> What's wrong if a bot buys some of your inventory, pays for it and everything?
100% of the time, a bot buying things from a store is doing so to test a database of stolen credit cards the bot's owner has purchased/stolen. Accepting those sales means you'll get hit with chargebacks a few weeks later as the real owners of those cards see their statements. Then your store gets shut down for exceeding the maximum 1% chargeback ratio mandated by Visa and MasterCard. So preventing this scenario matters a lot, and when someone targets one of my stores for testing like this, enabling a CAPTCHA on the payment page is one of several, often-essential mitigations. Blocking IPs, blocking whole countries, including a nonce in the form, etc. are on their own insufficient most of the time: the readily-available tools for this kind of attack already handle rotating IPs, retrieving a new form nonce on each try, spoofing the proper referrer, etc.
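To make the comment's point concrete, here is an added example (not code the commenter posted, and not from any real store's fraud stack) showing why a per-IP rate limit misses a card-testing run that rotates IPs, while a store-wide velocity rule on distinct cards and decline ratio does not. The checkout log, the IP ranges, the thresholds and the `card_fp` field (assumed to be a keyed hash of the card number, never the PAN itself) are all constructed for illustration.

```python
"""Card-testing detection over a constructed checkout-attempt log.

Two rules are compared:
  * per_ip_rule: blocks an IP after too many attempts in a window, i.e. the
    kind of control the comment says is insufficient on its own
  * global_rule: looks at distinct card fingerprints and decline ratio across
    ALL IPs in the window, so rotating IPs does not hide the pattern
Thresholds are illustrative assumptions, not values from any real processor.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int            # seconds since epoch
    ip: str
    card_fp: str       # keyed hash of the PAN (assumed); never log the PAN itself
    amount_cents: int
    approved: bool


# Constructed sample log: a testing run that rotates through 12 IPs, uses a
# new card on every attempt, keeps amounts tiny and is mostly declined,
# plus two legitimate buyers paying normal amounts.
SAMPLE_LOG = [
    Attempt(1000 + i * 3, f"203.0.113.{i % 12}", f"fp{i:03d}", 199 + (i % 3), i % 5 == 0)
    for i in range(40)
] + [
    Attempt(1005, "198.51.100.7", "fp_legit_a", 4999, True),
    Attempt(1050, "198.51.100.9", "fp_legit_b", 12999, True),
]
LEGIT_ONLY = [a for a in SAMPLE_LOG if a.card_fp.startswith("fp_legit")]


def per_ip_rule(attempts, window_s=60, max_per_ip=5):
    """Return the set of IPs that exceed max_per_ip attempts in any window_s span."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a.ts)
    flagged = set()
    for ip, times in by_ip.items():
        lo = 0
        for hi in range(len(times)):           # sliding window over this IP's timestamps
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 > max_per_ip:
                flagged.add(ip)
                break
    return flagged


def global_rule(attempts, window_s=60, min_distinct_cards=20,
                min_decline_ratio=0.5, max_amount_cents=1000):
    """Store-wide check, independent of IP: many distinct small-amount cards
    with a high decline ratio inside one window. Returns
    (distinct_cards, declines, attempts_in_window) for the first window that
    trips the rule, or None if nothing does."""
    small = sorted((a for a in attempts if a.amount_cents <= max_amount_cents),
                   key=lambda a: a.ts)
    lo = 0
    for hi in range(len(small)):
        while small[hi].ts - small[lo].ts > window_s:
            lo += 1
        window = small[lo:hi + 1]
        distinct = len({a.card_fp for a in window})
        declines = sum(1 for a in window if not a.approved)
        if distinct >= min_distinct_cards and declines / len(window) >= min_decline_ratio:
            return (distinct, declines, len(window))
    return None


def recommend_action(attempts):
    """Map the detection result to the mitigation the comment describes."""
    hit = global_rule(attempts)
    return "enable_captcha_on_payment_page" if hit else "no_action"


if __name__ == "__main__":
    print("per-IP rule flagged:", per_ip_rule(SAMPLE_LOG))        # set(): rotation beats it
    print("global rule hit:", global_rule(SAMPLE_LOG))             # (20, 16, 20)
    print("action:", recommend_action(SAMPLE_LOG))
```

With the defaults, no single IP ever exceeds five attempts in a minute, so the per-IP rule stays silent, while the store-wide rule trips as soon as twenty distinct cards have been tried in sixty seconds with most of them declined. Keying on something the attacker cannot cheaply rotate (card count and decline ratio across the whole store) is what makes the second rule useful; in production the fingerprint would come from the payment processor's tokenised card reference rather than from anything the store stores itself.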
Maybe this is related to some other heuristic they're using for determining whether or not to show reCAPTCHA (although this is in a no-extension Chrome on a residential IP address).
Right, they have that at registration but it's either superfluous or it only catches the really easy stuff because they rely on an army of human moderators who spend all day cleaning up after bad actors able to click buses.
In practice it is a major pain to keep up to date, and bots slip through all the time, at least on the subreddit I help moderate. It's a lot of manual volunteer work.