A breakthrough in AI solves CAPTCHAs better than most humans

You’ve surely seen it before: a garbled string of letters and numbers that you retype before leaving a comment on a blog post. It’s a test called CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart, and it exists to separate the flesh-and-blood folks from the spambots. 

A test so simple could hardly be called foolproof. But now a Silicon Valley–based startup called Vicarious claims it’s created an artificial intelligence program so advanced it can solve CAPTCHAs with accuracy that, in many cases, approaches 100 percent. “Our mission is to work on algorithms that mimic the visual functions of the human brain,” said Vicarious CEO D. Scott Phoenix, “and along the way, we just happened to find a way to solve CAPTCHA.”

Using automated means of solving CAPTCHA is nothing new—programmers have been plugging away at it for nearly a decade. The methods employed by those earlier programs often used relatively narrow tricks to beat the tests. For example, one of the first such programs exploited the fact that most CAPTCHAs at the time used a consistent number of pixels for each character, but the exact count of those pixels varied from one character to the next. The letter A always comprised one number of pixels, whereas the letter B always had another number. The algorithm worked by simply tallying the pixels.

Phoenix explained that Vicarious’s program, on the other hand, functions by understanding the simplest aspects of a given picture (namely lines) and then gradually building up in complexity to larger and larger shapes. This process allows it to incorporate the ways in which each letter or number can vary while still remaining within the overall category for that character. The ability to deal with that variance is crucial because the characters in modern CAPTCHA bend and overlap with each other in random ways that are relatively easy for humans to decode but are typically problematic for computers.

Check out this video of Vicarious in action, beating CAPTCHAs on sites like Yahoo and PayPal:

Phoenix boasted that Vicarious’s new method has yielded a success rate of over 90 percent when going up against virtually all of the text-based CAPTCHAs in wide use. Conversely, efforts to create CAPTCHA-crushing programs by a team of Stanford researchers resulted in only a 25 percent success rate.

Dr. Luis von Ahn, the MacArthur “Genius Grant”–winning Carnegie Mellon University computer science professor who was on the team that created CAPTCHA over a decade ago, remains skeptical of Vicarious’s high success rate. After watching an online video of the program in action, he speculated its claims may be “a bit exaggerated.”

Von Ahn, who sold a system he developed called reCAPTCHA to Google in 2009, noted that a team at the Mountain View tech behemoth created a program that could beat reCAPTCHA with some regularity. He recalled that the creation of the program led to an internal debate about whether the test should be made significantly more difficult. The company ultimately decided to leave reCAPTCHA as it was because making the test tougher for computers to solve by adding more distortion to the text would inevitably increase the failure rate for humans.

“You want to make it so humans can do it 95 percent of the time,” noted von Ahn. “It’s not such an easy balance to strike.”

Additionally, the team at Google understood they were far more technologically sophisticated than the vast majority of people who would use CAPTCHA-breaking technology to flood blog comments sections with advertisements for sketchy medications and sucker-baiting get-rich-quick schemes. That’s because most advances in programs to beat CAPTCHA have come out of the “white hat” community—groups of computer programmers who devise ways to beat security systems not out of a nefarious pursuit of personal profit, but out of a genuine desire to ultimately make those systems more secure.

In a similar vein, Vicarious, which is funded by Facebook cofounder Dustin Moskovitz’s philanthropic for-profit investment firm Good Ventures, has no plans to sell the program to spammers. In fact, any attempts at monetization are not only years off, but likely won’t involve beating CAPTCHAs. Instead, Phoenix insists, Vicarious has far bigger fish to fry.

Vicarious’s system can presently do things like handwriting recognition and scanning text from books. In the future, the possibilities may be virtually limitless. Phoenix predicted the program could eventually have applications like quickly scanning an X-ray to determine if someone has cancer or looking at a picture of a plate of food and automatically spitting out its caloric content. “Anything humans can do with their eyes, this program can help with,” he said.

While Vicarious’s software may never fall into the hands of spammers, company CTO Dileep George called the ubiquity of similar software at some point in the future a virtual inevitability. “Eventually computer programs will evolve and replicate everything that humans do,” said George. “So people will ultimately need to come up with alternate methods of verification.”

There are already companies developing new forms of CAPTCHA well beyond the standard “what does this text say?” format. Detroit-based startup Are You Human has a system that requires users to beat a simple game in order to prove their humanity. Are You Human’s CAPTCHA technology is used for verification by companies like Quicken Loans and has already racked up more than 2 million games.

These sorts of game-based CAPTCHAs, which are even more difficult for computers to solve than text-based ones, are also vulnerable to a considerably more old-fashioned form of sabotage. The service Death by CAPTCHA employs human beings to do wave after wave of CAPTCHAs, no matter their form, for bargain-basement prices.

Developing complex machine-learning systems like Vicarious is expensive and time-consuming, whereas Death by CAPTCHA charges a mere $1.39 to solve 1,000 of them (as the website insists, for research purposes only). At the end of the day, the most efficient way to beat tests determining if a user is human may just be to pay humans to take the tests.

Aaron Sankin

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.