Preventing Spam and Fraud

Welcome to Syntax. In today's Monday Sanity treat, we're gonna be talking about preventing fraud and spam.

Wes Scott this really great question from James who said, what are some steps that you take to prevent spam and fraud in your apps? I recently launched a survey app for a small research group and have been amazed by the level of responses coming from the time zones and IP addresses outside of the US. I know CAPTCHAs and Cloudflare can help with bots and scrapers, but where do you start when protecting an app against people? This is so funny because I personally have had, you know, owning a a a business that had open subscriptions and things like that. I've had my fair share of, spam and scam and people trying to test credit cards on our site and stuff. So we're gonna go through all of the different ways and, strategies that you can enable to prevent spam and fraud on your website. My name is Scott Tolinski. I'm a developer from Denver. And with me as always is Wes Bos. What's up, Wes? Yeah. I'm I'm excited to talk about this because

we're gonna give you our our best knowledge. But the the real answer is that the companies that stop you from doing things on their platforms, they do not talk about how, how they do it. Because it's as soon as you tell them why there's an issue, even if you put it in the error message, then you tell people how to how to Scott get around it, and it's just this constant cat and mouse game.

And, honestly, it's getting much worse.

The experience as a legitimate user is getting very frustrating, I find, on the Internet. I logged in to chat g p t the other day, and they put me through 9 or sorry. 6 steps of this, like, fever dream, like, select the horseshoe when there's this Sanity. And it showed a picture of these, like, Alice in Wonderland, like, Dumbo.

What what what was that? Was it Pinocchio where Wes Node. He has, like, that dream? I remember seeing that as a kid and just being, like, awful.

Anyways, that was the, like, awful, awful CAPTCHA that they're having to do because we had somebody submit a question last week and say, hey. I wrote a I wrote a bot to defeat CAPTCHAs.

Yeah. Yeah. Like Yeah. I know. And you know what, Wes? Somebody who uses a a VPN, typically, I I use, like, moleVAD. And Yeah. Yeah. I get a lot. Every single time you do a Google search, every single time you try to use chat g p t, it's like, hold up. Let's make yourself a CAPTCHA for the 1 hundredth time to the point where it's like, alright. I'll just shut the VPN off because it's, absolutely tanking me. And it's a frustrating experience. But you know what also is a frustrating experience, Wes?

Tell me.

Bugs?

Bugs. Is it bugs? No. It's bugs. Bugs. But, yeah, actually, you know, even bugs in your spam prevention could be a very frustrating experience because you're already frustrating your users, and then you get a bug in there, double frustration.

Yeah. I've been actually, you know, diving deep into Sentry quite a bit. I I add Sentry to all my projects. But you know what? It's really the best. Sanity atsentry.io.

It's really the best place to log, find, store, capture all your bugs, and solve them. But not only just bugs, performance issues, slow queries, slow routes, things that just make your users miserable. So this this episode will have some things that we're going to say which may make the experience a little bit more miserable. So, you know, we don't wanna have too many miserable things when using your app. So fix your bugs with century.century.ioforward/syntax.

Alright. I hold on. I had a century issue. This is probably a couple years ago, but, when I rolled out recaptcha on my site Oh, man. Yes. There was there's that dreaded recaptcha, like g recaptcha is not defined because you just assume that it's this globally available variable, and, it was not loading. And I had because people were blocking it. Right? Like, a lot of people block all Google from the thing. But if you block all Google, then some you can't use a lot of these things that use CAPTCHAs.

So I had to, write a little catch in there to check if recapture was not defined. And if it's not, then you have to throw something up and say, hey. Hey. This site needs Captchas to keep going.

Yeah. But alright. Let's let's go through it. We're not going to spend too much time on Captchas because, like, that's clearly one way to to stop bad people. But the question was more about, like, how do you stop just, like, bad bad people? Not necessarily bots and scrapers, but

just bad people in general. So Well, yeah. Yeah. I mean, I think CAPTCHA is a good place to start though Yes. Because JS far as CAPTCHA's go, I've used the the Cloudflare CAPTCHA service. Is that h CAPTCHA, or is that a different one? I believe that No. No. H CAPTCHA is like the open one. Cloudflare has their own version of CAPTCHA, which they are trying to

steer away because, I think a a lot of the answers we're gonna have today is you have to use a service that captures data, and a lot of the CloudFlare stuff will not even give you a CAPTCHA. Sometimes they'll throw you to just a website for a couple seconds and then and keep directing you. And what they're doing there is they're checking things that are in your browser and checking your trail across the Wes, I assume.

