Lin-Manuel Miranda — “Hamilton” star, creator, certified genius and all-around national obsession — penned an impassioned plea in the New York Times this week asking for help to stop bots from taking over Broadway. Miranda shed light on how scalpers use bots to buy up tickets to plays, operas, concerts and other events in milliseconds, only to resell them for at least double their original price on sites such as StubHub.
As Miranda outlined, this activity is both super profitable and illegal, and apparently profitable enough to be worth it to some to break the law. But, one might wonder, how are they getting past the captcha — those squiggly lettered snippets specifically designed to thwart robo-buying?
They have a secret weapon: people.
According to the New York Attorney General’s office report that Miranda cites in his op-ed, one way that these bots are getting around the security measures designed to thwart them is by enlisting the help of humans. Some companies do use software, namely optical character recognition (OCR) programs that can convert an image to text — for example, making a scanned page of a book searchable. But the bots also send real-time feeds of the captchas (per Wikipedia, technically a backcronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") to have humans solve the puzzles that only humans are supposed to be able to solve.
From the report comes this picture of a somewhat grim career:
“[The] Bots transmit in real-time images of the CAPTCHAs they encounter on Ticketmaster and other sites to armies of “typers,” human workers in foreign countries where labor is less expensive. These typers — employed by companies such as Death by CAPTCHA, Image Typerz, and DeCaptcher — read the CAPTCHAs in real-time and type the security phrases into a text box for the Bot to use to bypass ticket vendors’ defenses and use their sites.”
This is far from a new tactic to get around captchas. In 2004, Cory Doctorow, co-editor at Boing Boing, reported that spammers were using free pornography sites to get people to solve the captchas for them. To unlock a video, a potential viewer would have to solve captchas piped in from other sites such as Yahoo and Hotmail, which spammers would then use to create oodles of e-mail accounts at a rapid pace to spam people.
And now there are companies devoted entirely to defeating captchas. Personally, I’ve had so much trouble with the squiggly things in the past that I’ve occasionally worried that I’m a robot without knowing it. But obviously, there are people who are very good at it who spend their hours deciphering those distortions or even beating more sophisticated measures — such as correctly identifying which shots among a grid of nine pictures have turkeys in them.
As long as we need security measures — which, to be clear, will be always — there will be people trying to get around those measures. What’s surprising is that it’s not always a high-tech arms race. Sometimes the thing that gets around your advanced security measure isn’t advanced countersecurity. Sometimes, it's just a person sitting at a computer clicking on pictures of wild fowl.