The principal barrier against automated abuse and spam are CAPTCHAs. They are the custodian of every website and app, deputed to tell human users and spammers apart.
The most common type of CAPTCHA challenges the user to type an obscured sequence of letters or digits that appear on the screen, or to discern abstracted images in a grid. For some, an encounter with a CAPTCHA is frustrating because everyday work is slowed down by distorted words that are difficult to read. However, to the diverse group of users who rely on assistive technology, this rudimentary user-identification procedure is chronically inaccessible. The Internet is a place for everyone, and yet many of its corners remain closed to the very people it intends to serve.
Now, as the world becomes increasingly more connected, it is both our privilege and duty to ensure that all people are given equal opportunity to be a part of the online community. FunCaptcha is committed to providing these opportunities; championing accessibility support to position FunCaptcha as the most accessible CAPTCHA available on the market, in line with Section 508 Standards.
Accessibility Support in FunCaptcha
FunCaptcha controls include a text alternative.
This allows instructions and controls to be read by screen readers.
FunCaptcha provides an audio alternative.
This allows users with vision impairment to complete verification by listening to a sound file.
This ensures all content and functionality is both accessible to, and controllable by, assistive technology.
FunCaptcha does not require any additional apps or plugins to be completed.
This means the normal functionality is natively available to the user agent (browser) on-the-spot.
FunCaptcha is navigable without a pointing device.
This allows controls to be tabbed through on desktop, as well as touched on mobile.
FunCaptcha does not use repetitive navigation links.
This ensures instructions and controls are placed in their focus order, and users begin at the main content.
We will always strive to ensure the verification experience of FunCaptcha remains accessible to people of all abilities. We’re also mindful that accessibility standards can be challenging to get right for everyone, so we’ll be paying close attention to feedback from our diverse group of users. If you’d like to suggest an improvement, or request additional support, we’d love to hear from you.
Today people have started seeing this message in Pokemon Go: “You’re going too fast! Pokemon Go should not be played while driving”.
This matches a prediction we made in a previous post, that as Niantic tries to limit the damage done by bots, they will start to monitor and challenge users who have a particular suspicious behavior pattern. But in the play experience of us and others, this appears as a false positive: we were playing the game normally. It’s impossible to draw a sharp line like this without mis-categorizing either bots or humans. This illustrates the point made in our earlier post about how game developers need to use FunCaptcha techniques to avoid the binary separation of users into totally permitted and totally prohibited, filling in the gap between those extremes with FunCaptcha.Niantic briefly stopped bots by encrypting its API. However, as we predicted, unfortunately this brought only temporary relief and now the bots are back. This Ars Technica article has a good summary of that.
In a previous post, we broke the news that hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. That post explains on a high level how FunCaptcha can prevent the damage without affecting average players at all. This post gets into more technical details.
How many Pokemon Go bots are here, and how do they work?
Sites that point to bot installers:
Discussion groups devoted to botting:
When should a FunCaptcha appear in the game?
This analysis by leading application testing company BugCrowd puts a finger on it: “Trading is going to have a huge impact due to bots. Maybe implement level requirement so Niantic has a data threshold to ban bots.” We extend this idea by saying that FunCaptcha should appear in the gray area between tolerance and the banning threshold.
For example, keep a running suspicion score per user. Raise the score when a time slice contains a highly implausible gain in XP, items, captures, wins, or the like. Drain the score over time so merely lucky players don’t remain suspicious. When the suspicion score crosses a threshold, and the user is not in the middle of something, and there has not been a challenge shown for a while, then show a single FunCaptcha challenge. If it is solved, suspicion is lowered. If not, suspicion is raised. Only when suspicion continues to climb should the user be suspended or banned.
The data threshold is simple and objective, but it can risk being accidentally too strict. This is okay because the consequent challenge is a minor inconvenience to a small number of super-high-performing players– far better than a sharp binary division of users between allowed and banned, which causes problems no matter where that line gets drawn. If the challenge is successfully solved, the developer has feedback that maybe the threshold was too strict, and needs a bit more tuning.
