• OsrsNeedsF2P@lemmy.ml
    link
    fedilink
    English
    arrow-up
    35
    arrow-down
    2
    ·
    edit-2
    4 months ago

    I work in a related space. There is no good solution. Companies are quickly developing DRM that takes full control of your device to verify you’re legit (think anticheat, but it’s not called that). Android and iPhones already have it, Windows is coming with TPM and MacOS is coming soon too.

    Edit: Fun fact, we actually know who is (beating the captchas). The problem is if we blocked them, they would figure out how we’re detecting them and work around that. Then we’d just be blind to the size of the issue.

    Edit2: Puzzle captchas around images are still a good way to beat 99% of commercial AIs due to how image recognition works (the text is extracted separately with a much more sophisticated model). But if I had to guess, image puzzles will be better solved by AI in a few years (if not sooner)

    • parpol
      link
      fedilink
      English
      arrow-up
      40
      arrow-down
      2
      ·
      4 months ago

      deleted by creator

    • brbposting@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      22
      ·
      4 months ago

      I love Microsoft’s email signup CAPTCHA:

      Repeat ten times. Get one wrong, restart.


      iPhones already have it

      Private Access Tokens? Enabled by default in Settings  > [your name] > Sign-In & Security > Automatic Verification. Neat that it works without us realizing it, but disconcerting nonetheless.

      So, the spammers will need physical Android device farms…

      • OsrsNeedsF2P@lemmy.ml
        link
        fedilink
        English
        arrow-up
        17
        ·
        edit-2
        4 months ago

        More industry insight: walls of phones like this is how company’s like Plaid operate for connecting to banks that don’t have APIs.

        Plaid is the backend for a lot of customer to buisness financial services, including H&R Block, Affirm, Robinhood, Coinbase, and a whole bunch more

        Edit: just confirmed, they did this to pass rate limiting, not due to lack of API access. They also stopped 1-2 years ago

        • brbposting@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          No way!! Can’t find anything about it online - is this info by the way of insiders? Thanks for sharing, would have NEVER guessed. Not even that they’d have to use Selenium much less device farms.

          • OsrsNeedsF2P@lemmy.ml
            link
            fedilink
            English
            arrow-up
            4
            ·
            4 months ago

            Yup insider info they definitely don’t want public. Just confirmed the phone farms were to bypass rate limit, although they do use stuff like Selenium for API-less banks

      • StarLight@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        4 months ago

        Oh my god. I lost my fucking mind at the microsoft one. You might aswell have them solve a PhD level theoretical physics question

        • brbposting@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 months ago

          Just noticed the screenshot shows 1 of 5.

          So five wasn’t good enough… they had to double it. Do kinda respect that they’re fighting spammers, but wonder how Google does it with Gmail. They seem to have tightened then recently loosened up on their requirement for SMS verification (but this may be an inaccurate perception).

    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      I know some sites have experimented with feeding bots bogus data rather than blocking them outright.

      My employer spotted a bot a year or so ago that was performing a slow speed credential stuffing attack to try to avoid detection. We set up our systems to always return a login failure no matter what credentials it supplied. The only trick was to make sure the canned failure response was 100% identical to the real one so that they wouldn’t spot any change. Something as small as an extra space could have given it away.