The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
The site doesn't mention this. But, are they locking down QR code auth for only safetynet authenticated devices and with mobile number verification?
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
... You... think... it would be a good thing.
Don't you...
I do. It has downsides of course, but what's the alternative at this point?
Depends on your specific problem. Usually redesign your system not to need to care if the other end is a bot or not.
How though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not.
Let's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?
Rate limit individual clients.
Let's play this out: how do you determine individual clients? By ip? By seasionid?
How do you "determine" individual clients to show them CAPTCHAs? Yes, you can, and probably should, make some use of IP addresses, although that would work better if idiots hadn't polluted the Internet with quite so much NAT.
But you don't have to, and you definitely don't have to completely rely on it. Look for a cookie. If you don't see it, route the client through a page that sets it.
Yes, this is subject to flooding attacks... in exactly the same way that every CAPTCHA system is subject to flooding attacks. But it actually uses fewer resources per request than showing the CAPTCHA would.
I suspect that the HN crowd is somehow insulated from the river of crap and fraud that is the internet experience for a majority of the population.
Just show us your face and transactions history, it's about the kids.