How to prevent users from creating multiple accounts on a free daily limited service

The idea is that we have a free website, but there will be a daily limit on downloads for each user (say, 5 downloads per day per user), so there will be users with multiple accounts.

  • IP discovery is not good, because I have many users from one IP (users from one organization).
  • Email verification and a unique email account are not good; you can create multiple accounts.
  • SMS confirmation is not good; users can use their friend's cell phone number to register another account.

I saw a website that solved this problem (partially) www.gameknot.com

They find users by computer name or MAC address or something else that I'm not sure about. I registered 3 users there; they found me, said "These three users use the same computer!!" and blocked all three accounts.

When I reinstalled Windows, the problem was solved; I have one user.

So I asked myself, “How did they do this?”

Are there any suggestions as to how I can deal with this problem?

+5
accounts
6 answers

If I implemented such a system to have only one signon per user or something similar, I would do something like this:

1: Create an IP-based machine identifier, perhaps using JavaScript / Java applet / Flash; you can get a MAC or I don't know what other things are being considered. For simplicity, let me say that I compute the host ID as follows:

 ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC) 

2: Log in as User1 and let me pretend that I calculated host ID = 666. We look at a table in the database, let's say table_hosts, that contains this data (user, host_id).

3: User1 has used all 5 downloads (track them using a session or records from the database).

4: User1 tries to log in as User2; now we calculate ID = 666, the same ID = 666, look at table_hosts and find out that the same host ID was used by User1 during this day. Now we can ban accounts with this identifier, give warnings (like at 20% before the ban), etc.

I hope I can help, but remember to be creative; that is all that is important!

LE. Since other users discuss shared computers, the identifier can be calculated as follows:

 ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC) + MD5(NameOfLoggedOnUser) 

But it also has a drawback: an attacker can create two or more accounts on it. In any case, I repeat: creativity, and yes, we must not forget that any lock can be broken.

+3
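The host-ID scheme sketched in the answer above, written out as a runnable example. This is added code, not the answer's own, and it uses an in-memory list as a stand-in for the table_hosts (user, host_id) table. It assumes the local IP, MAC and logged-on user name are reported by the client, since a web server can observe only the visitor's public IP by itself; those fields are therefore untrusted input, which is exactly the weakness the answer's own "LE." note concedes. It goes one step beyond the answer by pooling the daily quota across every account seen on the same host, so a second account gains nothing without needing a ban.

```python
# Added example, not the answer's own code: the host-ID check outlined above,
# using the concatenated-MD5 identifier the answer describes and an in-memory
# stand-in for its table_hosts (user, host_id). Components other than the public
# IP are assumed to be reported by the client; a web server cannot read a
# visitor's MAC or local IP itself, so those values are untrusted input.
import hashlib

DAILY_LIMIT = 5  # the 5 downloads per day per user from the question


def host_id(public_ip, local_ip, mac, logged_on_user=None):
    """ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC) [+ MD5(NameOfLoggedOnUser)]
    as written in the answer; '+' is string concatenation of hex digests."""
    parts = [public_ip, local_ip, mac]
    if logged_on_user is not None:      # the answer's "LE." variant
        parts.append(logged_on_user)
    return "".join(hashlib.md5(p.encode()).hexdigest() for p in parts)


class DownloadTracker:
    """Keeps table_hosts rows (day, user, host_id) and a per-user daily counter."""

    def __init__(self):
        self.table_hosts = []   # rows: (day, user, host_id)
        self.downloads = {}     # (day, user) -> downloads used

    def accounts_on_host(self, day, hid):
        """All accounts that logged in from this host_id on the given day."""
        return sorted({u for d, u, h in self.table_hosts if d == day and h == hid})

    def login(self, day, user, hid):
        """Steps 2 and 4: record the login, return other accounts seen on this host today."""
        others = [u for u in self.accounts_on_host(day, hid) if u != user]
        self.table_hosts.append((day, user, hid))
        return others

    def request_download(self, day, user, hid):
        """Step 3: charge the download against the daily quota. Goes one step
        beyond the answer: the quota is pooled over every account that used this
        host_id today, so a second account on the same host gains nothing."""
        pool = set(self.accounts_on_host(day, hid)) | {user}
        used = sum(self.downloads.get((day, u), 0) for u in pool)
        if used >= DAILY_LIMIT:
            return False, "quota exhausted for host accounts " + ", ".join(sorted(pool))
        self.downloads[(day, user)] = self.downloads.get((day, user), 0) + 1
        return True, f"{used + 1}/{DAILY_LIMIT} used today"


if __name__ == "__main__":
    # Constructed walk-through of the answer's steps 2-4 with a made-up host.
    tracker = DownloadTracker()
    hid = host_id("203.0.113.5", "192.168.1.10", "00:11:22:33:44:55")
    tracker.login("2024-03-01", "User1", hid)
    for _ in range(DAILY_LIMIT):
        print(tracker.request_download("2024-03-01", "User1", hid))
    print(tracker.login("2024-03-01", "User2", hid))            # ['User1']
    print(tracker.request_download("2024-03-01", "User2", hid))  # (False, ...)
```

Because the quota is keyed by host_id rather than by account, the shared-computer case raised in the other answers (a household or an internet cafe) is also handled by this design: everyone behind one host shares the 5 downloads, which is restrictive but predictable, and no account has to be banned to enforce it.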

If it was a MAC address, reinstalling Windows will not change the situation - it is a hardware address.

Did they set cookies from your machine? The disadvantage of this is that the user who clears his cookies will have public access.

Even binding it to one machine has drawbacks - what if it is a common machine (in a home or even an Internet cafe).

There is probably no perfect solution, because you will have cases where someone legitimately does something that looks quirky, and quirky people who may look legit.

+1

The main question here is to find a balance between control and annoyance. Will more control over you lead to more annoyance for your users?

Keep in mind that a user may have failed downloads for many reasons. Do you allow resuming the download or restarting it without punishing the user?

You mentioned email verification and a unique email account as not very good. But don't forget that creating a new email account just for this purpose is a problem for most users. So allow signing up for a new account even with an existing email. So yes, some users will get a little more than they should, but will there be serious negative consequences for the business?

If you want them to pay for additional downloads, there will be two types. Those who value their time and hate hassle. Make it easy for them and they will gladly pay! These are the customers you want to take care of.

The other group is those who invent new tricks so as not to pay, no matter how hard you make it. Will you identify their computer? Then they will go to an internet cafe with many other computers, so you will achieve nothing. There is simply nothing you could do against these users. But is it worth worrying about?

So in conclusion, perhaps trying to make it easier for users who are happy to pay is worth more than worrying about those who will not pay anyway. Here are some more usability discussions.

EDIT.

Just noticed this answer, showing that getting fake emails is even easier than I thought. However, how many users find out about this service?

+1

They probably used tracking cookies or IPs that are easy to beat. As with all security issues, this is a matter of accessibility and security.

If this is really, really important, you can use SMS verification. This is probably as safe as I would go ... But this is a pretty non-trivial thing to solve, especially with users from non. I would just go with IP logging (so you can search periodically to see any weird patterns) and cookies.

0

Well, StackOverflow seems to be using OpenID to solve this problem, if not fix it.

0

I am running a free website where people register accounts, and I had some problems similar to yours. I require email verification and I log the IP addresses, but people will always find a way to game the system. The only solution is to really monitor your site to make sure nothing abnormal happens. I had a case where three verified accounts were registered from the same IP address a few minutes after each other, and all performed the same action. I wrote to one of the users, who complained: "Oh no, it's just me, I don't know what you're talking about." I ended up suspending this user account, and all three accounts became inactive at the same time.

I also had another case where someone created fake email accounts, but did it in much the same way, using the same password every time and a similar email address. It caused problems on the site, so I banned all of his accounts, and he eventually stopped.

Just control and look for patterns. Besides being really confused, that’s almost all you can do.

Good luck

0
