Arms Race: We're No Longer Smart Enough for CAPTCHA

A test to determine whether something is human (or not) has formed part of science-fiction for a long time.

This need eventually grew into the CAPTCHA security check - but how long can this flawed solution continue to serve us?

Critically, what comes next?

The Turing Test, otherwise known as the Imitation Game, solved part of this identity puzzle in 1950. It’s a simple exercise requiring a computer and a human subject. If a third party can’t determine which one is the machine (usually via a text conversation), our robot passes the Test.

Challenge-Response

CAPTCHAs work on a similar premise. If the target can’t solve a problem, they’re probably not a human. CAPTCHAs are designed to provide a barrier to bots, password crackers, and malicious users that could wreak havoc if they can get at a website’s underbelly. The problem is that they’re annoying for human users, but how to safely get around them?

Internet users tend to be a savvy bunch. If we can't solve a problem ourselves, someone else has likely worked it out. When faced with geoblocked sites, companies devised VPN services to help people access them from wherever they wanted. When some felt this didn't do enough to protect their privacy, those same companies produced another solution: with a dedicated IP VPN, a user gains their own private IP address. 

The challenge-response type of security embodied by CAPTCHA is in an arms race with the web’s villains. This means they’ve become more complicated as threats have grown more sophisticated. Now, rather than just ticking a box or inputting the numbers on the screen, CAPTCHA prompts include jigsaw and rotation puzzles and an endless array of traffic lights, bridges, and buses to pick from. Google’s reCAPTCHA tool is being used to train self-driving cars like the Waymo.

The Atlantic described Pandora's box of brain teasers as “CAPTCHA hell”. So can the internet help us get around CAPTCHA, too?

“Nonsensical”

CAPTCHAs no longer serve their original purpose, i.e., to pose a problem simple enough for a human to solve but not a machine - as the robots have reached a point where they’re smarter than most people. AI, for instance, can solve even complex equations in moments. 

The solution is to do something that humans excel at - being weird. Arkose Labs CEO Kevin Gosschalk told the Wall Street Journal that CAPTCHAs need to be “nonsensical” to confuse bots, otherwise, advanced “multimodal” machines will be able to figure them out.

Seemingly, this nonsense involves aimless, pointless tasks. An example of secure CAPTCHA from Arkane requires the user to rotate an animal to point in the same direction as a hand. Not quite a MENSA test but it’s fooling the robots, for now. 

Things can only get worse for security companies. In April, the TechRadar website wrote that businesses need to rethink CAPTCHAs “urgently”, quoting a Stanford statistic that 40% of customers won’t complete a task if a CAPTCHA form is included. 

Of course, that’s quite a different problem than ‘the robots are smarter than us’, but it still needs fixing.

Invisible CAPTCHAs

Invisible CAPTCHAs dispense with the traditional puzzles so that bots don’t know where to look for the security check. Put another way, they work by collecting signals of human behavior behind the scenes.

These signals might include mouse movement, typing speed and cadence, and information from the user’s device - all analyzed by a machine for a human-like ‘fingerprint’. The irony of using one machine against another for the sake of humanity surely isn’t lost on tech experts.

Overall, CAPTCHA is long overdue for retirement. It's only a matter of time before the checks become too smart for us.