I I don't know this for sure, but they're checking and say, oh, yeah. This person visited this website and this website, so they're they're legitimate. Or this person has this thing in their in their local storage, so they're able to go through. And Captcha's trying to or sorry. Cloudflare's trying to go away from the annoying having to play these games to keep going.

Let me tell you. If you're out there and you're choosing your CAPTCHA, you're saying, I need to CAPTCHA, don't use the Google one. Man, that thing is the single worst thing on the Internet where you have to, like, click all the pieces of the the traffic light, and then it tells you that it's not right. I rather do the puzzle one where you you slide it. Slide the puzzle piece, twist the thing, tell how many what row this person is sitting in in the movie theater. Literally, any of them except for the Google Google CAPTCHA. Don't use that one. It is awful. And, who is it? Adam Argyle might have told us a good way to get past that if it's not accepting your thing is to move the mouse around a lot because it, like, tracks your mouse movement. That's that's one of the points I have here is Yes. Maybe let's go into that Node. Is the best way to stop

people is to use a service that collects information about you. And one of the things that they use to check if you're a human or a bot is things like keyboard strokes or mouse movements. Did you actually press a a key down and up and fire those events, or did you just, like, set the value of an input and, oh, boom, the whole thing is is actually set? Or if you are moving a mouse around, is it, like, to some sort of, like, curve that is, like, mathematical, or is it literally just random? Like, did you move your did you move your mouse in a in a perfect straight line, or was there a bit of wiggle as you went through it? So we're seeing this with, like Stripe Radar does a really good job at this.

Stripe Radar is both server side as well as, like, a client side JavaScript library, and they're they're collecting all kinds of little nuggets about you as you're going through, which is kind of upsetting as well because we want privacy on the web, but we also want people to not spam.

But they're collecting all of that information, and they're using that to make a Stripe Radar score.

What your credit card is is from this country, and you're trying to buy something from this country. Right? That legitimate use cases, but also illegitimate use cases. So they'll take all of those pieces of data and then calculate some sort of score.

And then based on that score, you can set limits to say, alright. If this person has under a Sanity score, then block it or put a 2 hour delay on it so we can see if it's real or not. Yeah. I do like that Stripe has that built in. When I did Braintree payments,

man, I I had I had to go to CAPTCHA because that was the only thing that would stop people from what they do is they test credit cards. So they they get, like, a list of all these credit cards. Right? And then they find a service that they can even as far as create an account, go to the login process, you know, they can automate all of that with with bots to then plug in the credit cards. And if the charge goes through, they know that credit card's good. So they'll just have a giant spreadsheet. And we were getting hit with that. I remember I woke up, and there Wes, like, a100 credit card charges at LevelUp, and I was like, oh, this is not good. And the the solution for that was a caption, fortunately. And if I would have been using Stripe, I wouldn't have had to deal with any of that.

Yeah. It's a a bit of a bummer that that type of stuff happens, but it it certainly does. Especially when you're selling, like, low value items, people will often use your website as a way to just test 1,000 credit cards, and they'll they'll try to rack it up. And you if you don't catch them, and somebody disputes it, then you get a $15 fee. So, Yep. Like, you can you can be out 1,000 of dollars, if you don't have that stuff in place.

Yeah. And we tried a lot of these things. So in another one so CAPTCHA ended up working for us, but another option JS, like, rate limiting people. So it's funny how many of these things on this list I tried before a CAPTCHA just kinda put an end to it. So rate limiting is you're detecting a certain amount of traffic from a certain location, and you're limiting them to say, alright. You are doing too much from this specific IP.

You're doing more than what's possible essentially from a a human or a typical user or the way that somebody is typically using your service. So we're going to say, woah. Woah. Woah. Let's, let's stop you. Yeah. You often will see people rate limit. They'll say, alright. You may try to sign up or you may try to reset your password

3 times in 5 minutes.

