Reputation: 39553
Preventing fake accounts
I'm working on a simple web service that allows users to sign up for free and upload a small amount of data. I can easily establish a quota for each user, but malicious users could create fake accounts to upload as much data as they like in a denial-of-service attack.
Obviously, there's no perfect defense against this type of attack, but what can we do to mitigate this problem?
Upvotes: 0
Views: 1539
Answers (5)
Reputation: 11
Consider Phone Number Verification
Requiring phone number for account creation is the best approach I've come across; Creating a new email or cycling an IP address is pretty trivial, but genuine sms phone numbers cost money to activate & grant your service the ability to restrict access by country-code.
An important caveat: Virtual phone numbers (like google-voice), temporary-phone number services, & burner phones can make sms-verification ineffective at preventing duplicate user accounts. Depending on your use case, it might be worthwhile to use a service, like Vonage's Number Insight api, that lets you identify those types of numbers.
Authillo is a passwordless authentication provider that prevents duplicate/fake accounts by leveraging sms verification, liveness detection, & facial recognition. Depending on how critical it is that you prevent fake accounts on your service, their base plan might be what you're looking for.
Upvotes: 0
Reputation: 28160
Tie it to a more-or-less unique identifier (phone number, bank account number, facebook/google/etc account) or to a finite resource (such as time, by using a captcha).
Upvotes: 2
Reputation: 6827
Just log the IPs and assume the same user if the IP does not change within a time interval. This is bad, because it would prevent multiple users in the same house (same IP) but it is a good start.
Upvotes: -3
Reputation: 19871
When the user signs up, the user supplies a valid email. Most accounts are not enabled until a response has been received, usually by clicking a link in the body of that email. When that click-through is received, you should be able to grab an IP address. That should help you curtail an abundance of casual DOS attacks.
Upvotes: 0
Reputation: 2262
- use a captcha on account creation to ensure that it's a human and not an automated process.
- require a valid email address and require that they click a link in their email to validate that that's their email address and continue the registration process. This cuts down on their ability to create many throwaway accounts because you can limit them to only having one account per email address and they have to then create a new email address for each account they want to create.
Upvotes: 2
Related Questions
- Preventing Brute Force Logins on Websites
- How to defend against users with Multiple Accounts?
- Fake account creation prevention on a Laravel website
- How to deal with fake accounts without having to take personal details like phone number or email
- prevent multiple login : Magento
- How does account validation work?
- Preventing fake account creation in mvc
- Best way to avoid fake users
- How can I prevent brute-force attacks?
- User ID verification