views:

175

answers:

3

We're looking for a good way to stop fraud on our website. We have a site with constant traffic coming in - we have regular access to the normal info (IP, session, cookies etc), plus info that the users have provided.

We need to be able to detect duplicate users in real time. Basically, people are coming in pretending to be different people in order to earn money on each account. We have to stop duplicate users and robots from entering our system.

To stop or slow robots, we implemented a CAPTCHA. This helped a bit.

To try preventing duplicate accounts, we created an IP trending system. It temporarily (and silently) suspended any account with duplicate activity within the past 10 minutes. It also incremented a "duplicate" counter on all accounts with activity on that IP - this flag lights up accounts quickly if they have too much duplicate activity.

However, the above fix doesn't work when someone comes in a day later. It also doesn't work if people use proxy servers or different IPs. It generates tons of false positives with AOL accounts (and other ISPs that use shared IP addresses). Is there anything else that we can do to help slow or stop duplicate and robotic fraud in real time?

If we can stop them in real time, we can keep our advertisers happy (fraud never happens). If we can stop them within a few days, we can at least stop payment to these duplicate accounts, making it pointless to keep trying.

Any help on an automated solution detecting this fraud will be appreciated.
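The "IP trending" approach from the question, written out as an added example (this is not the asker's code). It records each account action against its source IP inside a sliding 10-minute window, silently suspends every account that shares the IP and bumps their "duplicate" counters, and adds one mitigation for the shared-ISP false positives the question mentions: once an IP has more distinct accounts in the window than `SHARED_IP_THRESHOLD`, it is treated as a shared egress and stops counting toward suspensions. The threshold values and the sample events are constructed assumptions.

```python
"""Sliding-window duplicate-activity detector (added example, not the asker's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10 * 60   # the question's 10-minute window
SHARED_IP_THRESHOLD = 20   # assumption: more distinct accounts than this => shared ISP egress
FLAG_THRESHOLD = 3         # assumption: duplicate-counter value that "lights up" an account


@dataclass
class AccountState:
    duplicate_count: int = 0      # how often this account shared an IP with another
    suspended_until: float = 0.0  # epoch seconds; 0 means never suspended


class DuplicateDetector:
    def __init__(self):
        # ip -> deque of (timestamp, account) actions still inside the window
        self.recent = defaultdict(deque)
        self.accounts = defaultdict(AccountState)

    def _prune(self, ip, now):
        # Drop actions older than the window from the front of the deque.
        q = self.recent[ip]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def record(self, now, ip, account):
        """Register one action. Returns (verdict, accounts suspended by this action).

        verdict is "ok", "duplicate" or "shared_ip".
        """
        self._prune(ip, now)
        q = self.recent[ip]
        others = {acct for _, acct in q if acct != account}
        q.append((now, account))

        # Too many distinct accounts behind one IP looks like a shared proxy
        # (AOL-style), so do not punish anybody for it.
        if len(others) + 1 > SHARED_IP_THRESHOLD:
            return "shared_ip", set()
        if not others:
            return "ok", set()

        # Duplicate activity: silently suspend everyone on the IP and bump counters.
        affected = others | {account}
        for a in affected:
            st = self.accounts[a]
            st.duplicate_count += 1
            st.suspended_until = max(st.suspended_until, now + WINDOW_SECONDS)
        return "duplicate", affected

    def is_suspended(self, account, now):
        return self.accounts[account].suspended_until > now

    def flagged_accounts(self):
        """Accounts whose duplicate counter crossed the review threshold."""
        return sorted(a for a, s in self.accounts.items()
                      if s.duplicate_count >= FLAG_THRESHOLD)


if __name__ == "__main__":
    # Constructed sample traffic: two accounts on one IP a minute apart,
    # then a third account from the same IP after the window has expired.
    d = DuplicateDetector()
    print(d.record(0, "198.51.100.7", "u1"))      # ('ok', set())
    print(d.record(60, "198.51.100.7", "u2"))     # ('duplicate', {'u1', 'u2'})
    print(d.record(700, "198.51.100.7", "u3"))    # ('ok', set())
    print(d.flagged_accounts())
```

The suspension is time-boxed to the window, so a real deployment still needs the longer-lived `duplicate_count` review (the "lights up" list) to catch the person who comes back a day later; the shared-IP cap only reduces false positives, it does not identify proxies, and a curated list of known shared egress ranges would be a better signal than a count.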

+1  A: 

I hope you are doing email verification(?).

If you are not already doing it then you can introduce mobile verification, wherein the user should verify a code during registration. Since this is too much work (?) for users who try to create duplicate accounts it will reduce some duplications.

I don't think you will be able to eliminate duplication 100% ;-) unless you call/investigate every user and verify the details.

BTW what is the advantage of having multiple accounts? Will the users earn more?

Shoban
A: 

This is kind of a shot in the dark, not knowing what your system is backed up by and my not being an expert in the fraud field (I mean fraud prevention, ahem). I've seen demos of SQL Server Data Mining deployed successfully for this job. The DM is trained on a history of valid, non-fraudulent activities (extracted from the OLTP data into fact tables), it uses factorial analysis to cluster patterns of behavior, and is then capable of categorizing a new transaction, in real time, whether it falls into one of the known clusters of behavior or is a 'deviant'. Deviant transactions are usually suspect ones.

Remus Rusanu
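The train-on-history, cluster, then classify-in-real-time idea in the answer above, as an added example in plain Python (this is not the answerer's code and not SQL Server Data Mining; it substitutes a small k-means for the product's clustering). Historical per-account activity vectors (actions per minute, distinct pages per session) are clustered, each cluster gets a radius from the spread of its members, and a new transaction is "known" if it lands inside some cluster's radius and "deviant" otherwise. The feature choice, training vectors and tolerance factor are constructed assumptions.

```python
"""Behaviour-clustering anomaly detector (added example, not the answer's or any product's code)."""
import math

# Constructed history of non-fraudulent activity: (actions per minute, distinct pages per session).
# Two habits show up: casual browsers and a group of heavier "power users".
TRAINING = [
    (1.5, 6), (2.0, 8), (2.5, 7), (1.8, 9), (2.2, 5), (1.6, 7),      # browsers
    (9.0, 3), (10.0, 4), (11.0, 2), (9.5, 3), (10.5, 2), (10.0, 3),  # power users
]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points, k):
    # Deterministic farthest-point seeding: first point, then whatever is
    # farthest from the centroids chosen so far.
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    return centroids


def kmeans(points, k, iters=50):
    """Plain Lloyd's k-means; returns (centroids, member lists per centroid)."""
    centroids = init_centroids(points, k)
    groups = []
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        new = [tuple(sum(v) / len(g) for v in zip(*g)) if g else centroids[i]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids, groups


class BehaviourModel:
    def __init__(self, history, k=2, tolerance=3.0):
        self.centroids, groups = kmeans(history, k)
        # A cluster's radius is mean member distance + tolerance * std dev,
        # so "deviant" means further from every known behaviour than its
        # members ever were (tolerance is an assumed tuning knob).
        self.radius = []
        for c, g in zip(self.centroids, groups):
            ds = [dist(p, c) for p in g]
            mean = sum(ds) / len(ds)
            std = math.sqrt(sum((d - mean) ** 2 for d in ds) / len(ds))
            self.radius.append(mean + tolerance * std)

    def classify(self, vector):
        """Real-time check of one new transaction: ('known'|'deviant', cluster index, distance)."""
        i = min(range(len(self.centroids)), key=lambda i: dist(vector, self.centroids[i]))
        d = dist(vector, self.centroids[i])
        return ("deviant" if d > self.radius[i] else "known"), i, d


if __name__ == "__main__":
    model = BehaviourModel(TRAINING)
    for vec in [(2.1, 7.5), (10.2, 3.1), (5.0, 5.0), (60.0, 1.0)]:
        verdict, cluster, d = model.classify(vec)
        print(f"{vec}: {verdict} (cluster {cluster}, distance {d:.2f})")
```

The point the example makes concrete is the one the answer relies on: nothing here knows what fraud looks like, it only knows what the historical legitimate population looked like, so a scripted account hammering at 60 actions a minute is flagged without anyone having written a rule for it. The flip side, which a deployment has to budget for, is that a genuinely new but legitimate habit (the `(5.0, 5.0)` case) is also reported as deviant until the model is retrained on it.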
A: 

You need to decide on a balance between annoying your users and preventing bots. Occasionally on Google or SO I get a captcha, but it's fairly rare. Any sufficiently motivated person can bypass a bot detection filter. Here's a list of common barriers:

  • Registration
  • OpenID
  • Email verification
  • Invite only
  • CAPTCHA
  • Txt/SMS verification
  • Credit card
  • Micropayment

The alternative on your side is writing clever algorithms and/or having support staff flag bots. Unfortunately, there's no simple algorithm like running an FFT over your time-stamps which will identify all bots.

brianegge