And then after that, you have to wait 5 minutes. Some of the rate limitings are really interesting Wes every time you have a like, if you're trying to reset a password, every time you do it, they add 30 seconds onto that. So if every time you try it 5 times, all of a sudden you're at 2 and a half minutes, you know, and you try it 50 times, so the amount just kinda keeps on growing. The rate limits are usually tied to IP addresses, which is a thing you can Scott get around. Often, they'll also use, like, tokens that you need to get in the browser as well because, like, people can just simply spin up a Npm, and every single time you send a request, it's coming from a brand new IP address. I did use IP address to rate limit my receipt printer one. Mhmm. Because, like, the first thing people try to do once you post it online is Spam it. Oh, let me just write a loop that submits this form every single second. Right? So I simply just put a rate limit on where I took their IP address, and I said that that IP address can only send pnpm every 30 seconds, something like that. And and I had a a JavaScript map, just put it in memory, and every all the keys were their IP address, and then, the last sent would be updated every time they sent 1. And if it wasn't 30 seconds, then they wouldn't be able to do it. You do kinda have to be careful because there's there's laws around storing people's IP addresses and and using those, then you have to throw up a cookie banner and all these annoying type of things, but that's the that's the web.

Yeah. No kidding. Yeah. At some point, we had tried, the shadow ban technique. And the shadow banning is basically where you aren't giving the spammer, the ability to see that they are like, have access to certain things. So, you know, like Reddit, for instance, when they shadow ban you, you leave a comment. Nobody sees that comment. The experience for this user is different than the experience for other users. The way I did it on level up tutorials is if you had, like, let's say, 5 failed charge attempts from the same IP address in a certain amount of time, what we would do is we would assign you a role. We would assign the user a role, and that role would then hide any of the buttons. It would hide any of the routes, and it would act like you were logged in even though you were not logged in. So it it was interesting or I know they were logged in, but it would act like they weren't logged in. So they weren't able to purchase because they weren't logged in in the UI, so therefore, they they weren't able to click on anything with their their bots.

I've I've always wanted to, like like, increasingly, every time they visit a page, decrease the opacity by just a little bit or do random things. Like, random clicks would, like, not work, or, like, when you hover over a button, move the button. Or take you to a different URL or Yeah. Yeah. Yeah. All kinds of stuff like that or or throw a lemon party up, but it's too risky because with all of these systems, good people get caught in them by accident.

So Wes I have, like, measures against this type of stuff, I'll often throw a I'll throw a code in there that when they contact support, the support will know, okay. This is the code that was thrown up. They might be trying something nefarious. They might have just been caught in in the system, unfortunately, and you have to ask a couple further questions to see what's going on. I I got a lot where people were like, hey. I'm on vacation. So I tried to use my credit card. I'm from the UK, but I'm vacationing in Hawaii, and it set off some alarm bells. And then you got you gotta say, oh, okay. I understand. So you you can push them through and and allow it. Yeah. You don't wanna ruin someone's vacation by sending them to a lemon party or something. Yeah. Yeah.

Email verification, obviously, another, another easy one to do. I run a list of it's called burner email accounts. If you just Google Wes Boss burner email accounts.

And it's a massive list of temporary throwaway email addresses.

It's starting to become kind of hard because there's literally, I don't know, 20,000 email addresses, and we have to go through and prune it all the time. And it's just a a constant battle of trying to fight it. And now that Apple has rolled out the ability to have single use email addresses, Like, you can't you can't block Icloud email addresses. You know? And even then, like, I have a couple guys, like, maintaining the list for me. And a couple times, like, good email addresses have snuck through and, like, taken down some fairly large websites. Not taken down, but, like, I've gotten some, like like, Sanity emails on a weekend before being like, hey. Your list includes, like, this thing that everybody from this country uses this. For some reason, it got merged, and I had to, like, quickly take it out. So it's I kinda regret making this list public because now I'm like the the like, David Heinemeier, Hansen, Basecamp. They have this hey.com, and they rolled out the ability to have generated email address. And somebody added it to the list, and we merged it and whatever. And then there was this big fight like Oh, yeah. Hey.com is legitimate, but you can also just use it to sign up and get throwaway email addresses. So you can to a certain point, you can filter out the throwaway email addresses, but it's becoming a losing battle.

Yeah. Totally.

Yeah. Another one would be tying to your your actual, like, legitimate accounts. You can think of this like OAuth. Right? So if you log in with Gmail, you log in with Apple, you log in with GitHub, you log in with any of these, then that says, like, you have an actual service somewhere else that has,

by all accounts, stronger verification, right, than what you're probably doing. That's honestly as much as we hate having to lean on larger companies for this type of stuff, they have it figured out much better than we do, and it is much harder to spin up a 100,000 Gmail accounts.

