CAPTCHA Busters: Say Goodbye to CAPTCHAs

Did you ever get caught in a CAPTCHA black hole? No matter how many times you get a new CAPTCHA, there is always one character you’re not sure about. Is that an ‘e’ or a ‘c’ with a line through it? Is that a capital or small ‘v’? Is that a ‘one’ or an ‘l’? At some point in my battle against the CAPTCHA loop, I’ll simply give up on entering the web site, even though I know CAPTCHAs serve a purpose…or do they?

Purportedly, they exist to stop bots from getting into a website and causing various levels of mischief. Unfortunately, for the average net user, there are programs that will help bots get around these CAPTCHA barriers. Increasingly, the only users the CAPTCHAs seem to inhibit are human.

Until I began writing this article, I had no idea that CAPTCHA was an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA determines if you are human or not by making you do things that a computer (bot) cannot. This differentiation is determined by three main tests: 1) the recognition of distorted characters, 2) the recognition of characters without spaces between them, and 3) the recognition of characters by using context (as in decoding a word that they make up). Unfortunately, this Turing Test has failed. CAPTCHA decoder services boast of being able to bust 95% of CAPTCHAs and when Google tried, they did even better, managing to decipher 99.8%. At this level, it was concluded that using this defense against bots had become useless.

CAPTCHA bypass services had already figured this out. Many companies exist to help out the budding spammer. Some use optical character recognition (OCR) software while others use this plus human decoders. Due to competition, the services are relatively cheap. One of the more well-known companies offers 1,000 solved CAPTCHAs for just $1.39, but lesser known companies charge only $.40 for 1,000.

In the final analysis, bots are easily able to bypass CAPTCHAs and set up accounts on any site that they want, including Facebook.  CAPTCHA bypass software is now included in other more sophisticated and sometimes more malevolent bots. One such category of bots, which are becoming an increasing problem, are ticketbots. These bots are designed to reserve or purchase tickets online for everything from concerts, to sporting events. They can even be used to make hard-to-get restaurant reservations. These bots can be designed to start buying or reserving at specific times or whenever tickets come up for sale. By the time humans try to make purchases, the tickets have all been sold. But wait! Just go to eBay and you can probably find them for 2 or 3 times the original price, that is, if other bots haven’t already been waiting for them on eBay.

Naturally, this behavior makes humans angry. The average sport or concert fan has virtually no chance against these bots. In a number of US states, ticketbots have been outlawed. Tennessee is one of these states. So far, however, after 6 years, the number of people prosecuted under this law stands at zero. On the other hand, sales in ticketbots are booming. In fact, the competition is so intense that some vendors have lowered their prices by 50%. Many regular people, understanding the situation, have adopted the “if you can’t beat them, join them” philosophy and purchased ticketbots. It’s really the only way for the average person to get a ticket to a popular event nowadays.

Some online ticket sale sites believed they could stop ticketbots with CAPTCHAs. Unfortunately, all this did was to make the ticketbot creators include CAPTCHA busting software in the bots. CAPTCHA busting is done automatically, along with many other things. One ticketbot retailer claims that their bot will:

“…reserve multiple tickets, you can do multiple searches simultaneously on one event or multiple events with just a click of a mouse. You can use it for drop checks as well as set them for presales and onsale events. It also has an option to allow you to set the bot to start at a specific time, while you are not there and the software will start at a time and grab the tickets and notify you, if the tickets match your criteria. The bot can be customized to meet your exact needs as well.”

 In addition, the bot,

“Grabs tickets and hold for you instantly as soon as they get dropped

Grabs only particular tickets having specified section and/or row

Notify you via email/sms/sound when tickets are found

Option to automatically purchase tickets for you as soon as they are found”

 And all of this comes with an easy-to-use interface.


Is it really any surprise that these ticketbots are becoming more popular? They’re not cheap and are designed for people in the ticket resale (scalper) business. The particular bot with the above interface is selling for $990, down from $1800. My guess is that prices will go down even further as streamlined, no-frills models come online for those people who only buy tickets from time to time. Some people are building their own ticketbots for specific sport teams or events and, if you’re not good at writing programs, you can hire someone to make a bot for you at a reasonable price. There are many bots available that will do a number of things for you (you can get an idea of prices and services here) and CAPTCHAs aren’t going to prevent any of them from carrying out their assigned duties.

When Google finally realized that CAPTCHAs weren’t going to stop bots, they took matters into their own hands. Last December, they introduced a bot stopper called “noCAPTCHA reCAPTCHA”. This gives you one task when you want to enter certain websites. This is simply to confirm that you are human.


Checking the box triggers an Advanced Risk Analysis program which checks whether the behavior you displayed before encountering this box correlates with what a human would do. If there are any doubts, you will be given a more difficult task, such as identifying which animals in a set of pictures can be classified as cats. You may also get a regular CAPTCHA or a math CAPTCHA. This seems to bring up two important questions: 1) how much of your browsing history does Google need to know to make this determination and 2) if Google already can confirm you are human, why does it need to ask you this question at all?

However, the really bad news is that, by the end of December, 2014, posts began to appear on how to bypass noCAPTCHA reCAPTCHA. If true, it is only a matter of time before bots, such as ticketbots, incorporate this bypass into their programs and we’re back to square one.

This vulnerability, then, continues to expose corporations and institutions to the browsing habits of employees who persist in believing that CAPTCHA protected sites are safe. They may, in fact, be just the opposite.  Other methods, such as separating user behavior from sensitive company data at the hard drive level, must be used to protect sensitive corporate data from user browsing behavior. Keep in mind, however, that any Turing-based, CAPTCHA-style test can be busted by, of all things, humans. CAPTCHA farms exist that employ teams of humans to nothing else but decode CAPTCHAs that people send them. If it comes to the point where humans can’t decipher CAPTCHAs we have another problem; a completely inaccessible website.



About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.
This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s