These riddles are designed to let you buy concert tickets or sign up for Netflix but keep out someone who is using computers to hammer a bank website with bogus credit card applications or employing rapid-fire software to buy video game consoles before you have a chance.
The problem is that Captchas don’t do a great job stopping bots. And for the rest of us, they waste time and harvest our personal information.
Captchas persist partly because there haven’t been better options to stop fraud or automated software. Finally, though, there are more technologies coming to put Captchas on their deathbed.
One basic premise behind the Captcha-killers backed by companies including Apple is that instead of you solving a puzzle, your computer must solve challenges to prove you’re human. You don’t have to do anything.
Captchas are a tiny annoyance, but they’re also one more stodgy technology that’s making your life harder, not easier. Like online passwords and app stores, Captchas have a good reason to exist, but they have clung to life long after the drawbacks outweighed the benefits.
Let’s talk about why Captchas persist to annoy you, and why there’s hope they might slowly die.
Why Captchas are so terrible
The goal of Captchas is to prove that you’re a human by doing a task that (in theory) only a person can do.
The simplest version of a Captcha is a box you check that says, “I am not a robot.” The complicated versions of a Captcha are diabolical:
While Captchas can be tough for humans, they aren’t so effective at proving humanness.
The more people and machines find ways to get around Captchas, the harder companies have made them. This creates a doom loop of irritation that might drive you away from buying stuff or accessing your accounts.
Forter, which helps retail websites stop fraud, said that for every dollar a business loses to bogus transactions, it turns away $30 by mistakenly blocking or discouraging legitimate customers, including through use of Captchas.
“Captchas have been broken to some extent for a long time,” said John Graham-Cumming, chief technology officer of the security firm Cloudflare.
Cloudflare’s data shows that people take 25 seconds on average to solve a Captcha. “They’re a hell of a waste of time,” Graham-Cumming said.
Captchas also compromise your privacy. When you run across a Captcha, the technology might keep a permanent record of your phone or computer identity that can track everywhere you go online.
They also tend to be difficult for people with low vision or other disabilities.
The potential Captcha killers are here
What’s changing are newer approaches that don’t make you prove to a computer that you’re human — which, let’s face it, is a silly idea.
Instead, machines back channel to one another to sort out who is a legitimate web visitor and who isn’t.
If you’re trying to buy tickets to a football game, for example, throwing a Captcha at you is a traditional way to stop people from using software to hoard tickets.
Instead, Graham-Cumming said, the ticketing company’s computer systems might challenge your web browser to draw a random piece of text.
It might then look for clues in the small differences in fonts between the Chrome web browser on a Mac and Windows computer that signal a browser is being controlled by automated software and not a real person.
Humans also fiddle with a computer mouse or move around a touch screen phone in a “very human way,” Graham-Cumming said, so the ticketing computer might scope out how the cursor is moving.
Apple says a ticketing app might also detect whether you’re logged in to your Apple account and therefore the ticket buyer is more likely to be an individual rather than automated software.
The best-case scenario is that all this happens without you doing anything. The computer on the ticketing end is making a yes-or-no assessment about whether the computer on your end is exhibiting bot-like behavior.
There’s also separation between you and the ticketing website to keep your identity and information private.
Carlos Alvarez, the chief technology officer of Ticketmaster, said the ticket seller also uses machine-to-machine scoring systems to sort out legitimate ticket buyers from scalpers using software.
Alvarez wouldn’t spill details on exactly what computer signals the ticketing service uses to distinguish bots from the rest of us. He said no technology on its own will stop ticket bots.
There will be ways around these non-Captcha technologies, too. As long as locked gates have existed on the internet, people have found ways to go around or through them.
The challenge is to strike a balance between making it easy for you to buy tickets while putting up roadblocks to fraudsters or hoarders. Captchas aren’t striking the right balance anymore.
“Captchas are such a nightmare for people that something better had to come along,” Graham-Cumming said.
If you’re wondering whether there’s anything you can do to see fewer maddening Captchas … sorry, not really.
The websites and apps you use are the ones that determine whether you see a Captcha and what form it takes.
Experts in online security told me that if you’re using technologies intended to shield your online activity such as a virtual private network (VPN) or Apple’s iCloud Private Relay, you might see more Captchas.
You may also be more likely to hit Captchas on less sophisticated websites than on large sites that have smarter ways to verify you’re a legitimate customer.
And if you’re wondering, as I did, why the image-picking Captchas always seem to ask you to identify snapshots of the same handful of items like bicycles, buses and motorcycles, it’s because those images are taken from Google’s Street View. (Google owns popular Captcha-generating technologies.)
Bicycles and motorcycles are seen on public streets, and people (mostly) recognize them no matter what country they’re from, said Dan Woods from online security firm F5 Inc. (Woods once worked on a Captcha-solving click farm and wrote about it.)
And when we solve Captchas like the ones that ask us to identify images of buses, we are training corporations’ AI systems.