In a previous post, we broke the news that hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. That post explains on a high level how FunCaptcha can prevent the damage without affecting average players at all. This post gets into more technical details.
How many Pokemon Go bots are here, and how do they work?
Sites that point to bot installers:
Discussion groups devoted to botting:
When should a FunCaptcha appear in the game?
This analysis by leading application testing company BugCrowd puts a finger on it: “Trading is going to have a huge impact due to bots. Maybe implement level requirement so Niantic has a data threshold to ban bots.” We extend this idea by saying that FunCaptcha should appear in the gray area between tolerance and the banning threshold.
For example, keep a running suspicion score per user. Raise the score when a time slice contains a highly implausible gain in XP, items, captures, wins, or the like. Drain the score over time so merely lucky players don’t remain suspicious. When the suspicion score crosses a threshold, and the user is not in the middle of something, and there has not been a challenge shown for a while, then show a single FunCaptcha challenge. If it is solved, suspicion is lowered. If not, suspicion is raised. Only when suspicion continues to climb should the user be suspended or banned.
The data threshold is simple and objective, but it can risk being accidentally too strict. This is okay because the consequent challenge is a minor inconvenience to a small number of super-high-performing players– far better than a sharp binary division of users between allowed and banned, which causes problems no matter where that line gets drawn. If the challenge is successfully solved, the developer has feedback that maybe the threshold was too strict, and needs a bit more tuning.
A user (or for that matter, a very tame bot) advancing at anywhere close to the speed of a normal user would never see the challenge.
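The running suspicion score described above can be sketched as follows. This is an added example, not FunCaptcha's or Niantic's code; every name, threshold, the one-hour half-life and the 10-minute slice size are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Illustrative constants (assumptions, not values from the post).
HALF_LIFE_S = 3600.0            # suspicion halves per hour, so luck is forgotten
XP_PLAUSIBLE_PER_SLICE = 5000   # highest XP gain treated as plausible per slice
MAX_RAISE_PER_SLICE = 3.0       # cap so a single slice cannot cause a ban
CHALLENGE_AT = 3.0              # start of the gray area: show a challenge
SUSPEND_AT = 8.0                # suspicion kept climbing: suspend or ban
CHALLENGE_COOLDOWN_S = 1800.0   # minimum gap between two challenges
SOLVE_CREDIT = 2.0              # suspicion removed by a solved challenge
FAIL_PENALTY = 3.0              # suspicion added by a failed challenge


@dataclass
class Player:
    score: float = 0.0
    updated_at: float = 0.0
    last_challenge_at: float = float("-inf")
    challenge_pending: bool = False


def _drain(p: Player, now: float) -> None:
    """Decay the score exponentially for the time elapsed since the last update."""
    elapsed = max(0.0, now - p.updated_at)
    p.score *= 0.5 ** (elapsed / HALF_LIFE_S)
    p.updated_at = now


def record_slice(p: Player, now: float, xp_gained: int, busy: bool) -> str:
    """Fold one time slice into the score; return 'none', 'challenge' or 'suspend'."""
    _drain(p, now)
    if xp_gained > XP_PLAUSIBLE_PER_SLICE:
        excess = xp_gained / XP_PLAUSIBLE_PER_SLICE - 1.0
        p.score += min(excess, MAX_RAISE_PER_SLICE)
    if p.score >= SUSPEND_AT:
        return "suspend"
    cooled_down = now - p.last_challenge_at >= CHALLENGE_COOLDOWN_S
    # Challenge only in the gray area, never mid-activity, never back to back.
    if (p.score >= CHALLENGE_AT and not busy
            and not p.challenge_pending and cooled_down):
        p.challenge_pending = True
        p.last_challenge_at = now
        return "challenge"
    return "none"


def record_challenge_result(p: Player, now: float, solved: bool) -> str:
    """Apply the challenge outcome: a solve lowers suspicion, a failure raises it."""
    _drain(p, now)
    p.challenge_pending = False
    if solved:
        p.score = max(0.0, p.score - SOLVE_CREDIT)
    else:
        p.score += FAIL_PENALTY
    return "suspend" if p.score >= SUSPEND_AT else "none"
```

A solved challenge is also the tuning signal the post mentions: counting solves per threshold value shows whether `XP_PLAUSIBLE_PER_SLICE` is set too strictly.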
Everyone hates CAPTCHAs, why is this not the end of the conversation?
Bad old CAPTCHAs are everywhere, but the new techniques demonstrated by FunCaptcha show real progress. We have proven that legitimate users can solve a well-made challenge, in seconds, with a 99% success rate, in a playful and appealing way.
Online games have always had bots, so why worry?
So what is the difference between bots in Pokemon Go and bots in many other games? We all know bots have been around a long time. For example, MMOs have long endured bots automatically “farming” in-game advancement. Why is Pokemon Go really different? Other games survived bots, so why panic about Pokemon Go and other AR games on the way?
This is the first big game that has new gaps between what the server can possibly know about its players, and what its players are actually doing as input. Exploiting that gap, bots do more damage while being harder to detect. This is for a few key reasons that differ between, for example, an MMO bot and a Pokemon Go bot.
| MMO bot | Pokemon Go bot | Gap |
|---|---|---|
| Speed that the avatar can possibly move through the world is known to the server, and everyone pretty much moves at this maximum. | Speed that the avatar (a real human) can possibly move through the (real) world is high, but everyone almost always moves well below this maximum. | A Pokemon Go bot moving at a speed much faster than an average human gets a big advantage… but can’t be outright banned, because it still might actually be a human. |
| An avatar always has to be realtime connected to the server, and as it moves, every bit of its movement is tracked on the server. | An avatar (a real human) can disconnect from the server (the app is off) and later reappear far away, plausibly after flying or driving there. | How large a jump, done how often, is enough to ban? What algorithm can effectively make a binary division between allowed and banned? |
| When an avatar has obstacles (mountains, buildings, walls, etc) preventing it from directly reaching resources, all obstacles are known to the server. | The avatar usually has a lot of obstacles (cars, crosswalks, buildings) slowing it down that the server does not know about. But the avatar might not have those obstacles, and can’t be blamed for moving at a brisk walk from one point directly to another and gathering the resource. | Another binary division can go very wrong. How efficient can an avatar be at gathering before a ban? What if a ban hits someone lucky enough to be free of obstacles for a while? |
These gaps are much larger for Pokemon Go and the coming wave of AR games than they have been for any other popular digital game ever made. A Pokemon Go bot can (and does) advance many times more quickly than nearly any human player, but can’t be banned in case it actually is a dedicated human. This means the impact both of the abuse, and of misfired ways of stopping the abuse, is vastly larger than any other game has suffered.
Won’t hackers make their bots operate at a speed just below the activity threshold?
The measures described here will limit the bots to a tiny fraction of their current speed, making the impact on the game economy and competition minimal.
Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower– that is victory when dealing with automated abuse.
Won’t hackers keep an eye on their bots and solve challenges manually?
If the bot is advancing superhumanly fast, and therefore gets a challenge once in a while, a human operator of the bot who is watching out can indeed solve it manually and keep the bot going. However this costs a bit of the most irreducible thing on the Internet: human attention. That user could not run multiple high-speed bots 24/7 as is presently the case. A speed bump won’t stop a bike, but it sure will mess up a rocket car.
How can FunCaptcha techniques adapt to fit smoothly into Pokemon Go?
FunCaptcha poses challenges that tap into innate human powers of visual recognition, but are impractical for computer programs to solve. This can be as simple as turning an image the right way up, or as complex as proprietary techniques we are developing for a wide variety of systems. The challenge built into Pokemon Go may hardly appear to be a CAPTCHA at all– it will be just another brief, fun activity players do for a reward.
Bot writers are saying they won’t write bots that fight in gyms, so the damage won’t be that bad…
Is it too late to save Pokemon Go?
No! Present bot activity levels are nothing compared to what will build up over time, so immediate action will stop the worst damage. Also, as the game is expanded, it will add new resources, new currencies, and new pillars and tiers of the advancement economy. These will be free of the stain of today’s bot abuse, if it is stopped now.
Besides, this discussion is not just about the first, revolutionary game in this genre. Sequels will come. Other games will follow the stunning success of Pokemon Go. Working on bot-reducing measures now will stop the rot from spreading.
Who is Boris?
To get attention for this urgent issue, we did a silly thing: we made a video that lots of people would share. This worked amazingly well. Take a look and share it yourself to shine a spotlight on this problem!
29 Jul 2016
Hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. Instead of walking around catching Pokemon and items, lazy hackers scoop them up without getting out of bed. In the past few days this has been getting a lot of attention from gaming site Polygon, popular site Vice, tech site Ars Technica, and more.
UPDATE: Polygon spoke with us about Pokémon Go bots ruining the game, and how our unique CAPTCHA can stop them with visual puzzles that blend into normal gameplay.
Why should we care? This abuse floods the in-game economy and out-competes real players– the world’s first level 40 player is a bot. Real players get no chance to win at competitive Pokemon “gyms”, so the game’s main goal is ruined by the cheaters. This threatens to pop the bubble of the most popular game app ever made. Listen to this guy, who I found after just a few minutes of asking around. His friend is using a Pokemon Go bot right now, and he’s mad about it:
The game’s developer Niantic made a similar game, called Ingress, that is being attacked the same way. In the effort to stop bots, the company banned suspected cheaters, but their inexact method also banned honest players, causing a huge uproar. History repeats with Pokemon Go, at a scale many thousands of times greater.
We propose that Pokemon Go should embed a simple, playful CAPTCHA to catch cheater bots while leaving real players unaffected. CAPTCHA is any kind of digital activity that only humans can complete, to distinguish between people and programs. FunCaptcha protects major game and social sites and apps against millions of bot attacks per day.
Will I have to solve a CAPTCHA as I play Pokemon Go?
No you won’t. FunCaptcha would pop up in the game only for players who are beyond the upper limit of how fast a human could possibly be progressing. This is a fuzzy line, and super-devoted players should not get banned on a whim, so the gray area gets filled by FunCaptcha. Even if a hugely successful real player has a great day and sees a FunCaptcha, he or she will be able to solve it in seconds, having a bit of fun doing it, and even get a little in-game reward for their trouble, like getting a bonus PokeStop.
Won’t hackers make their bots operate at a speed just below the activity threshold you set?
We have learned a lot about hacking over the years and see this as a victory, not a problem. Even if hackers stay just on the safe side of the line, that will limit the bots to a fraction of 1% of their current speed, making the impact on the game economy and competition minimal. To give up because hackers are slowed instead of stopped is like saying, “Some marathon runners buy really expensive sneakers to give them an edge, so let’s scrap all the rules and let runners wear rocket skates.”
Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged with a FunCaptcha, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower– that is victory when dealing with automated abuse.
It is so easy to see how to turn a Pokemon the right way up– why can’t a bot do it?
The human brain has amazing powers of pattern recognition. What you find very easy (like seeing that this is a Pikachu and you know which way to stand it upright) is hard for a software program. It’s not impossible, but the kind of work and intelligence it takes to write and train a program to recognize Pokemon is much better spent on an activity far more profitable than Pokemon Go abuse. These are PhD-level challenges, and need more than a fast-food wage to justify the work.
By protecting thousands of sites and apps, our development team has overcome all kinds of challenges. Some of the things we know about how to complicate “machine vision” attacks are secrets we can’t share here. For proof, witness the years of attacks we have overcome.
Why say that competing at gyms is the main goal in the game, over catching Pokemon?
We hear from many players who feel their interest waning because gyms are hopeless. Every gym we try leaves us with no XP and no effect on the big battle. Lately we are playing less because we think, what’s the point? Without a reason to even try a battle, we don’t get to see our beloved little creatures do what they are made to do.
After all, the original Pokemon show had at least one battle in every 30-minute episode. The Pokemon card game was all about fighting. The Pokemon games on the Nintendo GameBoy had battle after battle. The generation who grew up with Pokemon battled a lot in every kind of game so far. Now, it seems like nobody we know ever gets to win at any battle, and we are all getting disheartened.
Another way to think about it is how many of Pokemon Go’s game assets and features have to do with fighting. Tap a Pokemon in the game and see nothing but stats that have something to do with winning battles: hit points, attack type, combat power, and how much candy and stardust you need to make those stats better. Nearly all the animations and detail of a Pokemon can only be seen during a battle. Most of the things you get while walking around are about battle– including the Pokemon you catch that are weaker versions of what you already have. When you run out of room, you transfer them to the Professor… why? To get the item that makes your lead Pokemon more powerful. To give up on battling “cuts the game loop” that makes the rest of the game feel worthwhile.
Why so serious? It’s just a game.
Have you met a Pokemon Go fan? But to prove we’re not too serious, here’s a funny video we made to illustrate the problem.
We want to help Niantic address this problem before the world’s most successful app has its bubble popped. It’s too great a game to be ruined by lazy hackers, especially when the solution is already at hand. Help us spread the word by liking the video above or on YouTube!
04 May 2016
Every day, users from all around the world attempt more than 200 million CAPTCHAs – but nearly half of those may include a language that is foreign to them. We think traditional CAPTCHAs are hard enough as it is, let alone trying to figure them out in another language! That’s why we’ve been working tirelessly to deliver more localized language support. In fact, FunCaptcha now speaks more than 96% of the languages used on the Internet:
1. Arabic – ar
2. Chinese (Simplified) – zh
3. Chinese (Hong Kong – Traditional) – zh-hk
4. Chinese (Taiwan – Traditional) – zh-tw
5. English – en
6. French – fr
7. German – de
8. Indonesian – id, in
9. Japanese – ja
10. Korean – ko
11. Portuguese (Brazil) – pt-br
12. Russian – ru
13. Spanish (Latin America) – es-mx
14. Swedish – sv
15. Italian – it
16. Thai – th
17. Czech – cs
18. Danish – da
19. Greek – el
20. Spanish (Europe) – es
21. Portuguese (Europe) – pt
22. Finnish – fi
23. French (Canada) – fr-ca
24. Hungarian – hu
25. Dutch – nl
26. Norwegian – no
27. Polish – pl
28. Turkish – tr
Over the coming months, we’ll continue to work closely with our users to ensure our verification experience holds an authentic localized voice. We know language can be tough to get right, so we’ll be paying close attention to our feedback and performance across the globe. If you’d like to suggest an improvement, or request a new language, we’d love to hear from you.
17 Mar 2016
Over the last year, we’ve expanded our localized language support to an increasing number of countries across Europe, Asia and South America. The growing demand for translation has made it possible for FunCaptcha to advance into foreign languages that have been previously unsupported by most CAPTCHA providers, and to craft a verification experience that is meaningful to our global users.
Today, we’re rolling out Chinese (Simplified) – our biggest language yet – which will support more than 700 million users around the world with localized instruction and feedback. This achievement is made particularly notable because unlike most popular CAPTCHAs, FunCaptcha is not blocked for users in Mainland China.
We value FunCaptcha as ‘the CAPTCHA for everyone,’ and place great importance on making sure our service scales into new languages with grace and function. These advancements are underpinned by our core beliefs of usability and accessibility, which guide us toward translations that are enriched by native character. With that said, it is our sincere pleasure to welcome the second biggest language on the Internet to FunCaptcha –欢迎!
22 Jan 2016
We’re excited to announce a change to our account system – specifically, how accounts are created and how they are reviewed for Partner status.
Historically, a user would sign up and add any site(s) he/she wished. Our support team would closely observe the traffic of the ever-growing list of domains and if they met the requirements for Partner status, they were contacted and invited to join the program. Up until now, this has been a feasible process.
This is changing.
Moving forward, we’re streamlining the review process, meaning that clients will get a clear indication of where their domains stand in the Partner program pipeline. If their domains aren’t eligible for Partner, they have the option to join our Plus program.
On sign-up, clients can now select specific options that give us a better indication of their needs, allowing us to tailor our service to them – right from the get go.
For our current customers: those who have been “Under Review” will see their Dashboards change to reflect their account status more accurately.
We’re committed to revolutionizing the moment of CAPTCHA and look forward to providing a more streamlined service for current and future users.
If you have any queries, please feel free to Contact Us.
05 Jan 2016
The worldwide sneaker market has become a pretty cutthroat place. Brands like Adidas are collaborating with artists like Kanye West to produce limited edition sneakers for a large audience. Demand is high, the prices are higher and it’s become commonplace for shoes to be instantly sold out when they “drop” online. Why? The usage of sneaker bots by both avid customers and reselling marketplaces.
Just like ticket scalpers, sneaker resellers are using sneaker bots to snap up rare sneakers the second they go on sale. The available supply drops, demand skyrockets and then they resell them through their platforms for much higher prices (and profits). In 2014, Complex was educating sneaker fans on how to snag their favorite sneakers without having to resort to sneaker bots.
Unfortunately, no amount of basic plugins or page refreshes are going to beat dedicated, automated systems designed to purchase large quantities of rare merchandise. Nike, just like Adidas, has been seeing the same issues and their retailers are even forced to delay sales due to swarms of bots.
They’ve implemented CAPTCHA systems but their level of security is unfortunately sub-par.
FunCaptcha is the logical solution to the dangers of sneaker bots. We specialize in beating the bots which ensures genuine customers are getting access to the limited number of sneaker releases currently dropped. Further, we streamline a process that many currently find tense and sometimes stressful. We can provide analytics for any customers engaging with FunCaptcha and we can even be customized to fit a big brand’s aesthetic – for example…
Want to protect your sneaker merch from bots and open the door for your customers? Get in touch.
Banner Image: Nana B Agyei
16 Dec 2015
We recently read an article by Deadline’s Jeremy Gerard with Jordan Roth, President of Jujamcyn Theatres. They discussed the recent news of Jerry Seinfeld’s six-month residency at the Beacon Theatre in New York City and theorized that ticket scalping is the result of prices not matching demand for the show.
Their theory is that if theatres charge only $100 for a show that people are willing to pay $300 for, it makes economic sense for ticket resellers to step in and make a profit. Roth makes it clear though: just because it makes financial sense, doesn’t mean that resellers should be able to do so en masse with illegal software – something we wholeheartedly agree with.
Nevertheless, bot abuse is what makes scalping so incredibly efficient: in fact, in 2010, three men pleaded guilty to making nearly $25 million by using bots to purchase and resell tickets. Because of cases like this, ticket buying bots are actually banned in 13 states of the USA. The Foo Fighters even resorted to manually selling tickets to ensure that only genuine fans were able to purchase tickets at a fair price.
In the article, they suggest that theatres could simply charge the $300 from the very beginning. This would bring the “profit” back to the actual performers/stockholders instead of the pockets of scalpers. However, this comes at the cost of possible negative blowback because the theatres might be seen to be “gouging”. And we’re not so sure it actually makes sense, as it is scarcity that drives demand. People are only willing to pay triple the price when there are no tickets left, and it feels like the show is very popular – the same customers very well could balk at paying such a price on the day the show is announced and while there are still thousands of available seats. What may make more sense is the hotel/airline model where tickets become more expensive, as fewer are left for sale.
Luckily, FunCaptcha’s security service provides online ticket sellers with a fast, secure and highly converting solution that would not only completely prevent any sort of automated abuse but also enable fans access to the tickets they want, without having to compete with scalper bots. Other CAPTCHA providers can’t match the security nor the accessibility that FunCaptcha is able to provide.
We already have ticket software clients, and have eliminated the bot problem for numerous other online businesses – so Jerry, Jeremy & Jordan, please get in touch, and we’ll help you out too.
Image Credit: Lynn Willis – Ticket Office
07 Dec 2015
Did you know?
Theming your CAPTCHA for the holidays can increase conversion. Our research shows that festive themes help to create a strong emotional bond between the verification task and the people completing it.
That’s why we’re offering you our first-ever holiday CAPTCHA!
If you’d like to entertain your users and boost conversion throughout December, simply click below to contact our team and list the domains on which you’d like our holiday CAPTCHA to be activated.
Is it secure?
Of course! It’s powered by the same security technology that makes FunCaptcha the most secure CAPTCHA available on the market.
From our team to yours, we wish you a wonderful holiday season.
05 Dec 2015
Mobile friendly web design is a necessity for any website. Why? Google punishes a website’s page rank if the domain isn’t mobile responsive. That’s because 51% of all internet traffic is now from mobile devices – and growing. This is something we maintain as a priority when refining FunCaptcha. Here are three big reasons why FunCaptcha is the mobile CAPTCHA.
Built to Scale
FunCaptcha is built on HTML5, meaning it works on any platform. Desktop, Tablet, Mobile Phone – FunCaptcha is built with flexibility in mind. This means installing FunCaptcha is easy and maintaining your website’s mobile compatibility is even easier.
With our mini-game based approach to security, domains are secured through a format that’s inherently mobile friendly. No hard to read text – just drag ‘n’ drop or tap-to-rotate games that can block the bots and welcome the humans.
The above means that websites can focus on refining their offering, whether it be engaging content or a valuable day to day service. FunCaptcha allows brands to rest easy knowing their online assets are protected but also welcoming for their intended audience.
Next time you’re needing to protect your site, please your users and ensure your website is ready for the mobile revolution, head to our homepage and install FunCaptcha. It only takes a matter of minutes.
30 Nov 2015
The purpose of a poll is simple: learn about the interests of your audience. Whether you’re a politician campaigning for election, a multinational entertainment brand or a respected news organization, knowing what your audience is thinking is invaluable. For example, the CNN poll below asked its audience who they think won a recent democratic debate. The information provided allowed CNN’s editors to both display and form a narrative around the current Presidential election. On top of this, a poll allows users to see how their opinion stacks up with other users in their online community.
While the convenience of Internet polls is evident, the anonymity that comes with them should have organizations asking an important question: how reliable are they at reflecting genuine opinion? With FunCaptcha – very.
Accuracy is king
A news organization’s reputation goes hand-in-hand with the accuracy of the information they relay. If a news outlet consistently provides inaccurate information, they will soon find themselves losing their audience. Online polls are no different – the threat of bots swarming a poll (or petition, in Uber’s case) and distorting the data is very real. By blocking these bots, FunCaptcha can ensure that only genuine humans are engaging with their polls and thus, ensure the accuracy of their data.
Legitimacy is longevity
If polls are accurate and authentic, those who participate in them feel as though their opinion has contributed to a wider discussion. If a poll is swarmed with bots, false votes and muddled data, this leads to genuine participants feeling dissatisfied about their contribution. People don’t want to feel as though their input has been wasted. If a brand can’t garner genuine audience engagement, their polls are meaningless and the brand itself is thrown aside as unreliable. For news organizations especially – it’s a death sentence.
High Conversion, Better Engagement
Maintaining both the accuracy and legitimacy of an online brand’s polls is crucial but in the past, the only way to do this was with outdated, ugly CAPTCHAs. FunCaptcha not only maintains a supreme level of security but it can also offer a much higher level of engagement. It can be branded to fit a website’s aesthetic and it doesn’t annoy genuine users who actively want to engage with the brand.
Online polls are a valuable resource and FunCaptcha allows them to stay that way.