m0camb0
As you work in cybersecurity, you must be aware that our work is always a compromise between convenience and security, adding 3 captchas adds a lot of inconvenience to legitimate users. As someone who's been in the sneaker resale market for a few years, bots are very advanced and are capable of mimicking true user behavior with mouse movement and other random actions which can be configured, all head-less as well. 
 
What EVGA is doing right now(manual verification of orders), while tedious is the most effective way of detecting bots, especially when orders are not at a stage where they are in the thousands.  

dalten22
OP there were probably at least 10000 people smashing F5 trying to buy a total of 50 cards max.

Intoxicus

Unlox
                       Hey everyone,
 
   I work in cybersecurity and just wanted to point out an issue in the implementation of EVGA's current anti-bot CAPTCHA implementation. The CAPTCHA at login is easily automated using tools like Selenium, PhantomJS or Puppeteer (to name basic ones) when it is only accepting the checkbox input. Selenium and other tools are great and blowing past those, obviously, since in my research the one EVGA has in use currently spawned the simple checkbox authentication majority of the time. The ones Selenium can not blow through are the "please check three fire hydrants or street lights". Tools like CAPTCHA and reCAPTCHA are only effective when utilized as a buffer since dedicated free tools are out there to defeat them (example 2Captcha). The harder to solve captchas appear if you're using recaptcha a lot. Generally, low frequency users should only see the checkbox and not need to solve captchas. This issue has been around for a bit meaning since you have tons of bots ready to pounce they will most likely get the easy checkbox instead of the ones that will actually keep the bots out.
 
    EVGA your team would do well to implement a cascading solution to slow down the automated web scrapers since unfortunately you can't force CAPTCHA to always use a challenge image every time so most of the time you give the bots the easy CAPTCHA to get in. To combat this the team could toss in the normal CAPTCHA at account login, a reCAPTCHA v2 at add to cart, and a final reCAPTCHA v3 at time of purchase just for launch days as an idea. This cascading solution will offer more chances to your customers that the bots will have a higher probability of hitting a solution the bot will stall on. I hope this information is helpful in the future and maybe for the RTX 3090 launch as well since this code is easy to add to the specific webpages. 
 
    I'm new here and just wanted to offer up some help. Hope everyone has a wonderful day!

Damn, I thought Captcha was better than that?
Didn't realize it could be fooled that easily.

GTXJackBauer

Unlox

dalten22
OP there were probably at least 10000 people smashing F5 trying to buy a total of 50 cards max.

Oh I believe it, just wanted to speak up about the captcha thing however since I know it wasn’t all EVGA forum customers that purchased them. There definitely was a mass bot web scraping due to every other site experiencing it. Just some friendly suggestions for the team.

I'm no expert but it's clearly obvious something went on this morning not just from one or two e-tailers but several of them all at once.  

I say make it a federal offense if you're caught scalping. 

q5sys

GTXJackBauer

Unlox

dalten22
OP there were probably at least 10000 people smashing F5 trying to buy a total of 50 cards max.

Oh I believe it, just wanted to speak up about the captcha thing however since I know it wasn’t all EVGA forum customers that purchased them. There definitely was a mass bot web scraping due to every other site experiencing it. Just some friendly suggestions for the team.

I'm no expert but it's clearly obvious something went on this morning not just from one or two e-tailers but several of them all at once.  

I say make it a federal offense if you're caught scalping. 

People are bragging about using BounceAlerts Bot to buy cards through the Nvidia store, note the number of emails in the threads
42x
34x
17x
18x
14x
Im sure similar things went down elsewhere

Unlox

zeroseoul
In all fairness, bots will almost always get around whatever process you have. Take it from sneaker releases, it never got solved.

There is always a question of what level of control is the best level? 

We could go around and throw this or that at each other but in all honesty, its the luck of the draw. It sucks, yeah, but not everyone can win in a scenario with finite resources.

I wouldn’t say luck is involved when these specialized programs can poll the in-stock rate down to the millisecond and then execute and make the purchase (to put it in layman’s terms). The chances are effectively nill for normal people vs bots.

It’s like saying it’s down to luck if Usain Bolt challenged you to a race. There is clearly an imbalance there that needs to be rectified. It can’t be fixed in this situation but you can slow them down to give others a proper chance.