A user (or for that matter, a very tame bot) advancing at anywhere close to the speed of a normal user would never see the challenge.
Everyone hates CAPTCHAs, why is this not end of conversation?
Bad old CAPTCHAs are everywhere, but the new techniques demonstrated by FunCaptcha show real progress. We have proven that legitimate users can solve a well-made challenge, in seconds, with a 99% success rate, in a playful and appealing way.
Online games have always had bots, so why worry?
So what is the difference between bots in Pokemon Go and bots in many other games? We all know bots have been around a long time. For example, MMOs have long endured bots automatically “farming” in-game advancement. Why is Pokemon Go really different? Other games survived bots, so why panic about Pokemon Go and other AR games on the way?
This is the first big game that has new gaps between what the server can possibly know about its players, and what its players are actually doing as input. Exploiting that gap, bots do more damage while being harder to detect. This is for a few key reasons that differ between, for example, an MMO bot and a Pokemon Go bot.
|MMO bot||Pokemon Go bot||Gap|
|Speed that the avatar can possibly move through the world is known to the server, and everyone pretty much moves at this maximum.||Speed that the avatar (a real human) can possibly move through the (real) world is high, but everyone almost always moves well below this maximum.||A Pokemon Go bot moving at a speed much faster than an average human gets a big advantage… but can’t be outright banned, because it still might actually be a human.|
|An avatar always has to be realtime connected to the server, and as it moves, every bit of its movement is tracked on the server.||An avatar (a real human) can disconnect from the server (the app is off) and later reappear far away, plausibly after flying or driving there.||How large a jump, done how often, is enough to ban? What algorithm can effectively make a binary division between allowed and banned?|
|When an avatar has obstacles (mountains, buildings, walls, etc) preventing it from directly reaching resources, all obstacles are known to the server.||The avatar usually has a lot of obstacles (cars, crosswalks, buildings) slowing it down that the server does not know about. But the avatar might not have those obstacles, and can’t be blamed for moving at a brisk walk from one point directly to another and gathering the resource.||Another binary division can go very wrong. How efficient can an avatar be at gathering before a ban? What if a ban hits someone lucky enough to be free of obstacles for a while?|
These gaps are much larger for Pokemon Go and the coming wave of AR games than it has been for any other popular digital game ever made. A Pokemon Go bot can (and does) advance many times more quickly than nearly any human player, but can’t be banned in case it actually is a dedicated human. This means the impact both of the abuse, and of misfired ways of stopping the abuse, is vastly larger than any other game has suffered.
Won’t hackers make their bots operate at a speed just below the activity threshold?
The measures described here will limit the bots to a tiny fraction of their current speed, making the impact on the game economy and competition minimal.
Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower– that is victory when dealing with automated abuse.
Won’t hackers keep an eye on their bots and solve challenges manually?
If the bot is advancing superhumanly fast, and therefore gets a challenge once in a while, a human operator of the bot who is watching out can indeed solve it manually and keep the bot going. However this costs a bit of the most irreducible thing on the Internet: human attention. That user could not run multiple high-speed bots 24/7 as is presently the case. A speed bump won’t stop a bike, but it sure will mess up a rocket car.
How can FunCaptcha techniques adapt to fit smoothly into Pokemon Go?
FunCaptcha poses challenges that tap into innate human powers of visual recognition, but are impractical for computer programs to solve. This can be as simple as turning an image the right way up, or as complex as proprietary techniques we are developing for a wide variety of systems. The challenge built into Pokemon Go may hardly appear to be a CAPTCHA at all– it will be just another brief, fun activity players do for a reward.
Bot writers are saying they won’t write bots that fight in gyms, so the damage won’t be that bad…
It is too late to save Pokemon Go?
No! Present bot activity levels are nothing compared to what will build up over time, so immediate action will stop the worst damage. Also, as the game is expanded, it will add new resources, new currencies, and new pillars and tiers of the advancement economy. These will be free of the stain of today’s bot abuse, if it is stopped now.
