'Yes, I am a Human': Bot Detection Is No Longer Working 89
The rise of AI has rendered traditional CAPTCHA tests increasingly ineffective, as bots can now "[solve] these puzzles in milliseconds using artificial intelligence (AI)," reports The Conversation. "How ironic. The tools designed to prove we're human are now obstructing us more than the machines they're supposed to be keeping at bay." The report warns that the imminent arrival of AI agents -- software programs designed to autonomously interact with websites on our behalf -- will further complicate matters. From the report: Developers are continually coming up with new ways to verify humans. Some systems, like Google's ReCaptcha v3 (introduced in 2018), don't ask you to solve puzzles anymore. Instead, they watch how you interact with a website. Do you move your cursor naturally? Do you type like a person? Humans have subtle, imperfect behaviors that bots still struggle to mimic. Not everyone likes ReCaptcha v3 because it raises privacy issues -- plus the web company needs to assess user scores to determine who is a bot, and the bots can beat the system anyway. There are alternatives that use similar logic, such as "slider" puzzles that ask users to move jigsaw pieces around, but these too can be overcome.
Some websites are now turning to biometrics to verify humans, such as fingerprint scans or voice recognition, while face ID is also a possibility. Biometrics are harder for bots to fake, but they come with their own problems -- privacy concerns, expensive tech and limited access for some users, say because they can't afford the relevant smartphone or can't speak because of a disability. The imminent arrival of AI agents will add another layer of complexity. It will mean we increasingly want bots to visit sites and do things on our behalf, so web companies will need to start distinguishing between "good" bots and "bad" bots. This area still needs a lot more consideration, but digital authentication certificates are proposed as one possible solution.
In sum, Captcha is no longer the simple, reliable tool it once was. AI has forced us to rethink how we verify people online, and it's only going to get more challenging as these systems get smarter. Whatever becomes the next technological standard, it's going to have to be easy to use for humans, but one step ahead of the bad actors. So the next time you find yourself clicking on blurry traffic lights and getting infuriated, remember you're part of a bigger fight. The future of proving humanity is still being written, and the bots won't be giving up any time soon.
Some websites are now turning to biometrics to verify humans, such as fingerprint scans or voice recognition, while face ID is also a possibility. Biometrics are harder for bots to fake, but they come with their own problems -- privacy concerns, expensive tech and limited access for some users, say because they can't afford the relevant smartphone or can't speak because of a disability. The imminent arrival of AI agents will add another layer of complexity. It will mean we increasingly want bots to visit sites and do things on our behalf, so web companies will need to start distinguishing between "good" bots and "bad" bots. This area still needs a lot more consideration, but digital authentication certificates are proposed as one possible solution.
In sum, Captcha is no longer the simple, reliable tool it once was. AI has forced us to rethink how we verify people online, and it's only going to get more challenging as these systems get smarter. Whatever becomes the next technological standard, it's going to have to be easy to use for humans, but one step ahead of the bad actors. So the next time you find yourself clicking on blurry traffic lights and getting infuriated, remember you're part of a bigger fight. The future of proving humanity is still being written, and the bots won't be giving up any time soon.
Voight-Kampff test, soon? (Score:1)
Sounds like we're headed that way.
The captcha should assume humans suck. (Score:1)
Proud to be human (Score:2)
For as long as I live, I will always beat a bot at Chihuahua or Blueberry Muffin.
Re: (Score:1)
Gesundheit!
Computers using computers (Score:5, Insightful)
The idea of models browsing the web for us is hilarious. What we need is more effort to make online services interoperable via API, not LLMs pretending to be humans operating browsers. That's just the most complicated Rube Goldberg machine ever.
Re:Computers using computers (Score:5, Insightful)
The challenge of APIs is that somebody has to build and maintain them. Many sites have no API at all, and many others have an API that is outdated and buggy. Most sites put their best effort into making their sites usable by humans, they don't really care about API developers. Why should they? APIs don't serve ads, and therefore don't bring in income.
So while LLMs browsing the web might be inefficient, it allows people to use automation on websites that don't bother to offer an API, and to do so without requiring writing client code.
