Posted by unforgivenpasta 21 hours ago

Google Cloud fraud defense, the next evolution of reCAPTCHA (cloud.google.com)
348 points | 364 comments | page 5
graphememes 18 hours ago|
Yeah, I'm not doing that.
donmcronald 15 hours ago|
You don’t need to. As long as the dumb majority goes along with it, your options are to capitulate or get locked out of society.
orion7 10 hours ago|||
An increasing percentage of the dumb majority are opting for dumb phones and plenty of people still use laptops, it doesn't have to be anywhere remotely close to a majority for many analytics-obsessed site owners to see the drop in sales and opt for another solution.

In any case, sites using an extremely restrictive mode of reCAPTCHA during DDoS attacks will just be one segment of a very fragmented digital future, not society as such.

userbinator 14 hours ago|||
Your only option is to sway the "dumb majority" in the other direction.
koala-news 4 hours ago||
Feels like we accidentally built a web where proving you’re human now requires approval from 3 different corporations.
mattstir 2 hours ago|
I don't think there's much that's accidental about it. The giant corporations with near-monopolies in web-related markets (browsers, search...) are going to be incentivized to put restrictions in place that protect that monopolistic status. As with other facets of life, they can dress up the changes as "protecting users/kids/etc" and mostly get away with it. The same companies are the ones championing the very technologies that make human attestation more and more necessary.
mafriese 9 hours ago||
As someone who is working in incident response and malware analysis I have to say that is one of the worst ideas I have ever seen.

A lot of companies have issues with ClickFix [1] and other social engineering campaigns and now Google wants to teach users that they should scan QR codes to proceed on a website.

How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can't. I wish we could - but those people don't work in tech, they will never know and I can't really blame them because at the end of the day they are just happy that they don't have to deal with tech after work.

We have spent years of behavioural conditioning to prevent QR-code based phishing attacks (some people call it Quishing but I hate that term) and since the QR code is being scanned from a mobile device (99.99% of the time the private device), we have no EDR visibility on those devices and can't track what's happening if people scan it.

This is more of an invitation for threat actors than it is something that holds them back.

[1] https://www.kaspersky.com/blog/what-is-clickfix/53348/

Kim_Bruning 13 hours ago||
The mobile phone requirement would mean I end up avoiding sites that use that method. I'm not sure how many friends and family can be convinced, but I can try. (Most people tend to give up any and all security measures if it means getting to see the fluffy kitten though, so my hopes aren't very high.)
x3sphere 18 hours ago||
I ditched reCaptcha and switched to Cloudflare Turnstile recently. It’s been a lot more effective. Not sure about this but I won’t be switching back for the time being.
duskdozer 8 hours ago||
Why not hCaptcha or Anubis? I had to block Cloudflare JS due to abuse, so I can't use any sites that require it.
g-b-r 16 hours ago|||
It's hard to say which one is more maddeningly annoying.
doublerabbit 17 hours ago||
From one egg basket to another; both are flawed in design.
2001zhaozhao 15 hours ago||
Inb4 Google 2027: "we sold 30% more Android devices YoY!"

(The extra devices are cheap $30 phones all going into reCAPTCHA solve farms)

mayama 20 hours ago||
The site doesn't mention this. But are they locking down QR code auth to only SafetyNet-attested devices, and with mobile number verification?
bobbiechen 20 hours ago||
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).

But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.

Hizonner 20 hours ago||
... You... think... it would be a good thing.

Don't you...

IshKebab 19 hours ago||
I do. It has downsides of course, but what's the alternative at this point?
Hizonner 17 hours ago|||
Depends on your specific problem. Usually redesign your system not to need to care if the other end is a bot or not.
IshKebab 17 hours ago||
How though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not?

Let's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?

Hizonner 17 hours ago||
Rate limit individual clients.
bryan_w 11 hours ago||
Let's play this out: how do you determine individual clients? By IP? By session id?
Hizonner 1 hour ago|||
How do you "determine" individual clients to show them CAPTCHAs? Yes, you can, and probably should, make some use of IP addresses, although that would work better if idiots hadn't polluted the Internet with quite so much NAT.

But you don't have to, and you definitely don't have to completely rely on it. Look for a cookie. If you don't see it, route the client through a page that sets it.

Yes, this is subject to flooding attacks... in exactly the same way that every CAPTCHA system is subject to flooding attacks. But it actually uses fewer resources per request than showing the CAPTCHA would.
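
The cookie-gate-plus-rate-limit approach the comment above sketches, as an added illustration that is not part of the thread: a client with no valid cookie is routed to a cheap cookie-setting response instead of a CAPTCHA, and clients that do present one are rate limited per cookie id. The secret, window size, limit and the dict-based request shape are all assumptions constructed for the example; the cookie is HMAC-signed so a flood of forged or cookie-less requests costs one hash each and never grows the per-client state.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional, Tuple

# Assumed parameters (constructed for this example): a server-side secret and a
# budget of 5 requests per 10-second sliding window for each identified client.
SECRET = secrets.token_bytes(32)
WINDOW_SECONDS = 10.0
MAX_PER_WINDOW = 5


def _sign(cid: str) -> str:
    return hmac.new(SECRET, cid.encode(), hashlib.sha256).hexdigest()[:16]


def issue_token() -> str:
    """Mint a random client id and sign it; this is what the cookie-setting page hands out."""
    cid = secrets.token_hex(8)
    return f"{cid}.{_sign(cid)}"


def verify_token(token: str) -> Optional[str]:
    """Return the client id if the cookie carries a valid signature, otherwise None."""
    cid, _, sig = token.partition(".")
    return cid if sig and hmac.compare_digest(sig, _sign(cid)) else None


class Gate:
    def __init__(self) -> None:
        # Only clients with a *valid* cookie ever get an entry here, so unsigned
        # flood traffic cannot inflate this table.
        self.hits = defaultdict(list)  # client id -> recent request timestamps

    def handle(self, cookies: dict, now: float) -> Tuple[str, Optional[str]]:
        """Decide one request: ('set_cookie', new_token) when no valid cookie is
        present (serve the cheap cookie-setting page and redirect), otherwise
        ('ok', cid) or ('rate_limited', cid) based on the sliding window."""
        cid = verify_token(cookies.get("cid", ""))
        if cid is None:
            return ("set_cookie", issue_token())
        window = [t for t in self.hits[cid] if now - t < WINDOW_SECONDS]
        if len(window) >= MAX_PER_WINDOW:
            self.hits[cid] = window
            return ("rate_limited", cid)
        window.append(now)
        self.hits[cid] = window
        return ("ok", cid)
```

In a real deployment the token would also carry an issue time so stale cookies expire, and the `hits` table would live in a shared store such as Redis rather than process memory.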

intended 18 hours ago|||
I suspect that the HN crowd is somehow insulated from the river of crap and fraud that is the internet experience for a majority of the population.
comboy 18 hours ago||
Just show us your face and transactions history, it's about the kids.
super256 13 hours ago||
Looks like Cloudflare has the only user friendly captcha of them all.
throwaway85825 13 hours ago|
Google has a lot of fraud because they have absolutely no standards when it comes to advertising scams and frauds as the first result. Google is a services company for the global crime industry.