1

I appreciate that there's never going to be a perfect answer for this, but I was wondering how far you could go, using PHP+MySQL to automatically flag/identify an individual who had two accounts on your website.

Say for example on this site, they could use one account to 'boost' the other account's reputation - which would be a no-no.

At the moment I have an IP field that is updated upon each login with their remote server IP, which is far from perfect. Are there any better solutions (aside from detailed logs and comparing trends between users' actions) that could give you a quick 'hint' at a glimpse to suggest that this might be going on by means of a more accurate IP comparison or something else?

Obviously, if the user REALLY wants to do this, they will find a way - but I want to find a reasonable solution to make it (at least) moderately difficult or frustrating for them to pull it off.

Many thanks

Tim
  • 6,640
  • 8
  • 34
  • 55
  • 1
    My suggestion would just be to keep a log of the past x IP addresses used to log in - if they match on at least half of those, ban the user. Without going to a lot more effort, I think that's a decent enough way of doing it. – SharkofMirkwood Aug 01 '13 at 10:55
  • 2
    [A good reading](http://stackoverflow.com/a/16120977) – HamZa Aug 01 '13 at 10:56
  • Are you following me, @SharkofMirkwood? :D Thanks that sounds fairly reasonable... it's difficult when people use the site at work / at school though as they'll have a shared IP. – Tim Aug 01 '13 at 10:57
  • @SharkofMirkwood This is risky, since on 3G IP addresses aren't unique. My suggestion would be to send out a warning if a lot of the IP addresses of two users match, and keep an eye on them. If they are really helping each other I think it's safe to assume it's the same person. – Kevin Aug 01 '13 at 10:57
  • Thanks @HamZa, that looks great although realistically probably too extreme for this purpose - I don't want any AJAX stuff going on really so I'm limiting myself to within the scope of PHP. – Tim Aug 01 '13 at 11:01
  • Haha yeah I recognised your name, wasn't sure if you'd remember me ;) Well yeah it's quite tricky to find duplicate accounts if the users are going to some effort to conceal it. My suggestion was just that - and yeah it's probably best to check before actually banning anyone! Kevin's suggestion is good, just do what I said but check, then look into it before taking action. Obviously you could go to more effort and make a better filtering system, but I think this should be ok. – SharkofMirkwood Aug 01 '13 at 11:02
  • @SharkofMirkwood and what happens when you have just blocked a major ISP proxy server? – Anigel Aug 01 '13 at 11:04
  • @Anigel I'm not suggesting to block an IP address - just the accounts that were associated with it. And even then, it's after checking the users' actions to see if anything seems dodgy. – SharkofMirkwood Aug 01 '13 at 11:07
  • Any method you may choose is trivial to bypass; even something as simple as using one browser for one account and a second browser for the other account would fool most detection methods. About all you can do is check usage: if one user shows a pattern of boosting another user's reputation all the time, then flag it for manual review. Consider login times, other activity occurring on the accounts, etc. – Anigel Aug 01 '13 at 11:08
  • @SharkofMirkwood I just took if they match xx ips "just ban the user", to mean that you literally ban the users using that ip address as there was nothing else in your comment to imply you carefully assess each of the users from that ip and check their behavior before applying the ban hammer. – Anigel Aug 01 '13 at 11:09
  • @Tim Your problem isn't something simple. Also I don't see where you got the idea of "AJAX". The answer I linked will give you ideas on identifying users with several techniques. Note that blocking IPs like that is a big no, since some ISPs use 1 IP for several hundred clients. – HamZa Aug 01 '13 at 11:09
  • @Anigel you must have misunderstood. What I meant was if the IP address of 2 users match each other in at least half of the x stored IP addresses for the users, they're probably helping each other and should be looked into or banned. When I said "just ban them", well that's up to Tim if he wants to do that or review the accounts manually. – SharkofMirkwood Aug 01 '13 at 11:11
  • tl;dr ban the user, not the ip. – HamZa Aug 01 '13 at 11:13
  • @SharkofMirkwood I get that, and that goes straight back to my original question to you: but what if that IP address is a major proxy server for an ISP? You may have hundreds of users with accounts always using the same IP. – Anigel Aug 01 '13 at 11:13
  • @Anigel Then I guess you gotta keep an eye out for that and maybe create a whitelist if you notice this happening frequently. This wasn't my idea of a perfect system, it's just what the OP was asking for. – SharkofMirkwood Aug 01 '13 at 11:51
  • @HamZa, I assumed AJAX when it spoke of things like localStorage and other bits that could only be logged via JavaScript, unless I'm mistaken. Thanks for your comments guys – Tim Aug 01 '13 at 12:04
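A worked MySQL version of the IP-overlap check the comments converge on (keep the last x login IPs per account, compare pairs, flag rather than ban, and discount shared ISP/school addresses). This is an added example, not code from the question or any commenter; the two tables, the window of 10 logins, the "half of the smaller set" threshold and the sample rows are all assumptions, and the window function needs MySQL 8.0 or later.

```sql
-- Added example (not from the question or comments). Assumed schema:
-- one row per successful login; IPs stored in binary so IPv4 and IPv6 both fit.
CREATE TABLE login_log (
  id           INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  user_id      INT UNSIGNED NOT NULL,
  ip           VARBINARY(16) NOT NULL,      -- store with INET6_ATON(...)
  logged_in_at DATETIME NOT NULL,
  INDEX idx_user_time (user_id, logged_in_at),
  INDEX idx_ip (ip)
);

-- Known shared egress addresses (ISP proxy, school or office NAT) that must not
-- count as evidence; this is the "major ISP proxy server" case from the comments.
CREATE TABLE shared_ip_whitelist (
  ip   VARBINARY(16) PRIMARY KEY,
  note VARCHAR(100) NOT NULL
);

-- Constructed sample data using RFC 5737 documentation addresses.
INSERT INTO shared_ip_whitelist VALUES (INET6_ATON('203.0.113.1'), 'university NAT');

INSERT INTO login_log (user_id, ip, logged_in_at) VALUES
  (1, INET6_ATON('192.0.2.10'),   '2013-08-01 08:00:00'),
  (1, INET6_ATON('192.0.2.10'),   '2013-08-01 09:00:00'),
  (1, INET6_ATON('192.0.2.11'),   '2013-08-01 10:00:00'),
  (1, INET6_ATON('203.0.113.1'),  '2013-08-01 11:00:00'),
  (2, INET6_ATON('192.0.2.10'),   '2013-08-01 08:30:00'),
  (2, INET6_ATON('192.0.2.11'),   '2013-08-01 09:30:00'),
  (2, INET6_ATON('192.0.2.12'),   '2013-08-01 10:30:00'),
  (2, INET6_ATON('203.0.113.1'),  '2013-08-01 11:30:00'),
  (3, INET6_ATON('198.51.100.5'), '2013-08-01 08:45:00'),
  (3, INET6_ATON('203.0.113.1'),  '2013-08-01 12:00:00'),
  (4, INET6_ATON('198.51.100.9'), '2013-08-01 08:50:00'),
  (4, INET6_ATON('203.0.113.1'),  '2013-08-01 12:05:00');

-- Report account pairs whose last 10 logins (whitelisted addresses ignored)
-- share at least half of the smaller account's distinct IPs.
WITH recent AS (
  SELECT user_id, ip,
         ROW_NUMBER() OVER (PARTITION BY user_id ORDER BY logged_in_at DESC) AS rn
  FROM login_log
  WHERE ip NOT IN (SELECT ip FROM shared_ip_whitelist)
),
recent_ips AS (
  SELECT DISTINCT user_id, ip FROM recent WHERE rn <= 10
),
ip_counts AS (
  SELECT user_id, COUNT(*) AS n_ips FROM recent_ips GROUP BY user_id
)
SELECT a.user_id AS user_a,
       b.user_id AS user_b,
       COUNT(*)  AS shared_ips,
       ca.n_ips  AS ips_a,
       cb.n_ips  AS ips_b
FROM recent_ips a
JOIN recent_ips b ON b.ip = a.ip AND b.user_id > a.user_id   -- each pair once
JOIN ip_counts ca ON ca.user_id = a.user_id
JOIN ip_counts cb ON cb.user_id = b.user_id
GROUP BY a.user_id, b.user_id, ca.n_ips, cb.n_ips
HAVING COUNT(*) * 2 >= LEAST(ca.n_ips, cb.n_ips)
ORDER BY shared_ips DESC;
```

On the sample rows only the pair (1, 2) comes back, with 2 shared addresses out of 2 and 3; users 3 and 4 share nothing but the whitelisted NAT address and are not reported. The result is a list of account pairs for a human to look at, not a list of addresses to block, which is the distinction HamZa and Anigel draw above; when the same shared address keeps producing false pairs, it belongs in the whitelist table.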

2 Answers

0

There are solutions, with disadvantages.

In my opinion, I think there isn't an effective way to prevent users from creating multiple accounts.

As you have pointed out, you can store the IPs, machine names, session_id() in PHP, and do some analytics on them, but this can bring you false positives: users who share the same IP, the same machine, etc.

A possible solution is to make things difficult, using some kind of user validation, like validating a phone number, validating an email address, or answering a long registration form. Eventually this may make attackers think twice about the cost of doing the extra work to create multiple accounts.

The disadvantage is that real users must do the same, and maybe they will not come to your site with this kind of validation.

It's hard to choose between those.

Another possible solution is to make registration go through a 3rd-party app, like a Facebook or Google account. It becomes easy to filter multiple accounts, and it is an easy way for real users to log in.

And finally, for me, one of the strongest methods to control your community is an achievement/reputation system like Stack Overflow's. It lets you make sure that new users don't interfere with the system if they don't spend time working on/for the community. From my point of view, a really robust solution to manage a community.

Lan
  • 649
  • 1
  • 7
  • 16
  • Thanks @Lan, nice idea on 3rd party stuff although they could just use a Twitter account for one and a Google account for another with differing emails. I'm allowing for multiple oauth options per account though. Even with rep etc it's difficult to find the balance as you say. – Tim Aug 01 '13 at 12:07
  • I've read the great article pointed to by HamZa. In PHP you can develop code to (almost) achieve your goal; just maybe the balance of the effort is too huge in your case ^^. But it solves your main question: 'using PHP/MySQL to identify multiple accounts' :) Good luck! – Lan Aug 01 '13 at 14:03
0

The IP-address ban method is way too easy to get around, at least as the only security method. Adding it won't hurt more than the time spent implementing it, and the method sure helps a bit, but just make sure you complement it.

Since you have some kind of accounts, I would suggest you look more at the user side. What behaviours are typical for an account that is only used for boosting another? For each of those actions, log the two users, and if you see a pattern, send a warning or ban.

If it's a game, or someone might want to ban another person for some reason, make sure to find these typical actions from the receiver as well (or find connections in IP addresses to confirm). This prevents "boosting" attacks that may result in an incorrect ban.

It's hard to give tips without knowing how the system is supposed to work and what values you have in it, but I hope it gives you some new thoughts.

Adam Wigren
  • 383
  • 2
  • 11
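A worked MySQL version of the behavioural check this answer describes: log who votes for whom, and report voter/target pairs where one account's upvotes go almost entirely to a single other account, showing the receiver's side too so that a one-directional pattern (someone boosting a rival to get them banned) can be told apart from two accounts feeding each other. This is an added example, not code from the answer; the vote_log table, the 30-day window, the thresholds (5 votes, 80% of what the voter gives, 50% of what the target receives) and the sample rows are assumptions.

```sql
-- Added example (not from the answer). Assumed vote log: one row per vote,
-- target_id is the owner of the post that received the vote.
CREATE TABLE vote_log (
  id         INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  voter_id   INT UNSIGNED NOT NULL,
  target_id  INT UNSIGNED NOT NULL,
  vote_value TINYINT NOT NULL,        -- +1 upvote, -1 downvote
  voted_at   DATETIME NOT NULL,
  INDEX idx_voter  (voter_id, voted_at),
  INDEX idx_target (target_id, voted_at)
);

-- Constructed sample data: user 2 upvotes almost nothing but user 1's posts,
-- user 1 returns two votes, user 3 votes normally across several people.
INSERT INTO vote_log (voter_id, target_id, vote_value, voted_at) VALUES
  (2, 1,  1, '2013-07-25 10:00:00'),
  (2, 1,  1, '2013-07-26 10:00:00'),
  (2, 1,  1, '2013-07-27 10:00:00'),
  (2, 1,  1, '2013-07-28 10:00:00'),
  (2, 1,  1, '2013-07-29 10:00:00'),
  (2, 1,  1, '2013-07-30 10:00:00'),
  (2, 3,  1, '2013-07-30 11:00:00'),
  (1, 2,  1, '2013-07-28 12:00:00'),
  (1, 2,  1, '2013-07-29 12:00:00'),
  (3, 1,  1, '2013-07-29 13:00:00'),
  (3, 4,  1, '2013-07-30 13:00:00'),
  (3, 5, -1, '2013-07-31 13:00:00');

-- Reviewer report for the 30 days ending at @as_of. ups_back is how many
-- upvotes the target gave the voter in the same window (reciprocity).
SET @as_of = '2013-08-01 00:00:00';

WITH recent AS (
  SELECT voter_id, target_id, vote_value
  FROM vote_log
  WHERE voted_at >  DATE_SUB(@as_of, INTERVAL 30 DAY)
    AND voted_at <= @as_of
    AND voter_id <> target_id
),
given AS (   -- upvotes per (voter, target) pair
  SELECT voter_id, target_id, SUM(vote_value = 1) AS ups
  FROM recent GROUP BY voter_id, target_id
),
voter_totals AS (
  SELECT voter_id, SUM(vote_value = 1) AS ups_given FROM recent GROUP BY voter_id
),
target_totals AS (
  SELECT target_id, SUM(vote_value = 1) AS ups_received FROM recent GROUP BY target_id
)
SELECT g.voter_id,
       g.target_id,
       g.ups                              AS ups_to_target,
       ROUND(g.ups / vt.ups_given, 2)     AS share_of_voter_ups,
       ROUND(g.ups / tt.ups_received, 2)  AS share_of_target_ups,
       COALESCE(r.ups, 0)                 AS ups_back
FROM given g
JOIN voter_totals  vt ON vt.voter_id  = g.voter_id
JOIN target_totals tt ON tt.target_id = g.target_id
LEFT JOIN given r ON r.voter_id = g.target_id AND r.target_id = g.voter_id
WHERE g.ups >= 5
  AND g.ups / vt.ups_given    >= 0.8
  AND g.ups / tt.ups_received >= 0.5
ORDER BY g.ups DESC;
```

On the sample rows the only line reported is voter 2 boosting target 1 (6 of the 7 upvotes user 2 gave, 6 of the 7 user 1 received, with 2 votes returned); user 3's spread-out voting and user 1's two votes back stay under the thresholds. A row with ups_back = 0 and no IP overlap is the "someone wants another person banned" case the answer warns about, so this output should feed a manual review queue alongside the login-IP comparison rather than trigger a ban on its own.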