8

As part of a promotional campaign, my company wants to launch a site where users (and potential users) of our product will be required to register and vote for certain choices. Depending on how successful it is this might become a regular feature. Since the proposed prizes will not be insubstantial, naturally we are concerned about voter fraud. How can we detect the usage of proxies, Tor and various other methods that might be used by unscrupulous users looking to game the system? For example, how does https://check.torproject.org work? Are there any ready-made scripts we can use, not just for Tor but in general?

I see that Stack Exchange has held competitions in the past based on online voting, so I am hopeful of getting some good answers here.

Thanks,

Samuel

Samuel
  • 3
    If they are required to have a user account then limit the account to a single vote. If you are worried about a single user creating multiple user accounts, that is a different problem, not connected to the online voting. – Ramhound Feb 13 '13 at 16:48
  • Related/potential duplicate(?) [is this question](http://security.stackexchange.com/questions/10601). Although I'm somewhat biased, having the answer with the most votes. – Clockwork-Muse Feb 13 '13 at 22:37
  • Why is use of Tor a problem? For that matter, when you say "voter fraud", can you define what you mean by that term? What are the requirements/assumptions that you are most concerned about? – D.W. Feb 14 '13 at 00:30
  • @D.W.: Thank you for your comment. By "voter fraud" I mean multiple sock-puppet accounts being created for the sole purpose of voting for a single user. – Samuel Feb 14 '13 at 17:24

5 Answers

7

Voting systems are "gamed" by people voting more times than should be normally allowed (e.g. voting several times). The only way to prevent this is to have a way to identify voters and to prevent multiple votes.

Reliable methods entail authenticating users, e.g. with passwords, but this has two drawbacks, namely that 1. users don't like it, and 2. this does not really solve the problem, but moves it to a prior "registration phase".

Unreliable methods are about heuristically detecting fraud by tracking IP addresses (but this fails with dynamic IP addresses -- a user can change his IP, and this happens more or less automatically with many ISPs -- and also with NAT -- several distinct users sharing the same IP) or with other methods. Simply sending a "has voted" cookie in the user's browser will deter the basic, low-tech wannabe fraudsters; there are more thorough methods, but all of these can be circumvented by a technologically savvy attacker. Tor is a tool which deals with anonymity, a closely related subject, and shows that you are trying to fight a losing battle.

StackExchange itself faces the same issue, which it calls sock puppets. They finally took a relaxed attitude, with (unpublished) scripts for detecting the most blatant gaming attempts, and mostly ignoring the rest.

Thomas Pornin
  • Thank you for your answer. I know a 100% detection rate is impossible to achieve, but concrete suggestions for weeding out the most obvious attempts would be appreciated. Basically, I am looking for quality published scripts that we can tweak and use. – Samuel Feb 14 '13 at 17:28
4

Restricting to one vote per IP can seriously limit B2B participation. Most businesses are behind proxies or NAT, which presents the whole organization as a small range of IPs.

Given there's real money and real prizes involved, linking an account to a difficult-to-mass-produce alternate identity can really limit abuse. Examples might include your work email address, or your business phone number.

When their name is drawn from the contest, it is easy to disqualify contestentry23423@gmail.com, or to look through registered domains to spot somebody who's reused their corporate address e.g., joe+123@example.com, joe+124@example.com... Additionally a clause "Contest winners will be notified by phone", means stuffing the ballot isn't going to win you any prizes.

Captchas on the registration form would keep automated registrations from crapflooding your database, but your real protection from false registrations is checking for reasonable email addresses (validate the address and ban stuff like mailinator) combined with the disincentive of false registrations not winning any prizes.

Lastly... although there are theoretical attacks on this kind of system, in practice somebody's going to have to really dislike you to be that persistent.

mgjk
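The checks described in the answer above (collapsing `joe+123@example.com`-style variants onto one identity and flagging mailinator-style domains), as an added Python example that is not part of the original answer. The blocklist contents, the Gmail dot rule, the treatment of `+` as a tag on every domain and all function names are assumptions for illustration; the sample addresses are constructed.

```python
from collections import defaultdict

# Assumed, illustrative blocklist; a real one would be longer and maintained.
DISPOSABLE_DOMAINS = {"mailinator.com"}
# Assumption: domains whose mailboxes ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com"}

def canonical_email(address):
    """Collapse case, '+tag' suffixes and (for some domains) dots."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not domain or "@" in local:
        raise ValueError("not an email address: %r" % address)
    local = local.split("+", 1)[0]          # joe+123 -> joe
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")      # j.doe -> jdoe
    if not local:
        raise ValueError("empty local part: %r" % address)
    return local + "@" + domain

def review_registrations(addresses):
    """Return (duplicates, disposable, invalid) for manual review.

    duplicates maps a canonical address to every sign-up that collapses
    onto it; a hit is a reason to look closer, not proof of fraud.
    """
    groups, disposable, invalid = defaultdict(list), [], []
    for addr in addresses:
        try:
            canon = canonical_email(addr)
        except ValueError:
            invalid.append(addr)
            continue
        if canon.rpartition("@")[2] in DISPOSABLE_DOMAINS:
            disposable.append(addr)
        groups[canon].append(addr)
    duplicates = {c: v for c, v in groups.items() if len(v) > 1}
    return duplicates, disposable, invalid

# Constructed sample registrations.
SAMPLE = [
    "joe+123@example.com", "joe+124@example.com", "Joe@Example.com",
    "ann@example.org", "j.doe@gmail.com", "jdoe+vote@gmail.com",
    "x1@mailinator.com", "not-an-email",
]

if __name__ == "__main__":
    dups, disp, bad = review_registrations(SAMPLE)
    for canon, variants in sorted(dups.items()):
        print(canon, "<-", ", ".join(variants))
    print("disposable:", disp)
    print("invalid:", bad)
```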
2

You can require voters to have an old Facebook (or Twitter) account that was created prior to the voting start. This is something that will make it impossible for someone to register just to vote, and the possibility of someone having a lot of accounts on those social networking sites is very small, and can probably be handled by other methods, like monitoring IP addresses or cookies and checking proxies.

There are a large variety of PHP scripts to check for users using proxies, but you might want to google them or ask at Stack Overflow.

sharp12345
  • 2
    The age of an account is not a barrier if the prize is significant. From [Douglas Crockford's long game post](https://plus.google.com/118095276221607585885/posts/CuBQjT38Gss): "Four years ago yesterday I approved a membership. Yesterday, that member account posted spam. They waited exactly four years to the day before spamming.
    Many reputation systems will consider length of membership when granting capabilities to members. That works when bad actors begin acting badly immediately. But it has no effect against the long game."
    – Mike Samuel Feb 13 '13 at 21:16
  • Interesting suggestion, thank you! Although my namesake above makes some valuable points, wouldn't this still help since it is unlikely that someone has multiple old accounts on standby for occasions such as these? (Although I suppose it is possible for a hacker to have multiple hacked old accounts available for misuse.) – Samuel Feb 14 '13 at 17:36
2

Why would proxies and Tor be a sign that a user is unscrupulous? Tor is a sign that someone is privacy conscious, or lives in a country that restricts access to information. A proxy is a sign that someone is logging in from a business network more than a sign they are up to no good.

I assume you are trying to prevent a single individual from creating multiple accounts using fictitious identities to skew the results. In reality there is no way to prevent this - anyone who has enough time and inclination can do it without you having visibility of it. It's one of the great problems of the internet, and if you solve it you'll make billions.

There are some ways you can make it a bit more difficult for people to set up multiple accounts, mostly by increasing the effort it takes:

  1. Don't allow an API call to create accounts, make everyone have to do it manually on the page.
  2. Put in CAPTCHAs and use other techniques to make sure it's a human creating an account. Ask for the solution to a simple math problem, put it in a graphic rather than text.
  3. Validate all email addresses, and make them change their passwords every 90 days
  4. Inspect the password hashes to find identical passwords, if you have 20 accounts using the same password then chances are good it's a lazy person trying to game you. You won't know what the password is of course, but it gives you a starting point.
GdD
  • Yes, I understand that proxies and Tor have perfectly justifiable uses. Your assumption is correct, we are trying to prevent sock puppet accounts being used to game the system. – Samuel Feb 14 '13 at 17:39
0

I think a good way to limit online voter fraud is by requiring the users to enter their credit card details, or to verify their ownership of a PayPal account.

This way you can also verify that names are unique, so that even if a single user has multiple cards, you will be able to limit it by the card holder name.

The main limitation to this method is that you need to have the users trust you enough to share with you their credit card information.

Requiring too much information or steps from the users will lead them to not voting at all.

If you or the users are worried about security, you can use a trusted third party service to handle the credit card; just ask them to pay the smallest possible payment, which is enough to verify their ownership of a credit card and to know their real name.

I do not recommend this method, but it's the most secure in terms of preventing voter fraud in my opinion.

sharp12345