Payment security, CAPTCHAs, and more than meets the AI

Do CAPTCHAs work?

by Jeff Domansky

Despite the promise of AI and its potential as a security tool, we’ve fallen into a world of pain when it comes to cybersecurity. That’s especially true when using CAPTCHAs to defend online forms or website access.

CAPTCHAs and Einstein

If you’re like the average person online, you should be able to resolve most CAPTCHAs in 10 seconds. But there are some of these obnoxious brainteasers even Einstein couldn’t solve.

Take the popular truck reCAPTCHA. Know the one? I swear, I’ve spent up to five minutes trying to solve that sucker on occasion. Only to find it had a mistake in the pictures that made it unsolvable.

On second thought, maybe that means it’s working, preventing bots from solving the problem and creating havoc?

In my case, if it takes more than five seconds to resolve a CAPTCHA, I’m out of there. I’ve got work to do and the next really important YouTubes to view.

However, there are real-world business implications if any of your security systems are intrusive or the CAPTCHA gets in the way of clients paying for a product or service, opening a new bank account, or subscribing for a course, newsletter, or medical information.

It’s always about UX – the user experience – good and bad.

Who invented the CAPTCHA?

Who created the CAPTCHA? Like many things in technology, it depends.

The familiar CAPTCHA we see online every day was initially developed by Luis von Ahn, CEO of language-learning app Duolingo. When he was a graduate student at Carnegie Mellon University in 2000, a guest lecture from a Yahoo exec challenged the students to come up with solutions to ten technology problems plaguing the company.

[Image: original Yahoo CAPTCHA]

Von Ahn thought he could solve only one of the problems – trying to reduce the impact of millions of daily spam emails on the then-popular service. By 2003, von Ahn and several colleagues came up with the now-familiar squiggly numbers and letters security puzzle, and modern-day CAPTCHAs were born.

In their 2003 academic paper, they described the CAPTCHA as “a win-win situation: either the problems remain unsolved, and there is a way to differentiate humans from computers, or the problems are solved, and there is a way to communicate covertly on some channels.” Eventually, von Ahn handed the technology over to Yahoo in 2009 for free.

CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” was a deceptively simple solution on the surface but complex under the hood. The cryptography and code built on British scientist Alan Turing’s theory that a computer program has AI if its responses can fool a human into believing it is human.

Before von Ahn, in 1997, a group at search engine AltaVista used CAPTCHA-like puzzles to prevent bots from spamming the site with fake URLs. Two early patents with similar technology but not using the CAPTCHA name were registered in 1997 and 1998.

Google – AI of the beholder

Today, many websites use modern reCAPTCHA tools to enhance security. Google acquired the technology in 2009, and it has become a useful first line of defense for many websites.

Google implemented reCAPTCHAs, and we’re now up to v3, which approaches a more user-friendly, less intrusive solution.

Google even used the technology to optically capture and archive the entire New York Times library from 1851 to the modern day.

Imperfect protection

Unfortunately, like many Google and other technology-engineered products, the user experience sometimes leaves a lot to be desired.

CAPTCHA tools based on reading or simple perception tasks often deny disabled users easy access. For example, blind, colorblind, or other visually impaired and dyslexic users have trouble solving puzzles and accessing websites or digital services.

Then there’s the time factor. Cloudflare estimates that solving imperfect CAPTCHAs wastes 500 years every day in lost time and productivity worldwide. Implementation matters.

Case in point, this CAPTCHA telling you to “Select all squares with buses.” That’s okay; we’ll wait. Found a bus yet? No? Neither did we. And clicking on the Verify button with no squares checked failed to work, blocking us from accessing the website.

Aaaargh!!

Do CAPTCHAs protect?

Then there’s the question of whether CAPTCHAs are worth the time and money. Do they actually protect your website?

In 2014, Google tested one of its machine learning algorithms against humans in solving the most distorted text CAPTCHAs. The score? Computer AI 99.8% right, humans only 33% correct. I don’t feel so bad now.

University of Illinois computer science professor Jason Polakis used Google’s reverse image technology to consistently defeat CAPTCHAs 70% of the time.

Ironically, in a brilliant leap of logic, Amazon filed a 2017 patent for CAPTCHA technology that proves the user is human because they answered the trivia logic test wrongly. Amazon claimed in its patent filing, “By providing a CAPTCHA challenge from a library or set of challenges that are designed in a manner that causes or likely causes a human-user to trivially get the answer to the challenge wrong, [it] helps to confirm that a user is a human user, as a bot would answer the challenge correctly.”

I’ll bet you’re feeling better now too?

If you’re really determined to defeat the annoying CAPTCHAs, you can buy software to solve puzzles, including text-based CAPTCHAs, reCAPTCHAs, mathematical CAPTCHAs, image-based CAPTCHAs, and 3-D CAPTCHAs. Or just hire a team of humans to solve 1,000 CAPTCHAs for as little as $.08 to $3.99 and more per thousand.

All this to say, as our security solutions get smarter, so do the hackers and crackers.

CAPTCHA trivia

Here are a few more irresistible facts about CAPTCHAs:

  • humans solve an estimated 300 million CAPTCHAs daily
  • time spent solving imperfect CAPTCHAs costs 500 years per day
  • humans solve the average one within 32 seconds
  • AIs take 8-10 seconds or less to solve with a 95%-plus success rate
  • AIs can solve some visual puzzles in 1-5 seconds

Quantum computing, cryptography, and other solutions such as self-sovereign identity (SSI) promise more robust security in the future, but it’s an evolution.

The next time you’re frustrated trying to solve the latest reCAPTCHA, take a moment to think about the poor AI bot, caught in an endless loop, trying to solve a puzzle before they can move on to automatically do whatever task they were created to do.

Approaching the weekend, I’ll leave you with two final CAPTCHAs to solve. Have fun, and be secure.

[Image: integrity CAPTCHA]
[Image: equation CAPTCHA]

Editor’s note: CAPTCHA 1 is just a visual, not a real working CAPTCHA. The answer to CAPTCHA 2 is 37. If you figured #2 out, you’re either a BOT or a serious mathematician. 😉
