CAPTCHA Doesn't Stop Bots
This article is provided by mcrdy455 from earth2.market. He is a bot developer for a living and knows a thing or two about stopping bots. This is part one of a two-part article.
First of all, I want to make something clear:
In this article I'll talk from the point of view of a software developer. I'll bust some myths and provide evidence and examples of what I mean, in the form of screenshots and code which you can test yourself. Let's start with the hottest topic:
Bots and the premium marketplace.
The earth2.market project was born because the official Marketplace was flooded with bots and scripts, and you could easily get scammed. I got scammed in my first week, on my first attempt at buying a second-hand land.
The scam was as follows:
You buy a tile, put it up for sale for, let's say, $10, get its ID, get your x-csrftoken and sessionid cookies, write a single line of code that sets the price to $0.01 and then back to $10.01, and set an interval to repeat that action 1000 times per second. I tried it with an alternate account (the.vlad.kos).
(I won't provide code for this scam, since it's long patched, but the results were shocking.)
You can clearly see that the owner got the money, but the property never changed ownership, until I bought it for the higher price intentionally.
Very soon after this discovery, I created a post which I was hoping would get the devs' attention... But after a week or so, a fix still wasn't implemented...
The primary reason I created the earth2.market website was to prevent such scams. The slower refresh rate meant that such properties would either not appear on earth2.market at all, or would appear with the higher price, which would not trick anyone like me.
However, a few days later they finally fixed the issue... The main problem is that I had initially invested $100, and being scammed like this for 10% of my investment on my 2nd day in the game made me think before investing more, and I never did...
I started a war with the bots, which I’m still fighting.
Soon after the earth2.market website became much better than the official marketplace, I noticed some unusual user activity. I had HUGE spikes in the page view count which, considering the unique user count, were suspicious because the two numbers didn't line up. I started banning users making too many requests and asking them to contact me. At the end of the day they all told me the same thing: they were using Chrome auto-refresh so that the offers would update whenever a new one popped up. Even though my market updated only once every 30 minutes, they preferred it to the official marketplace.
However, they were all nice people, and I banned and unbanned them a few more times before the premium marketplace was born. It was not my idea; it was a requested feature, and people suggested making it. (I thought ads were the way to monetize.)
You can clearly see the results. All the constant refreshing, which had slowed my server a lot, was gone within 2 days. Those who still tried to snipe the old-fashioned way had no more luck and gave up.
Initially, the premium market refreshed as rarely as once every 90-180 seconds, but then API bots started popping up. Duc, Dworak - most of you probably know them; they returned all properties if they were bought by mistake. However, those are only a few examples. I tried writing a short piece of code to test how easy it was to build such a bot, and here is the first example:
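The two abuse patterns described so far, a single listing having its price flipped 1000 times per second and a single user auto-refreshing the page nonstop, are both bursts of requests from one key that a normal user never produces. The following is an added example, not earth2.market's or Earth 2's own code, of a per-key sliding-window rate limiter replayed over constructed event logs; the limits (5 price updates per listing per minute, 10 page views per user per minute), the key names and the sample timestamps are assumptions chosen for illustration, and a real deployment would pick thresholds from its own traffic.

```python
"""Sliding-window rate limiting for two abuse patterns: rapid price flipping on
one listing and constant page auto-refresh by one user.
Added example with constructed data; not earth2.market code."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # key -> timestamps (seconds) of recent accepted events, oldest first
        self._events = defaultdict(deque)

    def allow(self, key, now):
        """Return True and record the event if it fits under the limit."""
        q = self._events[key]
        # Forget accepted events that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def audit(events, limit, window):
    """Replay (timestamp, key) events in time order.

    Returns {key: number_of_rejected_events} for keys that hit the limit,
    which is the list an operator would review before banning anyone.
    """
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for ts, key in sorted(events):
        if not limiter.allow(key, ts):
            rejected[key] += 1
    return dict(rejected)


# Constructed sample: listing 42 flips its price every millisecond for one
# second (the scam pattern); listing 7 is updated twice, 30 seconds apart.
PRICE_UPDATES = [(i / 1000.0, "listing:42") for i in range(1000)] + [
    (0.5, "listing:7"),
    (30.0, "listing:7"),
]

# Constructed sample: "refresher" reloads once a second for a minute
# (auto-refresh); "human" views the page three times in that minute.
PAGE_VIEWS = [(float(i), "user:refresher") for i in range(60)] + [
    (1.0, "user:human"),
    (20.0, "user:human"),
    (45.0, "user:human"),
]

if __name__ == "__main__":
    print("price updates over limit:", audit(PRICE_UPDATES, limit=5, window=60))
    print("page views over limit:", audit(PAGE_VIEWS, limit=10, window=60))
```

The limiter keeps only accepted timestamps per key, so a flood costs memory proportional to the limit rather than to the flood. Applying the same limiter to price updates per listing is what makes the flip-price trick impossible to run fast enough to matter, independent of whether the purchase path itself is later fixed.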
This code may look alien to some of you, but it is a beginner's solution to the problem. Basically, it sets your cookies, chooses the property ID and sends a single POST request to earth2.io... In the past you didn't need to include the captcha solution, but even now
Captchas slow humans more than bots...
I've explained this many times to many users... But here is what I mean visually:
The code above is what the bot needs to go through to solve Google reCAPTCHA, which is what Earth 2 uses...
(You'll need to register for the anti-captcha service and use your own API key.)
Also note that once a bot goes through this process, the token is VALID FOR 5 MINUTES, which means the bot can solve the captcha, wait for a property to appear and instantly buy it... If no property appears, it doesn't matter, because solving 1000 captchas costs $2, which is enough for 4 days... The computer will use up more electricity running the bot than the captcha-solving service will charge the developer... And the Discord chat highlighted to the left is what a user has to go through: a SLOW AND PAINFUL process of solving each captcha, even for an action they didn't initiate...
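The 5-minute validity window is what lets a bot solve ahead of time and spend the token on whatever listing appears next. The following is an added example, not earth2.io's or Google's implementation, of a server-side gate that issues each challenge for one named action, accepts a solution only once, and only within a short TTL, so a solution banked in advance cannot be redirected to a property that did not exist when it was solved. The class name, the `buy:<property_id>` action format, the 60-second TTL and the outcome strings are assumptions for illustration; timestamps are passed in so the behaviour is deterministic.

```python
"""Binding a CAPTCHA solution to one specific action and one use.
Added example with a simulated verifier; not earth2.io's implementation."""
import secrets


class BoundCaptchaGate:
    """Challenges are tied to an action string and consumed on first redeem."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._pending = {}  # challenge_id -> (bound_action, issued_at)
        self._used = set()  # challenge ids that have already been redeemed

    def issue_challenge(self, action, now):
        """Create a challenge for exactly one action, e.g. 'buy:<property_id>'."""
        cid = secrets.token_hex(16)  # unguessable challenge identifier
        self._pending[cid] = (action, now)
        return cid

    def redeem(self, cid, action, now):
        """Accept a solved challenge only if it is unused, fresh and bound to `action`."""
        if cid in self._used:
            return "replayed"
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown"
        # Consume the id whatever the outcome: one solution, one attempt.
        self._used.add(cid)
        bound_action, issued_at = entry
        if now - issued_at > self.ttl:
            return "expired"
        if bound_action != action:
            return "action-mismatch"
        return "ok"


def scenario():
    """Walk through the cases the text describes; returns outcome per case."""
    gate = BoundCaptchaGate(ttl_seconds=60)
    results = {}

    # A human solves for property A and buys A shortly after.
    cid = gate.issue_challenge("buy:property-A", now=0)
    results["legit"] = gate.redeem(cid, "buy:property-A", now=10)
    # The same solution sent a second time is rejected.
    results["replay"] = gate.redeem(cid, "buy:property-A", now=11)

    # A pre-solved challenge for A cannot be spent on a newly listed B.
    cid = gate.issue_challenge("buy:property-A", now=0)
    results["redirected"] = gate.redeem(cid, "buy:property-B", now=10)

    # A solution held for five minutes has outlived the TTL.
    cid = gate.issue_challenge("buy:property-A", now=0)
    results["stale"] = gate.redeem(cid, "buy:property-A", now=300)

    # A forged or never-issued id is simply unknown.
    results["forged"] = gate.redeem("not-a-real-id", "buy:property-A", now=1)
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The important design point is that the challenge is created only after the buyer has named the property, so the solving step necessarily happens after the listing appears rather than before; the TTL then only has to cover how long a human needs to finish the challenge, not how long a bot is willing to wait.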
I hope you can clearly see that the advantage is in favor of the bots on the earth2.io website... The right choice of captcha for earth2.io is the older image-to-text type, which is reportedly solved by humans faster than bots in 99.9% of cases, compared to Google reCAPTCHA, where it's somewhere around 50%, based on luck and settings, and since the recent changes bots on earth2.io have a much, much higher chance of being faster...
In Part 2 of this article, I'll go over the solution to the bot problem and my suggestions to the Earth 2 team.
"Destroy All Humans" by brunkfordbraun is licensed with CC BY-SA 2.0.