1

I would like to provide some free tokens to users on registration, but I don't want bot accounts to register and get free tokens. Is there any way to prevent this?

I would like to use phone verification, but I am not sure if it's obsolete. I was able to find services that provide virtual numbers such as Twilio. So not sure if phone verification is enough.

Do I have other options? GCP and AWS force credit card registration but that's very inconvenient to the user.

Edit:

Can bots make fake phone numbers for verification? Can bots make fake credit card numbers for verification? Is there any other similar method that can make it expensive for bots to make registrations?

Shravan S
  • 13
  • 3
  • 5
    Does this answer your question? [How can I detect and block bots?](https://security.stackexchange.com/questions/4759), [Good ways to prevent spammers from registering](https://security.stackexchange.com/questions/30273), [Is there a true alternative to using CAPTCHA images?](https://security.stackexchange.com/questions/29571). In general, the efforts you need to take and the inconvenience for your users depend a lot on the value of the registration for the spammer/bot, so you need to find the right balance for your specific use case. – Steffen Ullrich Jun 27 '21 at 16:25

2 Answers

3

No. There are no guarantees.

There are lots of things that can make it more difficult for bots to register, but as you said, you have to balance that against the inconvenience to your users.

The better option is to be ok with some bots getting free tokens or to change your business model so that this is not an issue for you.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Can credit card numbers or phone numbers be faked for registration? What is the most user friendly way to make it expensive for bots to make registrations (should cost the bot at least $5 per registration)? – Shravan S Jun 28 '21 at 06:05
  • 1
    Numbers can be faked. But the function of the numbers cannot. – schroeder Jun 28 '21 at 07:28
1

Many users are reluctant to provide a phone number - for good reasons - unless this is already part of the registration process and accepted by the users. Indeed, virtual/disposable phone numbers are readily available, even for free. Phone verification is not foolproof.

Have you tried available options like captcha? Unless the tokens have a redeemable value that is not negligible, you may be worrying too much.

What you should probably do is monitor the number of requests/day/IP address and there should be some form of rate-limiting. If many requests come from a single IP address this could be a sign of abuse.

You could also delay the granting of the tokens - subject to a manual review. What you need is some kind of page/report you can run on a daily/hourly basis that shows e-mail addresses, IP addresses etc., and highlights duplicates and suspicious signups. Then you release the credits in one click, except for the suspicious entries you want to investigate further. For this, you use checkboxes so you can tick or untick specific users.

It is a slight inconvenience for users, but on the other hand this could act as a filter and help attract users who are motivated enough and willing to wait for a reward.

I think that one way or the other, you need to monitor the activity. At a minimum, you could get a notification by E-mail every time someone signs up to your site. If there is a sudden influx of registrations you will quickly notice.

If you remove the instant and automated allocation of tokens to users, there is less of an incentive for people to cheat. Also, they are alerted that registrations are being monitored and reviewed by a real human being. This is a put-off for profiteers.

That's the reality of business, not everything can be easily automated. The solution does not always have to be high-tech.

E-commerce ventures in the real world also have employees who spend time behind the scenes vetting the new users, and also the not-so-new ones when, for example, certain orders are deemed to be outside the usual patterns and trigger an algorithm. Sometimes they even pick up the phone and call customers. It's all about risk management.

Kate
  • 6,967
  • 20
  • 23
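As an added example (not code from Kate's answer or from the original page), the following Python script implements the pieces this answer describes: counting registrations per IP address per day for rate-limiting, a daily review report that flags duplicate e-mail addresses and suspicious signups, a one-click release that grants tokens to clean rows and holds flagged rows unless the reviewer ticks them, and an hourly influx check that feeds the notification e-mail. The sample signups, the thresholds, and the e-mail normalization rule (lowercase, strip `+tag` sub-addresses) are assumptions constructed for the example.

```python
"""Daily signup review: per-IP rate counts, duplicate/suspicious flags,
hold-then-release of free tokens, and an hourly influx alert.
Constructed example; not code from the original answer."""
from collections import Counter, defaultdict

# Constructed sample signups (email, source IP, UTC timestamp) using
# documentation-reserved example addresses; not real data.
SIGNUPS = [
    ("alice@example.com",  "203.0.113.10", "2021-06-28T08:01:00"),
    ("bob@example.org",    "198.51.100.7", "2021-06-28T09:30:00"),
    ("carol@example.net",  "203.0.113.10", "2021-06-28T09:45:00"),
    ("dave+1@example.com", "192.0.2.44",   "2021-06-28T10:00:00"),
    ("dave+2@example.com", "192.0.2.44",   "2021-06-28T10:00:30"),
    ("dave+3@example.com", "192.0.2.44",   "2021-06-28T10:01:00"),
    ("dave+4@example.com", "192.0.2.44",   "2021-06-28T10:01:30"),
    ("erin@example.com",   "198.51.100.9", "2021-06-29T14:00:00"),
]

MAX_PER_IP_PER_DAY = 3   # assumed threshold; tune to your real traffic
MAX_PER_HOUR = 3         # assumed influx threshold for the alert e-mail
HOLD_FLAGS = {"duplicate_email", "ip_rate_exceeded"}  # flags that block auto-release


def normalize_email(addr: str) -> str:
    """Collapse the usual duplicate tricks: letter case and '+tag' sub-addresses."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def ip_day_counts(signups) -> Counter:
    """Registrations per (IP, calendar day): the input for per-IP rate limiting."""
    return Counter((ip, at[:10]) for _, ip, at in signups)


def build_review_report(signups, max_per_ip_per_day=MAX_PER_IP_PER_DAY):
    """One row per signup with flags; 'hold' rows wait for a human before tokens are granted."""
    per_ip_day = ip_day_counts(signups)
    email_counts = Counter(normalize_email(e) for e, _, _ in signups)
    emails_per_ip_day = defaultdict(set)
    for e, ip, at in signups:
        emails_per_ip_day[(ip, at[:10])].add(normalize_email(e))

    report = []
    for email, ip, at in signups:
        flags = []
        if email_counts[normalize_email(email)] > 1:
            flags.append("duplicate_email")
        if per_ip_day[(ip, at[:10])] > max_per_ip_per_day:
            flags.append("ip_rate_exceeded")
        if len(emails_per_ip_day[(ip, at[:10])]) > 1:
            flags.append("shared_ip")  # informational only: could be NAT or a shared office
        report.append({"email": email, "ip": ip, "at": at, "flags": flags,
                       "hold": bool(set(flags) & HOLD_FLAGS)})
    return report


def release_credits(report, ticked=frozenset(), tokens=100):
    """The 'one click' release: grant tokens to every clean row plus any held row the
    reviewer explicitly ticked; everything else stays pending for investigation."""
    released, pending = {}, []
    for row in report:
        if not row["hold"] or row["email"] in ticked:
            released[row["email"]] = tokens
        else:
            pending.append(row["email"])
    return released, pending


def influx_alerts(signups, max_per_hour=MAX_PER_HOUR):
    """Hour buckets whose signup count exceeds the baseline: what the alert e-mail reports."""
    per_hour = Counter(at[:13] for _, _, at in signups)
    return sorted((hour + ":00", n) for hour, n in per_hour.items() if n > max_per_hour)


if __name__ == "__main__":
    rep = build_review_report(SIGNUPS)
    for row in rep:
        print(("HOLD " if row["hold"] else "ok   ") + row["email"], row["ip"], row["flags"])
    granted, waiting = release_credits(rep)
    print("released:", granted)
    print("pending review:", waiting)
    print("influx alerts:", influx_alerts(SIGNUPS))
```

Run as-is, the four `dave+N` aliases from one address are held (duplicate e-mail and more than three registrations from that IP in a day), the two accounts sharing an IP are only annotated, and the 10:00 hour is reported as an influx; `release_credits(rep, ticked={...})` is the checkbox override for rows the reviewer decides are fine.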