The principal barrier against automated abuse and spam is the CAPTCHA. It stands guard at the door of every website and app, tasked with telling human users and spammers apart.

The most common type of CAPTCHA challenges the user to type an obscured sequence of letters or digits that appear on the screen, or to discern abstracted images in a grid. For some, an encounter with a CAPTCHA is frustrating because everyday work is slowed down by distorted words that are difficult to read. However, to the diverse group of users who rely on assistive technology, this rudimentary user-identification procedure is chronically inaccessible. The Internet is a place for everyone, and yet many of its corners remain closed to the very people it intends to serve.

People of varied abilities, such as those with vision impairment or reduced fine motor skills, can face many difficulties when trying to complete seemingly straightforward tasks – like signing up to a new website, sending a message to a loved one, or buying tickets to a favourite band. These tasks rely on a CAPTCHA to prevent abuse, but the CAPTCHA itself usually relies on sensory or motor skills that not every user has. For example, many common CAPTCHAs do not provide a text alternative for their controls, which prevents vision-impaired users from using screen readers to proceed. Additionally, users with reduced fine motor skills may not possess the dexterity needed to type an arduous sequence of letters. At that moment, people of varied abilities are often given few fall-back options and are forced to abandon their task.

Now, as the world becomes increasingly more connected, it is both our privilege and duty to ensure that all people are given equal opportunity to be a part of the online community. FunCaptcha is committed to providing these opportunities; championing accessibility support to position FunCaptcha as the most accessible CAPTCHA available on the market, in line with Section 508 Standards.

Accessibility Support in FunCaptcha

FunCaptcha controls include a text alternative.

This allows instructions and controls to be read by screen readers.

FunCaptcha provides an audio alternative.

This allows users with vision impairment to complete verification by listening to a sound file.

FunCaptcha does not require JavaScript.

This ensures all content and functionality is both accessible to, and controllable by, assistive technology.

FunCaptcha does not require any additional apps or plugins to be completed.

This means the normal functionality is natively available to the user agent (browser) on-the-spot.

FunCaptcha is navigable without a pointing device.

This allows controls to be tabbed through on desktop, as well as touched on mobile.

FunCaptcha does not use repetitive navigation links.

This ensures instructions and controls are placed in their focus order, and users begin at the main content.

We will always strive to ensure the verification experience of FunCaptcha remains accessible to people of all abilities. We’re also mindful that accessibility standards can be challenging to get right for everyone, so we’ll be paying close attention to feedback from our diverse group of users. If you’d like to suggest an improvement, or request additional support, we’d love to hear from you.

Today people have started seeing this message in Pokemon Go: “You’re going too fast! Pokemon Go should not be played while driving”.

This matches a prediction we made in a previous post, that as Niantic tries to limit the damage done by bots, they will start to monitor and challenge users who have a particular suspicious behavior pattern. But in the play experience of us and others, this appears as a false positive: we were playing the game normally. It's impossible to draw a sharp line like this without mis-categorizing either bots or humans. This illustrates the point made in our earlier post about how game developers need to use FunCaptcha techniques to avoid the binary separation of users into totally permitted and totally prohibited, filling in the gap between those extremes with FunCaptcha.

Niantic briefly stopped bots by encrypting its API. However, as we predicted, unfortunately this brought only temporary relief and now the bots are back. This Ars Technica article has a good summary of that.

In a previous post, we broke the news that hackers have rigged the game Pokemon Go to allow thousands of software “bots” to play the game automatically. That post explains on a high level how FunCaptcha can prevent the damage without affecting average players at all. This post gets into more technical details.

How many Pokemon Go bots are here, and how do they work?

Sites that point to bot installers:
http://hackaday.com/2016/07/26/pokemon-go-bot-edition/
https://github.com/PokemonGoF/PokemonGo-Bot
http://necrobot.net/

Videos showing bot software from install to run:
https://youtu.be/iqx4NRNkeVc
https://youtu.be/3bdAdVXNKDE
Bonus: This guy has a super charming accent!

Discussion groups devoted to botting:
https://www.reddit.com/r/pokemongobotting/
http://www.ownedcore.com/forums/pokemon-go/pokemon-go-hacks-cheats/
http://hackforums.net/forumdisplay.php?fid=358

When should a FunCaptcha appear in the game?

This analysis by leading application testing company BugCrowd puts a finger on it: “Trading is going to have a huge impact due to bots. Maybe implement level requirement so Niantic has a data threshold to ban bots.” We extend this idea by saying that FunCaptcha should appear in the gray area between tolerance and the banning threshold.

For example, keep a running suspicion score per user. Raise the score when a time slice contains a highly implausible gain in XP, items, captures, wins, or the like. Drain the score over time so merely lucky players don’t remain suspicious. When the suspicion score crosses a threshold, and the user is not in the middle of something, and there has not been a challenge shown for a while, then show a single FunCaptcha challenge. If it is solved, suspicion is lowered. If not, suspicion is raised. Only when suspicion continues to climb should the user be suspended or banned.

The data threshold is simple and objective, but it can risk being accidentally too strict. This is okay because the consequent challenge is a minor inconvenience to a small number of super-high-performing players– far better than a sharp binary division of users between allowed and banned, which causes problems no matter where that line gets drawn. If the challenge is successfully solved, the developer has feedback that maybe the threshold was too strict, and needs a bit more tuning.

A user (or for that matter, a very tame bot) advancing at anywhere close to the speed of a normal user would never see the challenge.
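One way to implement the running suspicion score described above, written as an added example for this post rather than code from FunCaptcha or Niantic. The plausibility ceilings, the drain rate, the two thresholds, the challenge cooldown and the proportional increment (score rises by rate divided by ceiling) are all assumptions chosen for readability; a real game would derive them from its own play telemetry. The traces at the bottom are constructed, not real data.

```python
from dataclasses import dataclass

# Assumed per-minute ceilings on what an unusually strong human player could
# plausibly gain in one time slice. Real values would come from play telemetry.
PLAUSIBLE_PER_MINUTE = {"xp": 1500.0, "captures": 4.0, "items": 30.0}

DRAIN_PER_MINUTE = 0.2          # suspicion leaks away, so a lucky slice is forgotten
CHALLENGE_THRESHOLD = 10.0      # crossing this earns a single challenge
BAN_THRESHOLD = 30.0            # reached only after challenges have been failed
CHALLENGE_COOLDOWN_MIN = 30.0   # never re-challenge sooner than this
PASS_RELIEF = 8.0               # a solved challenge lowers suspicion by this much
FAIL_PENALTY = 12.0             # a failed challenge raises it by this much


@dataclass
class Player:
    score: float = 0.0
    last_update_min: float = 0.0
    last_challenge_min: float = float("-inf")
    busy: bool = False      # mid-capture, mid-battle: don't interrupt
    status: str = "ok"      # "ok", "challenge" (one is pending) or "banned"


def _drain(p: Player, now: float) -> None:
    """Apply the time-based drain accumulated since the last update."""
    elapsed = max(0.0, now - p.last_update_min)
    p.score = max(0.0, p.score - DRAIN_PER_MINUTE * elapsed)
    p.last_update_min = now


def _decide(p: Player, now: float) -> str:
    """Map the current score to an action: 'none', 'challenge' or 'ban'."""
    if p.status == "banned" or p.score >= BAN_THRESHOLD:
        p.status = "banned"
        return "ban"
    if (p.score >= CHALLENGE_THRESHOLD
            and not p.busy
            and p.status != "challenge"
            and now - p.last_challenge_min >= CHALLENGE_COOLDOWN_MIN):
        p.status = "challenge"
        p.last_challenge_min = now
        return "challenge"
    return "none"


def record_slice(p: Player, now: float, minutes: float, gains: dict) -> str:
    """Score one time slice of gains (xp, captures, items) ending at `now`.

    Each gain whose per-minute rate exceeds its ceiling raises the score in
    proportion to how far past the ceiling it went (assumed scaling).
    """
    _drain(p, now)
    for kind, amount in gains.items():
        ceiling = PLAUSIBLE_PER_MINUTE.get(kind)
        if ceiling is None:
            continue
        rate = amount / minutes
        if rate > ceiling:
            p.score += rate / ceiling
    return _decide(p, now)


def record_challenge_result(p: Player, now: float, solved: bool) -> str:
    """Feed back the outcome of the pending challenge and re-evaluate."""
    _drain(p, now)
    p.status = "ok"
    if solved:
        p.score = max(0.0, p.score - PASS_RELIEF)
    else:
        p.score += FAIL_PENALTY
    return _decide(p, now)


# Constructed 10-minute traces, not real telemetry.
BOT_SLICE = {"xp": 60000, "captures": 100, "items": 600}
HUMAN_SLICE = {"xp": 800, "captures": 2, "items": 15}


def run_trace(slices, challenge_outcomes=None, busy=False) -> list:
    """Replay 10-minute slices; answer each challenge with the next outcome."""
    p = Player(busy=busy)
    outcomes = list(challenge_outcomes or [])
    actions = []
    for i, gains in enumerate(slices, start=1):
        action = record_slice(p, now=10.0 * i, minutes=10.0, gains=gains)
        actions.append(action)
        if action == "challenge" and outcomes:
            actions.append(record_challenge_result(p, 10.0 * i + 1, outcomes.pop(0)))
    return actions


if __name__ == "__main__":
    print("human:", run_trace([HUMAN_SLICE] * 6))
    print("bot:  ", run_trace([BOT_SLICE] * 3, challenge_outcomes=[False]))
```

Three properties of the design are worth noting. A player at normal speed never accumulates any score, so never sees a challenge; a single lucky slice adds a little and drains back to zero before the next one. A bot that ignores or fails its one challenge keeps climbing and is banned on the next superhuman slice, whereas an operator who solves it by hand gets relief but is still throttled by the cooldown, which is the speed bump the later section describes. The busy flag defers the challenge rather than cancelling it, so it surfaces at the next quiet moment instead of mid-capture.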

Everyone hates CAPTCHAs, why is this not end of conversation?

Bad old CAPTCHAs are everywhere, but the new techniques demonstrated by FunCaptcha show real progress. We have proven that legitimate users can solve a well-made challenge, in seconds, with a 99% success rate, in a playful and appealing way.

Online games have always had bots, so why worry?

So what is the difference between bots in Pokemon Go and bots in many other games? We all know bots have been around a long time. For example, MMOs have long endured bots automatically “farming” in-game advancement. Why is Pokemon Go really different? Other games survived bots, so why panic about Pokemon Go and other AR games on the way?

This is the first big game that has new gaps between what the server can possibly know about its players, and what its players are actually doing as input. Exploiting that gap, bots do more damage while being harder to detect. This is for a few key reasons that differ between, for example, an MMO bot and a Pokemon Go bot.

The three gaps, compared for an MMO bot and a Pokemon Go bot:

Movement speed
MMO bot: The speed at which the avatar can possibly move through the world is known to the server, and everyone pretty much moves at this maximum.
Pokemon Go bot: The speed at which the avatar (a real human) can possibly move through the (real) world is high, but everyone almost always moves well below this maximum.
Gap: A Pokemon Go bot moving at a speed much faster than an average human gets a big advantage, but can't be outright banned, because it still might actually be a human.

Connectivity
MMO bot: An avatar always has to be connected to the server in real time, and as it moves, every bit of its movement is tracked on the server.
Pokemon Go bot: An avatar (a real human) can disconnect from the server (the app is off) and later reappear far away, plausibly after flying or driving there.
Gap: How large a jump, done how often, is enough to ban? What algorithm can effectively make a binary division between allowed and banned?

Obstacles
MMO bot: When an avatar has obstacles (mountains, buildings, walls, etc.) preventing it from directly reaching resources, all obstacles are known to the server.
Pokemon Go bot: The avatar usually has a lot of obstacles (cars, crosswalks, buildings) slowing it down that the server does not know about. But the avatar might not have those obstacles, and can't be blamed for moving at a brisk walk from one point directly to another and gathering the resource.
Gap: Another binary division can go very wrong. How efficient can an avatar be at gathering before a ban? What if a ban hits someone lucky enough to be free of obstacles for a while?

These gaps are much larger for Pokemon Go and the coming wave of AR games than they have been for any other popular digital game ever made. A Pokemon Go bot can (and does) advance many times more quickly than nearly any human player, but can't be banned in case it actually is a dedicated human. This means the impact both of the abuse, and of misfired ways of stopping the abuse, is vastly larger than any other game has suffered.

Won’t hackers make their bots operate at a speed just below the activity threshold?

The measures described here will limit the bots to a tiny fraction of their current speed, making the impact on the game economy and competition minimal.

Also, in the process of finding the threshold, a lot of hackers will slip over it, get challenged, fail to solve it, and get suspended or banned. The risk gets much higher and the reward much lower– that is victory when dealing with automated abuse.

Won’t hackers keep an eye on their bots and solve challenges manually?

If the bot is advancing superhumanly fast, and therefore gets a challenge once in a while, a human operator of the bot who is watching out can indeed solve it manually and keep the bot going. However this costs a bit of the most irreducible thing on the Internet: human attention. That user could not run multiple high-speed bots 24/7 as is presently the case. A speed bump won’t stop a bike, but it sure will mess up a rocket car.

How can FunCaptcha techniques adapt to fit smoothly into Pokemon Go?

FunCaptcha poses challenges that tap into innate human powers of visual recognition, but are impractical for computer programs to solve. This can be as simple as turning an image the right way up, or as complex as proprietary techniques we are developing for a wide variety of systems. The challenge built into Pokemon Go may hardly appear to be a CAPTCHA at all– it will be just another brief, fun activity players do for a reward.

Bot writers are saying they won’t write bots that fight in gyms, so the damage won’t be that bad…

This voluntary self-limitation won’t last. This thread is a good example of how a downward spiral of reasoning leads to that next inevitable step. UPDATE: As predicted, it’s probably happening now.

Is it too late to save Pokemon Go?

No! Present bot activity levels are nothing compared to what will build up over time, so immediate action will stop the worst damage. Also, as the game is expanded, it will add new resources, new currencies, and new pillars and tiers of the advancement economy. These will be free of the stain of today’s bot abuse, if it is stopped now.

Besides, this discussion is not just about the first, revolutionary game in this genre. Sequels will come. Other games will follow the stunning success of Pokemon Go. Working on bot-reducing measures now will stop the rot from spreading.

Who is Boris?

To get attention for this urgent issue, we did a silly thing: we made a video that lots of people would share. This worked amazingly well. Take a look and share it yourself to shine a spotlight on this problem!

Over a drink at a recent meetup event, a usually savvy online developer seemed to think that two-factor authentication is a valid replacement for CAPTCHA. We’ve had a number of conversations like this recently and it’s troubling. It illustrates that even professionals in the online security field do not understand the inherent differences in how the two technologies should be used. Essentially: they solve very different problems.

Two-factor authentication (referred to as 2FA) is a security process that requires two independent factors, such as a password plus a one-time code sent to a phone, before an individual is allowed to carry out a task – usually when logging into a secure account or performing a specific action within a secure account. For example, your bank may send an approval code to your phone when you send a large money transfer. It is used to doubly verify that you are authorised to perform that action.

It does not prove that there is a human completing this action. In fact, a bot can complete a second factor as readily as a person can when that factor is an SMS code sent to a number the attacker controls. Our white hat partners have illustrated just how easy it can be to acquire the phone numbers necessary to automate abuse.

Take this example: you’re a ticket scalper looking to buy tickets in bulk for an upcoming show. If there is no CAPTCHA, all you would have to do is login once to each account (complete the 2FA if required, or automate that also) and then have your bots use those accounts to snap up as many tickets as possible. Without a CAPTCHA preventing the bots from accessing the actual ticket sales pages, 2FA is no help at all to preventing the tickets being purchased faster than humans can complete the same actions.

But CAPTCHA is a test to provide human verification and a good CAPTCHA will prevent bots from automating such actions.

Other concerns when considering 2FA as a CAPTCHA alternative are conversion and privacy. Not everyone will want to provide a phone number, or install an authentication app for each new website they visit. Conversion rates plummet when 2FA is implemented, which is bad for business.

So please… When considering security for your web business, ensure that you understand the primary strengths of all available options. Two-factor authentication is not a valid replacement for CAPTCHA whenever privacy, conversion or human verification are priorities.

How much of your audience is fake? This is the question Bloomberg Business recently asked in a terrific piece called “The Fake Traffic Schemes That Are Rotting The Internet”. It discussed how ad tech companies around the world are employing deceptive tactics (i.e. click fraud) to generate inflated traffic numbers for their clients in an attempt to generate revenue. It’s a scathing piece that outlines a clear issue that many in the digital industry have known for years: something needs to change for digital advertising to grow into the powerhouse it was predicted to be.

However, I was slightly disappointed that it didn’t go into detail regarding potential solutions being worked on around the globe. Yes, big brands are taking digital ads in-house, using their own software and cutting out potentially harmful middle-men but that’s where the article stops short. It doesn’t provide much information in the way of potential solutions to tactics such as click fraud and I felt I needed to help expand on this topic a little further. In short: providing verified, authentic and engaged human traffic is something that FunCaptcha specializes in. In fact, we’ve already discussed the repercussions of NHT (Non-Human Traffic), so allow this to be an extension of that discussion.

The security aspect of FunCaptcha is second to none – we are the most secure CAPTCHA service on the Internet. We protect over 35,000 websites, blocking 1,500,000 bot attempts every day and in doing so, help keep online communities, forums and websites safe. This is great for web hosts and users alike – but what does this mean for advertisers? It means that every impression we serve is verified as a human.

If we serve an ad, it will be to a human.

This is made possible by how we’ve implemented advertising into our CAPTCHA system. Other CAPTCHA providers show advertising before the security process is completed. This may result in inflated impressions but as the Bloomberg piece points out, is it all human? This is actually a key distinction to make and something I’m proud of: the only way for a FunCaptcha to serve an ad impression is for our security process to first be completed – which is something only a human can do. If we serve an ad, it will be to a human. Every time.

Digital advertising is an industry that is beginning to see much-needed innovation and I’m proud to say that FunCaptcha is at the forefront of that innovation.

Thanks for reading,
Kevin Gosschalk
CEO and Co-Founder

Thanks to Bloomberg Business for a great article and specifically, the writers of the piece: Ben Elgin, Michael Riley, David Kocieniewski, and Joshua Brustein.

We pride ourselves on being CAPTCHA experts. It’s what we do, so we try to keep up with emerging industry trends as much as possible.

With this in mind, it’s with amusement (and concern) that we’ve noticed an interesting trend on Twitter this week. It appears that reCAPTCHA’s “No CAPTCHA” challenge has replaced the “check box” solution by instead resorting to a #CABBAGE test.

Why cabbage? Are cruciferous vegetables now a secret weapon to fight spammers? The hidden algorithms must have settled on this green leafy vegetable for a reason…

What we are certain of is that the challenges presented are hard. Have a look for yourself and see if you can pick the cabbage, and only the cabbage!

ReCAPTCHA Cabbage

To get a picture of just how often this is happening, simply scroll through the Tweets about reCaptcha cabbage.

The idea of a simple "tick the box" CAPTCHA solution, in theory, was great. The problem arises when more and more people start to get presented with the second step involving ambiguous images. This is reminiscent of the same major usability issue that the original reCAPTCHA had – auto-generated challenges are often too difficult for humans to solve. When the object of the test is to easily advance humans but stop bots, you simply must provide a challenge that is easy for humans, or site usability and conversion suffer.

But who are we to argue with innovation? To stay ahead of the game it was obvious that we needed our own super-food version of human verification.

So behold, the FunCabbcha. You’re welcome Internet.

Click Verify to play #FunCabbcha and prove you’re not a Cabbage.

Our founder and CAPTCHA expert Matthew Ford elaborates on what spam posting is, how massive companies like Blizzard still suffer from it and how these websites can stop it – not with annoying letters (or secretive black boxes), but with skill.

FunCaptcha is the only company dedicated to providing an interactive and engaging mini-game style CAPTCHA service that also completely stops spam posting. We can even generate revenue – if you’re into that sort of thing.

Watch the above, try us out or even sign-up from our homepage in a few easy steps.

Did you know that FunCaptcha is the only company in the world that is 100% focused on improving human verification via CAPTCHA? We really are the CAPTCHA experts!

With great power comes great responsibility, so one of our founders, Matthew Ford has taken it upon himself to solve the world’s CAPTCHA problems one video at a time.

First up, he explains a topic we’ve briefly touched on: why and how bots are getting through traditional text CAPTCHAs – a problem that’s easily solved by switching to FunCaptcha.

On Saturday morning, Matt Ford and I visited the place where FunCaptcha was first envisioned – Startup Weekend at River City Labs. It’s a great event where entrepreneurs can create a business in one weekend with the guidance of investors, mentors and experienced developers.

Whilst there, we were lucky to meet Australia’s Prime Minister, Tony Abbott! The PM was visiting the competition in an effort to better understand startups, their culture and the importance of their success for Australia’s economy.

Founders Kevin Gosschalk and Matthew Ford meeting with Prime Minister Tony Abbott

We spoke at length with Mr Abbott about how we’re protecting websites internationally and generating revenue for publishers who integrate our CAPTCHA software. He was intrigued with FunCaptcha’s unique gamified approach to security and loved hearing that federal initiatives like Entrepreneurs’ Infrastructure Programme and Accelerating Commercialisation have helped to establish our business.

We’re glad that the government is increasing focus on assisting the startup community. Because without receiving such help, and assistance from forward thinking investors like Richard Moore & Bruce Stubbs at R&R Strategic – our journey as a startup would have been much more difficult. I’m humbled by the level of success my team at FunCaptcha has achieved so far and feel that more innovative Australian startups deserve the same opportunities.

So thanks Tony, it was great to meet you. And thanks to everyone that continues to contribute to the FunCaptcha story.

Kevin Gosschalk
Co-Founder & CEO

Incoming Bot

The purpose of a CAPTCHA is simple: protect a website from malicious attacks (i.e. spammers) by being difficult/impossible for bots but easy enough to let humans through. But what happens when the most commonly used CAPTCHA service can be solved with 97%+ accuracy by the very bots it was designed to beat?

For over a decade, text based CAPTCHAs have been the popular choice for this task. They grab a word (usually English), warp it into a shape not commonly seen and then ask users to type the word they see. Some text CAPTCHAs even use a random assortment of letters and numbers in an attempt to hinder the bots even more. The issue? Programs that use Optical Character Recognition, known as OCR, read the distorted text and allow bots through to websites that relied on the security service to prevent that very thing from happening.

This, unfortunately, is a common problem. By design, text CAPTCHAs have a shelf life – in order for them to remain difficult for bots, they have to become increasingly harder for humans. It appears that we’ve reached the ceiling for text CAPTCHA effectiveness, which is a big motivation for our creation of FunCaptcha.

The internet was built on innovation and that’s exactly what we’re doing with FunCaptcha – innovating an area of web security that sorely needs it.

Update: watch co-founder and CAPTCHA expert, Matthew Ford, go into detail on this topic in our new video series!