We have a service where we literally give away free money.

Naturally said service is ripe for abuse. To defend against this we do the following:

  • log ip address

  • use unique email addresses (only 1 acct/email addy)

  • collect more info like st. address, phone number, etc.

  • use signup captcha

  • BHOs (I've seen poker rooms use these)

Now, let's get real here -- NONE of this will stop a determined user.

Obviously IP addresses can be changed via a proxy (which could be blacklisted via Akismet), but they change anyway if the user has a dynamic IP or if more than one user is behind a NATed network (can we say almost everyone?).

I can sign up for thousands of unique email addresses each hour -- this is no defense.

I can put in fake information taken from lists for street addresses and phone numbers.

I can buy captchas from captcha solving services (1k for $5).

BHOs seem to be effective only for downloadable software -- this is a website.

What are some other ways to prevent multiple users from abusing the service? How do all the PPC people control click fraud?

I know we could actually call the person but I don't think we are trying to do that anytime soon.

Thanks,

+2  A: 

I think the only way is to bind your users' accounts to 'real world' information, like his/her passport number, for instance. Of course, you'll need to make sure that information is securely stored and find some way to validate it.

Rubens Farias
+3  A: 

It's pretty difficult to generate lots of fake phone numbers that can send and receive SMS messages. SMS verification could go a long way towards cutting down on fraud. Of course, it also limits you to giving away free money to cell phone owners.

Adam Crossland
Yeah... this is probably the best method, but it does have 2 limitations -- that's an extra X cents/user we have to pay, and it does limit us to cell phone owners, which I don't think we can do.
feydr
A: 

You have to bind their information to something that is 'real world', as Rubens says. Of course, you also need to be able to verify this information (I can just make up passport numbers all day if you don't check to make sure they're correct).

How do you deliver the money? Perhaps you can index this off the paypal account, mailing address, or whatever you're sending the money to?

Curtis
Good idea! I wasn't thinking in that direction yet -- there might be a way of doing that.
feydr
A: 

Sometimes the only way to prevent people abusing a system is to not have the system in the first place.

If you're doing what you say you're doing, "giving away money to people", then surprise surprise, there will be tons of people with more time available to try to find ways to game the system than you will have to fix it.

Lasse V. Karlsen
A: 

Re: signing up for new email accounts...

A user doesn't even need to do that. Please feel free to send your mail to [email protected], or [email protected], or [email protected], or [email protected]. I haven't registered any of those email addresses, but all of them will work.

Those domains are owned by ManyBrain, and they (and probably others as well) set the domain to accept any email user. ManyBrain in particular then makes the inboxes for those emails publicly accessible without any registration (stripping everything but text from the email and deleting old mail). Check it out: [email protected]'s email inbox!

Others have mentioned ways to try and keep user identities unique. This is just one more reason to not trust email addresses.

Brian S
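The two ideas above that actually survive the asker's objections are Curtis's (key uniqueness off the payout destination rather than the email) and Brian's (treat catch-all/disposable domains as untrusted). Here is an added example, not code from any of the posters, of what that looks like as a signup check: it canonicalises the email, phone, mailing address and PayPal address so trivial variations (plus-tags, dots, punctuation, case) collapse to one dedupe key, flags a disposable domain, and holds a signup whose payout destination is already claimed by another account. The domain list and the "US number if 10 digits" rule are assumptions for the demo.

```python
import re

# Constructed sample of catch-all/disposable domains; a real deployment would load
# a maintained list rather than hard-code one (assumption for this example).
DISPOSABLE_DOMAINS = {"example-catchall.test", "throwaway.test"}


def normalize_email(addr: str) -> str:
    """Canonical form: lowercase, strip '+tag', drop dots where the provider ignores them."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in {"gmail.com", "googlemail.com"}:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(phone: str) -> str:
    digits = re.sub(r"\D", "", phone)
    return "1" + digits if len(digits) == 10 else digits  # assume US if no country code


def normalize_address(addr: str) -> str:
    return re.sub(r"[^a-z0-9]", "", addr.lower())  # crude: collapses case and punctuation


def is_disposable(email: str) -> bool:
    return normalize_email(email).rpartition("@")[2] in DISPOSABLE_DOMAINS


def dedupe_keys(signup: dict) -> set[str]:
    """Identifiers that should be unique across accounts; payout destination is the strongest."""
    keys = {"email:" + normalize_email(signup["email"])}
    if signup.get("paypal"):
        keys.add("paypal:" + normalize_email(signup["paypal"]))
    if signup.get("phone"):
        keys.add("phone:" + normalize_phone(signup["phone"]))
    if signup.get("address"):
        keys.add("addr:" + normalize_address(signup["address"]))
    return keys


class SignupRegistry:
    def __init__(self) -> None:
        self.seen: dict[str, str] = {}  # dedupe key -> account id that first claimed it

    def register(self, account_id: str, signup: dict) -> list[str]:
        """Return reasons to hold the signup for manual review; an empty list means accept."""
        reasons = []
        if is_disposable(signup["email"]):
            reasons.append("disposable email domain")
        for key in sorted(dedupe_keys(signup)):
            if key in self.seen and self.seen[key] != account_id:
                reasons.append(f"{key} already used by account {self.seen[key]}")
            else:
                self.seen.setdefault(key, account_id)
        return reasons
```

The email key is kept only as the weakest signal; the hold decision is meant to be driven by the payout and contact keys, which cost an abuser real resources to vary.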