Want to get around a CAPTCHA? That’ll be 0.00094c, please

By | 11:13 PM Leave a Comment

Shopping or booking an appointment online can seem increasingly like busywork. Please prove that you’re not a bot: select all the photos that show traffic lights. Do some light arithmetic. Squint and retype these increasingly indecipherable letters (“Is that a lowercase H or a lowercase B?”).

get around CAPTCHA

With over half of web traffic automated, it’s increasingly important for businesses to tell which of their online visitors are real and which are bots. Not every bot that visits a website is there to cause trouble, but many are—scraping the content, trying to buy limited-edition goods before genuine customers can, or using card gateways to check if stolen credit card details are still valid. Even those bots that aren’t bad actors can cause problems when businesses use web analytics skewed by bots to make decisions.

CAPTCHAs are the most visible technique used by online businesses to differentiate between real customers and bots. Unfortunately, it’s a technology that’s under threat from a very old technology: outsourced manual labor.

The economics of CAPTCHA farms

If you are a bot operator and are faced with the problem of small repetitive tasks getting in the way of making serious money, then you have a couple of choices. One is to seek out or even build a bot that is capable of solving these CAPTCHAs, continuing the ongoing arms race. The other is to hire humans to solve tasks designed to be solved by humans.

CAPTCHA farms have been around for over a decade, pretty much since CAPTCHAs first became a way to protect against bots. CAPTCHA requests will be sent from the bot to the farm through an API, and at the other end a human will be available to solve the test.

It’s important to understand that these farms are not small organizations operating in shabby basements. They are established, well-run businesses akin to contact centers, with full employee training. They do, however, rely on inequality to thrive, as it is only lucrative when they are based in emerging markets and are, effectively, a digital sweatshop.

At the time of our most recent research, we found that employees earn around $0.18 for every 1,000 CAPTCHAs solved. Bot operators buy these services at around $0.94 for every 1,000 solved. This is a business model where the employees are doing lots of repetitive work for very little, and where bot operators are by comparison paying pennies to have their CAPTCHA problem solved. The farm owners need to operate at scale to be profitable—and they do.

The end result is that bot operators can see CAPTCHA as more of a speed bump than a barrier to achieving their aim.

An arms race with multiple weapons

Businesses and bots are in an escalating battle—but there are two fronts. As bots get more sophisticated, so do the techniques to identify and prevent bot attacks. And as bots get less effective, work will go into making them circumvent the new barriers erected to slow them down.

At the same time, businesses will rely on CAPTCHA to try and block bots – but when this becomes too much for bots to handle, outsourced labor will solve the problem.

Businesses are not helpless in the face of CAPTCHA farms, though admittedly it can seem like they are facing an impossible task. If bot operators can pose as ordinary users simply by spending some money, can they really be stopped at all? The answer lies in asking a new question. Businesses should still ask of their visitors “Is this a bot or a human?” but also ask “What does this visitor intend to do?”

All users, whether real or human, provide far more signals that can be analyzed than whether or not they have passed a CAPTCHA test. Where did they arrive from? How did they navigate through the site? What are they using to access the site? Is their behavior truly human-like, or simply trying to mimic that of a human?

For example, one way to mitigate against bots is rate-limiting, simply setting a maximum number of requests that a visitor can make in a certain amount of time. Sophisticated bots will figure out this limit and stay just below it, in a very inhuman way.

Analysis of behaviors like these will be key to sifting out the bad actors from the genuine users in the future. CAPTCHA will still have a place, but it’s important to remember that it will only deter those unwilling to spend a few extra pennies.


from Help Net Security https://ift.tt/3doPez1

0 comments:

Post a Comment