Special rate-limiting strategies could also be leveraged to help EVGAs customers out as well as other things.

q5sys
 
 
People are bragging about using BounceAlerts Bot to buy cards through the Nvidia store, note the number of emails in the threads
42x https://mobile.twitter.co...us/1306621909413502976
34x https://mobile.twitter.co...us/1306644324160090112
17x https://mobile.twitter.co...us/1306629763927171072
18x https://mobile.twitter.co...us/1306618636480778246
14x https://mobile.twitter.co...us/1306615634361376768


Im sure similar things went down elsewhere

GTXJackBauer

q5sys
 
 
People are bragging about using BounceAlerts Bot to buy cards through the Nvidia store, note the number of emails in the threads
42x https://mobile.twitter.co...us/1306621909413502976
34x https://mobile.twitter.co...us/1306644324160090112
17x https://mobile.twitter.co...us/1306629763927171072
18x https://mobile.twitter.co...us/1306618636480778246
14x https://mobile.twitter.co...us/1306615634361376768


Im sure similar things went down elsewhere

That's insane!

q5sys

the_Scarlet_one

q5sys
 People are bragging about using BounceAlerts Bot to buy cards through the Nvidia store, note the number of emails in the threads
42x
34x
17x
18x
14x
Im sure similar things went down elsewhere

I have never seen anything like this.  Now everyone needs to barrage NVidia specifically about this, as all of the BounceAlerts sales are showing from NVidia store, and see about getting these accounts banned.  If other stores had be hit this way, I would assume other would show which stores were hit as well. 
 
I really hope NVidia would cancel all of these orders in mass, and ban the account of the users that used a bot.  NVidia could easily, and I really regret saying this, force people to use GEForce Experience to sell the cards, and verify the user.  This would allow NVidia to ban any user that buys more than the allotted cards in a set amount of time, or perma ban those that are obviously screwing others out of the ability to purchase.

This has been a legit problem with other industries. The one most people know of is Sneakers Releases, but it happens with tons of items.  There are a couple automation purchase systems that I'm aware of with all sorts of modules for various retailers.  krs is another one.  People use them to buy from all sorts of retails when there is a limited edition of anything coming out.

Anyone can technically pay and sign up, get linked into the system and then use whatever accounts they want at whatever retailers.  The main issue is that some developers have turned creating these systems into a career.  Monthly subscriptions to these services keep money flowing in for them to continue to work against any limitations that are developed by retailers.  It doesn't even require tech skill for an end user to utilize them, just find out about these services and pay the monthly fee.  Depending on how much money you want to throw at it, you can order 1 or 20 of something to flip quickly for profit.  Repeat the next month when the next industry has a release.  While one individual industry may have only one or two big launches a year, there's so many retail industries that there is constant 'limited release' items coming out every month.   I have a friend that uses krs for buying shoes for himself and his fam.  He doesn't use it for flipping goods, just being able to make sure he gets what he wants.
 
The individual sales will use the individual user accounts, the bouncealert people are simply building the infrastructure to do it.  Lets say JohnQPublic signed up and bought 10 cards from some retailer, even if lets say NewEgg bans his account... that person can create a new account to use for the next big launch.  There is no BounceAlert account for NewEgg to ban.  The developers of BA and KRS, are using the same retail method of ordering, but its all scripted... with variables so their clients can input their own details for payment/shipping.  Scripting is just way than a normal human and since its all being run in a datacenter... the system running the scripts has way better site response time from retail servers than what regular consumers would have.  


 

Unlox

Intoxicus

Unlox
                       Hey everyone,
 
   I work in cybersecurity and just wanted to point out an issue in the implementation of EVGA's current anti-bot CAPTCHA implementation. The CAPTCHA at login is easily automated using tools like Selenium, PhantomJS or Puppeteer (to name basic ones) when it is only accepting the checkbox input. Selenium and other tools are great and blowing past those, obviously, since in my research the one EVGA has in use currently spawned the simple checkbox authentication majority of the time. The ones Selenium can not blow through are the "please check three fire hydrants or street lights". Tools like CAPTCHA and reCAPTCHA are only effective when utilized as a buffer since dedicated free tools are out there to defeat them (example 2Captcha). The harder to solve captchas appear if you're using recaptcha a lot. Generally, low frequency users should only see the checkbox and not need to solve captchas. This issue has been around for a bit meaning since you have tons of bots ready to pounce they will most likely get the easy checkbox instead of the ones that will actually keep the bots out.
 
    EVGA your team would do well to implement a cascading solution to slow down the automated web scrapers since unfortunately you can't force CAPTCHA to always use a challenge image every time so most of the time you give the bots the easy CAPTCHA to get in. To combat this the team could toss in the normal CAPTCHA at account login, a reCAPTCHA v2 at add to cart, and a final reCAPTCHA v3 at time of purchase just for launch days as an idea. This cascading solution will offer more chances to your customers that the bots will have a higher probability of hitting a solution the bot will stall on. I hope this information is helpful in the future and maybe for the RTX 3090 launch as well since this code is easy to add to the specific webpages. 
 
    I'm new here and just wanted to offer up some help. Hope everyone has a wonderful day!

Damn, I thought Captcha was better than that?
Didn't realize it could be fooled that easily.

Yeah it’s pretty wild! Go and google “Force challenge image for captcha” you’ll find many people that explain how there is not a flag to force captcha behavior it’s wild. Plus selenium and others can easily fool the checkbox captcha.