News

Text CAPTCHA AI Threatens to Make the System Obsolete Soon

Written by Bill Toulas
Published on December 18, 2018

A new machine learning algorithm developed by the Lancaster University in the UK and the Peking and Northwest Universities in China shows an unprecedented comfort in breaking text CAPTCHA tests. The “GAN” (Generative Adversarial Network) AI was tested in 33 popular websites, featuring success rates that were never achieved before by other researchers.

As researchers point out, their new AI is capable of solving a CAPTCHA within 0.05 seconds, using a typical desktop PC. Considering the fact that the success rates within this short time are higher than 85% for the majority of the websites tested, we have practically reached the end of using CAPTCHAs as a “human or bot” discerning tool.

captcha test

From the Lancaster University report

This was only a matter of time though, and as reliable as CAPTCHAs have proven to be in the past, there’s nothing that machine learning can’t learn nowadays. The researchers who developed this new GAN AI have used sets of CAPTCHA data (200000 synthetic CAPTCHAs) to train their tool in recognizing various security features that fall in the anti-segmentation and anti-recognition categories. Whether it’s rotation or distortion of characters, or overlapping letters and complex background, the GAN learned to see through them in the way humans do, only much faster really. While previous systems of this kind could generate a lot of iterations to unlock a CAPTCHA, their approach finds the right answer in a couple of tries (if not on the first try), minimizing the risk of getting locked out by the website.

captcha comparison

From the Lancaster University report

So, with a tool like GAN, which is cheap and easy to train, attackers could now launch coordinated DDoS or spam-posting attacks on websites that were previously protected adequately by their CAPTCHA systems. Making them even more complicated isn’t likely to help for much longer, and some implementations are already confusing enough even for real people. Google has an answer through their recently launched “reCAPTCHA 3”, which instead of making us fill out text forms it monitors users and defines their risk rating by evaluating their behavior. This seems to be a good solution, for now, empowering web admins further, and making the lives of regular visitors easier.

Where do you stand on the above topic? Let us know of your opinion in the comments section below, and don’t forget to like and share this story by visiting our socials on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: