direct call to getPublisherHTML, you’ll have to be using a direct language integration like PHP to make use of them—they’re not compatible with plugins like our WordPress plugin. Game state events, however, are compatible with all PlayThru integrations.
You can read more about runtime options and game state events on our installation page. And if you use either advanced feature to do something particularly cool, let us know and we’ll share your project with the world!