New reCaptcha requires approved phones to pass
64 points by sjamaan
From the perspective of user behavior security this seems like a huge downgrade. Now attackers can forge a reCaptcha QR code and take people to any destination. There is no assurance or expectation that ensures that these codes are real or not. There are already fake Cloudflare Turnstile pages that ask people to hit Windows + R and paste something in. How do we train people for this? It seems impossible.
It's a great way of attacking 2FA where the second factor is a phone. Now you are able to make both factors go to a place that you control.
"this is going to be indistinguishable from actual phishing, users will be pwned hard" seems like a good way to push back from an organization's perspective. Though who knows if they'll even listen if they're trying it anyway...
I was shocked when I first got this, I thought it was a poorly made phishing attempt.
It was also when I was using Tor - so scanning the code with my phone (linked to my Google account) would compromise my anonymity there. I was able to fall back to the visual captcha, but I'm afraid this will stop being possible sooner or later. This will make it so much harder to use the internet anonymously.
As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.
Also, that's bullshit. "AI-resistant"? Can they really not envision someone automating the process of scanning a QR code?
It was also when I was using Tor - so scanning the code with my phone (linked to my Google account) would compromise my anonymity there.
This is precisely the purpose. The end-goal is to lock out all devices with unfettered access to general purpose computing and de-anonymize all visitors.
Also, that's bullshit. "AI-resistant"? Can they really not envision someone automating the process of scanning a QR code?
Yes, obviously they are aware of this. However, as the article mentions, the process requires you to be using certain hardware. The point of this is that the hardware can be physically attested. The point of that is that it is expensive to scale: if they ban your phone, you have to get a new phone, not simply re-initialize your docker container.
(To be clear, I don't know anything about how the QR codes work, and I don't know if they're using a stable identifier. There are other less privacy-invasive options, like TPM counters, which they might be using. Or they might be doing something else entirely. But I'm pretty confident the point of requiring specific hardware is to allow hardware attestation.)
This is fulfilling basically the same goal as the web environment integrity proposal, just in a more annoying way. The outrage over WEI got them to stop trying that exact approach, but the problem it was aimed at solving (Sybil attacks) did not go away, and fundamentally you cannot have the web as it exists if unbounded Sybil attacks are ~free. So they're going to keep trying to solve that problem by any means they can.
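To make the "expensive to scale" argument in the comments above concrete, here is an added toy model (not Google's code and not a description of how the real QR challenge works): a server encodes a single-use nonce in a challenge, a registered device proves it saw that nonce with a hardware-bound key, and the server rate-limits solves per device and bans a device that bulk-solves. The device key is modelled as a per-device HMAC secret shared with the verifier, which is an assumption standing in for real attestation keys; the device names, limits and scenario are constructed.

```python
"""Toy model of a hardware-attested human-presence challenge.

Added illustration, not reCAPTCHA's actual mechanism: the idea from the
thread is that binding a challenge to an attestable device makes abuse
costly because a ban costs a phone, not a container restart.  The
"hardware key" is simplified to a per-device HMAC secret that the
verifier also holds (assumption; real attestation uses asymmetric keys).
"""
import hashlib
import hmac
import secrets

# Constructed registry: device_id -> secret provisioned into the device at
# manufacture.  Assumption: the verifier holds a copy.
DEVICE_KEYS = {
    "phone-A": secrets.token_bytes(32),
    "phone-B": secrets.token_bytes(32),
}


def device_attest(device_id: str, nonce: str) -> str:
    """Runs on the phone: bind the challenge nonce to this device's key.

    The nonce is what a QR code would carry; the tag proves a registered
    device saw *this* challenge, so it cannot be precomputed or reused.
    """
    key = DEVICE_KEYS[device_id]
    return hmac.new(key, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Issues single-use nonces and rate-limits successful solves per device."""

    def __init__(self, max_solves_per_window: int = 3, window_s: int = 60):
        self.max_solves = max_solves_per_window
        self.window_s = window_s
        self.pending = {}   # nonce -> issue time
        self.solves = {}    # device_id -> recent solve times
        self.banned = set()

    def issue_challenge(self, now: float) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce: str, device_id: str, tag: str, now: float) -> str:
        # 1. Nonce must be outstanding and fresh; popping it makes replay fail.
        issued = self.pending.pop(nonce, None)
        if issued is None or now - issued > self.window_s:
            return "reject:unknown-or-expired-nonce"
        # 2. Device must be registered and not banned.
        if device_id in self.banned:
            return "reject:device-banned"
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return "reject:unknown-device"
        expected = hmac.new(key, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "reject:bad-attestation"
        # 3. Rate-limit per device; exceeding it bans the device, so the next
        #    identity an automated solver needs costs another physical phone.
        recent = [t for t in self.solves.get(device_id, []) if now - t <= self.window_s]
        recent.append(now)
        self.solves[device_id] = recent
        if len(recent) > self.max_solves:
            self.banned.add(device_id)
            return "reject:rate-limit-banned"
        return "ok"


def run_scenario() -> dict:
    """Constructed walk-through: legitimate solve, replay, forgery, bulk abuse."""
    server = ChallengeServer(max_solves_per_window=3, window_s=60)
    out = {}

    n1 = server.issue_challenge(now=0.0)
    out["legit"] = server.verify(n1, "phone-A", device_attest("phone-A", n1), now=1.0)

    # Presenting the same nonce/tag again is rejected.
    out["replay"] = server.verify(n1, "phone-A", device_attest("phone-A", n1), now=2.0)

    # A tag from a "device" that was never provisioned is rejected.
    n2 = server.issue_challenge(now=3.0)
    out["forged"] = server.verify(n2, "bot-1", "00" * 32, now=4.0)

    # One real device solving in bulk trips the limit and is banned.
    results = []
    for i in range(4):
        n = server.issue_challenge(now=10.0 + i)
        results.append(server.verify(n, "phone-B", device_attest("phone-B", n), now=10.5 + i))
    out["bulk"] = results
    n3 = server.issue_challenge(now=20.0)
    out["after_ban"] = server.verify(n3, "phone-B", device_attest("phone-B", n3), now=21.0)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The model shows why the comment's Docker-container contrast holds: every rejected path is cheap for the server, and the only way past a ban is a new registered device. It also shows what the model does not solve on its own, namely the privacy cost of a stable `device_id`, which is exactly the trade-off the commenter flags when mentioning TPM counters as a less identifying alternative.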
I do my browsing mostly on a desktop or notebook computer, and I would never scan a QR code on a random website with my mobile phone. I would rather go somewhere else then.
Hmm, I have GrapheneOS and hopefully I can continue to use it :/
It's starting to feel more and more that I'll need a secondary device just for banking apps and now captchas. Such a waste.
How does this work? How do they verify what device I'm scanning the code with? I don't understand how this can work without being easily spoofable.