New AI research puts final nail in CAPTCHA’s coffin; alternatives needed
The Internet needs better security mechanisms, as advanced AI can break CAPTCHAs designed to prove that web actions are being performed by humans rather than machines, a new study shows.
“Current AI technologies can take advantage of advanced image-based captchas,” reads part of a new paper, “Breaking reCAPTCHAv2,” published this month by researchers at ETH Zurich University in Switzerland.
Figure: Types of CAPTCHAs (Source: Arxiv.org).
This is more of an incremental advance than new ground, as it all but confirms that advanced AI can determine which photos in a selection contain specific objects.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Previous research on breaking CAPTCHAs includes “Cracking CAPTCHAs Using Deep Learning” in 2022 for text-based systems. For how automated deep learning-based solutions can crack visual CAPTCHA tests, see the 2020 paper “Deep-CAPTCHA: A deep learning-based CAPTCHA solver for vulnerability assessment.”
Meanwhile, the new paper, written by Andreas Plesner, Tobias Vontobel, and Roger Wattenhofer, says, “Our research examines the effectiveness of employing advanced machine learning techniques to resolve captchas from Google’s reCAPTCHAv2 system.”
This is just one of several CAPTCHA systems on the market.
“We utilize an advanced YOLO model for image segmentation and classification to assess the effectiveness of automated systems for resolving captchas. Our main results are [...] Additionally, our findings suggest that there is no significant difference in the number of challenges humans and bots must solve to pass a captcha with reCAPTCHAv2. This means that current AI technology can take advantage of advanced image-based captchas. We also looked inside reCAPTCHAv2 and found evidence that it relies heavily on cookies and browser history data when evaluating whether a user is a human.”
In fact, previous related work, as described in the May 2024 paper “Oedipus: LLM-enchanced Reasoning CAPTCHA Solver,” reported lower effectiveness in defeating CAPTCHAs: “Our evaluation shows that Oedipus effectively solves the studied CAPTCHAs and achieves an average success rate of 63.5%.”
The new paper from ETH Zurich does not provide a useful list of recommendations to address this issue, but it does urge further research to “prioritize the development of captcha systems that can adapt to the complexities of artificial intelligence or explore alternative methods of human validation that can withstand technological progress.”
However, since this issue has been known for years, there are at least useful checklists of CAPTCHA alternatives, such as “Top 6 CAPTCHA Alternatives That Will Not Frustrate Users.” This list comes from Akismet, which offers its own product, and other alternatives include honeypots, time-based form submissions, and improved or reimagined CAPTCHA systems. In fact, reCAPTCHAv3 already exists.
Another improved CAPTCHA system was presented in the 2023 paper “New Cognitive Deep-Learning CAPTCHA,” which states: “In this work, the authors apply characteristics of text-based, image-based, and cognitive CAPTCHAs, as well as adversarial examples and neural style transfer.”
Beyond improved CAPTCHAs and the options listed in Akismet’s article, there are also alternatives such as multi-factor authentication (MFA), biometrics, and bot protection software.
Some specific commercial examples (with some vendor descriptions) are:
Cloudflare Turnstile: This employs non-intrusive challenges to verify user authenticity without displaying traditional puzzles, maintaining the user experience while increasing security, and can be seamlessly integrated into any website.
DataDome: An advanced bot protection solution that operates in real-time to detect and mitigate automated threats. By analyzing user behavior and leveraging machine learning, DataDome provides robust security without relying solely on traditional CAPTCHAs. The site also lists the other alternatives mentioned above, including MFA, web application firewalls (WAF), anti-spam plugins, and the popular honeypot.
hCaptcha: Features include passive and No-CAPTCHA modes and server-side API protection, and it is available in different editions.
Friendly Captcha: This replaces traditional CAPTCHAs with tasks that are solvable for humans but difficult for bots, emphasizes user privacy, and provides an accessible approach to distinguish between human and automated traffic. It is described as the preferred alternative.
Of course, advanced AI is advancing rapidly, so it remains to be seen how long the shelf life of current alternatives will be. Things are moving quickly, and the industry is still deciding what to do about AI bots that defeat CAPTCHAs, but that is happening in the context of addressing much broader issues arising from runaway technology, such as human extinction. Stay tuned.
About the author
David Ramel is an editor and writer at Converge360.