Besides, this discussion is not just about the first, revolutionary game in this genre. Sequels will come. Other games will follow the stunning success of Pokemon Go. Working on bot-reducing measures now will stop the rot from spreading.
Who is Boris?
To get attention for this urgent issue, we did a silly thing: we made a video that lots of people would share. This worked amazingly well. Take a look and share it yourself to shine a spotlight on this problem!
Hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. Instead of walking around catching Pokemon and items, lazy hackers scoop them up without getting out of bed. In the past few days this has been getting a lot of attention from gaming site Polygon, popular site Vice, tech site Ars Technica, and more.
UPDATE: Polygon spoke with us about Pokémon Go bots ruining the game, and how our unique CAPTCHA can stop them with visual puzzles that blend into normal gameplay.
Why should we care? This abuse floods the in-game economy and out-competes real players– the world’s first level 40 player is a bot. Real players get no chance to win at competitive Pokemon “gyms”, so the game’s main goal is ruined by the cheaters. This threatens to pop the bubble of the most popular game app ever made. Listen to this guy, who I found after just a few minutes of asking around. His friend is using a Pokemon Go bot right now, and he’s mad about it:
The game’s developer Niantic made a similar game, called Ingress, that is being attacked the same way. In the effort to stop bots, the company banned suspected cheaters, but their inexact method also banned honest players, causing a huge uproar. History repeats with Pokemon Go, at a scale many thousands of times greater.
We propose that Pokemon Go should embed a simple, playful CAPTCHA to catch cheater bots while leaving real players unaffected. CAPTCHA is any kind of digital activity that only humans can complete, to distinguish between people and programs. FunCaptcha protects major game and social sites and apps against millions of bot attacks per day.
Will I have to solve a CAPTCHA as I play Pokemon Go?
No you won’t. FunCaptcha would pop up in the game only for players who are beyond the upper limit of how fast a human could possibly be progressing. This is a fuzzy line, and super-devoted players should not get banned on a whim, so the gray area gets filled by FunCaptcha. Even if a hugely successful real player has a great day and sees a FunCaptcha, he or she will be able to solve it in seconds, having a bit of fun doing it, and even get a little in-game reward for their trouble, like getting a bonus PokeStop.
Won’t hackers make their bots operate at a speed just below the activity threshold you set?
We have learned a lot about hacking over the years and see this as a victory, not a problem. Even if hackers stay just on the safe side of the line, that will limit the bots to a fraction of 1% of their current speed, making the impact on the game economy and competition minimal. To give up because hackers are slowed instead of stopped is like saying, “Some marathon runners buy really expensive sneakers to give them an edge, so let’s scrap all the rules and let runners wear rocket skates.”
Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged with a FunCaptcha, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower– that is victory when dealing with automated abuse.
It is so easy to see how to turn a Pokemon the right way up– why can’t a bot do it?
The human brain has amazing powers of pattern recognition. What you find very easy (like seeing that this is a Picachu and you know which way to stand it upright) is hard for a software program. It’s not impossible, but the kind of work and intelligence it takes to write and train a program to recognize Pokemon is much better spent on an activity far more profitable than Pokemon Go abuse. These are PhD-level challenges, and need more than a fast-food wage to justify the work.
By protecting thousands of sites and apps, our development team has overcome all kinds of challenges. Some of the things we know about how to complicate “machine vision” attacks are secrets we can’t share here. For proof, witness the years of attacks we have overcome.
Why say that competing at gyms the main goal in the game, over catching Pokemon?
We hear from many players who feel their interest waning because gyms are hopeless. Every gym we try leaves us with no XP and no effect on the big battle. Lately we are playing less because we think, what’s the point? Without a reason to even try a battle, we don’t get to see our beloved little creatures do what they are made to do.
