Bots x Humans: a Solution is Needed

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
4 Min read

So we all know the story, you’re browsing a site and you get asked to prove you’re a human: ‘Click all the pictures with cars in’ or something similar. A ‘Captcha’ in tech speak. Are these the solution to the bot problem? There are solutions that work like Captcha (but on steroids) which purportedly can’t be solved by robots.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%


If it is suspected that a bot is solving it, then that particular captcha is removed from the database. In order to combat this we’re seeing the emergence of so-called captcha farms based in India and China.

They work like this: a bot network is performing a certain task, it gets hit with an unsolvable captcha, it passes it to a human to solve and then continues its automated task. Imagine a shed full of people, sitting around, waiting for captchas to solve. Are you a human? Please prove that you are a human by solving this puzzle. So the human workers crack on and they solve these captchas, all day, every day. Humans proving that they are humans so bot networks can continue their work unrestricted.

In effect we’ve witnessed the birth of a Nigerian-fraudster-style of economy with people effectively working along with the malicious bots in order to overcome human challenges. The bots are actually passing off this work to a human (in a shed somewhere) which is quite crazy when you come to think about – but it is happening. Imagine a more strange job than sitting in a room all day proving that you’re a human for the purpose of a computer – the whole thing’s upside down.

Then again should we be surprised? If there’s money in something, don’t be surprised as to how complicated technology can get. In another example, we see the EA Sports game FIFA, a part of which allows you to ‘build’ players. As an online game, you can buy and sell players to other users across the entire platform, but it involves real interaction with things that happen on the screen and menus that need clicking at the right times.

So one gang came along and actually set up a farm of PlayStations with webcams watching the output on TVs. They then built code that tracked where it needed to move the mouse cursor to, or where it needed to move the control pad in order to click and make in-game purchases. In this way, they could play huge volumes of matches against each other, build up the qualifications of certain players (to make them more valuable) and then sell them in an online marketplace.

We are talking about a room full of computers with webcams attached to them, with enough intelligence to know how to interact with the game – a computer program was taught how to play this online football game, entirely autonomously.

If you consider how much this must have all cost, probably hundreds of thousands of pounds if not millions, then clearly the financial reward for doing so was there. That is the endgame – financial reward. If you do it en masse, and for long enough, then the money is there for the taking and the sophistication knows no bounds.

Ever since they were created, captchas have been commonly used to help prevent online fraud and those who perpetrate it. However, the monetary incentives we touched upon previously has effectively kicked off an arms race of sorts with a seemingly never-ending loop – fraudsters develop automated solvers and then captcha services modify their design to break the solvers.

Google’s captcha offering, ReCaptcha seeks to offer a system that requires a minimum of effort on behalf of a legitimate user whilst making things more challenging for the computers by requiring tasks that are more challenging than mere text recognition alone. This evolution of a more automated model is driven by an “advanced risk analysis system” that evaluates requests and selects the difficulty of the captcha that will be returned.

In this way, users might be asked to click within a checkbox, or to solve a challenge by identifying images of similar content.

Indeed, one particular paper outlines a comprehensive study of reCaptcha where the authors explore how the risk analysis process is influenced by each aspect of the request. Their extensive experimentation allowed them to identify flaws that effectively allow adversaries to effortlessly influence the risk analysis, bypass restrictions and deploy large-scale attacks.

Whilst the study focused on reCaptcha overall, the findings have wider implications – the future of captchas relies on the exploration of novel directions, an evolution in automation.

So what do these evolutions look like? One of the most promising on the market is Arkose Labs. Their system takes a new approach by creating objects that cannot be recognized by current AI. In this system, an object is rendered in a 3D environment with lighting and shadows being constantly changed. The result is a grayscale image that (to humans) looks like a dog or some other animal, but to AI it looks like smoke or a cave (pictured).

The user is then asked to complete some puzzle with the shape, for example turning it upright, which is easy if you know the object is an animal, not so easy if you think the object is smoke. Because it’s a whole new paradigm it would require the training of a whole new AI system, which takes a lot of time and money.

No doubt the arms race will continue and what is unsolvable today will be solved tomorrow. It will be down to human ingenuity to dream up things that we can easily solve, but the robots cannot. For sure the problem will become more difficult over time, which should make the solutions even more interesting.

Latest Articles

How to Defeat Bad Bots in 2024 (and Why It’s Still So Hard)

Introduction  Bots today outnumber human users in eCommerce sites: From 15% in 2017, to 30% in 2019, to 64% in 2021. Some extreme cases we’ve witnessed peaked in 90-99.8% bot traffic. But perhaps the more concerning bit is the traffic share of bad bots: an approximate 39% of all internet traffic in 2021.   Hackers are […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
13th June, 2024
Announcing New Anti-Fraud Tool to Detect, Categorize and Bust Fraudulent Activity

Online fraud is destroying customer trust and corroding revenue. Data from the Federal Trade Commission show the full extent of today’s problem: fraud losses in the US rose to $5.9 billion in 2021, an increase of 436% from 2017. Further research conducted by PWC shows that it’s not just individuals being duped by these global […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
30th March, 2023
The New Ways Cyber Criminals are Attacking Travel Companies

Cyber breaches seem to make headlines every day, with Uber, InterContinental Hotels Group and Marriott International among the major travel brands to have recently fallen victim to attackers. Whether it’s a multinational corporation or a small startup, no travel company is immune to the threat of cybercriminals and fraudsters. Travel and leisure is one of […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
19th October, 2022
The Horrendous Impact of DDoS Attacks on Enterprise Organizations

Distributed Denial of Service (DDoS) is usually performed by bombarding the targeted computer or resource with unnecessary requests to overload systems and prevent some or all legitimate requests from being completed. However, there is some good news: you can definitely mitigate the risk. Learn more here: How One AI-Driven Media Platform Cut EBS Costs for […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
14th June, 2022

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential