Have you ever struggled to identify letters from a distorted image or find all the pictures of fire hydrants or traffic lights? Or maybe you’ve been baffled by how simple it is to click on the checkbox to verify you are a human. Oftentimes, these tests either seem too easy for bots to do or too hard for humans to complete. Does CAPTCHA stop bots successfully? And if it does, how do they actually work at stopping them?
What is CAPTCHA?
Well, starting off, CAPTCHA which stands for Completely Automated Public Turing test to tell Computers and Humans Apart” is used to prevent bots from spamming websites by creating multiple accounts or posting several messages.
How are these tests able to successfully stop these bots? Well, originally, CAPTCHA tests were simple distorted text, which was images. If you have ever scanned the document and tried to ‘ctrl F’ something in the document, you may have realized that most programs cannot find text within an image and this is what CAPTCHA took advantage of.
People can read text on images but the computers were simply a conglomeration of random pixels. But as time passed along optical character recognition programs evolved, these tests became easier and easier for bots to crack and this is why the texting CAPTCHA became more and more distorted.
If you ever struggled to correctly identify these distorted letters, well you’re not alone. At a point, these letters became so distorted in an effort to fight against advancing bots that they actually became too hard for humans to discern. In fact in 2014, before the switch to – ”I am NOT a robot” checkbox, computers got the CAPTCHA test right 99.8% of the time, while humans only got it right 33% of the time. So clearly, this was not keeping out the right demographic.
As a result after a few years of development, Google came out with reCAPTCHA as a replacement. This is what you usually come across today, the iconic I am NOT a robot checkbox, sometimes followed up by identifying crosswalks and traffic lights.
How Does CAPTCHA Work?
So how do these checkboxes work? They seem to be much easier than discerning distorted text. Well, Google doesn’t officially release a “how reCAPTCHA works” for obvious reasons but the community has, over the past couple of years, developed some surprisingly effective key points that Google uses to determine if you’re a human.
Starting off, when every CAPTCHA is presented to you the website tracks your mouse movements. See, we humans have a human behavior and are not very nimble with the mouse, we are unable to move it in a linear fashion at a constant speed. We often jitter or move it in an arc fashion with random spurts of speed, we may overshoot the check box and move our mouse back to click it on the edge. Before all of this, we may have taken a second or two to even realize where the check box is. See, the problem for robots is that they are too intelligent to make such stupid human errors. They are able to identify the check box within milliseconds, swiftly move them in a linear fashion, and then click on the center of them.
Does CAPTCHA Really Help?
Computers are extremely efficient but one place where they struggle a lot is in trying to replicate human behavior and this carries on to the following test as well. If you are asked to identify a crosswalk or traffic light, you may move a mouse over each slide and think about it for a couple of seconds before choosing one of the slides. A computer on the other hand would simply analyze an image in a split second and choose the correct slides. As a result, Google isn’t checking if you click all the slides with crosswalks correctly but rather monitoring how you interact with the image. They may actually throw in traffic lights that are notoriously hard for humans to spot, so if you exhibit a human mouse behavior and miss one of the slides with traffic lights, you may actually still be a lot forward.
So essentially, Google realized that robots are much smarter than humans, so testing for intelligence simply would not work. As a result, the newer reCAPTCHA alternative basically tests if you exhibit behavior that is less than perfect. Ironically to get to reCAPTCHA, you have to act dumber than a computer would. But it’s not just how you interact with the images either.
Google also takes advantage of your recent activity on Google. Perhaps you misspelled a word as you were searching Google or maybe you clicked on several different links before landing on the page you are currently on. Furthermore, Google takes into account how often you create new accounts or try to post. Security researchers say that Google takes advantage of cookies, browser attributes, and traffic patterns. It also takes into account if you’re using a VPN or have anti-tracking extensions. These can actually all lead to you filing a reCAPTCHA. But all these methods of testing are just temporary.
Machine learning is constantly getting better and their ability to mimic human behavior will eventually be on point. So not only will both be able to analyze video, audio and images better than us, but also act as human as us. In fact, an engineering lead at Google claims as such blockades will only prove effective for another five to ten years. After this, we will most likely have to turn to constant tests running in the background as we surf the web. So as a recap, bots had trouble completing CAPTCHA in the past as they were not capable of analyzing and successfully completing Turing tests. But as bots have gotten smarter, these tests have started to rely on human behavior to determine if a user is human. Currently, it is difficult for bots to emulate human behavior, but that too will one day change and then we will have to deal with constant monitoring. But that’s why bots can’t complete reCAPTCHA right now.