How CAPTCHA Works
For a long time, websites and mobile applications have been under large-scale attacks from bots.
These malicious bots are programmed to automatically consume vast computational resources, post spam, collect website data, and even register and perform user verification.
In 2022, nearly half (47.4%) of all internet traffic came from bots, an increase of 5.1% from the previous year. The proportion of human traffic (52.6%) fell to its lowest level in eight years.
In this context, CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was born, which is now known as the verification code.
As a computer scientist, Tam Nguyen believes that CAPTCHA is an effective barrier for websites to prevent automated attacks, enhance network security, and improve user experience, at least in the short term.
CAPTCHAs are designed as questions or challenges that are easy for humans but difficult for computer bots to answer.
They can be divided into four types: text-based, image-based, audio-based, and behavior-based.
Text-based
Text-based CAPTCHAs have been popular since the inception of the internet.
This type of CAPTCHA requires users to read distorted and complex text images and enter the answer into a text field.
A variant of text-based CAPTCHA is to ask users to solve simple math problems, such as "18+5" or "23-7".
However, due to the prevalence of deep learning AI, advanced optical character recognition algorithms have recently solved this problem.
Ironically, when the text is adjusted to be more distorted and complex, real humans are unable to provide the correct answer.
Wired once published an article, "I failed two CAPTCHA tests this week, am I still human?"
Audio-based
Audio CAPTCHAs play a short audio clip containing a series of numbers or letters spoken by human or synthetic voices, which users listen to and then enter into the provided text field.
The input is verified against the correct answer to determine if the user is human.
Like text-based CAPTCHAs, audio CAPTCHAs can be difficult for humans to interpret due to factors such as background noise, poor audio quality, severe distortion, and unfamiliar accents.
Image-based
Image-based CAPTCHAs were introduced to increase the challenge for bots.
Users must identify specific objects from images, for example, selecting all image blocks containing traffic lights.
This task leverages human visual perception, which still outperforms most computer vision-based bots.
However, this type of CAPTCHA can also be confusing for humans in many cases.
"CAPTCHAs always make me obsess over those little edges"
Behavior-based
Behavior-based CAPTCHAs analyze user behavior, such as mouse movements and typing patterns.
The popular behavior-based CAPTCHA reCAPTCHA requires users to check the "I'm not a robot" box.
During this process, reCAPTCHA analyzes mouse movements and clicks to distinguish between humans and bots. Human behavior is typically more variable and less predictable, while bot behavior is usually precisely consistent.
AI vs. Humans
In the seemingly endless battle between AI and humans, CAPTCHA is another battlefield.
Initially, the idea of image-based CAPTCHAs was to help train AI to better perform text recognition when digitizing books.
This innovation, invented by Luis von Ahn (co-founder of Duolingo), presented unclear scanned words as CAPTCHAs to humans, teaching AI through our identification of these words.
Today, AI has become increasingly advanced, able to solve CAPTCHA puzzles using modern technologies such as deep learning and computer vision.
For example, optical character recognition algorithms have continuously improved, making text-based CAPTCHAs less effective. Advanced speech-to-text technology can bypass audio CAPTCHAs. Similarly, AI models trained on large image datasets can solve many image-based CAPTCHA problems with high accuracy.
Paper link: https://arxiv.org/pdf/2307.12108
On the other side of the battlefield, CAPTCHA researchers have created more complex verification techniques.
For instance, reCAPTCHA can evaluate users' interaction behavior and calculate the likelihood that they are human.
Ironically, humans are helping AI solve complex CAPTCHA problems.
For example, click farms employ large numbers of low-paid workers to click on ads, including social media posts, follow accounts, write fake reviews, and even solve CAPTCHAs.
Vietnamese social media click farm
Their job is to help AI systems behave like humans, thus defeating CAPTCHAs and other anti-fraud technologies.
The Future of CAPTCHA
The permanent arms race between security measures and those seeking to circumvent them promotes continuous innovation.
As AI continues to develop, the methods adopted by cybersecurity experts and those seeking to break through digital barriers will also evolve.
It's foreseeable that the future of CAPTCHAs will be influenced by the continuous advancement of AI.
Traditional CAPTCHA methods are losing effectiveness, so future CAPTCHA systems may focus more on analyzing user behavior, such as how people interact with websites, making it harder for bots to mimic this behavior.
Websites may turn to using biometric CAPTCHAs, such as facial recognition or fingerprint scanning, but these raise privacy concerns.