If you've used the internet at all in the past few years, especially whilst connected to a proxy or VPN, you're likely to have encountered a 'CAPTCHA' challenge,
Short for, "Completely Automated Public Turing test to tell Computers and Humans Apart," these annoying prompts usually appear when trying to enter vital data like your login information.
Users are usually required to either enter text from an image that's been distorted in some way or listen to a series of characters being read out via audio. Sometimes users are prompted to select only certain images from a selection, solve a mathematical puzzle or sign via a social media account.
These types of challenges are hard for computers to recognize, so the stated purpose of CAPTCHAs is to prevent spam, data scraping and other forms of automated registration/data gathering.
Here's the rub: while CAPTCHAs can be difficult for computers to understand, the same is often true of human beings. This has been even more true in recent years as CAPTCHAs have been made harder to prevent more sophisticated attacks. This is where CAPTCHA solvers come in.
What is a CAPTCHA Solver?
As the name suggests, CAPTCHA solvers are computer programs designed to recognize and solve CAPTCHAS for users. They can recognize text and images, so they can do the hard work for you.
Usually this involves installing a third party program such as a browser extension, which will handle the CAPTCHA query on your behalf.
CAPTCHA the Human
Traditionally, CAPTCHA solvers have been human powered. In other words, another human solves the CAPTCHA challenge with the results being returned to the user. This is sometimes used in automated attacks on websites but can also have legitimate uses for web scraping, competitor research so on.
Although individual methods can vary depending on the service, all have some common steps:
In the case of websites, which use Google's reCAPTCHA, the process works a little differently. This is because the website may prompt users to click on 'I am not a robot' to continue.
In cases like this, the bot can use the CAPTCHA Solver service's API to instruct one of their human workers to visit the site itself and manually check the "I am not a robot" option, then solve the CAPTCHA challenge.
The human solver then receives a token for the solved CAPTCHA, which the CAPTCHA Solver service can then pass to the bot via its API.
The advantage of keeping humans in the loop is clear:
As people are still solving the CAPTCHA challenge, this allows a CAPTCHA Solver service to keep pace with new challenges, such as deciphering more complex images or performing mathematical sums.
The high accuracy of CAPTCHA Solver services that use humans tie in to the fact that humans are still in the loop. As most CAPTCHA solver services send challenges to two or more human beings the error rate can be much lower than relying on AI or machine learning.
CAPTCHA Solver services often also increase the pay rate for the most proficient and accurate human solvers.
A human driven CAPTCHA Solver service is less likely to fall afoul of websites' Terms of Service, as the process of registering and/or gathering information isn't entirely automated. Naturally this depends on the site in question and how exactly the solver service bot gathers data.
Downsides to using a human-drive CAPTCHA Solver service include:
AI and machine learning algorithms don't need to be paid the minimum wage. On the other hand if you're hiring a human to solve individual CAPTCHA challenges, then the costs can mount up very quickly, amounting to over a $1 for 1,000 reCAPTCHA challenges.
Human beings may be better at solving CAPTCHA Challenges overall but will never perform as fast as an automated computre program. They also can take longer to provide results, as most CAPTCHA Solver services will compare answers from multiple humans before processing them.
Relying on human beings to solve CAPTCHA challenges can make it difficult to scale up operations, as your chosen CAPTCHA solver service will always be limited by the number of workers it uses.
Rise of the Machines
In March 2023 GPT-4, a product of OpenAI, was able to defeat a CAPTCHA challenge by pretending to be a visually impaired person and hiring a human to solve the problem on its behalf.
While Bing Chat's own AI-powered bot is programmed to refuse to help solve CAPTCHA challenges, it's also quite capable of doing so. In October 2023, a cunning hacker used a visual jailbreak to alter the image of a CAPTCHA to resemble a locket, resulting in Bing's AI solving the challenge.
Modern CAPTCHA solver services use AI tools and other sophisticated methods to automate the CAPTCHA process. As with human-powered solver services, these can vary but there are some common procedures:
Naturally, there are a number of advantages in trusting to tech to solve CAPTCHA challenges. These include:
Automated CAPTCHA solver services are almost always more cost-effective, given that they don't need to be paid minimum wage and can work around the clock.