After all, the original Pokemon show had at least one battle in every 30-minute episode. The Pokemon card game was all about fighting. The Pokemon games on the Nintendo GameBoy had battle after battle. The generation who grew up with Pokemon battled a lot in every kind of game so far. Now, it seems like nobody we know ever gets to win at any battle, and we are all getting disheartened.
Another way to think about it is how many of Pokemon Go’s game assets and features have to do with fighting. Tap a Pokemon in the game and see nothing but stats that have something to do with winning battles: hit points, attack type, combat power, and how much candy and stardust you need to make those stats better. Nearly all the animations and detail of a Pokemon can only be seen during a battle. Most of the things you get while walking around are about battle– including the Pokemon you catch that are weaker versions of what you already have. When you run out of room, you transfer them to the Professor… why? To get the item that makes your lead Pokemon more powerful. To give up on battling “cuts the game loop” that makes the rest of the game feel worthwhile.
Why so serious? It’s just a game.
Have you met a Pokemon Go fan? But to prove we’re not too serious, here’s a funny video we made to illustrate the problem.
We want to help Niantic address this problem before the world’s most successful app has its bubble popped. It’s too great a game to be ruined by lazy hackers, especially when the solution is already at hand. Help us spread the word by liking the video above or on YouTube!
Every day, users from all around the world attempt more than 200 million CAPTCHAs – but nearly half of those may include a language that is foreign to them. We think traditional CAPTCHAs are hard enough as it is, let alone trying to figure them out in another language! That’s why we’ve been working tirelessly to deliver more localized language support. In fact, FunCaptcha now speaks more than 96% of the languages used on the Internet:
2. Chinese (Simplified)
3. Chinese (Hong Kong – Traditional)
4. Chinese (Taiwan – Traditional)
11. Portuguese (Brazil)
13. Spanish (Latin America)
20. Spanish (Europe)
21. Portuguese (Europe)
23. French (Canada)
Over the coming months, we’ll continue to work closely with our users to ensure our verification experience holds an authentic localized voice. We know language can be tough to get right, so we’ll be paying close attention to our feedback and performance across the globe. If you’d like to suggest an improvement, or request a new language, we’d love to hear from you.
Over the last year, we’ve expanded our localized language support to an increasing number of countries across Europe, Asia and South America. The growing demand for translation has made it possible for FunCaptcha to advance into foreign languages that have been previously unsupported by most CAPTCHA providers, and to craft a verification experience that is meaningful to our global users.
Today, we’re rolling out Chinese (Simplified) – our biggest language yet – which will support more than 700 million users around the world with localized instruction and feedback. This achievement is made particularly notable because unlike most popular CAPTCHAs, FunCaptcha is not blocked for users in Mainland China.
We value FunCaptcha as ‘the CAPTCHA for everyone,’ and place great importance on making sure our service scales into new languages with grace and function. These advancements are underpinned by our core beliefs of usability and accessibility, which guide us toward translations that are enriched by native character. With that said, it is our sincere pleasure to welcome the second biggest language on the Internet to FunCaptcha –欢迎!
We’re excited to announce a change to our account system – specifically, how accounts are created and how they are reviewed for Partner status.
Historically, a user would sign up and add any site(s) he/she wished. Our support team would closely observe the traffic of the ever-growing list of domains and if they met the requirements for Partner status, they were contacted and invited to join the program. Up until now, this has been a feasible process.
This is changing.
Moving forward, we’re streamlining the review process, meaning that clients will get a clear indication of where their domains stand in the Partner program pipeline. If their domains aren’t eligible for Partner, they have the option to join our Plus program.
On sign-up, clients can now select specific options that give us a better indication of their needs, allowing us to tailor our service to them – right from the get go.
For our current customers: those who have been “Under Review” will see their Dashboards change to reflect their account status more accurately.
We’re committed to revolutionizing the moment of CAPTCHA and look forward to providing a more streamlined service for current and future users.
If you have any queries, please feel free to Contact Us.
