AI Bots Beat CAPTCHAs Better Than Humans, Leaving Websites Vulnerable

Researchers from the University of California found that AI bots can now successfully beat CAPTCHAs – security measures used to separate humans from bots online – and are even better and much faster at it than people, according to a new study.

A preprint of the research paper published recently on arXiv says the AI programs were able to solve CAPTCHAs with 15% greater accuracy than humans. To do this, the bots imitated how the human brain and vision work.

As a result, researchers say, the systems could perform many of the tasks once thought to be the exclusive domain of humans. Scientists are worried this could leave websites that depend on the tech vulnerable to spam and other malicious activity.

Smarter AI bots

The study was carried out by a team of researchers including three from the University of California, Irvine, and one each from ETH Zurich, Microsoft, and the Lawrence Livermore National Laboratory. It is titled, “An Empirical Study & Evaluation of Modern CAPTCHAs.”

“The bots’ accuracy ranges from 85-100%, with the majority above 96%. This substantially exceeds the human accuracy range we observed (50-85%),” the research paper read.

“Furthermore the bots’ solving times are significantly lower in all cases, except reCAPTCHA, where human solving time of 18 seconds is nearly similar to the bots’ time of 17.5 seconds.”

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a technology used to protect websites from fraud and abuse. CAPTCHAs typically present users with a challenge that ideally should be easy for humans to solve, but hard for bots.

Examples of CAPTCHAs used for the study.

For example, a CAPTCHA might ask users to identify distorted text, select squares with a car, or to complete a simple math problem. The tech is designed to be effective at preventing AI bots from accessing websites, but it can also be frustrating for humans to use.

In 2019, Google replaced CAPTCHA with an advanced version called reCAPTCHA, which is meant to be difficult for bots to break.

However, the team’s technical lead Aaron Malenfant says the tech will no longer be viable in 10 years’ time due to better technology that allows the Turing test to run in the background, as Quartz reported.

‘Unloved’ CAPTCHAs

For their study, the researchers selected more than 1,000 people to test websites that used CAPTCHA challenges. Such websites account for 120 of the world’s 200 most popular websites, as ranked by the Alexa Top websites list.

Participants were asked to solve 10 different types of CAPTCHAs, including identifying boats and chimneys, rotating images, ticking a checkbox, and typing distorted text. The study was done on Amazon’s crowdsourcing platform MTurk.

According to the research paper, humans take longer to solve CAPTCHA puzzles compared to AI programs when placed in a more natural setting. In such an environment, humans will complete a puzzle in 22 seconds, while the average AI bot solving time is 17.5 seconds.

“We do know for sure that they [the tests] are very much unloved. We didn’t have to do a study to come to that conclusion,” Gene Tsudik, one of the study’s researchers, told the New Scientist.

“But people don’t know whether that effort, that colossal global effort that is invested into solving CAPTCHAs every day, every year, every month, whether that effort is actually worthwhile.”

Could digital IDs curb Web3 threats?

As AI becomes more advanced, it will become increasingly difficult to distinguish between real and fake identities, according to experts. That may already be happening, as the CAPTCHA study demonstrates.

Artificial intelligence also has the potential to undermine the security and privacy of digital identities. As one example, it can be used to create deepfakes, realistic but fake images or videos used to impersonate someone else, including their voice.

Some companies such as Polygon, Identity Labs, and Worldcoin are now trying to address those threats by building blockchain-based digital identities. Worldcoin is pushing ahead with its World ID system, which collects unique biometric data by scanning human irises.

Identity Labs recently launched NFID, a decentralized identity and login tool that does not require a password, allowing users to verify their identity by linking their phone number to their account.

Experts say digital identity is the cornerstone of web3 and the metaverse, as it enables trust and security in decentralized systems. Digital IDs can take two forms. The first is a digital version of an official physical ID document, like a passport, stored on a mobile crypto wallet.

The other is a credential for accessing online services such as DeFi apps, NFT marketplaces, and other web3 services. In both cases, digital IDs are used to verify the identity of the user to ensure they have the required permissions to access services or perform certain actions.

Image credits: Shutterstock, CC images, Midjourney, Unsplash.