How to defend against users with Multiple Accounts?

Question

We have a service where we literally give away free money.

Naturally said service is ripe for abuse. To defend against this we do the following:

• log ip address

• use unique email addresses (only 1 acct/email addy)

• collect more info like st. address, phone number, etc.

• use signup captcha

• BHOs (I've seen poker rooms use these)

Now, let's get real here -- NONE of this will stop a determined user.

Obviously ip addresses can be changed via a proxy (which could be blacklisted via akismet) but change anyways if the user has a dynamic ip or if more than one user is behind a NAT'd network (can we say almost everyone?)

I can sign up for thousands of unique email addresses each hour -- this is no defense.

I can put in fake information taken from lists for street addresses and phone numbers.

I can buy captchas from captcha solving services (1k for $5).

bhos seem only effective for downloadable software -- this is a website

What are some other ways to prevent multiple users from abusing the service? How do all the PPC people control click fraud?

I know we could actually call the person but I don't think we are trying to do that anytime soon.

Thanks,

Answer 1

It's pretty difficult to generate lots of fake phone numbers that can send and receive SMS messages. SMS verification could go a long way towards cutting down on fraud. Of course, it also limits you to giving away free money to cell phone owners.

Answer 2

I think only way is to bind your users accounts to 'real world' information, like his/her passport number, for instance. Of course, you'll need to make sure that information is securely stored and to find some way to validate it.

Answer 3

Re: signing up for new email accounts...

A user doesn't even need to do that. Please feel free to send your mail to brian_s@mailinator.com, or feydr.asks.a.question@spamherelots.com, or stackoverflow@safetymail.info, or my_arbitrary_username@zippymail.info. I haven't registered any of those email addresses, but all of them will work.

Those domains are owned by ManyBrain, and they (and probably others as well) set the domain to accept any email user. ManyBrain in particular then makes the inboxes for those emails publicly accessible without any registration (stripping everything by text from the email and deleting old mail). Check it out: admin@mailinator.com's email inbox!

Others have mentioned ways to try and keep user identities unique. This is just one more reason to not trust email addresses.

Answer 4

First, I suppose (hope) that you don't literally give away free money but rather give it to use your service or something like that.

That matters as there is a big difference between users trying to just get free money from you they can spend on buying expensive cars vs only spending on your service which would be much more limited.

Obviously many more user will try to fool the system in the former than in the latter case.

Why it matters? Because it is all about the balance between your control vs your user annoyance. I see many answers concentrating on the control part, so let's go through annoyance, shall we?

• Log IP address. What if I am the next guy on the computer in say internet shop and the guy before me already used that IP? The other guy left your hot page that I now see but I am screwed because the IP is blocked. Yes, I can go to another computer but it is annoyance and I may have other things to do.

• Collecting physical Adresses. For what??? Are you going to visit me? Or start sending me spam letters? Let me guess, more often than not you get addresses with misprints at best and fake ones at worst. In fact, it is much less hassle for me to give you fake address and not dealing with whatever possible spam letters I'll have to recycle in environment-friendly way. :)

• Collecting phone numbers. Again, why shall I trust your site? This is the real story. I gave my phone nr to obscure site, then later I started receiving occasional messages full of nonsense like "hit the fly". That I simply deleted. Only later and by accident to discover that I was actually charged 2 euros to receive each of those messages!!! Do I want to get those hassles? Obviously not! So no, buddy, sorry to disappoint but I will not give your site my phone number unless your company is called Facebook or Google. :)

• Use signup captcha. I love that :). So what are we trying to achieve here? Will the user who is determined to abuse your service, have problems to type in a couple of captchas? I doubt it. But what about the "good user"? Are you aware how annoying captchas are for many users??? What about users with impaired vision? But even without it, most captchas are so bad that they make you feel like you have impaired vision! The best advice I can give - if you care about user experience, avoid captchas as plague! If you have any doubts, do your online research first!

See here more discussion about control vs annoyance and here some more thoughts about being user-friendly.

Answer 5

You have to bind their information to something that is 'real world', as Rubens says. Of course, you also need to be able to verify this information (I can just make up passport numbers all day if you don't check to make sure they're correct).

How do you deliver the money? Perhaps you can index this off the paypal account, mailing address, or whatever you're sending the money to?

Answer 6

Sometimes the only way to prevent people abusing a system is to not have the system in the first place.

If you're doing what you say you're doing, "giving away money to people", then surprise surprise, there will be tons of people with more time available to try to find ways to game the system than you will have to fix it.

Answer 7

I guess it will never be possible to have an identification system which identifies fake identities that is:

• cheap to run (I think it's called "operational cost"?)
• cheap to implement (ideally one time cost - how do you call that?)
• has no Type-I/Type-II errors
• is scalable

But I think you could prevent users from having too many (to say a quite random number: more than 50) accounts.

You might combine the following approaches:

• IP address: can be bypassed with VPN
• CAPTCHA: can be bypassed with human farms (see this article, for example - although they claim that their test can't be that easily passed to other humans, I doubt this is true)
• Ability-based identification: can be faked when you know what is stored and how exactly the identification works by randomly (but with a given distribution) acting (example: brainauth.com)
• Real-world interaction: Although this might be the best one, but I guess it is expensive and not many users will accept it. Also, for some users/countries it might not be possible. (example: Postident in Germany, where the Post wants to see your identity card. I guess this can only be faced in massive scale by the government.)
• Other sites/resources: This basically transforms the problem for other sites. You can use services, where it is not allowed/uncommon/expensive to have much more than 1 account
  • Email
  • Phone number: e.g. by using SMS, see Multi-factor authentication
  • Bank account: PayPal; transfer not much money or ask them to transfer a random (small) amount to you (which you will send back).
• Social based
  • When you take the social graph (vertices are people, edges are connections), you will expect some distribution. You know that you are a single human and you know some other people. So you have a "network of trust" (in quotes, because I think this might be used in other context as well). Now you might not trust people / networks how interact heavily with your service, but are either isolated (no connection) or who connect a large group with another large group ("articulation points"). You also might not trust fast growing, heavily interacting new, isolated graphs.
  • When a user provides content that is liked by many other users (who you trust), this might be an indicator that there is a real human creating it.