Stopping PokePocalypse: save Pokemon Go with FunCaptcha techniques

In a previous post, we broke the news that hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. That post explains on a high level how FunCaptcha can prevent the damage without affecting average players at all. This post gets into more technical details.

How many Pokemon Go bots are here, and how do they work?

Sites that point to bot installers:

Videos showing bot software from install to run:
Bonus: This guy has a super charming accent!

Discussion groups devoted to botting:

When should a FunCaptcha appear in the game?

This analysis by leading application testing company BugCrowd puts a finger on it: “Trading is going to have a huge impact due to bots. Maybe implement level requirement so Niantic has a data threshold to ban bots.” We extend this idea by saying that FunCaptcha should appear in the gray area between tolerance and the banning threshold.

For example, keep a running suspicion score per user. Raise the score when a time slice contains a highly implausible gain in XP, items, captures, wins, or the like. Drain the score over time so merely lucky players don’t remain suspicious. When the suspicion score crosses a threshold, and the user is not in the middle of something, and there has not been a challenge shown for a while, then show a single FunCaptcha challenge. If it is solved, suspicion is lowered. If not, suspicion is raised. Only when suspicion continues to climb should the user be suspended or banned.

The data threshold is simple and objective, but it can risk being accidentally too strict. This is okay because the consequent challenge is a minor inconvenience to a small number of super-high-performing players– far better than a sharp binary division of users between allowed and banned, which causes problems no matter where that line gets drawn. If the challenge is successfully solved, the developer has feedback that maybe the threshold was too strict, and needs a bit more tuning.

A user (or for that matter, a very tame bot) advancing at anywhere close to the speed of a normal user would never see the challenge.

Everyone hates CAPTCHAs, why is this not end of conversation?

Bad old CAPTCHAs are everywhere, but the new techniques demonstrated by FunCaptcha show real progress. We have proven that legitimate users can solve a well-made challenge, in seconds, with a 99% success rate, in a playful and appealing way.

Online games have always had bots, so why worry?

So what is the difference between bots in Pokemon Go and bots in many other games? We all know bots have been around a long time. For example, MMOs have long endured bots automatically “farming” in-game advancement. Why is Pokemon Go really different? Other games survived bots, so why panic about Pokemon Go and other AR games on the way?

This is the first big game that has new gaps between what the server can possibly know about its players, and what its players are actually doing as input. Exploiting that gap, bots do more damage while being harder to detect. This is for a few key reasons that differ between, for example, an MMO bot and a Pokemon Go bot.

MMO bot Pokemon Go bot Gap
Speed that the avatar can possibly move through the world is known to the server, and everyone pretty much moves at this maximum. Speed that the avatar (a real human) can possibly move through the (real) world is high, but everyone almost always moves well below this maximum. A Pokemon Go bot moving at a speed much faster than an average human gets a big advantage… but can’t be outright banned, because it still might actually be a human.
An avatar always has to be realtime connected to the server, and as it moves, every bit of its movement is tracked on the server. An avatar (a real human) can disconnect from the server (the app is off) and later reappear far away, plausibly after flying or driving there. How large a jump, done how often, is enough to ban? What algorithm can effectively make a binary division between allowed and banned?
When an avatar has obstacles (mountains, buildings, walls, etc) preventing it from directly reaching resources, all obstacles are known to the server. The avatar usually has a lot of obstacles (cars, crosswalks, buildings) slowing it down that the server does not know about. But the avatar might not have those obstacles, and can’t be blamed for moving at a brisk walk from one point directly to another and gathering the resource. Another binary division can go very wrong. How efficient can an avatar be at gathering before a ban? What if a ban hits someone lucky enough to be free of obstacles for a while?

These gaps are much larger for Pokemon Go and the coming wave of AR games than it has been for any other popular digital game ever made. A Pokemon Go bot can (and does) advance many times more quickly than nearly any human player, but can’t be banned in case it actually is a dedicated human. This means the impact both of the abuse, and of misfired ways of stopping the abuse, is vastly larger than any other game has suffered.

Won’t hackers make their bots operate at a speed just below the activity threshold?

The measures described here will limit the bots to a tiny fraction of their current speed, making the impact on the game economy and competition minimal.

Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower– that is victory when dealing with automated abuse.

Won’t hackers keep an eye on their bots and solve challenges manually?

If the bot is advancing superhumanly fast, and therefore gets a challenge once in a while, a human operator of the bot who is watching out can indeed solve it manually and keep the bot going. However this costs a bit of the most irreducible thing on the Internet: human attention. That user could not run multiple high-speed bots 24/7 as is presently the case. A speed bump won’t stop a bike, but it sure will mess up a rocket car.

How can FunCaptcha techniques adapt to fit smoothly into Pokemon Go?

FunCaptcha poses challenges that tap into innate human powers of visual recognition, but are impractical for computer programs to solve. This can be as simple as turning an image the right way up, or as complex as proprietary techniques we are developing for a wide variety of systems. The challenge built into Pokemon Go may hardly appear to be a CAPTCHA at all– it will be just another brief, fun activity players do for a reward.

Bot writers are saying they won’t write bots that fight in gyms, so the damage won’t be that bad…

This voluntary self-limitation won’t last. This thread is a good example of how a downward spiral of reasoning leads to that next inevitable step. UPDATE: As predicted, it’s probably happening now.

It is too late to save Pokemon Go?

No! Present bot activity levels are nothing compared to what will build up over time, so immediate action will stop the worst damage. Also, as the game is expanded, it will add new resources, new currencies, and new pillars and tiers of the advancement economy. These will be free of the stain of today’s bot abuse, if it is stopped now.

Besides, this discussion is not just about the first, revolutionary game in this genre. Sequels will come. Other games will follow the stunning success of Pokemon Go. Working on bot-reducing measures now will stop the rot from spreading.

Who is Boris?

To get attention for this urgent issue, we did a silly thing: we made a video that lots of people would share. This worked amazingly well. Take a look and share it yourself to shine a spotlight on this problem!

Leave a comment

Our Clients