The issue with this is that you won’t have a scapegoat if people do continue to roll through credit cards. With ReCaptcha, you just say “all of these attempts had verified captchas” and the CC processor is unlikely to personally blame you/the company for the activity since ReCaptcha is widespread. With a custom solution or other captchas, they can just block you due to insufficient protections when they see you have higher fraud rates than merchants utilizing ReCaptcha.
Would disabling anonymous checkout, so that you have to have a registered account and be logged in to check out, stop these credit card rolling attempts? Shut down any account it occurs on. Probably whack-a-mole, but is it effective enough to not deploy a captcha system and not have the merchant account suspended?
Bots in the business of CC fraud are often written specifically for that website, so you might have bots register a few hundred accounts a day to try the CCs. All I’m saying is that ReCaptcha is a scapegoat; other big websites and services get away with doing their own fraud detection (Stripe, Shopify) because they’re good at it and have a team dedicated to constantly improving it.
Proof of work is horrific. Means someone's old phone has a meltdown trying to load the page while a warehouse in China with the latest GPUs cranks out billions of proofs per second. You could even utilize botnets to get random laptops and fridges to do your PoW.
If this was a mining situation, then yes, it would be dumb.
Is that what this is actually doing though? Is it PoW for a mining operation, or just causing some electrons to be moved around to prove you're not a bot? I didn't read too far into what the PoW actually is since their demo shat the bed.
> or just causing some electrons to be moved around to prove you're not a bot?
The problem is spam networks have more computers and more power than your phone does, so any proof that you can do, spammers can do 1000x faster. PoW can sort of work when the attack you're defending against is a DDoS situation where an attacker has to make far more requests than the average user, but most captchas try to defend against bots being able to use the site at all, which PoW cannot do.
How does doing computation without human interaction prove you're not a bot? It only proves you're running a browser with JavaScript enabled on average hardware.
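
An added example, not part of the thread or of the project being discussed: a hashcash-style SHA-256 proof of work (an assumed scheme; the thread does not say what the demo actually uses) showing that the server's check is a single hash that says nothing about who solved the puzzle, and that solve time depends only on hash rate. The hash rates are illustrative assumptions, not measurements.

```python
import hashlib
import os

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def pow_hash(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + b":" + str(nonce).encode()).digest()

def solve(challenge: bytes, difficulty: int) -> tuple[int, int]:
    """Client side: brute-force a nonce. Returns (nonce, hashes_tried)."""
    nonce = 0
    while leading_zero_bits(pow_hash(challenge, nonce)) < difficulty:
        nonce += 1
    return nonce, nonce + 1

def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one hash. Passes for a phone, a script or a GPU alike."""
    return leading_zero_bits(pow_hash(challenge, nonce)) >= difficulty

def seconds_per_solve(difficulty: int, hashes_per_second: float) -> float:
    """Expected solve time: 2**difficulty hashes on average."""
    return (2 ** difficulty) / hashes_per_second

if __name__ == "__main__":
    DIFFICULTY = 16                      # constructed value for the demo
    challenge = os.urandom(16)           # per-request server challenge
    nonce, tried = solve(challenge, DIFFICULTY)
    print(f"solved after {tried} hashes, verify={verify(challenge, nonce, DIFFICULTY)}")

    # Assumed hash rates, chosen only to show the gap in cost per request.
    for name, rate in [("old phone", 2e5), ("GPU rig", 2e9)]:
        for bits in (16, 24, 32):
            t = seconds_per_solve(bits, rate)
            print(f"{name:9s} difficulty={bits:2d} -> {t:12.6f} s per request")
```

Raising the difficulty multiplies the cost for every client by the same factor, so the slowest legitimate device sets the ceiling; the scheme prices requests, which is why it fits rate limiting better than bot detection.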