
Posted by ribtoks 22 hours ago

Google Cloud Fraud Defence is just WEI repackaged (privatecaptcha.com)
677 points | 345 comments | page 2
spankalee 20 hours ago|
Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?

CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen.

So where do things go? Fewer services and infinite fraud?

JoshTriplett 19 hours ago||
> Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?

A combination of "regulate AI" and "The optimal amount of fraud is not zero". https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...

nazgulsenpai 20 hours ago|||
Yes, fewer services and infinite fraud is substantially better to me than the web being controlled by Google even more than it already is.
frankchn 20 hours ago||
It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.
nazgulsenpai 16 hours ago||
I agree in practice money will always win.
iamnothere 20 hours ago|||
This doesn’t even solve the problem thanks to device farms. There’s not really a solution for this short of aiming a camera at someone’s retina 24/7 plus a fully locked down hardware path. And even that would surely be compromised given enough incentives.

People are just going to have to find a new way to monetize. Maybe more things will become paywalled, or sponsored long-term like old TV shows. Again, there’s no good way to solve this, and the “solutions” on offer just contribute to the surveillance state without solving the problem.

phpnode 19 hours ago|||
Why do you continue to extend the benefit of the doubt to your former employer when they have shown themselves to be untrustworthy again and again?
spankalee 18 hours ago||
For one, I got to see how utterly insane and off-base many of the conspiracy theories around Chrome were compared to reality.
zb3 19 hours ago|||
I don't know which activity you're referring to, but why are you trying to discriminate between humans and bots? Because bots don't pay? So demand payment.. Demand like payment per account creation, then set appropriate rate limits per account.
somat 18 hours ago|||
CAPTCHA is sort of a flawed concept in the first place. A machine to test if another agent is a machine. But I figure the future of this is give the test, but discard the answer, the truth is in how it is answered, behavioral analyses, see if their access patterns are human or machine like. A simple version of which is how fast they type, or speed items are clicked. A surveillance process that really creeps me out. I am undecided if it creeps me out more or less than fully automated agents spewing shit over the open web.

As a footnote I found Google's reCAPTCHA bitterly ironic, it was painted in bright colors "this data assists in book scanning" or "this helps our self driving cars recognize stop signs" but really designed to train models to do exactly what it's trying to prevent them from doing, and making life hell for the humans along the way. The modern single click version is doing behavioral analyses.

BiteCode_dev 6 hours ago|||
Make people pay money instead of watching ads.
righthand 20 hours ago|||
Captchas were never effective. It’s an arms race to the bottom.
prima-facie 17 hours ago||
What Google has done is incredibly clunky and only serves its own interests. We already have methods to prove that we're human.

1. lots of laptops have fingerprint readers & TPM2 built-in

2. lots of folks own Yubikeys or FIDO2 keys - if these became the norm then the price would come down significantly.

Both of these methods only require a tap to authenticate to a website. Both provide public-key authentication, and both provide some level of proof of work / require human interaction, without revealing the identity of the end-user.

Why not use or standardise these? Because there's no benefit to Google of course.

nerdsniper 17 hours ago||
Those don't prove that a human is present. A FIDO2 key can be automated by electronic relay. The only way to do this involves device attestation - locking devices down and utilizing hardcoded TPM/Secure Enclave esque chips. The best we can hope for would be an open standard for those chips so that people can use them with their own X.509 certificates that lets them choose their own CA.
nitwit005 16 hours ago||
Real hardware doesn't mean a human is present either, unfortunately. It just means that you have to spend on real devices to bypass these defences.
prima-facie 14 hours ago|||
This was exactly my point as well. Everything that can be automated will eventually be automated.
nerdsniper 14 hours ago|||
Maybe Worldcoin really was the answer after all XD
karlgkk 17 hours ago||
neither 1 nor 2 can prove you're a human. sorry
seba_dos1 15 hours ago||
neither can Google Cloud Fraud Defence, and yet we're here
karlgkk 12 hours ago||
ironically, some of the controls in gcfd have a good probability of detecting a human versus a robot!
btown 16 hours ago||
Do we know if this is immediately going to slot in wherever reCAPTCHA is currently used / is there a rollout plan? Or will site operators manually opt into the new system? Is there even a way to opt out?

I can think of many sites where, for users that trigger captchas often, introducing a multi-device workflow is even worse for those users than clicking traffic light images. An automatic rollout would be hostile to those operators!

doug_durham 17 hours ago||
This seems to be an advertisement for Private Captcha. I don't know a lot about the service, but it seems inherently ableist. Does proof of work support blind users? Does it support special needs users with cognitive impairments? The QR code and photo support a wide variety of users. Why not support a variety of methods? Why does it need to be one or the other?
jchw 21 hours ago||
Exactly my thoughts. I am unfathomably angry and I want to contribute to any effort to dismantle Google as a company.
pietervdvn 21 hours ago||
Yeah, same. It is hard; we start to need a collective boycott.

We can all do our part, by using their products as little as possible, contribute to open alternatives (OpenStreetMap, Fediverse, Linux, Nextcloud...) and by stimulating our (non-techie!) friends and family.

