10

I am an outsourcing person, not a programmer. My website is a shopping website (think eBay). My website will need a user suspension feature, in case a user violates the terms and conditions. The problem is to detect users who create a second account. Here are ways I've thought of:

  • IP address tracking
  • User information (email address or any information that is repeated on the second time of registration, after suspension)
  • Session ID cookies are also a way to identify the users after login

Any more creative suggested ideas? Is it possible to make it 100% impossible to prevent those bad users (frauds, spammers) from coming back?

Gilles 'SO- stop being evil'
ahmed amro
  • It would be trivial to get around all of your ways of creating a second account. If the account is suspended a new email account can be used, they likely are already using a proxy, and session cookies can be wiped. – Ramhound Oct 25 '12 at 13:08
  • See http://security.stackexchange.com/questions/19251/how-to-verify-that-someone-is-who-they-say-they-are-online – David Wachtfogel Oct 25 '12 at 13:23

4 Answers

8

There is no way to prevent multiple registrations.

I have two suggestions to offer

  1. Make multiple registrations undesirable, for example by charging a fee.

  2. Outsource the identity problem to someone else, for example by using Facebook or Google login instead of rolling your own.

ddyer
  • Thanks for your nice creative new tips =) Can I ask you a question: do you think it's hard to make a website which is 100% secure from hacking, like eBay? The security issue worries me so much because it's the main target, and I am an outsourcer and designer – ahmed amro Oct 25 '12 at 02:33
  • It's impossible to be sure, and it's very easy to make a huge mistake. Your best defence is to be a small and uninteresting target. – ddyer Oct 25 '12 at 06:21
  • You mean to be unknown, because the more popular I am the more I am in danger? This means I should not make a successful website then?! I am not going to be the programmer for sure, because I will be a joker if I say this. – ahmed amro Oct 25 '12 at 10:06
  • You mean to be unknown, because the more popular I am the more I am in danger? This means I should not make a successful website then?! I am not going to be the programmer for sure, because I will be a joker if I say this. I won't write the code, as I am a 0 out of 10 programmer; all I am is the owner of a unique idea and PSD design and very new ideas which need secure coding. Do you think a developer with good skills can make a website like eBay very secure? I had the idea of hiring a freelance developer and then hiring hackers to try hacking it to find the holes... any suggestions? – ahmed amro Oct 25 '12 at 10:12
  • Security is a bottomless pit you pour money into. Having someone "skilled", "knowledgeable" or some other reassuring adjective do the work is a good start, but no one can offer guarantees. Likewise hiring "white hat hackers" to evaluate your site is a good start, but no one can credibly guarantee the results. – ddyer Oct 25 '12 at 11:35
  • The bottom line is you have to scale your efforts to the realistic threat level. If you're obscure and have nothing worth wrecking or stealing, then you need not work too hard on security. Scale up from there. – ddyer Oct 25 '12 at 11:37
  • How much do you think a good white-hat hacker freelancer can be hired for, to inspect all holes according to his knowledge? How much do you rate the eBay website as secure from hacking, as there is no 100% security, and so go for PayPal? – ahmed amro Oct 25 '12 at 11:48
  • I can promise you that Ebay isn't 100% secure from hacking. I am pretty sure there have been security issues with both PayPal and Ebay. – Ramhound Oct 25 '12 at 13:10
  • How much do you score their security level, maybe 80%?? – ahmed amro Oct 25 '12 at 19:46
  • @ahmedamro There is no way to *score* security. – Philipp Sep 25 '14 at 10:33
6

No - given that most users come in from large ISPs, their IPs are not fixed for all time - the names they give to you certainly aren't fixed

Security is not a black and white issue - though it seems too many don't seem to understand that - it's an issue of making the cost of defeating it not worth the reward

In the general scenario you're describing, a CAPTCHA might help - for the dumb ones it defeats them - for the more sophisticated, they may not care to waste the machine cycles, at least for spammers

Email won't do you any good - I'm a nice guy and I still have an excessive number of email accounts, and it's really easy to get more these days

Summarizing, stop looking for a black and white solution - instead, look for a solution where the costs to legitimate users are acceptable, but the costs aren't acceptable for the given reward for someone overriding your safeguards

And take a page from the Stack Overflow world - reputation is something you can bind to accounts - then you at least have a way of 'scoring' users

Mark Mullin
  • Mark, thanks for this. I already thought of good ideas about it, to motivate the users to be good and care about their image. But some frauds are really abusive and do not follow the terms and conditions. – ahmed amro Oct 25 '12 at 02:28
3

You could prevent multi-registration by increasing your identity proofing (See OMB M-04-04). Of course by doing so, registration is now much more difficult for your legitimate customers. So while you could prevent multi-registration, you probably don't want to. (Please note, I'm not seriously suggesting that you upgrade your identity proofing. Increased identity proofing answers the specific question you asked, but I don't think it is a practical solution to your problem).

I believe your real challenge is to design a registration system that discourages fraudulent users but is relatively transparent to legitimate users. If I were in your shoes I would probably @Mark Mullin's suggestion that you bind some reputation to the account with federated identity. Federated identity means that you don't register users; you allow them to use credentials generated by a third party. For example, I use my Google credentials to log into Stack Exchange. The "how to" on federated identity is a bit more complicated than I think is appropriate in a Stack Exchange answer, but you may wish to consult Google's Relying Party site. Two of the primary implementations are OpenID and Shibboleth, and I know that Kingsley Idehen has posted extensively on "how to", including code samples (that last link is to his G+ profile; I don't have a better way to contact him).

I think that there is much merit in Mr. Mullin's suggestion that you create reputation and link it to the user's account. Assign a reputation score based on the number of transactions the user has participated in, or the total value of the transactions, or, like eBay, on the feedback from other participants in the transaction.

And to echo someone else's comment, no, it is not possible to make a website 100% secure. That is a fundamental principle of security; the best you can hope for is to mitigate the risk to an acceptable level. If you're really doing security design for a website that involves monetary transactions, I would urge you to obtain a security architect. Security is complicated. Your security architect needs to have a lot of fundamental knowledge that can't be picked up through Google searches. If you are conducting monetary transactions without a security architect you are exposing your company to considerable risk: the risk of losing money, the risk of being sued by customers who have lost money or personal data, and potentially criminal liability, depending on where you're located. This isn't something that can be learned through a month of internet research.

MCW
  • Thank you so much for this. But the users are worldwide, so it's really hard to collect such information. I looked through it, and those kinds of applications, how could they be applied to a brand new website that maybe you won't trust? And how would you risk personal important information that might be hacked! – ahmed amro Oct 25 '12 at 11:01
  • I'm not sure what global scope has to do with it. Federated identity isn't tied to geographic scope; the most popular federated identity provider is Google, and they're pretty much global in scope. I'm afraid I don't understand the last two sentences of your comment; could you rephrase? – MCW Oct 25 '12 at 11:11
  • Can you explain, sorry, how to apply what you sent to the users? Because I am lost too haha =) – ahmed amro Oct 25 '12 at 11:27
  • @ahmedamro - You still are not making a great deal of sense. What exactly are you sending to users? – Ramhound Oct 25 '12 at 13:11
  • That answer is much larger than is appropriate for Stack Exchange. – MCW Oct 25 '12 at 13:16
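One way to turn the reputation idea in this answer (and Mark Mullin's) into code, as an added example that is not part of either answer: the logarithmic value term, the per-transaction cap, the feedback weights and the privilege thresholds are all assumed design choices, chosen so that a freshly re-registered account starts from zero and cannot buy trust with one large transaction.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Transaction:
    value: float             # transaction value in the site's currency
    feedback: Optional[int]  # +1 positive, 0 neutral, -1 negative, None if unrated


@dataclass
class Account:
    user_id: str
    transactions: List[Transaction] = field(default_factory=list)


# Assumed privilege thresholds: a fresh account (including a re-registered
# suspended user) starts at zero and cannot reach the riskier actions quickly.
PRIVILEGE_THRESHOLDS = {
    "list_item": 0.0,
    "list_high_value_item": 5.0,
    "sell_without_escrow": 20.0,
}


def reputation(account: Account) -> float:
    """Score from transaction count, value and counterparty feedback.

    Assumed design: value counts logarithmically and each transaction's
    contribution is capped, so one large sale cannot buy trust; negative
    feedback costs twice what positive feedback earns.
    """
    score = 0.0
    for t in account.transactions:
        base = min(1.0 + math.log1p(max(t.value, 0.0)) / 5.0, 3.0)
        if t.feedback is None or t.feedback == 0:
            score += base * 0.5
        elif t.feedback > 0:
            score += base
        else:
            score -= base * 2.0
    return round(max(score, 0.0), 2)


def allowed(account: Account, action: str) -> bool:
    """Gate a privileged action on the account's current reputation."""
    return reputation(account) >= PRIVILEGE_THRESHOLDS[action]
```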
1

There is a way you can make it extremely difficult for a user to re-register more than a certain number of times without disrupting legitimate user registration. Just follow the money...

As a shopping website, your users must be using some kind of payment system. If they are putting their financial information into your system (not using a third party like PayPal) you can ban their credit/debit/bank account info. You'll have to make the financial information mandatory as part of the user registration process, but Apple does the same thing with the App Store, so it's not likely to be perceived as unreasonably burdensome to legitimate users.

Now, a nefarious user can only register once for every payment account they have. If they start constantly changing their account numbers by opening and closing cards or accounts they risk attracting unwanted attention from financial institutions or regulators.

RajanPB
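An added example (not RajanPB's code) of the "ban the payment account" check described above, assuming the site stores only a keyed fingerprint of the card or account number rather than the number itself; the pepper, the one-account-per-payment-account limit and the number-format check are assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

# Assumed server-side secret (in production it lives in a secrets store).
# A keyed hash matters here: card numbers have little entropy, so a plain
# SHA-256 table could be brute-forced back into numbers if it leaked.
PEPPER = b"example-pepper-do-not-use-in-production"

# Assumed policy: each payment account may back at most this many site accounts.
MAX_REGISTRATIONS_PER_ACCOUNT = 1


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so differently formatted entries of one number match."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a card/bank account number")
    return digits


def fingerprint(pan: str) -> str:
    """Keyed fingerprint of a payment account; the raw number is never stored."""
    return hmac.new(PEPPER, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


class RegistrationGuard:
    def __init__(self) -> None:
        self.banned = set()             # fingerprints behind suspended users
        self.registrations = Counter()  # site accounts per payment fingerprint

    def suspend(self, pan: str) -> None:
        """Suspend a user: ban the payment account they registered with."""
        self.banned.add(fingerprint(pan))

    def register(self, pan: str) -> bool:
        """Return True if the registration may proceed, False if it is blocked."""
        fp = fingerprint(pan)
        if fp in self.banned:
            return False
        if self.registrations[fp] >= MAX_REGISTRATIONS_PER_ACCOUNT:
            return False
        self.registrations[fp] += 1
        return True
```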