There are different kinds of efficiency. The kind you would like to eliminate, is excess human-oriented baggage. But doing so creates another kind of inefficiency: the requirement that programmers write software to browse the web.
Nearly all attacks are from bots (Score:3)
The challenge of APIs is that somebody has to build and maintain them. Many sites have no API at all, and many others have an API that is outdated and buggy. Most sites put their best effort into making their sites usable by humans, they don't really care about API developers. Why should they? APIs don't serve ads, and therefore don't bring in income.
So while LLMs browsing the web might be inefficient, it allows people to use automation on websites that don't bother to offer an API, and to do so without requiring writing client code.
There are different kinds of efficiency. The kind you would like to eliminate, is excess human-oriented baggage. But doing so creates another kind of inefficiency: the requirement that programmers write software to browse the web.
There's a legit security concern with bots and APIs and 3rd party programs. Many businesses rely on good faith of people not exploiting them in order to offer a product or a service. For example, a loyalty rewards program that gives you a free cup of coffee for signing up...well...there's a famous case where a company did something similar and assholes on the web wrote bots to exploit them and make them cancel the program. Another example is limited editions. A company wants to make a special limited ed
Re: Nearly all attacks are from bots (Score:3)
If you want to reward loyal customers then impose the requirement that youve been a customer for a certain number of years and order from that account with a specified frequency. Alternately use the loyalty card model in the retail environment or do both.
Re: (Score:2)
Its not a reward for being a repeat customer, its an incentive to become a repeat customer...
Once upon a time you got a card and each time you shopped they would punch a hole in it.... after so many holes you got a free somethingorother.. now riddle me this... what safeguards were there then?
None, because its one big show. Its a choreographed production surro
Re: (Score:2)
Re: (Score:2)
For example, the limited edition product and the "scalpers"
Its a shock to the senses that so many of the limited edition products will be flipped immediately, but it is not, in fact, a bad thing. Nothing bad is here except maybe the person that decided the price of those limited edition things, and thats only a maybe, facts not fully in evidence.
Re: Computers using computers (Score:2)
Nobody is going to make services interoperable (Score:2, Troll)
Remember you are the product.
Re: Nobody is going to make services interoperable (Score:2)
Re: (Score:3)
All they do know is that they want the convenience that the monstrosity gives them. Even if that "convenience" is 20x times slower, eats 50x ti
Re: (Score:2)
Its much worse than them not knowing how to remove redundant parts and streamline things... compsci as-taught has several religions and one of them is a full-blown anti-optimization religion where code that even _looks_ optimized is frowned upon, no matter how trivial
VS98 loaded very large projec
The real solution (Score:3)
Re: (Score:2)
providers really want to achieve is, not to block automated clients, but to block unwanted behaviors.
Yes, exactly. That unwanted behavior is usually: signing up for or accessing many accounts to conduct large-scale automated attacks or exploits of some kind, when it is intended that a person have only one account.
This is not the same thing as a person having an automated agent that the person the agent is acting on behalf of granted permission conducting legitimate tasks on behalf of that one person at
Re: (Score:1)
Re: (Score:3)
In the end, phone verification is just a means of obtaining a name and address (at best), not a means of determining whether or not a human is on the other end. And there's plenty of means to fire a script when an Android device receives a call or SMS. (Or an Arduino / Raspberry Pi.
Re: The real solution (Score:2)
The effectiveness of most of these CAPTCHA alternatives also depends on the willingness of people to access the website that asks them to run through hoops.
I personally, for example, am not willing to visit any website that asks me to provide my phone number... unless maybe if my life depends on that.
Re: (Score:2)
Re: (Score:2)
Twice in the last few days I have been unable to solve capchas. I have tried my best. The photos are low resolution and blurry, and is difficult to know where the boundary of an object actually is - sometimes a few pixels look like they might belong to an object in a nearby box. Sometimes it is hard to know what would count if parts of the object are off-screen, it is not obvious what they even are. Google needs to get an AI to redesign the whole PoS.
