Tens of thousands of users? Globally you mean? I doubt it's the user base size in Gaza, but if that is actually what you meant, where did you pull that estimate from?
BitChat can send messages over Bluetooth, and it uses a mesh network to relay messages across nearby devices. This allows messages to hop from one phone to another, extending coverage beyond the normal Bluetooth range, though the number of hops is limited and depends on nearby devices. When a device in the mesh has an internet connection, certain messages can be published to Nostr, allowing them to move from the local mesh to the global network. Not all messages are automatically sent online, and purely mesh-local chats remain local. Messages sent via Nostr can also be accessed through clients like NYM (Nostr Ynstant Messenger). BitChat combines offline mesh networking with a decentralized protocol to enable both local and global communication.
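The relay behaviour described in the comment above (a message hops phone to phone with a hop budget, and only a node that currently has internet can push it out to the wider network) as a small simulation. This is an added example, not BitChat's code or its wire format; the topology, the hop limit of 3 and the "bridgeable" flag on a message are constructed assumptions for the demo, and the Nostr relay is just a boolean stand-in.

```python
"""Hop-limited mesh relay with an internet gateway, as a small simulation.

Constructed toy model (not BitChat's code): phones are graph nodes, a
message carries a hop budget (ttl), each node relays a message at most
once, and a node that currently has internet bridges messages flagged as
bridgeable to a stand-in for a Nostr relay. Hop limit and topology are
assumptions for the demo.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_HOPS = 3  # assumed limit; the real app's budget may differ


@dataclass
class Message:
    msg_id: str
    sender: str
    body: str
    bridgeable: bool  # assumption: only some messages may leave the mesh
    ttl: int = MAX_HOPS


@dataclass
class Node:
    name: str
    has_internet: bool = False
    seen: set = field(default_factory=set)  # msg_ids already relayed (dedup)


def deliver(nodes, adjacency, origin, msg):
    """Flood msg from origin over the mesh.

    Returns (set of node names that received msg, True if any node with
    internet bridged it). The hop budget decrements on every forward; a
    node that receives a message with ttl 0 keeps it but forwards no further.
    """
    received, bridged = set(), False
    nodes[origin].seen.add(msg.msg_id)
    queue = deque([(origin, msg.ttl)])
    while queue:
        cur, ttl = queue.popleft()
        node = nodes[cur]
        received.add(cur)
        if node.has_internet and msg.bridgeable:
            bridged = True  # stand-in for publishing to a Nostr relay
        if ttl == 0:
            continue
        for nxt in sorted(adjacency[cur]):
            if msg.msg_id in nodes[nxt].seen:
                continue  # already relayed via another path; flood dedup
            nodes[nxt].seen.add(msg.msg_id)
            queue.append((nxt, ttl - 1))
    return received, bridged


def demo_topology():
    """A-B-C-D-E-F in a line; only F has internet (constructed)."""
    names = "ABCDEF"
    nodes = {n: Node(n, has_internet=(n == "F")) for n in names}
    adjacency = {n: set() for n in names}
    for a, b in ("AB", "BC", "CD", "DE", "EF"):
        adjacency[a].add(b)
        adjacency[b].add(a)
    return nodes, adjacency


def send(origin, body, bridgeable, ttl=MAX_HOPS):
    """Fresh topology per call so dedup state does not leak between runs."""
    nodes, adjacency = demo_topology()
    msg = Message(msg_id=f"{origin}:{body}", sender=origin, body=body,
                  bridgeable=bridgeable, ttl=ttl)
    return deliver(nodes, adjacency, origin, msg)


if __name__ == "__main__":
    print("A, bridgeable, 3 hops:", send("A", "hello", bridgeable=True))
    print("D, bridgeable, 3 hops:", send("D", "hello", bridgeable=True))
    print("D, mesh-only, 3 hops:", send("D", "hello", bridgeable=False))
```

Sending from A with three hops reaches B, C and D but never the gateway F, so nothing leaves the mesh; from D the same budget reaches F and the message is bridged, unless it was flagged mesh-only. Raising the budget or adding a phone in the gap changes the answer, which is the "depends on nearby devices" part of the comment.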
I’ve always found it disconcerting that modern SaaS products advertise themselves as “spreadsheet replacements”. Actually, that’s the opposite of what I want.
Oh boy, this was a major problem at our budding fintech. Here's what DIDN'T work:
1. Browser fingerprinting or IP bans. They used advanced fingerprint-shifting browsers and residential proxy IPs.
2. Phone number 2FA. Significantly slowed legitimate user access but still didn't fully stop credential stuffers.
What did work:
3. Rate limits and carefully tailored scripts that detected usage patterns and autobanned. Eventually they gave up on us; guess it wasn't worth the trouble. However, I'm sure we lost a few legitimate users too in the process.
What I would try in the future:
- Passkeys as 2FA. Most browser automation platforms can't handle passkey auth inside a VM.
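An added example of the "rate limits plus usage-pattern detection" approach the comment above says worked, written for this page and not the poster's scripts. The log format, the thresholds and the sample lines are all constructed; the point is the shape of the two rules (a plain per-source rate limit, and a stuffing signature: many distinct usernames from one source with an almost-all-failures ratio) and that a legitimate user fumbling one password several times trips neither.

```python
"""Credential-stuffing detection over auth log lines (added example).

Constructed log format and thresholds. Per source IP, keep a sliding window
of attempts and apply two rules:
  - rate limit: more than RATE_LIMIT attempts in WINDOW_SECONDS -> throttle
  - stuffing pattern: many distinct usernames with an almost-all-failures
    ratio in the window -> ban (sticky)
A normal user mistyping one password a few times triggers neither.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

WINDOW_SECONDS = 60
RATE_LIMIT = 20                # attempts per window before throttling
STUFFING_MIN_USERS = 8         # distinct usernames per window
STUFFING_MIN_FAIL_RATIO = 0.9  # stuffing lists are almost all misses


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["ip"], m["user"], m["result"] == "ok"


class Detector:
    def __init__(self):
        self.window = defaultdict(deque)  # ip -> deque[(ts, user, ok)]
        self.verdicts = {}                # ip -> "throttle" | "ban"

    def observe(self, line):
        ts, ip, user, ok = parse(line)
        if self.verdicts.get(ip) == "ban":
            return "ban"                  # bans are sticky in this demo
        q = self.window[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                   # expire attempts outside the window
        attempts = len(q)
        distinct_users = len({u for _, u, _ in q})
        fail_ratio = sum(1 for _, _, k in q if not k) / attempts
        verdict = "allow"
        if attempts > RATE_LIMIT:
            verdict = "throttle"
        if distinct_users >= STUFFING_MIN_USERS and fail_ratio >= STUFFING_MIN_FAIL_RATIO:
            verdict = "ban"
        if verdict != "allow":
            self.verdicts[ip] = verdict
        return verdict


# Constructed sample: bob fumbles his password three times then succeeds;
# 198.51.100.9 walks a list of ten different usernames in thirty seconds.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z ip=203.0.113.5 user=bob result=fail",
    "2024-05-01T10:00:05Z ip=203.0.113.5 user=bob result=fail",
    "2024-05-01T10:00:09Z ip=203.0.113.5 user=bob result=fail",
    "2024-05-01T10:00:15Z ip=203.0.113.5 user=bob result=ok",
] + [
    f"2024-05-01T10:00:{s:02d}Z ip=198.51.100.9 user=user{s:03d} result=fail"
    for s in range(10, 40, 3)
]


def run_sample(lines=SAMPLE_LOG):
    """Feed lines in order; return (per-line verdicts, final per-IP verdicts)."""
    det = Detector()
    return [det.observe(line) for line in lines], dict(det.verdicts)


if __name__ == "__main__":
    per_line, final = run_sample()
    for line, v in zip(SAMPLE_LOG, per_line):
        print(f"{v:8} {line}")
    print(final)
```

Keying on source IP is exactly what residential proxies defeat, which is why the distinct-username and failure-ratio signal matters more than the raw rate: it still fires when each proxy IP only sends a handful of attempts, as long as the window is long enough to see them. Lowering the thresholds buys detection at the cost of the legitimate users the poster mentions losing.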
I spent a year doing security for a highly targeted fintech-adjacent company where credential stuffing was the primary security threat, and all non-phishing-resistant MFA was table stakes: all the real work was in combating cred-stuffing attacks that had already defeated (usually through elaborate phishing) the MFA.
> 1. Browser fingerprinting or IP bans. They used advanced fingerprint-shifting browsers and residential proxy IPs.
Don't you typically use that for valid users? As in, you allow access when the fingerprint matches their existing fingerprint, and when it doesn't you require additional information to be presented (i.e. a security code).
So if somebody shifts their IP around they end up needing more information than just user+pass to log in, but somebody who doesn't (i.e. a normal person at home) does have the easy way to log in.
Not sure why financial institutions still bother with passwords. Every time I try to log in to Wise or something it requires an email code/link. At that point just use the email auth.
There are a lot of dedicated anti-detect browsers, you can search for that term or fingerprint switcher, multi-accounting browsers, etc. Many of them are based on Chromium.
In my experience they're generally detectable by mismatches in various attributes compared to the "real" browser whose user agent they are spoofing (though of course, the ground truth of adversarial detection is always hard to know for sure).
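An added example (not any commenter's code) covering two points from this thread: the reply above that uses the fingerprint to bind a returning device so a matching device gets the easy path and a mismatch triggers step-up, and the observation directly above that anti-detect browsers spoof the user agent but often leave other attributes contradicting it. The attribute names, the expected-value table and the three sample devices are constructed; `hardware_concurrency` and `ch_platform` stand for `navigator.hardwareConcurrency` and the `sec-ch-ua-platform` client hint as a collector might report them.

```python
"""Device-fingerprint binding with step-up auth, plus anti-detect browser
consistency checks (added example; constructed attribute names).

  1. A returning device whose fingerprint matches the one on file gets the
     password-only path; anything else must present a second factor.
  2. Anti-detect browsers spoof the user agent but often leave other
     attributes (navigator.platform, UA client hints, core counts) telling
     a different story. Contradictions are a signal, not proof.
"""
import hashlib
import json

FP_KEYS = ("user_agent", "platform", "ch_platform", "hardware_concurrency",
           "timezone", "languages", "screen")

# OS token in the User-Agent -> (prefix expected in navigator.platform,
# value expected in sec-ch-ua-platform). Constructed table for the demo.
OS_EXPECTATIONS = {
    "Windows NT": ("Win32", "Windows"),
    "Macintosh": ("MacIntel", "macOS"),
    "Android": ("Linux", "Android"),
    "X11; Linux": ("Linux", "Linux"),
}


def fingerprint(attrs):
    """Stable hash over the chosen attributes; keys not in FP_KEYS are ignored."""
    canonical = json.dumps({k: attrs.get(k) for k in FP_KEYS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def consistency_findings(attrs):
    """List contradictions between the UA string and the other attributes."""
    ua = attrs.get("user_agent", "")
    platform = attrs.get("platform", "")
    ch_platform = attrs.get("ch_platform")
    findings = []
    for token, (plat_prefix, ch_value) in OS_EXPECTATIONS.items():
        if token not in ua:
            continue
        if not platform.startswith(plat_prefix):
            findings.append(f"ua says {token!r} but navigator.platform is {platform!r}")
        if ch_platform is not None and ch_platform != ch_value:
            findings.append(f"ua says {token!r} but sec-ch-ua-platform is {ch_platform!r}")
    cores = attrs.get("hardware_concurrency")
    if cores is not None and not 1 <= cores <= 128:
        findings.append(f"implausible hardware_concurrency {cores}")
    return findings


def login_policy(stored_fp, attrs):
    """Decide what a correct password alone buys this request."""
    findings = consistency_findings(attrs)
    if findings:
        # Self-contradicting client: never the easy path, and worth flagging.
        return {"action": "step_up", "flag": True, "findings": findings}
    if fingerprint(attrs) == stored_fp:
        return {"action": "password_only", "flag": False, "findings": []}
    return {"action": "step_up", "flag": False, "findings": ["fingerprint mismatch"]}


# Constructed sample devices. HOME_PC is the one enrolled on the account.
HOME_PC = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "platform": "Win32", "ch_platform": "Windows", "hardware_concurrency": 8,
    "timezone": "Europe/Amsterdam", "languages": ["nl-NL", "en"],
    "screen": "1920x1080",
}
STORED_FP = fingerprint(HOME_PC)


def demo():
    # Same user on a genuinely new Mac: consistent attributes, new fingerprint.
    new_laptop = dict(HOME_PC, platform="MacIntel", ch_platform="macOS",
                      screen="2560x1600",
                      user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) "
                                 "AppleWebKit/537.36 (KHTML, like Gecko) "
                                 "Chrome/124.0.0.0 Safari/537.36")
    # Anti-detect profile replaying the stored Windows UA from a Linux host.
    spoofed = dict(HOME_PC, platform="Linux x86_64", ch_platform="Linux",
                   hardware_concurrency=2)
    return {
        "home": login_policy(STORED_FP, HOME_PC),
        "new_laptop": login_policy(STORED_FP, new_laptop),
        "anti_detect": login_policy(STORED_FP, spoofed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The enrolled PC passes on password alone, the new Mac is consistent with itself but unknown and gets step-up, and the spoofed profile gets step-up plus a flag because its UA claims Windows while the platform and client hint say Linux. As the comment above notes, this is adversarial: a well-maintained anti-detect browser will align more of these fields, so the check is a cheap tripwire, not an oracle.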