But it is a lot of work :(

7734128 20 hours ago|||
It should not be a "vote with your wallet" situation. It should be governments shattering that organization into appropriately sized companies.
quantummagic 20 hours ago|||
I wouldn't hold your breath. The government is reliant on them for surveillance, censorship, and propaganda. It is a synergistic relationship, not adversarial.
SilverElfin 19 hours ago||||
We cannot vote with our wallets because there’s no real competition. That’s the problem with the big tech companies and other monopolistic companies in other areas.
robin_reala 19 hours ago||
In what area is there no real competition? I can think of real competition in everything Google does with the possible exception of YouTube.
SilverElfin 19 hours ago||
Everything that gets money from ads. The network effects are too strong for competition against their ads platform and their ability to do targeted advertising based on data only they have. You can’t build a new ads platform and then use that to monetize your company’s other services, because the existing ad networks are so mature and established.

Phones. Your choice is Apple or Google.

As you said, YouTube. Again, they have users and creators in one place, so it’s hard for a new platform to compete.

There are also a lot of enterprise contracts that bundle many things together. Like cloud and their workplace apps (whatever it is now called).

But also, just their size is a problem. Look at their AI story. First off, many customers get forced into packages where they get Gemini included as part of the bundle (which means they’re paying for it automatically and have less of a reason to pay for something else). But also - Google was slow to build useful products here. Even though they are late and made many failed attempts like Bard, they can afford to take losses for years that no small company - or maybe even large companies that aren’t mega corps - can absorb. Those other competitors would go out of business and have to be careful and move slowly in spending. But Google’s capital lets them make mistake after mistake but still compete and eventually win. So it’s not a fair competition.

lotsofpulp 19 hours ago||||
It should have been the government providing an identity verification API, like they already do in the physical world with physical IDs. Governments dropped the ball, and so now Apple and Google get to be infrastructure.
coldacid 18 hours ago|||
"Don't worry! I'm from the government and I'm here to ~~help~~ identify you to everyone else on the planet."

That's no better, and in many ways far worse, than the corpos doing it.

lotsofpulp 18 hours ago||
Do you think identities never need to be verified? Seems like a central function in operating an accountable society, hence birth certificates, passports, etc.

There should not be a requirement to verify identity, but if a website owner only wants to provide access to their website to people with verified identities, why is that not their right?

Dylan16807 17 hours ago||
> Do you think identities never need to be verified? Seems like a central function in operating an accountable society, hence birth certificates, passports, etc.

Verifying identity for specific services tied to your finances or body is a whole different topic.

> if a website owner only wants to provide access to their website to people with verified identities, why is that not their right?

I like the GDPR's general point of view that the right to privacy is more important than the right to trade privacy for access. An anonymous verification might be fine, but this system is not, and random websites needing your specific identity is not.

lotsofpulp 13 hours ago||
A mechanism to verify identity does not preclude a mechanism for anonymous verification of other attributes. I do not see why someone else should be able to tell you (a business or person) who you have to allow access to your computers and your bandwidth that you pay for. Costco has the right to verify my identity when I walk into their store, I don't see why computing resources would be different.
Dylan16807 12 hours ago||
> I do not see why someone else should be able to tell you (a business or person) who you have to allow access to your computers and your bandwidth that you pay for.

The spirit of the law isn't to tell you that, it's to limit how much you can track people without their consent.

> Costco has the right to verify my identity when I walk into their store, I don't see why computing resources would be different.

That falls under "Verifying identity for specific services tied to your finances or body". You bought a membership, they're checking your membership.

If it was a store without a membership, then for practical purposes in real life we let them look at your ID but they shouldn't be allowed to record any identifying data off of it. When it's all done by machines we should use cryptography to make it anonymous from the start.

vinyl7 18 hours ago|||
The US government is a feckless facade, the US is a corporation run economic zone. The nice thing about being corporate run is that the rulers are unelected and unaccountable!
troupo 19 hours ago|||
These days every time a government as much as thinks of impinging on a supranational corporation's right to do whatever the hell it pleases you'll hear no end of cries ranging from "overregulation" to "tyranny".

For an example, see EU's GDPR, DMA etc.

deaux 21 hours ago||||
It's less work than 10 years ago. So many much more mature alternatives.
buran77 20 hours ago||
The technical challenge is actually the smaller one. The real one is to get people to care. Don't be tricked by the HN/techie bubble. Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet. Any attempts to explain it makes you sound like a lunatic to some, or just a bit of a worrier to others.

Whether it's targeted ads, or training AI on their data, or verifying their age and implicitly identity, or "fraud defense", most people happily take it in exchange for a convenient freebie which is why things keep escalating.

It's understandable, people are assaulted with all kinds of abuses from every direction. There are more immediate threats that they can grasp more easily so this stuff has to wait its turn.

deaux 2 hours ago|||
"Technical" isn't really what I meant in the first place. It's about convenience/UX. Lots of OSS has been technically great but very lacking in that part, understandably.

The prime recent example of this is gamers. I've seen many people say a version of this: "I tried Linux before but it was too complicated/didn't run most games/when I ran into something I had no idea how to solve it, so I just went straight back to Windows. Now I installed Bazzite cause I was fed up with Win11 and I'm super happy with it. If I do run into a problem I just ask AI and it solves it".