Click the boxes with motorcycles. Okay, sure. Do I include the boxes where the handlebars are? Do I include the rider? Does the shadow count?
These things are set up to make humans fail. A real human is going to make a judgement call and get it wrong a bunch of the time.
I agree with the idea that we should be blocking the behaviour we don't want, not trying to prove humanity. Running a forum and don't want bots creating accounts to spam the place? Fine, don't let new accounts post anywhere but the
Re: (Score:2)
These things are set up to make humans fail.
No, they are set up to get humans to provide "quality" image labeling so that AI object detectors such as "motorcycle" and "street sign" can be trained well
A lot of big money has been thrown into making self-driving cars a reality, and captchas were captured by it a long time ago
Re: (Score:2)
These things are set up to make humans fail.
No, they are set up to get humans to provide "quality" image labeling so that AI object detectors such as "motorcycle" and "street sign" can be trained well A lot of big money has been thrown into making self-driving cars a reality, and captchas were captured by it a long time ago
I'm skeptical. They might have been used that way at some point, but the fact that humans [i]fail[/i] so often reveals the data set is garbage. I'm also not sure how recognizing fire hydrants, stairs, and bridges helps full-self-driving.
Re: (Score:2)
There are plenty of alternatives to CAPTCHAs, such as requiring the user provide a phone number, then you send them a SMS text message, and the user proves control of the phone number while providing permission.
...and then someone steals your phone, so you get a new number, and the system will utterly refuse to recognize you. I'm still arguing with Capital One, because they've locked me out of all my accounts due to having a new phone number. They haven't been willing to verify me through my validated email account or physical address. Their system for verification through submitting a photo of my ID... claims that it isn't real.
Almost all of the banks I use just locked me out when I got a new phone number. Some o
Re: (Score:1)
but to block unwanted behaviors.
Like posting opinions that don't fit the approved narrative?
But don't worry. Musk will buy your social network board.
Re: (Score:2)
In the end, what service providers really want to achieve is, not to block automated clients, but to block unwanted behaviors.
Is that true? Bots are not eyeballs for ad revenue. A good personal automated client (good from my perspective) would report back from the site with what I am interested in, not ad content. That makes the automated client an adblocker.
Re: The real solution (Score:1)
Why would AI bots be immune to ads? Maybe the ads could train the bots too, and not just we humans?
Re: (Score:2)
Just what we need - our bots to become sleazy hallucinating salesmen, offering us deals that do not even exist.
Re: (Score:3)
Just what we need - our bots to become sleazy hallucinating salesmen, offering us deals that do not even exist.
I would LOVE for that to happen. It would totally fuck the Web for corporate commerce. Maybe then it could go back to being a service for people instead of an ad platform for corporate leeches vacuuming the money form people's pockets while propagandizing them into oblivion and damaging their psyches.
Re: (Score:3)
Why would AI bots be immune to ads? Maybe the ads could train the bots too, and not just we humans?
Can you imagine it? The bots get trained on "Bratty step sister sucks cock for the car keys!" Now polluting the LLM database using something like Pornhub or xhamster would be hilarious. Then add in extremely bad grammar and screwed up pronouns from non-English posters and you'll really have something.
Am I the only one (Score:1)
Who finds it entertaining that the "bad actors" are creating bots that are doing a better job of training google's self-driving object recognition than humans? Shit, just skip the middleman already. Either that or they're creating enough noise that now the "captcha as ai training" system has turned counterproductive.
Re: Am I the only one (Score:2)
Iâ(TM)ve seen various reports that the noise is polluting the signal these days. With bots, the happy answer is almost never the correct one.
Re: (Score:2)
You aren't training googles object recognition anymore. There are many models that are way better than you are, that's why they blur the captchas in addition.
Re: (Score:2)
Charge money for access. (Score:1)
Do what Musk proposed for X. Charge $5/yr or whatever. Nominal costs to break bot scaling. Payment systems can at least limit the number of accounts that can be economically created.
There are times when I wanted AI (Score:4, Informative)
to solve CAPTCHAs for me, because I couldn't solve them!
Re: (Score:3)
to solve CAPTCHAs for me, because I couldn't solve them!
