Problem isn’t a bot traffic. I run an Ecommerce site and scammers run python scripts to test 1000s of cards per hour if there is no captcha. I hate it, my customers hate it, scammers hate it, but it is the only thing that keeps my merchant account running. Any advise is welcome!

Logon forms are another whole issue. "Lock out the account" is just a DoS vector. People are quick to talk about systems that can defeat a captcha but if the brute force goes from 50 passwords/sec to one password/10 sec it's mission accomplished.

Can't you just put a 5 second "loading bar" delay instead of a captcha then i wonder?

Not easily: if it's enforced client side it may as well not exist, if it's enforced server side you just let anyone lock anyone else out of their account by running a constant brute force attack against their account (a DoS vuln). It also does nothing for attackers who try a giant list of accounts but only one or two passwords for each.

I worked on Google's system for solving this. It's a pretty sophisticated analysis that decides whether to demand CAPTCHAs or not based on a lot of factors. The CAPTCHA was needed (at that time) because it's the only way to slow down the attacker without bothering the real user, who won't be shown one.

Serverside of course, but i would think the loading bar can be per connection rather than be per account right? Like a connection is attempted, starting the loading bar, and then 5s later you only allow that connection to continue the load? I do non-web dev stuff so maybe i'm missing something but it sounds like should be easy enough.

What stops you dropping the connection the moment you realize you're being loading barred.

Presumably the point is that the user (or bot) wants to access the content, a connection would have to complete the load successfully to do what they came for. if they just drop it instantly then that's a bot turned away.

But you don't want to throw an arbitrary five second delay into login for every good user, they hate that sort of thing whereas the bot doesn't care.

> without bothering the real user, who won't be shown one.

bullshit

Lots of signals used to prevent people seeing captchas when their passwords were being attacked, but you never see it so never think about it.

If you do that on the server side, per account, it works. Small DoS risk, but it remains acceptable

If you do that on the server side, per account, it works. Small DoS risk, but it remains acceptable

would requiring a un/pw sent to an email address work￶?

> killing off the independent alternatives to Reddit/Disqus

I haven't encountered a captcha using Lemmy. There might be one on some servers for account creation.

What are you on about?

I've used Amazon from the same IP address for years and I still regularly get the "you look like a bot, solve this" crap.

Did you read the article? What you said directly goes against the study's conclusion.

I'm helping a neighbor to run a small e-commerce website with reviews. Review forms are being spammed by bots that get even through CAPTCHAs, and the owner needs to clean them up constantly. Without CAPTCHAs, it becomes unsustainable.

They don't get a lot of bots trying stolen credit cards, but mostly because they are pretty niche.

I can believe study's results on user interaction, but their "security analysis" section (6.2) is deeply flawed - it only looks at the best bots, and not at the average ones. Meanwhile, as many other people in this thread can attest, (1) most of the bots are not really sophisticated, and get stopped by CAPTCHa, (2) the defense does not have to be 100% efficient, as long as form spam goes from 100/day to 1/day, things are OK.

Of course authors really wanted to write their conclusion, so they just ignored all the practical considerations. It's really a shame on the part of paper's reviewers.

My thinking is that these days, the unsophisticated bots will still be stopped by literally any effort, like a hidden form field that causes the form to be rejected if it's filled in. Almost nothing will stop sophisticated bots, and nothing will stop a boiler room. This doesn't really leave a place for more sophisticated CAPTCHAs.

Sounds a heck of a lot like the bots are killing off these websites. Gross overuse of automated scraping is a fact of life but individual choice is intolerable. What if I told you they were the same thing?

Yes, bot traffic is killing the open web. What's your point?

Regulate against inaccessible and privacy invasive CAPTCHA (done and done in EU) and regulate against disruptive bot traffic (what's the hold-up there? Oh, I see, it requires actual competent law enforcement... That's a hard one). Me only half-joking while standing on my high EU horse.

Have you seen this: https://trog.qgl.org/20081217/the-why-your-anti-spam-idea-wo... ? You're proposing a legislative change, and bots in the US, Russia, China, whatever can care less about the acts of the EU parliament.

I also don't see how EU solves issues with CAPTCHAs. Anonymous CAPTCHAs are allowed in the EU.

Thank you for that, though I'd rather choose 'The police will not put up with it' and either 'The politicians are too incompetent' or 'Underestimate how much money there is in it'

Anonymous CAPTCHAs are fine so long as they're accessible for people with disabilities. I would not venture to say I know of such one as a service...

If you are a EU government wanting a no-captcha experience on your website you could solve it thusly:

* Don't have captcha.

* Make it illegal for bots to access.

* Block foreign ips.

* Make it illegal to provide a proxy for foreign bots.

Yeah, that's great until you're a european citizen who needs to access a government service while travelling in the US, or living in French Guyana, or any amount of exceptions to your clever idea.

If you travel to places unwilling to enforce basic rules of civility you should be willing to suffer additional consequences, rather than having the entirety of Europe continue to suffer because we are unwilling to do the right thing, which is to put an end to the far west of the internet.

Countries unwilling to sign regulations that would have them lock up scammers/DDoS botters and other toxic e-criminal, or unwilling to enforce their own laws when they exist, should not be allowed to continue to pollute the internet at large. Block them until they learn their lesson.

In the west, you can and will lose your access to the internet even if you are not doing this sort of shit on purpose but have an infected computer. See for example : https://it.slashdot.org/story/05/04/13/0320249/major-aussie-...

We enforce the rules on our own citizens, why are we tolerating this level of criminal traffic from China, India, and, the worst of them all, Russia, the country through which we are very much fighting a proxy war right now in funding Ukraine?

We can send missiles to kill russians but we can't cut them from the internet at large ? Really?

Internet access is not a human right. Just like driving on the roads is not a human right and terrible drivers get their license revoked.

I guess you could offer travelers a captcha. Also note that the fourth point didn't prohibit proxies in all cases, just proxying for bad things.

Also confirming that banning foreign traffic is the go-to eGovernment without CAPTCHA experience in Bulgaria.

Once regulations against disruptive bot traffic are effective enough that you don't need captchas, please ban captchas. But I don't see why you would do it the other way around. (Unless you secretly know that effective regulations against bot traffic are impossible.)

Oh I do believe they are possible. It is just high time that the units fighting against organised crime heavily expanded their scope to illicit online activities that actually cause financial harm by entities to entities smaller than the movie/music/publishing industries.

> (Unless you secretly know that effective regulations against bot traffic are impossible.)

Have you tried register your phone number in the DO-NOT-CALL list (or your local equivalent)?

Did it stop anything?