Hi all, I'm in the early stages of planning a web service. Because of the nature of the service, it's going to be targeted by scammers. To make life harder for them, I need to enforce a 'one account per person' rule. I know I'll never be able to achieve that but I want to make it as hard as possible. I thought about using credit card verification but I don't like it for several reasons: 1) It'll put people off signing up. 2) I've made several enquiries and have yet to find a payment processor who can provide address verification for more than 2 or 3 countries. This'll mean a different payment processor for every country I want to operate in. 3) Prepaid credit cards are getting more and more common. Does anyone know of any other options? The solution needn't be perfect, just one which makes it difficult to sign up a large number of accounts. I have other anti-scammer measures which I'll be putting in place too. Thanks for reading. damien
^^ SAA You can't enforce an OAPP system, but you may warn your members that if you find two logins from the same IP they'd be banned and stuff! As asked by Rob, may I know what kind of services we are talking about here? Abhishek
Do email, and verify the email address. So after they sign up, send an email to their account, with a link they have to click to confirm. You process those clicks, and flag them in the database as legit, verified accounts. Anyone who does not verify their account does not get access, and is eventually dropped from the database. If you track the email addresses and don't allow duplicates, that's getting close to your goal. It's not perfect, of course. -Tony
Thanks all for your suggestions. I don't want to say exactly what kind of service I'm working on but it's a financial product, which is why I know it'll be a target for scammers. It's also why there has to be a bigger barrier to entry than a unique email or IP address. Something that can't be faked easily or acquired en masse. I think I'll have to stick with credit card verification. It's the only viable option at the moment.
Email addresses are really a terrible way to make OAPP, since I own every address from allroundnews.co.uk and it's redirected to my Gmail, I have infinite email addresses. Then of course there's '+ tags' for Gmail, and Gmail allows dots in your email address, so in reality, I own millions of variations of my email address. If your product is financial, wouldn't the user having a credit card be a good idea anyway? Also, I suppose you could snail mail the user an activation code... It's more time-consuming and expensive but unless the user has a lot of places to live, there's no way they can make multiple accounts.
I've no idea how IP addresses work, but to my understanding, don't ISPs rotate IP addresses periodically? So the IP method wouldn't really work, ne?
Make a system of different barriers. First and foremost, get email verification. Next IP, next CC, next address. What you can do is just allow a certain IP to access a part of your site. So they log in through IP and not username/password.
IP, yes. But "not username/password," no. Do both. Log them in via username/password, and track not only that, but the IP as well. Lithium software does this. They have a forum software product. I might log in via my laptop at home. Then I take the laptop to work, and log in there, but it blocks me. It sees I'm at a new place, and it requires me to reauthenticate. -Tony
if you have some javascript and php skill, try this: make your signup-form and add a javascript which gets all the browser properties possible, like language, screen resolution, colours, os and version, browser and version - all this stuff and add it in a hidden field to your form. write all these values in one variable, something like $browservar = $os . $osversion . $browser . $browserversion; (plus everything else you got). to make this string shorter and easier to handle, get the md5($browservar) and add this value to an extra field in your user database. you can have about 11.000 different md5's for all the computers out there (but some more common than others; winxp with ie6 should be the most common), so if you get a lot of sign ups with the same md5 then there could be something wrong. here is a free database to translate IP addresses to countries, but this could be useless if some spammers use proxies: http://www.maxmind.com/app/geoip_country hope this helps (on my hunt for green rep)
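The address variations ('+ tags', Gmail dots, one person owning a whole domain) and the browser-property clustering raised in this thread can be screened for at sign-up; the following is an added example, not code from any poster, and every name in it is hypothetical. It assumes an in-memory store, an abbreviated list of public mail providers, a policy of stripping "+tag" for every domain, and it keys on the joined property string directly rather than an md5 of it.

```javascript
// Added example; every name here is hypothetical, not from the thread.
const DOT_INSENSITIVE = new Set(['gmail.com', 'googlemail.com']);
// Assumed, abbreviated list of public providers exempt from the per-domain limit.
const PUBLIC_PROVIDERS = new Set(['gmail.com', 'hotmail.com', 'yahoo.com']);

// Collapse "+tag" and Gmail dot variations to one key; null if unusable.
function canonicalEmail(address) {
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) return null;
  let local = address.slice(0, at).toLowerCase().split('+')[0]; // assumed policy
  let domain = address.slice(at + 1).toLowerCase();
  if (DOT_INSENSITIVE.has(domain)) {
    local = local.replace(/\./g, '');
    domain = 'gmail.com';
  }
  return local === '' ? null : local + '@' + domain;
}

// Join the browser properties in a fixed order so equal browsers give equal keys.
function fingerprintKey(props) {
  return Object.keys(props).sort().map((k) => k + '=' + props[k]).join('|');
}

function bump(counts, key) {
  const n = (counts.get(key) || 0) + 1;
  counts.set(key, n);
  return n;
}

class SignupScreen {
  constructor(limits) { // limits: { perDomain, perFingerprint }
    this.limits = limits;
    this.emails = new Set();
    this.domains = new Map();
    this.fingerprints = new Map();
  }

  // Duplicates are refused; clusters are accepted but flagged for manual review.
  check(address, props) {
    const email = canonicalEmail(address);
    if (email === null) return { accept: false, flags: ['invalid-email'] };
    if (this.emails.has(email)) return { accept: false, flags: ['duplicate-email'] };
    this.emails.add(email);
    const flags = [];
    const domain = email.slice(email.lastIndexOf('@') + 1);
    if (!PUBLIC_PROVIDERS.has(domain) &&
        bump(this.domains, domain) > this.limits.perDomain) flags.push('domain-cluster');
    if (bump(this.fingerprints, fingerprintKey(props)) >
        this.limits.perFingerprint) flags.push('fingerprint-cluster');
    return { accept: true, flags };
  }
}
```

A common fingerprint (the thread's winxp with ie6 case) will exceed any small limit on its own, so the flags are a reason to look closer rather than grounds for an automatic ban.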