Yeah. I love when I get the all too common request to pick motorcycles, bicycles, traffic lights, or whatever. It hatches the photo into parts, but does a shitty job of it. So now do I click on the boxes that have traffic lights or motorcycles or whatever clearly in the box? Or do I need to click on the ones where part of the traffic light exceeds over the line? I usually wind up having to go through three or four attempts because of this.
Of course, AI is going to excel at this, and frankly it has for a lo
Re: (Score:2)
It doesn't matter too much if you click the partial squares or not. You get to solve four captchas not because you were inaccurate, but because the site owner requested a high security level and your browser didn't provide Google enough tracking data to trust that you're a human.
Re: (Score:2)
CAPTCHAs provide neither high security, nor a valid way of determining that you are not a bot. This is literally the gist of the article.
Re: There are times when I wanted AI (Score:2)
There are browser extensions that claim to do just this. But I haven't had any luck with them so far.
I must be a robot (Score:2)
I've had some systems block me for solving captchas too much like a machine. Not sure if that's speed, accuracy, or some combination thereof.
And it's a really stupid filter, because it's easy to slow down a captcha-solving AI or add randomness to mouse motion.
Re: (Score:2)
If a website is actually tracking my mouse movements, I already have a problem with it.
Re: (Score:2)
Are you fucking kidding? (Score:2)
so web companies will need to start distinguishing between "good" bots and "bad" bots.
The ones that scrape your data for free and use it to make us money are good.
The ones that have narcissistic robber barons drone on with deceit and lies about how sharing is bad and greed is great are good.
Every other one are bad, shall be banned and you'll need fingerprints to access our AI.
Re: One word: Worldcoin (Score:3)
No it doesn't, unless we have an eye-scanning orb next to every device accessing the Net.
Please Sam, create an account and post under your name as a real man. Also, your attempts at being the world's Big Brother are pathetic.
Solve harder puzzles to boost AI (Score:3)
With every captcha we are helping train AI to be more human.
Re: (Score:2)
This comment appears in the bottom of my feed, and yet it is the most prescient thing said here.
Re: (Score:2)
The few companies that already got the labeled data that want to sell it to all the other companies
said the trilobyte (Score:1)
Captchas should die (Score:5, Informative)
They are all huge problem for vision impaired. On one site, I made over 100 attempts, with different images. I couldn't solve one of them. There was no audio option. No email to contact the site administrator. Any contact required signing up first. I tried to guess the admin email. Sent over a dozen emails. They all bounced. I was unable to join the site as a result. This was a few months ago. More recently, I tried again, and solved it on the first try.
I now always click on the audio option if there is one. Oftentimes, it doesn't work in Firefox with ad blockers. The sites tell me there is suspicious aciltivity. Fortunately, my hearing loss is only in one ear, and minor, and so far I have always succeeded on the first try with voice challenges.
You can however have both visual and hearing impairments. A machine is always going to do better and faster in those cases.
My main browsing machine is a desktop which lacks any kind of biometrics. It does however have a webcam. Maybe some kind of real-time video challenge would work, with the site asking the user to do a particular gesture. The AI can fake video too, but perhaps not in real-time - yet.
And there are obviously huge privacy concerns with that.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: Captchas should die (Score:2)
Everyone has this problem, though I admit people with vision/hearing problems have it way worse. People just need to value their time and realize that some websites are just not worth being visited. The Web is big, even if the vast majority of it is utter crap.
Re: (Score:2)
Agree about the choice of web site. This one was about a 35-year old video game. I would assume that most members are in 45+ in age, and many would be starting to have vision concerns, but probably not as severe as my macular degeneration that was first diagnosed at 43.
The site operator is ultimately the one that chooses how to rate limit and/or authenticate the users. A couple decades ago, Kaiser required me to do some paperwork in person at their medical office before I could get access to the web site wi
There is a solution (Score:2)
There is a solution, but most of us will not accept that.
DRM. Yes, that DRM.
A browser that is fully secure end to end, including mouse and keyboard hardware attested by a trusted notary and all connections going through your client SSL certificate... would solve the "human detection" problem. (At least until they make physical robots that are capable in typing similar to a human).
