How do "click here if you're not a robot" buttons from ReCaptcha work?

We’ve all seen them. “Click here if you’re not a robot”. How do they work, exactly? We really can’t train a computer to click a button that says they’re not a robot?

It’s Asimov’s Fourth Law: A robot may not click a Captcha box that says “I am not a robot” unless not doing so would violate one of the first three laws.

Actually, I suspect that it’s not that a bot can’t be trained to click such a button, but that the simplest ones just aren’t. Kind of like having an easily pickable lock vs. none at all.

At least those are better than the “click on every photo with a bus in it” checks. Half the time, I can’t even make out what’s in the tiny photos.

Now I’m feeling guilty for joking in the first answer to an FQ question, so here’s a serious cite:

They don’t go into detail about how it works—maybe on purpose, to help preserve their effectiveness.

I got one of those click here ones, but cut/paste and opened that page on a different browser and it came up with one of the normal Captcha ones to solve. So I assume it does monitor page behaviors.

Okay. Related question.

If captchas work so well, how come we’re still competing with bots for expensive PlayStations whenever they come in stock?

Those I’ve seen recently usually pop up a box where you have to select the three (it’s virtually always three) pictures with bicycles or chimneys or something.

I wonder how easy it is for bots to detect that there is actually a captcha on the screen. AIUI, they won’t be able to just look at an image of the screen, but perhaps I’m wrong here.

The “check this box” captchas work by measuring things like the path the cursor takes to get to the box or how your finger presses it on a mobile screen. Bots have trouble with the random movements of humans.

I had one the other day that was ‘Click all the photos of lions that have manes.’ I wonder what they’re using this data for.

They’re not checking if you can click the button. They’re checking whether or not your browser fingerprint looks like a real person. Google’s ReCaptcha is probably the most common, and it can look at all of your Google cookies to see if you seem like a real person. It can also just use what data it can scrape to identify you, so that it will know if you suddenly start clicking 500 times on stuff.

If this preliminary check fails, that’s when you get the more complicated CAPTCHAs that ask you to find a particular object in an image, identify which images contain an object, insert a puzzle piece, etc. Those work just like the older ones that had you type words: they give you a task that a computer can’t complete quickly.

As for what happens with buying consoles and other stuff? Many if not most aren’t really relying on bots. Scalpers make enough money to essentially hire people to solve CAPTCHAs for them (or use a service that provides such). Combine that with the number of people compulsively clicking, and stuff sells out fast. If it was just letting bots through, the compulsive clickers would never get through.

Sexing lions, of course. :wink:

Of course! It’s for the next-gen, self-driving safari buses.

The original developer of Captcha spoke at my lab a number of years ago and said they were in a constant arms race with both bots and cheap labor.

At the time many of the text prompts (and I assume many of the traffic light photos now) were in fact being used to train their AIs to be better at recognizing ambiguous images. They figured that as long as their adversaries were going to throw that many resources at defeating captcha that they might as well get some work out of them.

Although this is a common explanation, I’m dubious.
If it’s possible for an algorithm to tell the difference between a human moving a mouse, and a computer, then it should be trivial to invert the algorithm and generate mouse movements which appear human.

Trivial enough. But for the basics of filling in web forms, creating a crappy bot that doesn’t do that fancy stuff is a lot easier. Remember all this low level cyber-vandalism is a very low margin business where cheap and half-assed is the order of the day.

Over time the websites’ defenses have gotten better. So the bad guys have gotten better too. But often it’s easier for them to simply move on to other less defended websites.

I still say, like a lot of people, that the mouse tracking thing was never actually part of it. That was just a bit of misdirection to hide how it actually worked.

Then why do they make the user click anything at all?

Is this my one new thing to learn for today - that when I go click on “I am not a robot” box, the website can see/track my mouse movement details?

Yes, and other behaviors that Google uses to determine you’re not a robot. If you go to one of those sites that has ReCaptcha using an incognito window, you’ll get the pictures to pick out. At least, that has been my experience.