Captcha is the abbreviation for "Completely Automated Public Turing test to tell Computers and Humans Apart". These automated tests are intended to distinguish computers from human users by the way they respond to a challenge during an interaction. In the late 1990s, the first practical implementations were deployed to fend off the growing number of harmful bot attacks on websites. In most cases, the user has to recognize and type in letters or numbers displayed in an image.
Indeed, the first generations of bots were barely able to clear this hurdle. But as bots improved, they solved simple captchas, so the picture puzzles became ever more complex and ever harder to answer even for humans. As a result, many real users abandon their request. On top of that, cyber criminals can easily circumvent this defensive measure. They do not even need expensive technology for it: the simplest and most popular solution is the human click farm, where people are paid to solve captchas and pass the results on to their clients. In practice it works like this: the attacking bot takes a screenshot of the captcha and sends it to the click farm via the farm's API. From there it is forwarded to one or more workers who solve it. They send the result back to the farm's central system, which forwards it to the bot, which in turn enters the correct solution on the website. The website then mistakenly classifies the bot as human, and it can proceed.
For the operator of such a click farm, the whole thing is not even clearly illegal. He can claim that he knows nothing about the criminal aims of his clients, the actual attackers. The click farm business model is quite attractive: the provider 2Captcha, for example, charges 0.75 US dollars per 1,000 conventional picture puzzles. More complex reCAPTCHAs cost $2.99 per 1,000. For the hacker clientele, these prices are a no-brainer. Click farm workers receive only a fraction of this income: $0.30 per 1,000 traditional captchas and $1.01 per 1,000 reCAPTCHAs.
This is an article from our print edition 10/2021.
Since cybercriminals can easily bypass captchas with the help of such services, companies should avoid this security measure. Even complex reCAPTCHAs are no obstacle for human click farms; instead, the complex picture puzzles only drive away legitimate users. In practice, this security approach often achieves the opposite of its original goal. Companies should therefore rely on other mechanisms, from web application firewalls to behavior-based services to two-factor authentication. These present a real hurdle for cyber criminals.