And of course this idea is bollocks, and will never pass, except high security systems, like confidential work or government. And
Re: (Score:2)
Google already proposed "trusted computing" for the web.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Blood (Score:3)
vampires! (Score:2)
No problem... (Score:2)
Captchas have NEVER been "reliable" (Score:5, Informative)
To borrow an apocryphal line from (perhaps) Enrico Fermi: that is not even good enough to be wrong.
Captchas always were, and remain, an incredibly stupid idea, deployed exclusively by ignorant newbies who are both too stupid and too lazy to implement real security on their sites. Methods for defeating them emerged immediately and were improved faster than captchas themselves -- not surprising, since attackers had first-mover advantage. Some of those methods were automated; some were manual; some were combinations. But what they all had in common is that they allowed attackers to defeat captchas at will. For example (and this is merely a sample) (and all of these links are over a decade old):
Captchas do have one purpose, though: they signal which companies/organizations have laughably incompetent CSOs.
Re: Captchas have NEVER been "reliable" (Score:2)
deployed exclusively by ignorant newbies who are both too stupid and too lazy to implement real security on their sites.
You don't understand the purpose at all apparently. Captchas are for fraud prevention and limiting wasted resources.
I don't know what you could possibly mean by "real security", that stops fraudulent account creation. Slashdot for example could ask for name, address, government ID, and run all that through a LexisNexis CIP service, but you have to pay for those. Why would you let some botnet drive thousands of requests a second from random IPs only to fail on your expensive CIP checks for example.
Captchas r
Why do we need that anyway? (Score:5, Insightful)
Why does it make any difference whether its a "robot" or a human that wants to access a website?
It's either free content or not. In the first case, it should not matter, in the second there would be a kind of logon required anyway.
Re: (Score:2)
Re: (Score:2)
Very few sites have free content. Most have content which is paid for by the reader viewing ads. No need for the overhead of a login for that to work well. Unless there is no reader, which is the problem here.
Re: (Score:1)
Many readers have ad blockers. No different from bots in that regard.
Re: (Score:2)
Why does it make any difference whether its a "robot" or a human that wants to access a website?
It's either free content or not.
You clearly haven't run a website before. Why spend money on bandwidth to feed a non-customer scraping data while ignoring your ads? To the website owner the bot is a cost, not an income. Only humans are an income, and when your website is overrun with bots the human traffic gets drowned out.
The digital divideR (Score:1)
I just passed the Turing Test with ChatGPT :| (Score:2)
Iâ(TM)d rather pay a subscription fee (Score:3)
At this point Iâ(TM)d rather just pay a subscription fee to support the content Iâ(TM)d like. Screw the ad supported âoefreeâ economy with its bots, profiling, and manipulation algorithms
XKCD solved this years ago (Score:2)
https://xkcd.com/233/ [xkcd.com]
In the Meme Time, Prove you are Human (Score:1)
Not for long (Score:2)
"Instead, they watch how you interact with a website. Do you move your cursor naturally? Do you type like a person? Humans have subtle, imperfect behaviors that bots still struggle to mimic."
Not for long.
It'll be easy to mimic the clumsiness and "subtle, imperfect behaviors" of humans, and I'm only surprised it hasn't been done already.
Don't Need It (Score:2)
I don't need a site that requires biometrics.
Or more than one captcha.
I just close the window and do something else or buy from someone else.
Their loss, not mine. Enjoy lazy security and a sales crash. I'm not the only one who is done with their game.
Simple, make AI's creators legally liable. (Score:2)
Oh, your AI is now lying about it being an AI? Lawsuit and damages for any computer time wasted by a bot bypassing a captcha. Lawsuit for any incorrect/hallucinated information causing material damage, plagiarism, health-care outcomes.
Oh, that makes your AI an unsustainable business model? Too bad. These AI tech-bro CEOs love "the market" so let "the market" decide (including economics of fraud/malpractice law) their bottom line.
Irony (Score:2)
The word you meant to use was "prescient" not "ironic"