A lot of bots are written by really unsophisticated people though, often just following online guides. Raising the bar lowers the number of adversaries.
You can never eliminate the risk, but it's just one more point of friction which is also a not-so-unreasonable speed bump to enable for real users.
Maybe, but, no one gets my mobile number, not my bank, no one.
It's not in my name, I pay cash for it, I share my contacts with no one, etc.
I won't have it linked to me, and with how you can so readily be location tracked when someone knows your number, I am astonished so many people give it out.
This adds friction to the process of automating the buying process. Preventing bots is an endless cat and mouse game, every protection you put in place will be circumvented eventually. You just have to keep changing tactics and adding new layers. That’s what they are doing here.
Realistically the best protection that they could put in place is a rate/qty limit on the credit card being used. It can still be automated by using stolen cards, or one of the services that instantly creates new card numbers for you. But again it adds friction.
Also limiting the number of orders to delivery addresses would be an easy mitigation.
It wouldn’t surprise me if they are doing both of those already though.
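The per-card and per-address quantity limits suggested in the comment above, sketched as an added example; it is not part of the thread and not the retailer's code. The window, the limit, the key, the card numbers (standard test numbers) and the addresses are all constructed assumptions.

```python
import hashlib, hmac, re, time
from collections import defaultdict, deque

# All names, limits and sample values here are constructed for illustration.
FINGERPRINT_KEY = b"example-key-rotate-me"   # assumption: server-side secret
WINDOW_SECONDS = 30 * 24 * 3600              # assumption: rolling 30-day window
MAX_UNITS = 1                                # assumption: one unit per card/address

def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number so the limiter never stores the raw PAN."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()

def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and spacing so trivial variants map together."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.casefold()).split())

class OrderLimiter:
    def __init__(self, max_units=MAX_UNITS, window=WINDOW_SECONDS):
        self.max_units, self.window = max_units, window
        self.history = defaultdict(deque)    # key -> deque of (timestamp, qty)

    def _used(self, key, now):
        """Units counted against a key inside the window; expires old entries."""
        q = self.history[key]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return sum(qty for _, qty in q)

    def check_and_record(self, pan, address, qty, now=None):
        """Return (allowed, reason). Records the order only if every key has room."""
        now = time.time() if now is None else now
        keys = {"card": "card:" + card_fingerprint(pan),
                "address": "addr:" + normalize_address(address)}
        for label, key in keys.items():
            if self._used(key, now) + qty > self.max_units:
                return False, f"{label} limit exceeded"
        for key in keys.values():            # rejected orders consume no quota
            self.history[key].append((now, qty))
        return True, "ok"
```

A fresh card number gets past the card key but not the address key, and the reverse, which is why the two limits are checked together.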
You're misreading, you have to "verify" your account first as well as set up MFA.
Verifying just consists of confirming your email via a one-time token. Setting up MFA presumably just makes sure there's no impetus to hack a bunch of old accounts.
Perhaps for buying a ras-pi specifically, they'll require SMS verification.
SMS is hard to create large numbers of fake accounts because getting access to large numbers of phone numbers that aren't all in the same block is pretty hard.
There are several services that offer exactly this for 6-20 cents per verification, with a wide variety of numbers and geos, VOIP or Real ATT/Verizon Mobile etc, and easy to use APIs.
colechristensen|4 years ago
devwastaken|4 years ago
im3w1l|4 years ago
b112|4 years ago
So there goes the easiest 2fa....
samwillis|4 years ago
unknown|4 years ago
[deleted]
wyager|4 years ago
evan_|4 years ago
londons_explore|4 years ago
pauldd7|4 years ago
udia|4 years ago
cft|4 years ago