by samwillis 1544 days ago
This adds friction to the process of automating the buying process. Preventing bots is an endless cat-and-mouse game; every protection you put in place will be circumvented eventually. You just have to keep changing tactics and adding new layers. That’s what they are doing here.

Realistically the best protection that they could put in place is a rate/qty limit on the credit card being used. It can still be automated by using stolen cards, or one of the services that instantly creates new card numbers for you. But again it adds friction.

Also, limiting the number of orders to delivery addresses would be an easy mitigation.

It wouldn’t surprise me if they are doing both of those already though.


This seems like an especially trivial-to-bypass mitigation.
Like the poster said, it’s whack-a-mole.

These trivial mitigations at least filter out low-effort script kiddies. People gaming the system “for real” will put incredible effort into getting around your countermeasures. You always have to be one step ahead of them.

It may be “trivial” to someone with a high level of expertise. But the number of moving parts required in that automation does add a significant barrier to most of the “script kiddies” that are using bots.

You still need to automate account creation and setting up of a TOTP token, that’s not “easy” for a lot of people.

You'd be surprised at how big of an effect "trivial" mitigations like this have when you're defending against what amounts to a sea of script kiddies.

With a problem like this, eliminating 80% of attackers gives you 80% of the benefit; it's not an all-or-nothing thing.

What would you suggest?
Low device limit per phone number/payment card, with the standard checks for VOIP would probably make things painful enough for most. Heck, outsource the bot checking and require a Facebook/Gmail/Apple/Twitter/whatever login. Intrusive as heck, but it works relatively well since those companies have already whacked a million moles.
Limits per shipping address?
Maybe, but it's also just a good idea to do anyway, so might as well.
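The two mitigations the thread keeps coming back to (a quantity limit per payment card and an order limit per shipping address, as in samwillis's comment and the "Limits per shipping address?" exchange above) are simple to sketch in code. The block below is an added example and is not code from Hacker News or from any retailer discussed here; the window size, the limits, the salt and the address-normalization rules are all assumptions chosen for illustration. The normalization step is the part worth paying attention to: a limiter keyed on the raw address string is bypassed by "Apt. #4B" versus "apt 4b", which is exactly the kind of trivial variation a bot will iterate through.

```python
"""Per-card and per-shipping-address order limiter (added example, hypothetical values)."""
from collections import defaultdict, deque
import hashlib
import re
import time

WINDOW_SECONDS = 24 * 3600   # assumed sliding window for both limits
MAX_QTY_PER_CARD = 2         # assumed max units per payment instrument in the window
MAX_ORDERS_PER_ADDRESS = 2   # assumed max orders per normalized delivery address


def normalize_address(addr: str) -> str:
    """Collapse trivial spelling variants so they share one limiter key.

    Lowercases, strips punctuation, folds common abbreviations and
    squeezes whitespace. Rules are illustrative, not a full postal
    normalizer.
    """
    a = addr.lower()
    a = re.sub(r"[^\w\s]", " ", a)                       # "apt. #4b" -> "apt  4b"
    a = re.sub(r"\b(apartment|apt|unit|suite|ste)\b", "unit", a)
    a = re.sub(r"\b(street|st)\b", "st", a)
    a = re.sub(r"\b(avenue|ave)\b", "ave", a)
    return " ".join(a.split())


def card_key(pan: str, salt: bytes = b"constructed-salt") -> str:
    """Fingerprint the card number; the limiter never stores the raw PAN.

    In a real deployment key on the tokenized card reference returned by
    the payment processor instead of hashing the PAN yourself.
    """
    digits = re.sub(r"\D", "", pan)       # "4111 1111-1111 1111" and "4111111111111111" match
    return hashlib.sha256(salt + digits.encode()).hexdigest()


class OrderLimiter:
    """Sliding-window counters keyed on card fingerprint and normalized address."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self._by_card = defaultdict(deque)   # key -> deque of (timestamp, qty)
        self._by_addr = defaultdict(deque)   # key -> deque of (timestamp, 1)

    def _prune(self, q, t):
        """Drop entries older than the window."""
        while q and q[0][0] <= t - WINDOW_SECONDS:
            q.popleft()

    def check_and_record(self, pan: str, address: str, qty: int = 1):
        """Return (allowed, reason); record the order only if it is allowed."""
        t = self.now()
        cq = self._by_card[card_key(pan)]
        aq = self._by_addr[normalize_address(address)]
        self._prune(cq, t)
        self._prune(aq, t)
        if sum(q for _, q in cq) + qty > MAX_QTY_PER_CARD:
            return False, "card quantity limit"
        if len(aq) + 1 > MAX_ORDERS_PER_ADDRESS:
            return False, "address order limit"
        cq.append((t, qty))
        aq.append((t, 1))
        return True, "ok"


if __name__ == "__main__":
    lim = OrderLimiter()
    # Constructed sample orders: same card and same address written three ways.
    print(lim.check_and_record("4111 1111 1111 1111", "12 Main Street, Apt. #4B"))
    print(lim.check_and_record("4111-1111-1111-1111", "12 main st unit 4b"))
    print(lim.check_and_record("4111111111111111", "99 Other Ave"))
    print(lim.check_and_record("5555 5555 5555 4444", "12 MAIN ST APT 4B"))
```

As the original poster notes, this still falls to stolen cards and instant virtual card numbers, and the address limit falls to anyone with access to several delivery addresses; the point is friction against the bulk of low-effort automation, not a hard stop.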