A lot of bots are written by really unsophisticated people though, often just following online guides. Raising the bar lowers the number of adversaries.
You can never eliminate the risk, but it's just one more point of friction which is also a not-so-unreasonable speed bump to enable for real users.
Maybe, but, no one gets my mobile number, not my bank, no one.
It's not in my name, I pay cash for it, I share my contacts with no one, etc.
I won't have it linked to me, and with how you can so readily be location tracked when someone knows your number, I am astonished so many people give it out.
Other people share your contact though, unless you exclusively associate with people equally paranoid. You simply can't have an anonymous phone number these days unless you actively switch numbers all the time, which, if you get accused of something, will be used as evidence against you.
I have a voip number forwarded for incoming. I have no caller id for outgoing.
Thus, even with google having my name linked to a number, it does not link to my cell phone.
Reply to comment below:
No one gets my real mobile number, so that is solved.
Why would I care if my VOIP number is in address books? That's the point of it, and why I have it.
I'm not trying to hide from the government, I am preventing Google, FB, etc from linking my mobile to me, and preventing random people from tracking my location, which is trivial when they know your mobile number.
If you host your own PBX, you can consider it as a proxy to your cell phone, and even do it over VPN. You can't track that further than the PBX server IP.
It only takes one contact to have your real number in your name, or even better also associated with your VoIP number in their address book, to lose your "anonymity".
That was my thought. The value of a piece of metadata is inherent in its context as a node within a network. You might have disparate pieces of information about a group of people, but weighing their connections by similarity/proximity/etc. allows you to develop assumptions about individuals, even if all you know is their phone number and who had that phone number in their contact list.
Specifically, from the point of view of network analysis, a missing or unknown node becomes suspect when various connections point to it. In the era of high connectedness, that seems like kicking a goal on your own team if you're playing the "be anonymous" game.
How does my VOIP number being in my friend's address book, enable Google to see that address book, and learn my mobile number?
My goal is not to ensure no one is capable of tracking me; that's literally impossible. However, I do not want:
* Google to get my name, contact info, etc via my phone itself
* Google to link to me, by seeing my mobile phone in another person's contacts
This is why I give no one my mobile number.
If the Government, or if someone was suing me, or I was up to "no good", an exhaustive search would likely bear fruit. So? That's an entirely different animal.
Any toll-free number you call - at least within the +1 country code - can see your outbound number even if you hide it.
So if you're in the USA and you have ever called your bank's toll-free number from your mobile, they already have your cell phone number. You can see for yourself by googling for toll-free ANACs, which will read your number back to you.
This is helpful info, but I use voice on my mobile sparingly, and use my voip line most of the time. (I have a cordless + desktop voip phone at home and work).
And how might voice recognition play into this too? If you're not easily identified then you may draw more attention and more effort spent to determine who you are.
Do you mean SMS? I don't see a requirement that you use that. Yeah, that would be a pain. My SMS goes to a voip number that emails me the message, and that works most of the time, but a few jerky sites reject it. I just figured that the 2fa slows down requests to 2 per minute or whatever, the speed of TOTP codes changing.
I also don't know what a verified account is. If it's just email-confirmed then yeah, that is trivial. If it is a payment card that worked, or even further a shipping address that worked, that can be more annoying to game.
I had thought that it was only the Pi Zero series that had strict quantity limits, and that people were supposed to be able to buy lots of 4's if they wanted to.
Also, for most users (not all) there isn't really a pressing need for a 4, since the 400 has been plentiful and is basically a 4 in a different form factor, with an attached keyboard. I figured if I wanted a 4 before they became available again, I'd just get a 400. What I really want is some more Zeros and Zero W's, but I think those are both being replaced by the more power hungry and expensive Zero W2.
You don't need to hand over your mobile number, just get a Raspberry Pi, install FreeSWITCH and sign up to a free VoIP number which happens to be in the range of numbers used by mobile phone operators.
https://www.sipgatebasic.co.uk/
I really don't know how they think they can use 2FA to stop all but the most basic of bots from buying up RPis.
Unless you cycle across town every time you swap SIMs, I don't think this will help much. Just the fact that those two SIMs ping the same cell towers is enough for a bunch of data aggregators to correlate the numbers back to the same person.
2FA is not even remotely secure via sms, as shown 100 times over. The only reason google loves it so much, is it links your real life name to your accounts.
Use a separate mobile number for all your 2FA; that way, if one of your mates has, say, Truecaller, your number/name/email is not going to be out there with association.
This adds friction to the process of automating the buying process. Preventing bots is an endless cat and mouse game; every protection you put in place will be circumvented eventually. You just have to keep changing tactics and adding new layers. That's what they are doing here.
Realistically the best protection that they could put in place is a rate/qty limit on the credit card being used. It can still be automated by using stolen cards, or one of the services that instantly creates new card numbers for you. But again it adds friction.
Also, limiting the number of orders per delivery address would be an easy mitigation.
It wouldn’t surprise me if they are doing both of those already though.
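The two mitigations this comment proposes, a per-card and a per-delivery-address order limit, as an added example that is not part of the thread or of any vendor's shop code; the window, limits, address normalisation and sample orders are all constructed for illustration:

```python
# Added example, not from the thread: order-velocity limits keyed on a tokenised
# payment card and a normalised delivery address. Policy values are assumptions.
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 7 * 24 * 3600   # assumed policy: look back one week
MAX_PER_CARD = 2                 # assumed policy: two orders per card per window
MAX_PER_ADDRESS = 2              # assumed policy: two orders per address per window


def normalise_address(addr: str) -> str:
    """Collapse case, punctuation and whitespace so that 'Flat 2, 10 High St.'
    and 'flat2 10 high st' are counted as the same delivery address."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())


class OrderLimiter:
    def __init__(self):
        # timestamps of accepted orders, per card token and per address key
        self._by_card = defaultdict(deque)
        self._by_addr = defaultdict(deque)

    @staticmethod
    def _prune(q, now):
        # drop timestamps that have aged out of the sliding window
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check_and_record(self, card_token: str, address: str, now: int):
        """Return (allowed, reason). card_token is the payment provider's token
        for the card, never the card number itself (hypothetical field name)."""
        addr_key = normalise_address(address)
        cq, aq = self._by_card[card_token], self._by_addr[addr_key]
        self._prune(cq, now)
        self._prune(aq, now)
        if len(cq) >= MAX_PER_CARD:
            return False, "card_limit"
        if len(aq) >= MAX_PER_ADDRESS:
            return False, "address_limit"
        # only record an order that was actually accepted
        cq.append(now)
        aq.append(now)
        return True, "ok"
```

Logging the reason string rather than silently dropping the order gives the fraud team a signal for which limit bots are hitting, and letting the card limit fire before the address limit keeps the two checks independent.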
These trivial mitigations at least filter out low-effort script kiddies. People gaming the system “for real” will put incredible effort into getting around your countermeasures. You always have to be one step ahead of them.
It may be "trivial" to someone with a high level of expertise. But the number of moving parts required in that automation does add a significant barrier to most of the "script kiddies" that are using bots.
You still need to automate account creation and setting up of a TOTP token, that’s not “easy” for a lot of people.
Low device limit per phone number/payment card, with the standard checks for VOIP would probably make things painful enough for most. Heck, outsource the bot checking and require a Facebook/Gmail/Apple/Twitter/whatever login. Intrusive as heck, but it works relatively well since those companies have already whacked a million moles.
You're misreading, you have to "verify" your account first as well as set up MFA.
Verifying just consists of confirming your email via a one-time token. Setting up MFA presumably just makes sure there's no impetus to hack a bunch of old accounts.
Perhaps for buying a ras-pi specifically, they'll require SMS verification.
SMS makes it hard to create large numbers of fake accounts, because getting access to large numbers of phone numbers that aren't all in the same block is pretty hard.
There are several services that offer exactly this for 6-20 cents per verification, with a wide variety of numbers and geos, VOIP or real AT&T/Verizon mobile etc., and easy to use APIs.
Where in the world do they plan to hire people for these rates?
In India, the country with the lowest Big Mac Index as in [1], it would take 6.48h for the human-bot to pay for a Big Mac. And this excludes energy and internet bills and money transfer fees. The numbers just don't work.
That isn't the labor rate, that is the solve rate; most captchas are easy to automate. You are buying the image recognition and their random click-like-a-human algorithm. Probably even have some intentional wrong clicks like someone who misses... They have a few humans (who make more than that rate), but only for the new ones that they haven't seen before; once they know that one, it is automated.
I post the above in hopes that you realize captcha isn't useful for anything and stop annoying me with them.
> The process of solving reCAPTCHA V2 Invisible is similar to the recognition of reCAPTCHA V2: we take the captcha parameters from the page in the form of the data-sitekey parameter and the page URL and transfer it to the 2Captcha service, where the employee solves it, after which the response is returned to us in the form of a token, which we need to enter in the appropriate field to solve the captcha.
I was under the impression these invisible "captchas" were much more difficult, since a bunch of metadata just gets scooped off the device and sent in to some proprietary Google algorithm. I'd think it'd be hard for the service to generate enough unique fingerprints to prevent Google from detecting it's the same service solving them, but maybe reCAPTCHA just sucks.
I'm guessing that most scammers haven't figured these exist yet. Or maybe the hit rate on scams is so low it isn't profitable anymore even at these rates?