derekdahmer 2 days ago

As someone who implemented phone verification at a company I worked for, it’s 100% for preventing spam signups intending to abuse free tiers. API companies can get huge volumes of fake signups from “multiplexers” who get around free tier limits by spreading their requests across multiple accounts.

jiveturkey 2 days ago | parent | next [-]

I would caution any reader against generalizing your statement. Just because you used it at your company to limit abuse, and yes that is a lazy approach and 100% what's going on with Anthropic and most API companies, doesn't mean that every company uses phone number gating for this purpose.

The (probably) most famous example being https://www.eff.org/deeplinks/2019/07/fixed-ftc-orders-faceb...

And it's not enough to say "well we don't use it for that". One, you can't prove it. And two, far more important, in an information leak, by taking and saving the phone number (necessarily, otherwise there's no account gating feature unless you're just giving fake friction), you expose the user to the risk of connecting another dot. I would never give my phone number to some rinky-dink company.

Now that said, I don't use lazy pejoratively. Products must launch.

anonym29 2 days ago | parent | prev | next [-]

Because SMS verification is so cheap (under a dollar per one-time validation, under $10/mo for ongoing validation), this approach really only makes sense for ultra-low-value services, where e.g. $0.50 per account costs more than the service itself is worth.

Because of this low value dynamic, there are many techniques that can be used to add "cost" to abusive users while being much less infringing upon user privacy: rate limiting, behavioral analysis, proof-of-work systems, IP restrictions, etc.

Using privacy-invasive methods to solve problems that could be easily addressed through simple privacy-respecting technical controls suggests unstated ulterior motives around data collection.

If your service is worth less than $0.50 per account, why are you collecting such invasive data for something so trivial?

If your service is worth more than $0.50 per account, SMS verification won't stop motivated abusers, so you're using the wrong tool.

If Reddit, Wikipedia, and early Twitter could handle abuse without phone numbers, why can't you?

derekdahmer 2 days ago | parent [-]

Firstly, I can tell you phone number verification made a very meaningful impact. The cost of abuse can be quite high for services with high marginal costs like AI.

Second, all those alternatives you described are also not great for user privacy either. One way or another you have to try to associate requests with an individual entity. Each has its own limitations and downsides, so typically multiple methods are used for different scenarios with the hope that all together it's enough of a deterrent.

Having to do abuse prevention is not great for UX and hurts legitimate conversion; I promise you most companies only do it when they reach a point where abuse has become a real problem, and sometimes well after.

anonym29 2 days ago | parent [-]

>Firstly, I can tell you phone number verification made a very meaningful impact. The cost of abuse can be quite high for services with high marginal costs like AI.

Nobody has made the argument that it's not a deterrent at all. The core argument is that it's privacy-infringing when it doesn't need to be, and the cost posed to attackers is extremely low. If your business is offering a service at a price below your business' own costs, the business itself is choosing to inflict cost asymmetry upon itself.

>Second, all those alternatives you described are also not great for user privacy either.

This is plainly and obviously false at face value. How would blocklisting datacenter IPs, or doing IP-based rate limiting, or a PoW challenge like Anubis be "also not great" for user privacy, particularly when compared to divulging a phone number? Phone numbers are linked to far more commercially available PII than an IP address by itself is, and PoW challenges don't even require you to log IP addresses. Behavioral analysis like blocking more than N sign-ups per minute from IP address X, or blocking headless UAs like curl, or even blocking registrations using email addresses from known temp-mail providers is nowhere remotely close to being as privacy-infringing as requiring phone numbers is.

The privacy difference between your stated practice and my proposed alternatives isn't a difference of degree; it's a fundamental difference of kind.

Being generous, this is lazy, corner-cutting engineering that seeks to impose an unknown amount of privacy risk from the perspective of end users by piggybacking off an existing channel that only good-faith users won't forge (phone number), at the possible expense of good-faith users' privacy, rather than implementing a better control.

Of course, there's no reason to be generous to for-profit corporations - the much more plausible explanation is that your business is data mining your own customers via this PII-linked registration requirement through a coercive ToS that refuses service unless customers provide this information, which is both entirely unnecessary for legitimate users and entirely insufficient to block even a slightly motivated abusive user.

...not that you'd ever admit to that practice if you were aware of it happening, or would even necessarily be aware of it happening if you were not a director or officer of the business.
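The privacy-respecting controls named in the two anonym29 comments above (IP rate limiting, datacenter IP blocklisting, a proof-of-work challenge, blocking headless user agents and temp-mail domains) combined into one sign-up gate, as an added example that is not part of any comment in this thread and not code from Anthropic, Anubis, or any product mentioned. Everything in it is an assumption: the `SignupGate` class, the blocklists (which use RFC 5737 TEST-NET addresses and `.example` domains as constructed stand-ins), the 12-bit PoW difficulty, and the 3-per-minute limit. The rate limiter holds an IP only in memory for the length of the window, which is the point the thread makes about these controls versus storing a phone number.

```python
from __future__ import annotations

import hashlib
import time
from collections import defaultdict, deque

# Constructed blocklists; a real deployment would load curated feeds instead.
TEMP_MAIL_DOMAINS = {"tempmail.example", "throwaway.example"}
HEADLESS_UA_MARKERS = ("curl/", "python-requests", "wget/")
DATACENTER_PREFIXES = ("203.0.113.",)  # TEST-NET-3, standing in for a datacenter range

POW_DIFFICULTY_BITS = 12      # ~4096 hashes per solution: trivial for one browser, costly at scale
MAX_SIGNUPS_PER_WINDOW = 3    # "no more than N sign-ups per minute from IP X"
WINDOW_SECONDS = 60


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a hash digest (the usual hashcash-style PoW measure)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def pow_verify(challenge: str, counter: int, difficulty: int = POW_DIFFICULTY_BITS) -> bool:
    """Server side: one SHA-256 over challenge:counter, no IP or identity needed."""
    if counter < 0:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


def pow_solve(challenge: str, difficulty: int = POW_DIFFICULTY_BITS) -> int:
    """Client side: brute-force the smallest counter that satisfies the challenge."""
    counter = 0
    while not pow_verify(challenge, counter, difficulty):
        counter += 1
    return counter


class SignupGate:
    """Layered abuse controls for a sign-up endpoint; `now` is injectable for testing."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._attempts = defaultdict(deque)  # ip -> timestamps of accepted sign-ups

    def _rate_limited(self, ip: str) -> bool:
        # Sliding window: drop timestamps older than the window, then count what is left.
        now = self._now()
        window = self._attempts[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_SIGNUPS_PER_WINDOW:
            return True
        window.append(now)
        return False

    def check(self, ip: str, email: str, user_agent: str,
              challenge: str, pow_counter: int) -> tuple[bool, str]:
        """Return (allowed, reason); cheap static checks run before the stateful ones."""
        if ip.startswith(DATACENTER_PREFIXES):
            return False, "datacenter_ip"
        if any(marker in user_agent.lower() for marker in HEADLESS_UA_MARKERS):
            return False, "headless_ua"
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in TEMP_MAIL_DOMAINS:
            return False, "temp_mail"
        if not pow_verify(challenge, pow_counter):
            return False, "bad_pow"
        if self._rate_limited(ip):
            return False, "rate_limited"
        return True, "ok"


if __name__ == "__main__":
    # Constructed end-to-end run: the client solves the challenge, the server checks the request.
    challenge = "constructed-challenge-1"
    counter = pow_solve(challenge)
    gate = SignupGate()
    print(gate.check("198.51.100.7", "alice@example.org", "Mozilla/5.0", challenge, counter))
    print(gate.check("198.51.100.7", "bob@tempmail.example", "Mozilla/5.0", challenge, counter))
```

The ordering matters: static checks that need no state come first, the PoW check comes before the rate limiter so an attacker cannot consume window slots with unsolved requests, and the rate limiter only ever records accepted attempts. The PoW difficulty is a knob on attacker cost that does not touch user privacy at all, which is the asymmetry the comment above is pointing at.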

AlexandrB 2 days ago | parent | prev [-]

This makes sense for free tiers of products, but if you provide CC info for a paid tier, you shouldn't also have to provide a phone number. One or the other.

moduspol 2 days ago | parent | next [-]

I think people can use stolen / one-time use / prepaid / limited purchase size credit cards fairly easily, too. And you might not find out until after they've racked up a non-trivial amount of costs.

xur17 2 days ago | parent [-]

Then accept stablecoins.

whatevaa 10 hours ago | parent [-]

Then you go back to fraud free tier account problem.

xur17 9 hours ago | parent [-]

Require a phone number for free tier, make stablecoins a path for paid only access.

derekdahmer 2 days ago | parent | prev [-]

Theoretically yes but a few issues:

- Account creation usually happens before plan selection & payment. Most users start at free, then add a CC later, either during onboarding or after finishing their trial.

- Virtual credit cards are very easy to create. You can sign up with a credit card with a very low limit and just use the free tier tokens.