Using automated programs makes it much easier to scale up operations if you need to solve a large amount of CAPTCHA challenges at once such as for web scraping or data collection.
Human solvers working in 'CAPTCHA farms' rarely make more than a few dollars a day, even after hours of work. Employing a machine to do the task instead is far less exploitative.
Yes - you heard us correctly. Not only are bots faster at solving CAPTCHA challenges than human beings, they can be more accurate too. According to a study published in July 2023 by researchers at the University of California, bots solved distorted-text CAPTCHA tests almost 100% of the time. The human test subjects only solved these challenges 50% to 84% of the time.
Still, trusting to tech for CAPTCHA solving also has its challenges, including:
The University of California study may have given robots the edge for distorted text but CAPTCHA challenges are becoming progressively more challenging over time. This isn't an issue for human solvers, who simply need to apply their ingenuity but automated CAPTCHA solver services need to update their algorithms constantly to keep pace.
Many major websites' terms and conditions specifically forbid using bots or other automated scripts for registration and data gathering. Using an AI-based CAPTCHA Solver service means you no longer benefit from the fact that humans are still in the loop.
Automated bots can use a variety of methods to bypass solver detection techniques. These include "user agent switchers" to make it appear as though a human's accessing the website from a different device such as a tablet or cellphone. It can also rapidly switch between proxy servers to change its IP address. This can make for much faster CAPTCHA solving.
Are CAPTCHA Solvers illegal?
It's true that bad actors have used bots/scripts to bypass CAPTCHA challenges to perform immoral or illegal activities such as ticket scalping or to perform denial of service attacks against websites.
However, CAPTCHA solvers also have legitimate uses, including for:
Web scraping (the automated extraction of data from websites) can be essential for market research, competitor analysis and for collecting general business intelligence. Unfortunately websites containing useful information like this often have CAPTCHA challenges to deter automated scrapers.
CAPTCHA solver services can help organizations to gather data of this kind to make better decisions and perform market analysis.
Modern CAPTCHA challenges have become so complex that many human beings struggle to solve them. This can be particularly challenging if you're suffering from a disability like being visually or hearing impaired, especially given some CAPTCHA challenges place a time limit on how quickly they must be solved.
Using a CAPTCHA Solver service effectively bypasses tricky challenges, discriminate against users with accessibility issues. Mindful of this, as of iOS 16 Apple devices like iPhones and iPads can actually be configured to complete CAPTCHA challenges on users' behalf.
If you yourself run a website or other online service that uses CAPTCHA challenges, what better way to test its effectiveness than to sign up for one or more CAPTCHA solver services to check that bots can't automatically register and/or scrape data?
Naturally even if you're using a CAPTCHA solver legitimately, you should always check the target website to make sure that using it doesn't go against the Terms & Conditions. Remember also that laws will differ depending on the jurisdiction where the website is based.
CAPTCHA The Future
The road ahead for CAPTCHA Solvers isn't certain. Security developers are becoming aware that old methods for detecting CAPTCHA solver bots such as filtering by User Agent or IP address are largely ineffective these days
Such bots can make use of sophisticated AI and machine learning algorithms but those very same tools can be used to create websites that can detect automated bots and scripts.
For instance, some websites now use behavioral analysis to detect the difference between humans and bots, such as detecting how quickly the CAPTCHA challenge is answered and how good the end user has been at solving challenges in the past.
It's also likely that more CAPTCHA challenges will become multi-modal - in other words they will require multiple inputs like both text and images to verify a website visitor as human.
There are also growing concerns about privacy protection, given that CAPTCHA services often make use of tracking services and monitor users' IP addresses. Organizations may well have to balance security with respecting website visitor's rights, as Proton has done with its new privacy-centric CAPTCHA system.
CAPTCHA Solver services themselves could adapt to these changes through a hybrid model which employs both humans and AI working together to solve new challenges.
