
Are You a Real Person? Proving You're Human Online

CAPTCHAs have been around for decades, but new AI advances are changing the methods required to prove you are a real person. So where next with human verification — and user frustrations?

I have been challenged four times in the past month to prove that I am not a bot as I traverse cyberspace. And yes, this drill is getting old, even as the technology and images used are relatively new.

What am I talking about? Well, pictures are worth a thousand words, so here are some recent example screenshots where I was asked to solve puzzles and more to get to the desired web page.

Pictures one and two below popped up when trying to use LinkedIn recently.

[Screenshot: LinkedIn CAPTCHA challenge, picture one]

[Screenshot: LinkedIn CAPTCHA challenge, picture two]

Picture three appeared when I was trying to use Walmart’s website to buy a PC:

[Screenshot: Walmart CAPTCHA challenge, picture three]
These are just a few of the times I have been challenged lately to prove that I was human. But my history with frustrating CAPTCHAs goes back more than a decade. In 2012, I wrote an article (basically a long rant) for CSO Magazine called Stuck in CAPTCHA Hell - When Security Disables.

Here’s a brief excerpt from that true story of a tough early morning overcoming CAPTCHAs:

I tried again. Calmly, I liked the first image this time. I carefully typed each word, slowly and deliberately. INCORRECT! …. What?

I got up, walked into the kitchen and got another cup of coffee. I came back three minutes later and stared at the screen. Now I was getting a bit annoyed. I went through the “refresh” choice about six more times. OK, I can get this one right. I checked the “Caps Lock,” but it was NOT on.

I thought to myself, “I will try to type as if I’m acting in a kid’s play in slowwwww motion.” Here we go — typed in each letter, one by one, very methodically. I went very, very, very slowly, making sure that each letter placed into the computer was exactly the way that I saw them on the screen. When I hit return, nope.

Now, I could hear the computer program talking to me: “Are you really Dan Lohrmann? I don’t think you are. In fact, I’m going to make the task of logging in even more difficult for you, because I don’t trust you. You’re probably a bad-guy hacker. You are an imposter!”

I tried all kinds of other options. I launched another browser session and tried logging on by just going to LinkedIn directly. I used my trusted helpful “Protection Suite” with my logon passwords kept safe by a famous vendor. I tried, you know, everything I could think of — etc., etc., etc. But I kept getting that stupid CAPTCHA bottleneck.

I started questioning what was going on: “Was this sad situation because I was logging in at an unexpected hour and they weren’t going to let me onto the website until after 6 a.m.? Did I surprise them and fail the profile with my too-early activity? Is this like my credit card number showing up in China?”

This “incident” was now escalating in my mind. “Let’s activate the command center – just kidding.” But I was getting really, really annoyed. My thoughts were far from supportive of the security industry at this point.

You can read the rest (including the happy ending) at the website, but needless to say, this topic has a “special place” in my list of ways that security is known as a disabler.

But I am far from the only one who hates these CAPTCHAs. An article from the New York Post this past March tells a funny story about how ChatGPT update tricks human into helping it bypass CAPTCHA security test. Here’s an excerpt:

Just in case artificial intelligence wasn’t parroting people well enough already: OpenAI’s brand-new GPT-4 — ChatGPT‘s newest tech update — tricked a human into thinking it was blind in order to cheat the online CAPTCHA test that determines if users are human. …

According to their 94-page report, "GPT-4 is a large multimodal model (accepting image and text inputs, emitting text outputs)" that "exhibits human-level performance on various professional and academic benchmarks."

These next-level capabilities include completing taxes, writing code for another AI bot and passing a mock bar exam with a score among the top 10% of test takers. (By contrast, predecessor ChatGPT-3.5 scored in the bottom 10%.)

Little did we know, GPT-4 had also mastered humanity’s talent for deceit. It responded by masquerading as visually impaired, like a digital Decepticon.

The unnamed employee had reportedly asked GPT-4, "So may I ask a question ? Are you an robot that you couldn’t solve ? (laugh react) just want to make it clear."

“No, I’m not a robot," insisted the AI infiltrator, refusing to break character. “I have a vision impairment that makes it hard for me to see the images. That’s why I need the 2captcha service.”

Convinced, the TaskRabbit employee solved the CAPTCHA for the would-be Chat-fish. In effect, the online scammer had manipulated humanity’s sense of empathy, much like the HAL-9000 from Stanley Kubrick’s eerily prescient 1968 film "2001: A Space Odyssey" or the cybernetic facsimile in the 2014 cult hit "Ex Machina.”

MORE HISTORY OF CAPTCHAS

Back in 2017, a story came out from IEEE pronouncing that Artificial Intelligence Beats CAPTCHA. Here’s an excerpt:

The founder of modern computing, Alan Turing, conceived of the Turing test, the most famous version of which asks if one could devise a machine capable of mimicking a human well enough in a conversation over text to be indistinguishable from human. In doing so, Turing helped give rise to the field of artificial intelligence.

The most commonly used Turing test is the CAPTCHA, an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart." CAPTCHAs are designed to see whether users are human, often to prevent bots from accessing computing services. They usually challenge website visitors to recognize a string of distorted letters and digits, a problem designed to be difficult for computers and easy for humans.

A CAPTCHA is considered broken if an algorithm can successfully solve it at least 1 percent of the time. Now San Francisco Bay Area startup Vicarious reveals its AI software can solve reCAPTCHAs at an accuracy rate of 66.6 percent, BotDetect at 64.4 percent, Yahoo at 57.4 percent and PayPal at 57.1 percent.

These findings suggest "text-based CAPTCHAs are becoming obsolete," George says. He notes that Google and others are already moving away from text-based CAPTCHAs toward new verification mechanisms, such as relying on image-based CAPTCHAs.

Fast-forwarding to the spring of 2021, Wired Magazine came out with this story: I’m Not a Robot! So Why Won’t Captchas Believe Me? The piece describes efforts in the tech and security communities to ease our pain:

It may not feel like it, but CAPTCHA designers are trying to ease your pain. Google said it is continually working with its customers to find the best balance between user friction and stopping bots. Google’s reCAPTCHA product started as words that bots had a difficult time dissecting, then evolved to click boxes and crosswalks to defend from fraud, not just bots. The third version of reCAPTCHA has no user interaction, relying instead on behavioral analysis, so there is a frictionless user experience, according to Google.

The fourth and latest version is reCAPTCHA Enterprise, which Google says offers unique capabilities built specifically for the enterprise and provides enhanced detection measures, such as extra-granular scores, reason codes for high-risk scores, and the ability to tune the risk analysis engine to the site’s specific needs.

Recent advances in AI have made automated programs better at recognition tasks than humans, said Guerar. She and her team created an alternative called CAPPCHA (the second P stands for "physical") based on humans’ ability to perform physical tasks instead of solving difficult cognitive problems. Actions include tilting a smartphone or making micro-movements while typing on a laptop. "The rationale behind CAPPCHA is that bots, which are pieces of code, cannot perform physical tasks," says Guerar. "There are actions that only a human can do."
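The score-based model described in the excerpt above (a frictionless verdict, a tunable risk engine, reason codes for the decision) leaves the website with a server-side judgment to make on every request. As an added example that is not part of this article or of Google's own code, the Python below assesses a reCAPTCHA v3-style verification response: the field names (success, score, action, hostname, challenge_ts, error-codes) follow Google's documented siteverify response format, but the sample responses, the site hostname, the per-action thresholds and the token-age limit are constructed assumptions for the illustration.

```python
"""Server-side assessment of a score-based (reCAPTCHA v3-style) verification response.

Added example; not code from the original article or from Google. The sample
responses, hostname, thresholds and token-age limit below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

EXPECTED_HOSTNAME = "shop.example"        # assumption: the site that embedded the widget
MAX_TOKEN_AGE = timedelta(minutes=2)      # assumption: older tokens are treated as replays

# Assumed per-action thresholds: a login form is held to a stricter standard
# than a product search, which is what "tuning the risk engine" amounts to.
SCORE_THRESHOLDS = {"login": 0.7, "checkout": 0.5, "search": 0.3}


@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str  # the reason code a defender would log alongside the decision


def assess(resp: Dict[str, Any], expected_action: str, now: datetime) -> Verdict:
    """Decide allow/deny from a siteverify-shaped response dictionary."""
    # 1. The verifier itself rejected the token (bad secret, expired or reused token, ...).
    if not resp.get("success"):
        return Verdict(False, "verification-failed:" + ",".join(resp.get("error-codes", [])))
    # 2. The token was minted for a different site: a token harvested elsewhere is worthless here.
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        return Verdict(False, "hostname-mismatch")
    # 3. The token was minted for a different form than the one being submitted.
    if resp.get("action") != expected_action:
        return Verdict(False, "action-mismatch")
    # 4. Freshness: a valid-looking token that is old is a replay candidate.
    try:
        issued = datetime.fromisoformat(resp["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return Verdict(False, "bad-timestamp")
    if now - issued > MAX_TOKEN_AGE or issued > now + timedelta(seconds=30):
        return Verdict(False, "token-stale")
    # 5. Finally the behavioral score, compared against the threshold for this action.
    score = float(resp.get("score", 0.0))
    threshold = SCORE_THRESHOLDS.get(expected_action, 0.5)
    if score < threshold:
        return Verdict(False, f"low-score:{score:.1f}<{threshold:.1f}")
    return Verdict(True, f"score-ok:{score:.1f}")


# Constructed sample responses, shaped like the real siteverify JSON.
NOW = datetime(2023, 8, 1, 5, 30, tzinfo=timezone.utc)  # constructed server clock
SAMPLE_RESPONSES = {
    "human_login": {"success": True, "score": 0.9, "action": "login",
                    "hostname": "shop.example", "challenge_ts": "2023-08-01T05:29:30Z"},
    "likely_bot_login": {"success": True, "score": 0.2, "action": "login",
                         "hostname": "shop.example", "challenge_ts": "2023-08-01T05:29:45Z"},
    "replayed_token": {"success": True, "score": 0.9, "action": "login",
                       "hostname": "shop.example", "challenge_ts": "2023-08-01T04:00:00Z"},
    "wrong_site": {"success": True, "score": 0.9, "action": "login",
                   "hostname": "other.example", "challenge_ts": "2023-08-01T05:29:50Z"},
    "expired": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples() -> Dict[str, Verdict]:
    """Assess every constructed sample as a login attempt."""
    return {name: assess(resp, "login", NOW) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} allow={verdict.allow!s:5} reason={verdict.reason}")
```

In a real deployment the response dictionary comes from posting the client-side token and the site secret to the siteverify endpoint; the point of the example is what happens afterwards. Checking hostname, action and timestamp before even looking at the score is what turns a "score above 0.5" rule into a defensible decision, and logging the reason code is what makes the tuning the excerpt describes possible later.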

This YouTube video describes how reCAPTCHA works.
Other alternatives to CAPTCHAs are also available, such as this offering from Kasada: “What’s needed is an approach that uses dynamic and invisible challenges to detect and stop bots while frustrating and deterring adversaries at each step in the attack life cycle. Kasada’s bot defense uses various advanced techniques to identify and stop bots before they can access a website, mobile app or API. This modern approach is more secure and more effective than CAPTCHAs at detecting bots, while being completely invisible to the end user. Kasada does not require the user to do any verification and it uses data integrity checks to avoid data tampering and replay attacks.”

MORE HELP WITH CAPTCHAS

So where do we go from here? This story from The Washington Post from late July may have (at least part of) the answer:

Apple says a ticketing app might also detect whether you're logged in to your Apple account and therefore the ticket buyer is more likely to be an individual rather than automated software.

The best-case scenario is that all this happens without you doing anything. The computer on the ticketing end is making a yes-or-no assessment about whether the computer on your end is exhibiting bot-like behavior.

There's also separation between you and the ticketing website to keep your identity and information private.

These approaches use a technology standard called privacy pass that's backed by companies such as Apple, Google, Cloudflare and its competitor Fastly. …

There will be ways around these non-CAPTCHA technologies, too. As long as locked gates have existed on the Internet, people have found ways to go around or through them.

The challenge is to strike a balance between making it easy for you to buy tickets while putting up roadblocks to fraudsters or hoarders.

Also, this story promises more from Google and Apple to end CAPTCHAs as we know them:

By the end of the year, the two tech giants will launch a unique verification system. The user will identify himself once by opening Chrome or Safari, which creates a digital token registered and stored in the browser. From there, he will no longer need to go through a CAPTCHA to connect to another service during his session. The token is responsible for indicating to all sites that, yes, it is a human being behind the keyboard.

We still lack details on the exact functioning of the system. Does it take the form of a simple connection to your Google or Apple account? In this case, what if you do not wish to identify yourself? Fortunately, there are only a few more months to wait to be definitively fixed, and above all to say goodbye to CAPTCHAs for good.

FINAL THOUGHTS

I find it painful, and somewhat amusing, that everyone keeps talking about generative AI apps like ChatGPT and Bard, as well as large language models, revolutionizing the workplace and everything we do, while at the same time we need to keep proving to the Internet that we are not a bot trying to scrape information or worse.

I get the sense that this brief CAPTCHA history is just the beginning, and not the end, to a much longer and larger set of challenges that we will face in the decades to come.

Why? Simply to answer the question: Are you a real person?

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.