And if you tie it directly to a Gmail or if you verify it via some other way, it's it's a bit easier.

Another step is you literally tie it to a real identity. This is more for financial things. And in Canada, we have this rule, which is, like, know your client.

And if you're doing anything with finance, you have to know your client. You have to you have to talk to them. Hey. Why are you investing this money? Why are you creating a bank account? Often, they'll ask you to take a picture of your, driver's license. And even recently, like, I was doing the Stripe approval for Twitter.

Like, Twitter pays if you if you have a tweet that gets, like, a 1000000 views or whatever, you get, like, $100 or whatever for for for the views. And in order to have that payout, you have to verify your identity.

And the last time I did it, it was really interesting because they made you take a photo of your driver's license. Oh, wow. And then they made you take a picture looking left and then looking right. But each time I did left and right, it goes, oops. Something went wrong, and they made you do it again so that you're not spoofing it. So I don't think it actually went wrong. I think they wanted 2 photos of you looking left to make sure that you didn't just take a photo of someone looking left and try to upload it. Interesting.

I thought and, again, it's like these little sneaky sneaky ways that they're going through it. And another and they have to I'm guaranteed they match it up with the face on the driver's license as well.

Yeah. You know what? One thing they do a lot in the states, I don't know, like, DocuSign or if I'm doing anything with my accountant, they'll send you a link, and it makes you answer, like, 4 very secure Wes.

Like, which of these cities have you lived in? You Node, Social Security number kind of stuff. And I get those kind of questions can be, like, light, but oftentimes, these are really questions that only you would know the answer to, and then they would sprinkle in some, you know, honeypot ones where it's like a you you haven't done any of these things. You haven't been in any of these places. You're you're not associated with any of these addresses.

And it's always crazy, the addresses or cars or things that they pull from your history. Yeah. Like, sometimes I'm like, oh, yeah. I I did live there. I I lived at that address. So, yeah, that was the address. They're they're pulling,

like, credit score or something like that. I had it with, like, Wise, the bank. They had some data leak. And as as part of that, you get free credit monitoring for for a year. So I signed up for that, and they ask you a whole bunch of questions about, like, hey. Where which of these addresses have you lived in the last 20 years? And it's I was like, oh, shit. There's there's a lot a lot of info on me out there. And Yeah. Yeah.

I hope it's in the right hands, but I don't think it is. Yeah. It never is. Yeah. No. You're you're screwed. A lot of this stuff, I I Node, we're, like, kind of, like, glossing over. I know you mentioned it briefly just how detrimental a lot of this stuff is to your privacy on the Wes, but I think that's that's kind of the world we're living in right now. And so, like, what what do we do? What are we what are the solutions here that actually work? And I think you can I think you know, I personally I don't want to implement anything that is that invasive? So I'm gonna start with the least invasive things and then increasingly add invasive things if those aren't working. That's, like, my strategy, I suppose.

Manual approval is is another one.

Specifically in Shopify, we have this where often we'll have people from, Cuba, Mexico, Puerto Rico, Dominican. They'll try to buy, like, a Cintac shirt, but they won't ship it directly there because the shipping is too expensive or they simply cannot or they don't trust their local mail delivery. Like, believe me, I've I've sent many thousands of envelopes of stickers, and I know the post offices in some of these countries is are rough. So they will ship it to a, like, a forwarding address that is in, like, Miami or something like that. And then what they'll do is they'll simply just, like, bring it over the border. It's we have it in Canada as well. We have all these services that will ship it to Buffalo, and you can either go drive to Buffalo and pick it up yourself, or you can pay a truck to drive it over the border and you go pick it up in Canada.

So it's a pretty popular thing to do these forwarding, and Shopify will flag it when somebody tries to ship it to one of these forwarding addresses because it's also used for fraud. You know? Somebody will take a stolen credit Yarn. They'll buy 7 Playstations, and they'll they'll send it to this forwarder.

And, hopefully, they get it forwarded to them in another country before somebody realizes that it's on their their credit card has been charged for 4 Playstations.

So we will often get those, and we'll go into Shopify. And you sort of have to, like, look at it and or you do a little Google on the name and you say, oh, this is actually a developer. You Node, they follow me on Twitter, and you can approve it. Or almost always, it's it's totally fine. You can kinda understand, oh, they live somewhere out just outside of the US, and they wanna get it shipped over to them.

