views: 204
answers: 6

The idea is that we have a website for free downloads,

but there will be a daily limit on downloads for each user (say 5 dl per day per user), so there will be users with multiple accounts.

  1. IP detection is not good, because I have many users from one IP (users from one organization)
  2. Email verification and unique email accounts are not good; you can create more than one account
  3. SMS confirmation is not good; users can use a friend's cell phone number to register another account

I saw a website that solved this issue (partially): www.gameknot.com

They detect users by computer name or MAC address or something else, I am not sure. I registered 3 users there; they detected me, said: "these three users are using the same computer" and banned all three accounts.

When I reinstalled Windows the problem was solved; I have one user there.

So I asked myself, "how did they do this?"

Is there any suggestion as to how I can handle this issue?

A: 

They probably used cookies or IP to track, both easy to defeat. As with all security problems, it's a matter of availability vs security.

If it's really, really important, you might want to use SMS verification. It's probably as secure as it's going to get... But that's a pretty non-trivial thing to solve, especially with users from non-. I would just go with IP logging (so you can do a search periodically to see any strange patterns) and cookies.

Jonatan Hedborg
Dear Jonatan, as I mentioned, I have 50 users with one IP, so what? Forget about the IP thing.
safaali
Aye. It was not meant to be a proper security system based on IP, simply a way to check for bots and whatnot. If you suspect bot activity, IP logs might come in handy to decide if you want to ban it or not.
Jonatan Hedborg
A: 

If it was the MAC address, reinstalling Windows wouldn't change things - that's a hardware address.

Perhaps they were setting a cookie from your machine? The downside to that is that a user clearing their cookies will get open access.

Even tying it down to a single machine has disadvantages - what if it's a shared machine (in a home or even an internet cafe).

There's probably no ideal solution because you'll have cases where someone legitimately does something that looks dodgy and dodgy people who can look legitimate.

mopoke
Dear mopoke, the cookie thing is not working out, because users can delete them. Thanks anyway.
safaali
A: 

If I were to implement such a system, to have only one sign-on per user or something like that, I would do something like this:

1: Create an ID for the machine, based on IP; maybe using JavaScript/Java Applet/Flash you can get the MAC or take I don't know what other things into consideration. For simplicity let's say I compute the host ID like this:

ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC)

2: User1 logs in and let's pretend I computed host ID = 666. We look up a table in the DB, let's say table_hosts, that contains this data (user, host_id).

3: User1 used all 5 downloads (keep track of them using the session or records from the database).

4: User1 tries to log in as User2 and now we compute the ID = 666, the same ID = 666; we look up our table_hosts and find out that the same host ID was used during that day by User1 too. Now we can ban the accounts with that ID, give warnings like 20% until ban, etc.

Hope I could help, but remember to be creative, that's all that matters!

LE: Because others brought shared machines into the discussion, the ID may be calculated like this:

ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC) + MD5(NameOfLoggedOnUser)

But this has its disadvantage too: the abuser may create 2 or more accounts on their machine. Anyway, I repeat, be creative, and yeah, we should not forget that any lock can be lock picked.

Dr.Optix
Thanks, it seems great! So, what is the difference between PUBLIC_IP and LOCAL_IP? I was googling and I couldn't find any code for detecting the MAC of users. Do you know code for that?
safaali
With PUBLIC_IP I mean the IP you see when you go on http://whatismyip.com. With LOCAL_IP, the IP that belongs to a machine that's behind a router, something like 192.168.x.x, 10.0.x.x etc. On Windows you can see what the local IP is using ipconfig in cmd. About obtaining the MAC, assuming you'll do the guarding job with a Java Applet, look at this Java code http://www.kodejava.org/examples/250.html; it may help you.
Dr.Optix
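The host-ID scheme and the table_hosts lookup from the answer above, as an added worked example (not the answerer's code): the ID is the concatenated MD5 of each component, an in-memory dict stands in for table_hosts, and a download request is answered with ok, limit or shared-host. Every component of the ID is reported by the client (the MAC in particular cannot be observed by a web server), so the example only flags a shared host for review instead of banning; the names DownloadGuard and request_download are assumptions.

```python
import hashlib
from collections import defaultdict

DAILY_LIMIT = 5  # downloads per user per day, the limit from the question


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def host_id(public_ip: str, local_ip: str, mac: str, os_user: str = "") -> str:
    """Host ID as sketched in the answer: MD5 of each part, concatenated.
    os_user is the optional NameOfLoggedOnUser from the 'LE' variant.
    All inputs are client-reported, so the ID is a weak signal only."""
    parts = [md5_hex(public_ip), md5_hex(local_ip), md5_hex(mac)]
    if os_user:
        parts.append(md5_hex(os_user))
    return "".join(parts)


class DownloadGuard:
    """In-memory stand-in for table_hosts plus a per-user daily counter
    (hypothetical class, not from the answer)."""

    def __init__(self, daily_limit: int = DAILY_LIMIT):
        self.daily_limit = daily_limit
        self.hosts = defaultdict(set)      # (day, host_id) -> users seen
        self.downloads = defaultdict(int)  # (day, user) -> downloads used

    def request_download(self, user: str, hid: str, day: str) -> str:
        """Return 'ok', 'limit' or 'shared-host'.

        'shared-host' means another account already used this host ID
        today (step 4 of the answer); the request is held for review
        rather than counted, and no account is banned automatically."""
        others = self.hosts[(day, hid)] - {user}
        self.hosts[(day, hid)].add(user)
        if others:
            return "shared-host"
        if self.downloads[(day, user)] >= self.daily_limit:
            return "limit"
        self.downloads[(day, user)] += 1
        return "ok"

    def users_on_host(self, hid: str, day: str) -> list:
        """Accounts seen on this host ID on the given day, for a reviewer."""
        return sorted(self.hosts[(day, hid)])
```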
A: 

Well, StackOverflow seems to use Open ID to address this issue, if not eliminate it.

bmargulies
A: 

Great suggestion!

What is the difference between PUBLIC_IP and LOCAL_IP?

I think there is no way to detect the MAC address of the users, btw.

safaali
Use comments to respond to responses, not responses. The order isn't stable; no one can tell whom you were responding to.
bmargulies
A: 

I run a free site where people register accounts, and I've had some similar problems that you've had. I've required email verification and I've logged IPs, but people are always going to find a way to game the system. The only solution is really to monitor your site frequently to make sure nothing abnormal is going on. I had a case where three verified accounts were logging in from the same IP just minutes after one another and all performing the exact same action. I wrote to one of the users who complained "Oh no, it's just me, I don't know what you're talking about." I eventually suspended that user's account and all three accounts simultaneously became inactive.

I also had another case where someone was creating fake email accounts, but was doing so in pretty much the same way using the same password each time and a similar email address. He was causing problems on the site, so I banned all his accounts and he eventually stopped.

Just monitor and look for patterns. Aside from getting really tricky, that's pretty much all you can do.

Good luck!

Jason
Good idea, same passwords, ... this is good, but needs lots of effort, esp. when the number of users is a huge number like 1,000,000!!!
safaali
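The three patterns Jason describes (accounts logging in from one IP minutes apart, accounts sharing a password, and look-alike email addresses) as detection logic run over a constructed login log; this is an added example, not the answerer's site code. The password field is an opaque "fingerprint" placeholder: with per-user salted hashes stored hashes cannot be compared, so that check would have to run at registration time, and the record layout, the 10-minute window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real data):
# (timestamp, account, client IP, email, password fingerprint)
LOGINS = [
    ("2024-03-01 10:00:00", "alice",  "198.51.100.4", "alice@example.org",  "fp1"),
    ("2024-03-01 10:02:00", "alice2", "198.51.100.4", "alice2@example.org", "fp1"),
    ("2024-03-01 10:05:00", "alice3", "198.51.100.4", "alice3@example.org", "fp1"),
    ("2024-03-01 11:00:00", "bob",    "198.51.100.4", "bob@example.org",    "fp2"),
    ("2024-03-01 12:00:00", "carol",  "203.0.113.9",  "carol@example.net",  "fp3"),
]

def email_stem(email: str) -> str:
    """Local part, lower-cased, digits removed: alice2@x -> 'alice'."""
    return re.sub(r"\d+", "", email.split("@")[0].lower())

def same_ip_bursts(logins, window=timedelta(minutes=10)):
    """Pairs (ip, account) where two different accounts logged in from
    the same IP within `window` of each other (the 'minutes apart' case)."""
    by_ip = defaultdict(list)
    for ts, acct, ip, _email, _fp in logins:
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t1, a1) in enumerate(events):
            for t2, a2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted, so later events are further away
                if a1 != a2:
                    flagged.update({(ip, a1), (ip, a2)})
    return flagged

def _groups(logins, key_index, key_fn=lambda v: v):
    """Accounts grouped by one record field; keep groups of 2+ accounts."""
    groups = defaultdict(set)
    for rec in logins:
        groups[key_fn(rec[key_index])].add(rec[1])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def shared_password(logins):
    """Accounts sharing one password fingerprint (the 'same password' case)."""
    return _groups(logins, 4)

def similar_emails(logins):
    """Accounts whose emails differ only by digits in the local part."""
    return _groups(logins, 3, email_stem)
```

Each function returns a candidate list for a human reviewer, which matches the answer's point that monitoring, not automatic banning, is what actually scales the judgement.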