+1. As mentioned on the side, this will negatively impact your conversion rate. But you don't need to leave it on forever, either; you can use it to get some breathing room.
The attacker may lose interest or move on to more fruitful targets if they find themselves blocked even temporarily. This is the "don't need to be faster than the bear" dynamic of online fraud: there are infinite targets and you don't need to perfectly shut out an attacker to make the ROI unappealing for them.
My thoughts on the scenario:
1. Chargebacks are not just a financial problem. There is no amount of money you can pay to regain the trust of your sellers (as it's a marketplace) or to change terms with your payment providers.
2. If the emails come from the same domain, can you block the domain? There are lots of throwaway domains, but it's effort for the attacker to switch them, too.
3. CAPTCHAs are increasingly ineffective between captcha solving services and multi-modal AI. I've heard in a few recent attacks that hCaptcha does a little better than Turnstile or reCAPTCHA.
4. Shadowbanning is good for wasting your attacker's time, which is really important to kill their ROI. You'll need to get your false positive rate low, though, to not piss off your actual good customers.
5. Your scenario (no API, browser required, no bot activity expected) is a really good fit for properly implemented device fingerprinting.
I'm the PM for Fraud & Security at Stytch and we do have a Device Fingerprinting product. It's harder to trial than the open-source ones, but the advantage is that attackers can't inspect the implementation to evade it.
Would you be interested in talking more? I'm happy to walk through your current controls and see if it makes sense to test Device Fingerprinting; shoot me an email at (first letter of my username) + (last four letters of my username) @ stytch.com.