Friday, March 12, 2010

I Failed a Turing Test - Now What?

Anti-automation is a common requirement on modern web applications. CAPTCHAs are everywhere, and reCAPTCHAs are now even more prevalent. The problem here is twofold, and you've probably experienced it already.

The first real issue is that, for quite some time, CAPTCHAs were the most advanced way to deter automated scripts, bots, and programs from filling in forms, such as free web email registration forms. The reality is that CAPTCHAs were easily broken by OCR (Optical Character Recognition) software. In a strange irony, the software built to "read" graphics and translate them into text (as in a scanned document) was turned around to "read" CAPTCHAs, and thus break the anti-automation.

Next came the reCAPTCHA. This is much more difficult to break, for a number of reasons not relevant here, but the sad reality is that when high-tech attacks fail the bad guys turn to low-tech answers. The answer in this case turned out to be low-cost worker pools in 3rd world countries. The evil masterminds out there wrote programs that pulled the reCAPTCHA images into a console, and someone would just sit all day and type in the letters they saw. These worker-drones make on average $0.01 (that's a penny, USD) per image they successfully transcribe. That may sound insane to someone like you or me, but remember these are impoverished workers with rapidly expanding access to technology. Through the Internet's reach they are able to make as much as $3.00-$5.00 per day, which is a fairly good wage when you consider the average income in some of these parts of the world. Add to that the ability to work from anywhere there is an Internet connection (which doesn't even have to be fast!) and this can turn into the perfect labor for entire families in some of these places.

The economy of greed will always find a way to thrive, and this is just one of many ways that anti-automation is overcome by ingenuity and low-tech solutions. This isn't the end of the story, though, because there is a problem.

What if, in order to compensate for the ever-increasing leaps in OCR technology, CAPTCHA providers start to create images that even a normal human can't decipher? I ran into one such incident lately, and since it has been happening more and more, I thought I should write about it to raise some awareness.

The situation I can most clearly describe (and one that you may already be familiar with) happened on TicketMaster.com. If you've been ripped off by TicketMaster lately... I mean, if you've bought tickets on TicketMaster lately, you've undoubtedly had to transcribe a CAPTCHA image to complete your ticket search and purchase. How many times have you found yourself squinting and thinking real hard before typing in the letters you think you see? I'm betting pretty often. The problem comes when we have to make Turing tests so hard that humans fail them. This undoubtedly brings on the obligatory rant about usable security, right? Think about it.

This is just one story, one example; I'm sure you have a few of your own like this.

If Turing tests become so difficult that a normal person fails them, and is thus prevented from performing a legitimate transaction, yet criminals are finding ways around them... who's winning?

Update 1 [3/12/10 @ 10:14am] ______
So... this is disturbing, but I got an email from someone who says I have my numbers wrong. This someone would know; apparently the $/CAPTCHA figure is wrong. The real number right now is $0.85 USD per 1,000 transcribed CAPTCHAs. Wow, just wow.

2 comments:

Anonymous said...

ROFL, I myself have had this problem in the past with several different websites.

This post makes me smile, since I've long been convinced that most CAPTCHAs I fail, "criminals" would probably pass.

At least I don't feel alone.

(Even Google services' CAPTCHAs can be quite hard sometimes...)

Anonymous said...

$1/k for under 200k/day
85c/k for 200k+/day
negotiable for over 1M/day

Can send reCAPTCHA, Google, myspaz, Hotmail, any CAPTCHA types; they don't care.

Average response time for a CAPTCHA is 12 seconds from submitting until answer. If an answer is incorrect you flag it, so if a single employee of theirs is giving too many wrong answers they are fired, and you get refunded for the CAPTCHAs of yours they filled in.

Then there's also another company that I use as well, in case the first company overloads and is taking too long for CAPTCHAs. They have a bidding system: you bid your rate per k and based on that they decide your priority. I'm currently bidding 1.5/k with them and pay about 1.15/k (1/k is their minimum rung). Response time from them is about 16 seconds on average, but generally more accurate responses, so sometimes they are better to use.

Gotta love the Russians! And that's excluding those that can be cracked; only things like reCAPTCHA are generally fed into these services currently, the rest are auto-cracked with the latest-gen OCR toys :)

Enjoy knowing how little it costs to spam your social sites!