The worldwide sneaker market has become a pretty cutthroat place. Brands like Adidas are collaborating with artists like Kanye West to produce limited edition sneakers for a large audience. Demand is high, the prices are higher and it’s become common place for shoes to be instantly sold out when they “drop” online. Why? The usage of sneaker bots by both avid customers and reselling market places.
Just like ticket scalpers, sneaker resellers are using sneaker bots to snap up rare sneakers the second they go on sale. The available supply drops, demand sky rockets and then they resell them through their platforms for much higher prices (and profits). In 2014, Complex was educating sneaker fans on how to snag their favorite sneakers without having to resort to sneaker bots.
Unfortunately, no amount of basic plugins or page refreshes are going to beat dedicated, automated systems designed to purchase large quantities of rare merchandise. Nike, just like Adidas, has been seeing the same issues and their retailers are even forced to delay sales due to swarms of bots.
They’ve implemented CAPTCHA systems but their level of security is unfortunately sub-par.
FunCaptcha is the logical solution to the dangers of sneaker bots. We specialize in beating the bots which ensures genuine customers are getting access to the limited number of sneaker releases currently dropped. Further, we streamline a process that many currently find tense and sometimes stressful. We can provide analytics for any customers engaging with FunCaptcha and we can even be customized to fit a big brand’s aesthetic – for example…
Want to protect your sneaker merch from bots and open the door for your customers? Get in touch.
Banner Image: Nana B Agyei
We recently read an article by Deadline’s Jeremy Gerard with Jordan Roth, President of Jujamcyn Theatres. They discussed the recent news of Jerry Seinfeld’s six-month residency at the Beacon Theatre in New York City and theorized that ticket scalping is the result of prices not matching demand for the show.
Their theory is, that if theatres charge only $100 for a show that people are willing to pay $300 for, it makes economical sense for ticket resellers to step in and make a profit. Roth makes it clear though: just because it makes financial sense, doesn’t mean that resellers should be able to do so en-masse with illegal software – something we wholeheartedly agree with.
Nevertheless, bot abuse is what makes scalping so incredibly efficient: in fact, in 2010, three men plead guilty to making nearly $25 million dollars by using bots to purchase and resell tickets. Because of cases like this, ticket buying bots are actually banned in 13 states of the USA. The Foo Fighters even resorted to manually selling tickets to ensure that only genuine fans were able to purchase tickets at a fair price.
In the article, they suggest that theatres could simply charge the $300 from the very beginning. This would bring the “profit” back to the actual performers/stockholders instead of the pockets of scalpers. However, this comes at the cost of possible negative blowback because the theatres might seen to be “gouging”. And we’re not so sure it actually makes sense, as it is scarcity that drives demand. People are only willing to pay triple the price when there are no tickets left, and it feels like the show is very popular – the same customers very well could balk at paying such a price on the day the show is announced and while there are still thousands of available seats. What may make more sense is the hotel/airline model where tickets become more expensive, as fewer are left for sale.
Luckily, FunCaptcha’s security service provides online ticket sellers with a fast, secure and highly converting solution that would not only completely prevent any sort of automated abuse but also enable fans access to the tickets they want, without having to compete with scalper bots. Other CAPTCHA providers can’t match the security nor the accessibility that FunCaptcha is able to provide.
We already have ticket software clients, and have elimated the bot problem for numerous other online businesses – so Jerry, Jeremy & Jordan, please get in touch, and we’ll help you out too.
Image Credit: Lynn Willis – Ticket Office
Did you know?
Theming your CAPTCHA for the holidays can increase conversion. Our research shows that festive themes help to create a strong emotional bond between the verification task and the people completing it.
That’s why we’re offering you our first-ever holiday CAPTCHA!
If you’d like to entertain your users and boost conversion throughout December, simply click below to contact our team and list the domains on which you’d like our holiday CAPTCHA to be activated.
Is it secure?
Of course! It’s powered by the same security technology that makes FunCaptcha the most secure CAPTCHA available on the market.
From our team to yours, we wish you a wonderful holiday season.