
I'm about to embark on a website build where a company wants to reward new visitors with a gift. The gift has some monetary value, and I'm concerned about the site being gamed. I'm looking for ways to help reduce the chance that any one person can drain the entire gift inventory.

The plans call for an integration with Facebook, so authenticating with your FB credentials will provide at least a bit of confidence that a new visitor is actually a real person (assuming that scripting the creation of 100's of FB accounts and then authenticating with them is no simple task).

However, there is also a requirement to reward new visitors who do not have FB accounts, and this is where I'm looking for ideas. An email verification system by itself won't cut it, because it's extremely easy to obtain a countless number of email addresses (me+1@gmail.com, me+2@gmail.com, etc). I've been told that asking for a credit card number is too much of a barrier.

Are there some fairly solid strategies or services for dealing with situations like this?

EDIT: The "gift" is virtual - like a coupon

rcourtna
  • Did you think of using a combination of an e-mail and an IP address? You might get false positives from IP addresses being reused, but it's better than nothing. – Sergey Kalinichenko Feb 14 '12 at 03:35
  • IP is only OK but proxy - like a college campus - may give identical IP addresses to a lot of people. – Kai Qing Feb 14 '12 at 03:47
  • What is the gift? Is it physical or something like a coupon? – josh3736 Feb 14 '12 at 03:50
  • let us know when the website is online! :) – epzee Feb 14 '12 at 03:54
  • @josh3736 The gift is electronic, like a coupon. @epzee haha! – rcourtna Feb 14 '12 at 04:00
  • @rcourtna: How does the coupon work? Does each person get a unique redemption code or is it a printable deal? – josh3736 Feb 14 '12 at 04:06
  • @josh3736 Yes, a redemption code. Closest analogy I can think of is like an Amazon Gift Card being delivered to your inbox. – rcourtna Feb 14 '12 at 16:39
  • @rcourtna: OK, so it is possible to restrict redemption. Whenever a printable coupon is offered, it's basically impossible to restrict redemption (unless you're printing redemption codes) -- I recently had a client ask me to prevent someone from printing a coupon (to be redeemed in-store) more than 3 times. Needless to say, a direct link to the JPEG was all over Twitter. – josh3736 Feb 14 '12 at 18:25

4 Answers


Ultimately, this is an uphill, losing battle. If there will be incentive to beat the system, someone will try and they will eventually succeed. (See for example: every DRM scheme ever implemented.)

That said, there are strategies to reduce the ease of gaming the system.

  • I wouldn't really consider FB accounts to be that secure. The barrier to creating a new FB account is probably negligibly higher than creating a new webmail account.
  • Filtering by IP address is bound to be a disaster. There may be thousands of users behind a proxy on a single IP address (cough, AOL), and a scammer could employ a botnet to distribute each account request to a unique IP. It is likely to be more trouble than it is worth to preemptively block IPs, but you could analyze the requests later—for example, before actually sending the reward—to see if there's lots of suspicious behavior from an IP.
  • Requiring a credit card number is a good start, but you've already ruled that out. Also consider that one individual can have 10 or more card numbers between actual credit cards, debit cards, and one-time-use card numbers.
  • Consider sending a verification code via SMS to PSTN numbers. This will cost you some money (a few cents per message), but it also costs a scammer a decent amount of change to acquire a large number of phone numbers to receive those messages. (Depending on the value of your incentive, the cost of a prepaid SIM may make it cost-prohibitive.) Of course, if a scammer already has many SMS-receiving PSTN numbers at his disposal, this won't work.
josh3736

First thing I wonder is if these gifts need to be sent to a physical address. It's easy to spoof 100 email addresses or FB accounts but coming up with 100 clearly unique physical addresses is much harder, obviously.

Of course, you may be giving them an e-coupon or something, so address might not be an option.

Once upon a time I wrote a pretty intense anti-gaming script for a contest judging utility. While this was many months of development and is far too complex to describe in great detail, I can outline the basic features of the script:

For one, we logged every detail we could when a user applied for the contest. It was pretty easy to catch obvious similarities in accounts by factoring the average time between logins / submissions from a group of criteria (like IP, browser, etc - all things that can be spoofed, so by themselves it is unreliable). In addition, I compared account credentials for obvious gaming - like acct1@yahoo.com, acct2@yahoo.com, etc. - by using a combination of Levenshtein distance, which is not solely reliable, as well as a parsing script that broke apart the various details of the credentials and looked for patterns.

Depending on the scores of each test, we assigned a probability of gaming as well as a list of possible account matches. Then it was up to the admins to exclude them from the results.

You could go on for months refining your algorithm and never get it perfect. That's why my script only flagged accounts and did not take any automatic action.

Kai Qing
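An added example (not code from the question or from any of the answers) of the flag-only approach Kai Qing describes, which also normalizes the me+1@gmail.com-style aliases from the question: account names are compared with Levenshtein distance and a digit-masking pattern, a shared IP only adds weight and never flags on its own, and nothing is excluded automatically. The sample sign-ups, weights and threshold are constructed assumptions.

```python
import re
from itertools import combinations
# Constructed sample sign-ups (hypothetical data, not from the original post).
SIGNUPS = [
    {"email": "me+1@gmail.com", "ip": "203.0.113.7"},
    {"email": "m.e+2@gmail.com", "ip": "203.0.113.7"},  # same Gmail mailbox as above
    {"email": "acct1@yahoo.com", "ip": "203.0.113.7"},
    {"email": "acct2@yahoo.com", "ip": "198.51.100.4"},
    {"email": "bob@example.org", "ip": "203.0.113.7"},  # shares an IP only (NAT, proxy)
]
# A pair is linked when its evidence weights reach THRESHOLD; a shared IP alone never does.
WEIGHTS = {"same mailbox": 3, "numeric-suffix pattern": 2, "near-duplicate": 1, "shared IP": 1}
THRESHOLD = 2

def normalize_email(addr):
    """Collapse sub-address tricks: drop '+tag' and, for Gmail, ignore dots."""
    local, _, domain = addr.lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"
def levenshtein(a, b):
    prev = list(range(len(b) + 1))  # classic dynamic-programming edit distance
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def link_reasons(a, b):
    """Evidence that sign-ups a and b belong to one actor (strongest email signal only)."""
    na, nb = normalize_email(a["email"]), normalize_email(b["email"])
    reasons = []
    if na == nb:
        reasons.append("same mailbox")
    elif re.sub(r"\d+", "#", na) == re.sub(r"\d+", "#", nb):  # acct1@ vs acct2@
        reasons.append("numeric-suffix pattern")
    elif levenshtein(na, nb) <= 2:
        reasons.append("near-duplicate")
    if a["ip"] == b["ip"]:
        reasons.append("shared IP")
    return reasons
def flag_signups(signups):
    flagged = {}  # flag only: as in the answer above, exclusion is left to a human
    for a, b in combinations(signups, 2):
        reasons = link_reasons(a, b)
        if sum(WEIGHTS[r] for r in reasons) >= THRESHOLD:
            for s in (a, b):
                flagged.setdefault(s["email"], set()).update(reasons)
    return {e: sorted(r) for e, r in flagged.items()}
```

Running `flag_signups(SIGNUPS)` links the two Gmail aliases and the acct1/acct2 pair but leaves bob@example.org unflagged, since an IP shared with other sign-ups carries too little weight by itself.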

I would suggest a more 'real world' solution instead of all the security: make it clear that it is one coupon per address. Physical (delivery and/or payment) address. Then just do as you want, maybe limit it by email or something for the looks of it, but in the end, limit it per real end-user, not per person receiving the coupon.

Nanne

Since you're talking about inventory, can we therefore assume your gift is an actual physical item?

If so, then delivery of the gift will require a physical address for delivery - requiring unique addresses (or, allowing duplicate addresses but flagging those users for manual review) should be a good restriction.

My premise is this: While you can theoretically run a script to create 100s of Facebook or Google accounts, exercising physical control over hundreds of distinct real world delivery locations is a whole different class of problem.

Bevan