Word. Next pnpm. Every single ISP out there, both your home Internet as well as, like, digital ocean or any any any host out there that has servers has something called an ASN, and that is a number that is assigned to them. And sometimes you if you want to be able to block known VPNs, you can simply just grab a list. I have a huge list of them. Not that I'm blocking VPNs, but I'm blocking VPNs that are known for nefarious activity.

You know that these these people that who run these data centers are fine with having bad actors on them. Scott of these things like DigitalOcean and Hetzner, they will not let if you're doing anything remotely sneaky on even if you're running a VPN on there, they will kick you off immediately because they do not want that those type of bad actors goofing up their IP addresses and and on their servers. So you can grab a list of bad ASNs and simply just block them or throw a CAPTCHA in front of them. Because CAPTCHA's kinda nice because, like, you know, some there's some legitimate people on them, but there's also some really bad people on them. Yeah. That's the hard part about VPNs. Right? You want

that, privacy that comes along with the Npm. But in the same regard, it makes the web very, very hostile because everybody is has the list of all the you know, whatever the VPN provider is. There's no VPN provider out there that isn't, like, you know, all of their IPs are, you know, kind of spent in that way. So it's like, alright. Now you're on some IP address that's flagged, and you're gonna have to deal with it. Yeah. It's it's obnoxious.

Definitely. The real move is you gotta get a buddy who has, like, a, like, a home server and runs it on, like, a legitimate home ISP, and, you can run it through there. But but then again, you're letting some random or at least you hope you trust your buddy to

run their traffic through your Internet. Yeah. Interesting stuff. Another one you can do is a honeypot field, which the way this works is basically you're having an input that is non visible to the user. If that input becomes filled out in any sort of regard, you're able to then recognize that if this is a bot. Right? Because a bot is able to see those things if they're using something to scan the DOM or go through the DOM, fill out all the inputs, hit submit. Right? Yeah. I personally have found Node matter what I name my honeypot, I I feel like they get around it. I don't know if it's just because it's non visible or what, but

I have not had any success with a honeypot field. Honestly, like, we have API in the browser. Check visibility is a method on an element. You know? Like, I was always wondering that. Like, oh, bots can't tell if a input is visible or not. Like, of course, they can. You know? And that was a thing for a long time, but, like, there's probably other honey Scott that you can do. It's like Node it based on whatever, but then use other tells to then hide it, you know, if they move their mouse or there's there's all kinds of little tells you can use to figure out if this is a real person or Scott, but, again, it's it's kinda tricky.

Yeah. For sure.

And then last 1 is SMS verification. There's plenty of services out there that will give you a temporary number, but I believe you can look up a number to see, is this a especially these large companies, they will have databases of SMS numbers, and you can tell, oh, was that number registered by a, SMS renting company, or is is that a a phone number that somebody has owned for for 19 years and and they're using it? So that's SMS will get you a little bit. But with all of these things, there's ways to to sorta get around it. And then I I said manual approval as well, but there's also, like, Mechanical Turk. I wanna write a submission for the syntax website where people can submit their potluck questions. Yes. And, like, I think, like, obviously, we can put a lot of these things in place, but at a certain point, people are just gonna put garbage in there and hit submit, because they can do that. So I think manual approval is going to be 1. We just have a button that we can click that just trash it. You know?

Yeah. Yeah. That's gonna be it. Right? Wes, I think, ultimately, I think we probably end up having to do a CAPTCHA. I don't know if Yeah. Whereas the Google Form currently does probably do a CAPTCHA or at least has a conditional CAPTCHA? So we'll probably have to do something in that regard, but that'll be a fun project to work on when we get there. Yes. Everybody loves hosting their own forms that could potentially be spammed. Like that. I I love this because, like, every time we talk about forms,

everybody says, just use this SaaS. And, like Oh, yeah. Just use a Google form or whatever. And it like, it's very hard to have a form that without signing up or doing anything, you can just submit. Right? Totally. So we'll have to we'll have to see how we do it.

Yeah. For sure. Yeah. I always ESLint to not pick a SaaS, so we won't be picking a SaaS for that. But, yeah, that's it. Thank you so much for listening or watching wherever you are, and, we will catch you on Wednesday.

Peace.