I've genuinely seen dozens of comments similar to this. The fact is that there needs to be a very convenient and user-friendly alternative ready to go for the moment that some people do start to care. You need both just as much as each other. And until very recently, those alternatives didn't exist, not at the level of convenience required.

buran77 1 hour ago||
For me "technical" meant relating to the technology (tool, product, interface, ecosystem, etc.) rather than the person.
JoshTriplett 20 hours ago|||
> Most people don't understand the problem, or don't see it as a problem because nothing smacked them in the face yet.

Or don't approach the world with a fundamental mindset of having agency to (help) fix things they see as broken. Just because people see something as bad doesn't mean they inherently see a bright flashing line from that to "so I should do something about it rather than accept it".

afpx 18 hours ago||||
They're trying to block your ability to boycott. https://en.wikipedia.org/wiki/Anti-BDS_laws
BizarroLand 18 hours ago||
Those are specifically targeted to boycotts of Israel, which ties it to anti-racial discrimination law.
afpx 12 hours ago||
Exactly, didn’t you see who is behind this?
pessimizer 20 hours ago||||
> Yeah, same. It is hard; we start to need a collective boycott.

Feelgood slacktivism. They don't care about your boycott. They finance their own alternatives because they know what makes you shut up.

kogasa240p 18 hours ago|||
IMO the biggest issue is that some non-tech people will occasionally be straight up hostile and will whine about not having "features", but then again it only takes a small amount of people taking action to inflict real change. Also medium term we need to start making phones (smart OR dumb) that are as FOSS as possible.

> Linux

Open/FreeBSD too, we need to have more redundancy.
leoc 20 hours ago|||
But remember: once again, don't simply get angry at Google the institution. Get angry at Page and Brin personally. They have the power to prevent this, a power they were careful to preserve when they gave Google its IPO. They are fully responsible for Google's choices here. But, partly because they aren't constantly jumping up and down drawing attention to themselves on social media, they've tended to escape the same personal scrutiny given to e.g. Elon Musk. That needs to end.
greatgib 20 hours ago|||
On that topic, I would highly recommend you to switch to Kagi!

Search is still their workhorse for ad revenue. Less search, less users, in addition to users now just asking chatgpt and co, will hurt them well

tom1337 20 hours ago||
Wouldn’t installing an adblocker basically hurt them as much / more as I still cost them compute but don't get them that sweet ad money?
JoshTriplett 19 hours ago||
You think systems that have adblockers installed will keep being able to pass WEI / Google Cloud Fraud Defence checks?

This is an attestation scheme. Attestation is about controlling what software you are and aren't allowed to run. If a future version of this allows desktop browsers rather than just phones, it will almost certainly try to do similar forms of attestation, and prevent you from controlling your own software stack.

SilverElfin 19 hours ago|||
The problem is this type of controlling move, that will be used to benefit their company, is one among many things a company like Google can do that is unethical. They won’t stop. They are too powerful and can get away with it repeatedly. Even if this one thing is stopped, there will always be another dark pattern or another privacy violation or another anti-competitive thing.

We really need brand new legislation that makes it much easier to break up companies that are too big, and also to tax mega corporations at a much higher rate than all other companies. Then we can have fair competition and the power of choice. But the existing laws end up with no real consequence for these companies, and even if there’s some slap on the wrist, it takes years in court. New laws must make it very fast and low cost for society to take action.

opengrass 19 hours ago||
For merchants who don't want geeks as customers, cool

As a web-wide captcha replacement, not cool

Velocifyer 15 hours ago||
Also, Google sometimes blocks the audio captchas (messing up blind people) and they are nearly impossible right now.
stronglikedan 19 hours ago||
Why should I even care anymore? I no longer need to access random websites to find information since I can just ask the AIs.
a2128 19 hours ago||
Are you genuinely asking? To pay your taxes, order items online, access your bank account, log into your favorite AI service, there are very often CAPTCHAs involved. Try going a month with CAPTCHAs blocked in uBlock Origin, and you will find yourself unable to do many basic things.
fg137 18 hours ago||
Not saying this is any better, but IRS partnered with id.me to enforce ID + face recognition before you can log in to view your records. We are truly doomed.
garciansmith 18 hours ago|||
Even besides services you might need to access, as pointed out in another response (e.g., banks, shops), how are you going to check the veracity and understand the context of the information you seek without going to the (possibly hallucinated!) sources? But I guess a lot of people who are into using AI like that just don't care.
AntonyGarand 19 hours ago|||
Where do you think the AI gets this information?

They also need to browse the web, and are more likely to be blocked by these measures than humans

raincole 17 hours ago||
> are more likely to be blocked by these measures than humans

In other words these measures work as intended...?

biennvops 20 hours ago||
Thankfully I haven't met reCAPTCHA that often nowadays, thanks to other providers being more competent.

(And no, not you Microslop!)

NegativeLatency 18 hours ago|
Very funny that if you want to start a bot farm you also go and buy a bunch of random android devices.