Forget security – Google's reCAPTCHA v2 is exploiting users for profit | Web puzzles don't protect against bots, but humans have spent 819 million unpaid hours solving them
Web puzzles don't protect against bots, but humans have spent 819 million unpaid hours solving them
Research Findings:
reCAPTCHA v2 is not effective in preventing bots and fraud, despite its intended purpose
reCAPTCHA v2 can be defeated by bots 70-100% of the time
reCAPTCHA v3, the latest version, is also vulnerable to attacks and has been beaten 97% of the time
reCAPTCHA interactions impose a significant cost on users, with an estimated 819 million hours of human time spent on reCAPTCHA over 13 years, which corresponds to at least $6.1 billion USD in wages
Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set
Google should bear the cost of detecting bots, rather than shifting it to users
"The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service," the paper declares.
In a statement provided to The Register after this story was filed, a Google spokesperson said: "reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear. Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling."
I’m actually 100% for rolling your own… almost everything.
20 years ago I made an e-commerce website for a client. Looking at the code now I’m embarrassed how insecure it is. However, because it was totally custom no one ever found the bugs and it has never been cracked. (Knock on wood) that’s the benefit of not using a prebuilt solution that isn’t a target for mass exploits.
100% success rate isn't even moderately useful if it costs $5 per pass. The discussion is completely pointless without a concrete, documented analysis of the actual hardware and energy costs involved.
Did you read the article or the TL:DR in the post body?
The paper, released in November 2023, notes that even back in 2016 researchers were able to defeat reCAPTCHA v2 image challenges 70 percent of the time. The reCAPTCHA v2 checkbox challenge is even more vulnerable – the researchers claim it can be defeated 100 percent of the time.
reCAPTCHA v3 has fared no better. In 2019, researchers devised a reinforcement learning attack that breaks reCAPTCHAv3's behavior-based challenges 97 percent of the time.
So yeah, while these are research numbers, it wouldn't be surprising if many larger bots have access to ways around that - especially since those numbers are from 2016 and 2019 respectively. Surely it is even easier nowadays.
researchers were able to defeat reCAPTCHA v2 image challenges 70 percent of the time
that doesn't answer the question?
researchers devised a reinforcement learning attack that breaks reCAPTCHAv3's behavior-based challenges 97 percent of the time
i'd argue "bespoke system, deployed in a very limited context, built by researchers at the top of their field" is kind of out of reach for most people? and any bot network scaled up automatically becomes easier to detect the further you scale it
the cost of just paying humans to break these already at or below pennies per challenge
"Traffic resulting from reCAPTCHA consumed 134 petabytes of bandwidth, which translates into about 7.5 million kWhs of energy, corresponding to 7.5 million pounds of CO2. In addition, Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set."
There might be a tiny chance they're not interested in changing things.
Don’t know why you’re being downvoted… My employer sees a lot of bot activity on our sites, which are hosted in AWS and protected by Akamai. It’s Akamai that informs us when a bot visits our site, and Akamai that lets us block it. Google never sees this traffic.