
I would like to know the best way to increase security on a website so that a single user can't create multiple accounts.

What all of a user can be traced? I'm thinking:

  • IP address
  • MAC address
  • Browser details
  • Computer name and its details

I know an IP address can be spoofed but is there a work around to still identify a banned user? Maybe a combination of IP, MAC, and computer details?

Can we ban users on the basis of their MAC address? Is there any other way to trace them to stop them creating multiple accounts?

asked by adam rai; edited by Scott Pack
  • A website doesn't see the user's MAC address. – CodesInChaos Apr 15 '12 at 11:39
  • If users with multiple accounts from one person are a problem for a web application I don't think there is a way to really stop them with network level code. I'd look at how Stack Exchange sites work, with limited privileges until you've been around long enough to have some credibility. There are a number of sites that I visit where I'd be glad to Paypal a dollar to be validated as a real person, so as to separate real people from trolls. – Jim In Texas Apr 16 '12 at 18:27

3 Answers


There is no effective way to prevent a dedicated attacker from creating multiple accounts. No matter what you do, the attacker will still be able to create multiple "sock puppet" accounts. The best you can do is raise the cost of creating additional accounts.

One approach is to require the user to provide a mobile phone number, authenticate the user's phone number (by calling it, speaking a random auth code, and having the user enter the auth code into the web site, like Google Voice does). Then you can ensure that each mobile phone number is linked to at most one account. This does not prevent creating multiple accounts -- an attacker can still buy multiple disposable phones, for instance -- but it raises the attacker's costs and might be enough to convince him/her to bother someone else instead. The disadvantage is that it prevents some people from using your site, e.g., if they don't have a mobile phone, or if they are not willing to share their mobile phone number with you (people will probably be reluctant to share their mobile number with a site they don't already have a very good trust relationship with).

Another possible approach is to require the user to authenticate with a Facebook account, and rely upon Facebook to check uniqueness. This is also far from perfect: people can still create fake Facebook accounts. The disadvantage is that requiring people to log in via Facebook may prevent many people from using your site and is bad for privacy. It is unfriendly to people who don't want to log in with Facebook, don't use Facebook, or don't want to share their Facebook information with you.

See also How to prevent cheating (extra votes) in online contests? for more discussion about a variety of mitigations.

D.W.
  • Both suggestions would stop me from using the website – CodesInChaos Apr 15 '12 at 11:38
  • @CodeInChaos, yes, I agree. I don't like those suggestions, either (for instance, I probably wouldn't use any site that imposed those restrictions). I've edited my answer to reflect this shortcoming. – D.W. Apr 15 '12 at 23:12
  • You have your OpenID options (ie where an individual may not like Facebook, they may be happy with one of the other providers...) – Rory Alsop Apr 16 '12 at 11:01
  • @RoryAlsop - well, yeah, but one can only allow other providers who we will try to ensure a "real names only", "one person, one account" policy. Facebook tries to prevent you from having multiple accounts (if they know of it). Many OpenID providers let people create as many accounts as they want, and that does not violate their terms of service. – D.W. Apr 16 '12 at 18:23
  • very true. My point was more of a 'there are others if you dislike Facebook' comment :-) – Rory Alsop Apr 16 '12 at 19:27
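
Added example (editor's illustration, not code from D.W.'s answer): the phone-number step above, sketched in Python. It enforces the "each number is linked to at most one account" rule, stores only a salted hash of the pending code, expires the code, limits guesses, and re-checks ownership at verification time so that two accounts racing to claim the same number cannot both win. The 6-digit code, the 5-minute lifetime, the 5-attempt limit, the in-memory dictionaries and the simplistic digit-only normalization are all assumptions made for the example; a real deployment would use a proper phone-number library and durable storage, and would deliver the code by voice or SMS instead of returning it.

```python
import hashlib
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption for the example
MAX_ATTEMPTS = 5         # assumption for the example


def normalize_phone(raw):
    """Reduce a phone number to a loose E.164-like key.

    Deliberately simple (assumption for the example): its only job here is
    that '+1 (555) 010-1234' and '15550101234' map to the same key, so one
    number cannot be bound twice under different spellings.
    """
    digits = re.sub(r"\D", "", raw)
    if not 8 <= len(digits) <= 15:
        raise ValueError("phone number has an implausible number of digits")
    return "+" + digits


class PhoneVerifier:
    """One phone number, at most one account.

    Pending challenges hold a salted SHA-256 of the code, so a leaked table
    does not reveal live codes. Ownership is checked both when a challenge
    starts and when it is verified, closing the race between two accounts
    that request the same number at nearly the same time.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # account_id -> challenge record
        self._phone_to_account = {}     # normalized phone -> account_id

    def start_challenge(self, account_id, raw_phone):
        phone = normalize_phone(raw_phone)
        owner = self._phone_to_account.get(phone)
        if owner is not None and owner != account_id:
            raise ValueError("phone number already bound to another account")
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        salt = secrets.token_bytes(16)
        self._pending[account_id] = {
            "phone": phone,
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # In production the code is spoken or texted to the phone; the
        # example returns it so the flow can be exercised offline.
        return code

    def verify(self, account_id, submitted_code):
        ch = self._pending.get(account_id)
        if ch is None:
            return False
        if self._now() > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]      # stale or brute-forced: discard
            return False
        ch["attempts"] += 1
        got = hashlib.sha256(ch["salt"] + submitted_code.encode()).digest()
        if not hmac.compare_digest(ch["digest"], got):
            return False
        # Re-check ownership: another account may have finished verifying
        # the same number while this challenge was pending.
        owner = self._phone_to_account.get(ch["phone"])
        if owner is not None and owner != account_id:
            del self._pending[account_id]
            return False
        self._phone_to_account[ch["phone"]] = account_id
        del self._pending[account_id]
        return True

    def phone_of(self, account_id):
        for phone, owner in self._phone_to_account.items():
            if owner == account_id:
                return phone
        return None
```

The binding table is what makes this an anti-sock-puppet control rather than plain 2FA: the second account to present a number already in the table is refused at both `start_challenge` and `verify`, whichever order the two requests arrive in.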

To supplement D.W.'s excellent answer...

You can't read the MAC address of a client across a router. A MAC address can easily be changed (so easy it doesn't even deserve the 'spoofed' epithet).

A browser user agent is not unique and again trivial to change.

The only 'Computer name' you'll see at server end is the DNS PTR record for the IP address - hence see discussion of IP address.

The IP address can be spoofed. Spoofing an IP address over a routed TCP stream without having access to the routers is hard to do; however, a large proportion of users on the internet get temporary IP addresses from a pool, and an increasing volume of users will be sharing an IP address. Using the netname from the whois record can help with identifying a user across different IP addresses - but using this on its own will give a huge number of false positives.

You might want to have a look at this post on my blog talking about browser fingerprinting and the links to other sources, particularly evercookie; however, do bear in mind that this approach relies on subverting the security model of the browser.

Using a cookie based FSM and a Turing test will help with ensuring that there is a human being sitting at the remote end, thus preventing bot voting.

symcbean

I'd try making multiple accounts a less attractive alternative than having a single account. Maybe have users accumulate privilege like SO through good behavior (new accounts have little privilege and can do very little) so the effect of the ban is losing all privileges? Possibly only do silent bans, so banned users aren't aware they've been banned, but their activity isn't seen by anyone else?

If you have to ban a user and want to identify them somehow, I'd rely primarily on IP address recognizing that (a) savvy users will have multiple IP addresses and (b) could be sharing IP addresses with non-banned users.

I would not use browser fingerprinting like panopticlick.com (trivial to change the fingerprint - e.g., use a different browser (firefox/chrome/opera/konquerer/safari/IE) or computer, change your user agent string; install/uninstall fonts/plugins).

I would not use evercookie -- easily avoided by changing computers or virtual machines and somewhat unethical.

You also may want to build in a remedy for users who claim their IP address has been banned who have never misused your service. For example, today 100.101.102.103 is assigned to user A who got banned by your ISP, tomorrow it is assigned to user B who is good and should not be banned (especially common for mobile devices). Or you share a wifi router with several people in an apartment who want separate accounts, but all appear to have the same IP address on your account (e.g., your router uses NAT).

Remember, websites operate on TCP. So it is not trivial to spoof an IP address; your IP address is like a mailing address -- it contains routing information and TCP requires a back-and-forth handshake before sending information like a web page GET/POST request. So while it's easy to lie during the initial step of a TCP handshake and say I'm at a fake IP address that resides in California rather than your real IP address in New York, the packets will end up being routed to some computer in California rather than yours in New York, and since you'll never see the server's responses you won't get to complete the handshake and make the request (unless you control the computer in California (or an intermediate router) and forward the packets back to your computer, or end up guessing the correct 32-bit integer (1 in 4 billion chance) from the server).

Granted it costs under ~$5 to legitimately get another IP address to set up a proxy and most tech-savvy people already have several IP addresses they could use. But it becomes less convenient for them to do so.

dr jimbob
  • "_Possibly only do silent bans, so banned users aren't aware they've been banned, but their activity isn't seen by anyone else?_" so that when they realise they were banned, they become extremely angry and try to pay back? – curiousguy Jun 25 '12 at 21:15
  • @curiousguy Reddit shadowbans all the time, and they haven't been firebombed. – Chloe Jan 26 '14 at 09:20
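
Added example (editor's illustration, not code from dr jimbob's answer): the answer's three mechanisms in one small Python policy object: IP bans as the primary handle, a built-in remedy for reassigned and shared addresses, and shadowbans. The remedy takes two forms. Every IP ban carries a TTL, so an address that the ISP hands to someone else next week stops being blocked on its own; and an account that has already earned reputation is not blocked by an IP ban, which covers the apartment-NAT case where one good user and one banned user sit behind the same address. A shadowbanned account keeps seeing its own posts while everyone else is shown nothing. The one-week default TTL, the reputation floor of 50, the in-memory tables and the account names are all assumptions made for the example.

```python
import ipaddress
import time

BAN_TTL_SECONDS = 7 * 24 * 3600   # assumption: a week, so reassigned addresses heal


class BanPolicy:
    """IP bans that expire, overridden by earned standing, plus shadowbans.

    ip_is_banned / may_register treat the address as the primary signal.
    may_act lets an account with reputation through even from a banned
    address, so a good neighbour sharing a NAT is not collateral damage.
    visible_to implements the silent ban: the author still sees their own
    activity; nobody else does.
    """

    def __init__(self, now=time.time, reputation_floor=50):
        self._now = now                  # injectable clock, for testing expiry
        self._ip_bans = {}               # ipaddress object -> expiry timestamp
        self._shadowbanned = set()       # account ids
        self._reputation = {}            # account id -> points earned
        self._floor = reputation_floor

    def ban_ip(self, addr, ttl=BAN_TTL_SECONDS):
        self._ip_bans[ipaddress.ip_address(addr)] = self._now() + ttl

    def shadowban(self, account_id):
        self._shadowbanned.add(account_id)

    def record_reputation(self, account_id, points):
        self._reputation[account_id] = self._reputation.get(account_id, 0) + points

    def ip_is_banned(self, addr):
        ip = ipaddress.ip_address(addr)
        expiry = self._ip_bans.get(ip)
        if expiry is None:
            return False
        if self._now() >= expiry:
            del self._ip_bans[ip]        # lazy expiry: the address is clean again
            return False
        return True

    def may_register(self, addr):
        """New accounts from a banned address are refused outright."""
        return not self.ip_is_banned(addr)

    def may_act(self, account_id, addr):
        """Existing accounts: a banned address blocks only accounts without standing."""
        if not self.ip_is_banned(addr):
            return True
        return self._reputation.get(account_id, 0) >= self._floor

    def visible_to(self, viewer_id, author_id):
        """Shadowban: the author always sees their own posts; others never do."""
        if author_id not in self._shadowbanned:
            return True
        return viewer_id == author_id
```

Registration is the one place where the IP is checked with no override, which is exactly where the answer wants the friction: a banned person has to obtain a fresh address before they can even start over, while established users behind the same address keep working.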