Category Archive: news

  1. Soon, Only Bots Will Be Able to Complete CAPTCHA

    1 Comment

    Vicarious reCAPTCHA crack

    In the ongoing saga of CAPTCHA cracks, progress tends to be incremental: cracks are released with success rates of one or two percent, and CAPTCHA products are quickly patched to defeat them. Not so with Monday’s news that AI startup Vicarious claims to have cracked most popular CAPTCHAs—including reCAPTCHA—with a success rate of over 90%. Since CAPTCHA-solving computer networks can make thousands of attempts per minute, even a success rate as low as 1% is considered a functional crack!

    In Vicarious’ video (shown below), their software scans various CAPTCHAs and identifies the letters they contain, often getting most or all of the letters correct on the first try. (And since many CAPTCHAs, including reCAPTCHA, only require that users get one of the two words correct, partial accuracy is often enough.)

    Were Vicarious’ tool to be released into the wild, it could enable hackers and other nefarious actors to bring CAPTCHA systems worldwide to their knees. Luckily, that’s not going to happen here—Vicarious developed their CAPTCHA crack as part of a broader artificial intelligence system, and they have no plans to make it publicly available. But if a small company like Vicarious was able to crack CAPTCHA so effectively, how long before the spammers and scammers are able to as well?

    email scam
    The latest scam: creepy stock photo people who pop directly out of your monitor!

    Of course, in all likelihood this crack won’t work for long: the CAPTCHA creators will update their CAPTCHAs to make them more difficult, and all will be well—or so they’ll claim. But in the war between the CAPTCHA-makers and the CAPTCHA-crackers, it’s us, the regular humans, who suffer. Every time CAPTCHAs are updated to become more effective at stopping bots and cracks, they become harder for humans1. What do we do once bots are able to solve CAPTCHAs that look like this?

    unreadable CAPTCHA

    This humans vs. bots arms race is just one of the reasons we designed PlayThru to be different. Since PlayThru determines humanity by analyzing user interaction, we can increase (or decrease) security without making the games any more difficult to play. In fact, we develop our humanness-scoring algorithm using the same types of machine learning that Vicarious uses. Essentially, we’re letting the bots fight it out, while the humans go on with their lives unscathed.

    Score one for Team Humans!


    1. Yes, we know about the recently-announced reCAPTCHA update that uses other kinds of analysis to give likely humans easier CAPTCHAs. But this only begs the question: if they know we’re most likely human, why are they showing us a CAPTCHA at all? Besides, it’s only a matter of time before the bots figure out how to exploit these techniques and we’re back to badly distorted text.

    In fact, some other CAPTCHA companies have had a similar systems for a while. They attempt to guess whether or not you’re a human before they show you a CAPTCHA, and to show easier CAPTCHAs to suspected humans. And it sort of works, sometimes… but when it doesn’t, you get gobbledygook like this:

    bad CAPTCHA gobbledygook

  2. CAPTCHA-Solving Tools Are Facilitating Russian Cybercrime

    Leave a Comment

    We like to joke that CAPTCHA provides a criminally bad user experience, but here’s a report about insecure CAPTCHAs enabling actual crime. From security researcher Dancho Danchev at the Webroot Threat Blog:

    Just how challenged are cybercriminals when they’re being exposed to CAPTCHAs in 2013? Not even bothering to “solve the problem” by themselves anymore, thanks to…an automatic registration tool which undermines the credibility of Russia’s major free email service providers by allowing cybercriminals to register tens of thousands of bogus email accounts.

    Danchev goes on to explain how this easily-available tool uses a relay attack, in which each CAPTCHA’s image is passed along to a human solver, to enable Russian cybercriminals to register thousands of fraudulent accounts. They can then use those accounts to send spam or register malicious domains.

    CAPTCHA-solving tool
    Screenshot of one CAPTCHA-solving tool

    This is just one more area in which PlayThru puts CAPTCHA to shame. Unlike traditional text CAPTCHAs, PlayThru isn’t just a test that’s looking for a correct answer. Our games require direct user interaction, so they can’t be passed off over the internet for someone else to “solve” via a relay attack.

    Read more on the Webroot Threat Blog.

  3. Ticketmaster CAPTCHA Disaster

    1 Comment

    Sher, an employee at our corporate friend and office-sharer Doodle Home, wrote to her team today to share a terrible experience she had with the Solve Media CAPTCHA on Ticketmaster’s site. The CAPTCHA was so bad, she wasn’t ever able to get her tickets!

    We’re sharing her email with you below. It’s a great reminder of why we started Are You a Human: to save people from unpleasant experiences like this one.

    Hi team, I wanted to share this experience with you. And believe me, if you know how this works, please feel free to reply to all with your feedback, I will not be embarrassed. This is an example of Not Simple = No Sale.

    Yesterday I was so excited to try and buy presale tickets to Justin Timberlake and Jay-Z on August 6th. Ready to buy and go in and get the best tickets, woot woot!

    Before I could see what seats were available and actually purchase them I had to first get through the human verification measures that Ticketmaster has in place. Below is their system (OMG).

    Ticketmaster disaster!

    First, I don’t know if I am supposed to solve a puzzle and answer a question from this or just simply try to decode the letters? No direction (the help button gives no direction on this either). After 15 – 20 minutes of attempts to try to enter the answer, I gave up.

    Long story short, Ticketmaster lost out on a big sale from me.

    Sher, we feel your pain. Have your own story about a CAPTCHA disaster? Reach out and tell us all about it!

  4. Ticketmaster replaces hated CAPTCHA with different, equally-hated CAPTCHA

    Leave a Comment

    CAPTCHA—which asks users to type in distorted text to prove they are not robots trying to cheat the system—is one of the web’s biggest annoyances. Recently, ticket retailer Ticketmaster has gotten a lot of positive press for overhauling their CAPTCHA system. But there’s a dirty little secret about the new system: it’s just as unpleasant as the last one.

    Meet the new CAPTCHA, same as the old CAPTCHA

    Ticketmaster is now using Solve Media’s “Type-In” product, which asks users to (you guessed it) type in distorted text. Sometimes this text is legible, but sometimes it’s as warped and misshapen as Voldemort’s face. Take a look for yourself—and remember, these are from the new system:

    Ticketmaster CAPTCHAs

    The PlayThru Promise

    At Are You a Human, we make a promise to our users: we’ll never force you to decipher twisted text. We want to build a verification system that’s more than just functional—we want to build one that makes you smile. That’s why we make games like “Make lemonade,” “Put the fish in the ocean,” and “Complete the face.”

    Type-in vs PlayThru

    Type-In (left) vs. PlayThru (right): Which would you rather do?

    Spread the Word

    If you like PlayThru, we’d really appreciate your help getting the word out on Twitter and Facebook. And if you have any comments or suggestions, we’d love to hear them. Write to us here or tweet @areyouahuman.