
Captchas Are Getting Harder (wsj.com)

(Friday April 26, 2024 @05:20PM (msmash) from the very-annoying dept.)


Captchas that aim to distinguish humans from nefarious bots are [1]demanding more brain power. WSJ:

> The companies and cybersecurity experts who design Captchas have been doing all they can to stay one step ahead of the bad actors figuring out how to crack them. A cottage industry of third-party Captcha-solving firms -- essentially, humans hired to solve the puzzles all day -- has emerged. More alarmingly, so has technology that can automatically solve the more rudimentary tests, such as identifying photos of motorcycles and reading distorted text. "Software has gotten really good at labeling photos," said Kevin Gosschalk, the founder and CEO of Arkose Labs, which designs what it calls "fraud and abuse prevention solutions," including Captchas. "So now enters a new era of Captcha -- logic based."

>

> That shift explains why Captchas have started to both annoy and perplex. Users no longer have to simply identify things. They need to identify things and do something with that information -- move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape. Compounding this bewilderment is the addition to the mix of generative AI images, which creates new objects difficult for robots to identify but baffles humans who just want to log in. "Things are going to get even stranger, to be honest, because now you have to do something that's nonsensical," Gosschalk said. "Otherwise, large multimodal models will be able to understand."



[1] https://www.wsj.com/lifestyle/captcha-not-robot-tests-harder-5129caf2



Ads and captchas (Score:2)

by HBI ( 10338492 )

Enough to deter. Perhaps they should evaluate the lost traffic in comparison to letting some bots through. The day of the captcha is about done anyway.

Re: (Score:3)

by wakeboarder ( 2695839 )

They don't deter, AI can beat humans at solving many of them and sometimes better than humans. The humans are stuck waiting and randomly clicking.

Re: (Score:3)

by Baron_Yam ( 643147 )

In fact, smarter people may have to start playing dumb, as solving a captcha too quickly can be a sign it is being done by a bot.

Of course, the counter is adding in a human response profile, applying the correct delay and randomization to match what bot-detectors are using to determine 'humanness'.

Re: (Score:2)

by pz ( 113803 )

I run a small web site with a decent level of human traffic for what it is. I haven't run the figures recently, but last time I did, about 90% of the page accesses were from bots. Fortunately, most of the bots are dumb and measures like captchas block them from the pages that need protection, as a first layer of security.

So it isn't a question of letting some bots through, it's a question of letting a horde of bots through that will dominate traffic to the site.

Re: (Score:1)

by ihavesaxwithcollies ( 10441708 )

> I run a small web site with a decent level of human traffic for what it is. I haven't run the figures recently, but last time I did, about 90% of the page accesses were from bots.

How do you know you're not just terrible at what you do? Those 90% were just a small fraction of what got blocked and the rest were just running wild on your "small web site".

Re: (Score:3)

by NomDeAlias ( 10449224 )

You're terrible at guessing what web masters do.

Re: (Score:2)

by omnichad ( 1198475 )

The more sophisticated bots have a real computational cost to them. A really boring CAPTCHA will keep your web site contact form safe, because there's not enough financial incentive. Anything being used to bypass the more complex CAPTCHAs is going to be targeting high profile web sites with a well defined return value.

unreadable (Score:2)

by sdinfoserv ( 1793266 )

Half the time I can't even read the captcha. What a pain in the ass.

Re: (Score:3)

by jmccue ( 834797 )

95% of the time, if I get a CAPTCHA I bail thinking "I guess they do not want me to see their content". It is the number 1 reason I now use duckduckgo instead of google. Every time I try to use google I get a CAPTCHA.

Re: (Score:3)

by NomDeAlias ( 10449224 )

You're likely infected by malware that is using your IP to bot on Google. Clean your computer.

Re: (Score:3)

by SilentChasm ( 998689 )

Or using a VPN that has an IP shared by others who are either infected or malicious.

Re: (Score:2)

by Kernel Kurtz ( 182424 )

Yeah, Google really does not like VPN traffic. DDG is fine.

Re: (Score:2)

by Calydor ( 739835 )

I was shown one the other day that looked like a bad acid trip full of psychedelic colors, and some animal shapes you had to match to dotted silhouettes at the top. Absolutely insane. I started feeling dizzy and nauseous from looking at it for just ten seconds.

Missed opportunity for a headline (Score:3)

by Plumpaquatsch ( 2701653 )

"AI makes it harder to prove you are not a robot."

Re:Missed opportunity for a headline (Score:5, Funny)

by Registered Coward v2 ( 447531 )

> "AI makes it harder to prove you are not a robot."

or a dog..

TFS missed one (Score:2)

by sjames ( 1099 )

> Users no longer have to simply identify things. They need to identify things and do something with that information -- move a puzzle piece, rotate an object, find the specter of a number hidden in a roomscape...

Hit the back button and browse elsewhere

Re: (Score:2)

by ebunga ( 95613 )

I do that every time I go to a website and it has a must-click popup. Eventually some marketing taintstick will get the hint that their engagement goes down when they bother people, but we know that marketing people are inhuman scum and will take that as a reason to bother you more.

Re: (Score:3)

by timeOday ( 582209 )

Sure, until a captcha is suddenly implemented to guard the entrance to your banking website. (My credit union did).

Ebay has really clamped down, too. My ebay account was once tied to me by nothing more than a throwaway email. But now it's tied to your phone, your bank, and your social security number (because they report your sales to the IRS).

It's all pretty irksome, until my credit card number gets stolen yet again and wastes more of my time than typing in a 2FA ever could.

Sometimes you wonder if

There should be laws (Score:3)

by wakeboarder ( 2695839 )

against recaptcha. It's useless and the site admins always turn it all the way up so you have to solve it for 2 minutes straight. I'll bet this is wasting millions of dollars worldwide. Putting recaptchas on your website is a good way to piss off customers. For some reason lately you can even solve them correctly, you can go through several rounds and not even get anywhere with it. In addition AI can solve them better than humans, so essentially you are locking out the humans and letting the bots through.

Let me ask you a question, would it be acceptable to put a 1-2 minute timer on your website just to waste people's time? Because that's what recaptchas do.

Re: (Score:2)

by Fly Swatter ( 30498 )

I guess some people are just captcha challenged. Glad it's not me; although a few years back there was one set of photos where you were supposed to click on all the mailboxes, but the captcha itself was broken because one picture of a street address painted on a curb was supposed to be considered a mailbox...

Even if they are useless it does slow down the bot traffic that would otherwise overwhelm some sites.

Re: (Score:2)

by Kernel Kurtz ( 182424 )

> I guess some people are just captcha challenged. Glad it's not me; although a few years back there was one set of photos where you were supposed to click on all the mailboxes, but the captcha itself was broken because one picture of a street address painted on a curb was supposed to be considered a mailbox...

I'm never sure how much of the motorcycle has to be in the picture. Does that little corner of the mirror or edge of the tire really count as "pictures with motorcycles"?

Re: (Score:2)

by jgfenix ( 2584513 )

I hear you, brother

Re: (Score:2)

by wakeboarder ( 2695839 )

Not when the system admins force you to do 5 rounds of captchas, and you can't solve them fast either or it will give you more.

Re: (Score:2)

by kvezach ( 1199717 )

I'm pretty sure they don't just use it as a bot detector, but to do rate-limiting too. The faster you solve them the more they dump on you so that it will slow you down.

It's a pretty dishonest way to do rate-limiting to be honest.

Re: (Score:2)

by codebase7 ( 9682010 )

Instead of laws against recaptcha, how about laws against using someone else's site to advertise without their explicit permission?

If we take the argument of "My site is my property" to its logical conclusion, then these bots are effectively defacing private property to make money. That's already illegal in many physical places. Take their profits (plus a percentage penalty fine) away, and give it to the property owner whom they've plastered their ads on.

Re: (Score:2)

by jgfenix ( 2584513 )

Select all the pictures that have cars/dogs/whatever until there are none left. The whatever continues to reappear. When it's done, instead of "solve" there is a "next" button. Repeat, combined with selecting parts of a picture. After 6 or 7 rounds and more than 40 clicks finally the "solve" button appears but apparently I guessed wrong and I have to restart the process. I resist the urge to throw the laptop out the window, curse the captcha's developers and promise to kill them if I meet them in real life.

Re: (Score:2)

by Linux Torvalds ( 647197 )

Old and busted: "Click on all squares that contain a traffic light"

New hotness: "Write a one-paragraph erotic fiction story"

Re: (Score:2)

by Calydor ( 739835 )

"I have a girlfriend. She's hot."

Do many couple with firewall? (Score:2)

by stabiesoft ( 733417 )

I run a small server that does not do logins, but I still find all the attempts annoying. So I've walled off a good bit of Russia, China, NK etc to cut down on the traffic. Do others do this? I get that some companies may need to have access from these cesspools, so some can't. But I'd be good even if my bank (smaller state based) denied access from certain countries if they made that known. Actually I'd prefer if they did, because it would secure things (my money) down a bit more. Not much, but a bit. And a

Re: (Score:2)

by The-Ixian ( 168184 )

Seems like a simple solution to stop bots would be to deny any layer 7 traffic that contains an IP address where a host name is expected.

A lot of bots are just scanning IP space and attempting brute force logins whenever they encounter a recognized login form.

For example, https://google.com and https://142.251.40.206 are equivalent, but only a bot would be accessing the IP address directly.
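The check suggested in the comment above, sketched as an added example that is not part of the original post: classify the HTTP `Host` header and refuse requests that name an IP literal. It goes one step further than the comment by also refusing hostnames the site does not serve; `EXPECTED_HOSTS` and the sample values are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Hostnames this site is meant to answer for (assumed values for the example).
EXPECTED_HOSTS = {"example.org", "www.example.org"}

def split_host_port(value):
    """Split a Host header value into (host, port or None)."""
    value = value.strip()
    if value.startswith("["):                      # bracketed IPv6, e.g. [2001:db8::1]:8443
        end = value.find("]")
        if end == -1:
            return value, None
        rest = value[end + 1:]
        return value[1:end], rest[1:] if rest.startswith(":") else None
    if value.count(":") > 1:                       # unbracketed IPv6: no port can be told apart
        return value, None
    host, sep, port = value.rpartition(":")
    return (host, port) if sep and port.isdigit() else (value, None)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(host_header):
    """Return 'deny-ip', 'deny-unknown' or 'allow' for one Host header value."""
    if not host_header or not host_header.strip():
        return "deny-unknown"
    host, _port = split_host_port(host_header)
    host = host.rstrip(".").lower()                # tolerate trailing dot and mixed case
    if is_ip_literal(host):
        return "deny-ip"
    return "allow" if host in EXPECTED_HOSTS else "deny-unknown"

# Constructed sample of Host header values as they might appear in an access log.
SAMPLE_HOSTS = ["www.example.org", "192.0.2.10", "192.0.2.10:443", "Example.ORG.:443",
                "[2001:db8::1]:8443", "2001:db8::1", "other.example.net", ""]

def summarize(hosts):
    return Counter(classify(h) for h in hosts)

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h!r:24} -> {classify(h)}")
    print(dict(summarize(SAMPLE_HOSTS)))
```

Health checks and load balancers often address a server by IP, so run a check like this in log-only mode against real traffic before enforcing it.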

Re: Do many couple with firewall? (Score:2)

by bradley13 ( 1118935 )

For the websites I used to manage, I blocked all of Asia. Piles of bots and hacking attempts from India, China, Russia, Pakistan, etc. Also a lot from the US, but we also had legitimate traffic from there, so I couldn't block it.

This will not end well (Score:5, Interesting)

by Roger W Moore ( 538166 )

The logical conclusion of this arms race is that eventually they are going to make things so hard that no human will be able to get in without an AI algorithm at which point the only people accessing the site will be the scammers.

Re: (Score:2)

by IcyWolfy ( 514669 )

How else is SkyNet meant to gain control over society?

Illegal, unpaid labor farms making you work harder (Score:2)

by ebunga ( 95613 )

There, fixed the headline.

They expect me ... (Score:2)

by PPH ( 736903 )

... to spot the bicycles? I can't even do that when I'm driving!

Re: (Score:2)

by Powercntrl ( 458442 )

> ... to spot the bicycles? I can't even do that when I'm driving!

Busses, bridges, taxis, motorcycles... Damn it Google, why don't you just teach your self-driving cars the same way everyone else does, by putting them on the road and letting them learn from their own mistakes? So what if a few of them end up reenacting some drunk GTA V gameplay scenes. That's just the price of progress! /s

Captcha is the early exit for me. (Score:4, Insightful)

by Petersko ( 564140 )

Unless there is an unbelievably specific reason to do otherwise, when I see a captcha, that's it. I'm out. I have walked away from giving companies my business over this.

This wasn't true until it got to the point where "pick all squares with a motorcycle" got to "try to guess if we think the motorcycle rider's helmet is part of the motorcycle".

Fuck them. May the creators of CAPTCHA/ReCAPTCHA/whatever rot.

Re: (Score:2)

by dfm3 ( 830843 )

Usually those are not looking for you to click on specific tiles, but use other data like mouse movements and browser config to fingerprint you. I typically just click a few tiles at random and more often than not, it passes.

can make it more about doing something for 30 sec (Score:2)

by Joe_Dragon ( 2206452 )

can make it more about doing something for 30 sec and not needing to get it right. That will slow down bots big time.

Logic problems (Score:3, Insightful)

by davidwr ( 791652 )

What is your credit card number minus the current year?

What is the square of your credit card PIN?

What is 10 times the security code on the back of your credit card?

Type your name adding 1 letter to each letter, so A becomes B and so on, with Z becoming A.

Type your zip code backwards.

I hate captchas (Score:1)

by TheSlashdotHunter ( 10317841 )

Just saying, if I see a captcha and it isn't my bank site or something extremely important, I'm moving on. If you are an important site, I tend to email the companies with my disdain. Long story short, you better have something worth my time, because if not, you lost my business. Captchas have ruined the internet more than ads.

Regarding bear-proof garbage bins: (Score:2)

by TheNameOfNick ( 7286618 )

Quote from a Yosemite Park forest ranger: "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists." The same applies to bot-proof websites: There's a considerable overlap between the capabilities of the smartest software and the dumbest website visitors.

Re: (Score:1)

by LinuxRulz ( 678500 )

Thus, it's important to bear-proof your websites with honeypots and blackholes.
