Spammers Use The Human Touch To Avoid CAPTCHA

An illustration of a CAPTCHA. NPR illustration.

"The whole premise behind the CAPTCHA is you want to allow users to access your service as long as they're an actual person," Professor Stefan Savage says.

Try to buy some concert tickets or create a new e-mail account, and you're usually confronted with a puzzle of sorts.

A box appears with a distorted word — that sometimes isn't even a word — and you have to re-type it. If you tilt your head or squint your eyes, you can usually just make it out.

That's the point, of course. The puzzles are called CAPTCHAs, and a human can decipher them but a computer can't. It's a way to thwart bad guys from, say, creating hundreds of fake e-mail addresses to spam you from. Or buying up all the tickets to that concert you want to see. But the spammers have found a low-cost, low-tech way around the device — human beings.

Spammers and mass-ticket purchasers have outsourced CAPTCHA solving to teams of low-wage workers in places like Russia and Southeast Asia. Many of them don't even speak English. They don't have to, according to Stefan Savage.

"The beauty of most modern CAPTCHAs is that they simply take Latin characters — so they don't actually need to understand what the words mean — they simply need to be able to look at the symbols and type the appropriate ones on their keyboard," he says.

Savage is a professor in the department of computer science and engineering at the University of California San Diego. He recently co-wrote a paper on the economics of this underground CAPTCHA trade.

Savage tells NPR's Liane Hansen that these CAPTCHA-solving teams are "effectively sweatshop labor, where people will just sit and be given these images to solve and will type them in all day."

Despite a lack of English-language skills, the workers are fast. "Generally speaking, [they] can turn around a CAPTCHA in between 10 and 20 seconds. They're probably a little better at it than we are, because they do it all day," Savage says.

The faster they are, the better — because the going rate is about 75 cents per 1,000 CAPTCHAs solved. "It's about $2 or $3 a day," Savage says.

"It's really in line with some of the lowest paid textile work around," he says, "although probably the quality of life is slightly better than being in a textile mill."

It's unclear if any laws are being broken by these CAPTCHA sweatshops. Savage says that there's nothing illegal about solving a CAPTCHA, even if what the solvers are doing supports fraudulent activity.

It does make you wonder why sites still bother with the cryptic fragments. Savage says even though CAPTCHAs don't ultimately prevent abuse, they still serve a purpose.

"On the one hand, CAPTCHAs do not keep the bad guys out, but at the same time, they actually are effective at keeping the problem in control," he says.

"So even at that very low cost," he says, "they have to be able to make enough money, send enough spam from each one of those accounts that it ends up being worthwhile. So even that very low drag turns out to be enough to weed out a huge number of the people who would play this game."
