Preventing abuse to an invite system - php

Recently I helped some friends ship an invite system on their website that works like this: a user creates an account, we send a verification e-mail, and when he verifies the e-mail he gets one free credit to spend on the website. In addition, he has personalized links he can share on social networks or via e-mail, and when people register using this link (e-mail-verified accounts again) he gets one credit per invite. Much like the invite system on thefancy.com or any other reward-driven invite system on the web.
Lately we see elevated rates of fake user accounts, which are probably automated. The registration page features a CAPTCHA, but we're aware this can be bypassed. We also see elevated rates of users creating disposable email addresses to create accounts following specific invite links, thus crediting one legit user who then uses the free credits he earns.
I am looking for an automated way to prevent this kind of abuse. I am currently investigating putting rate limits on invites/registrations that come from the same IP address, but this system has its own flaws.
Any other production tested ideas?
Thank you
Edit:
I've also proposed 2 factor registration via SMS but was turned down due to budget shortage.

It seems you need to require more than just a verified email address before a user can send invites, ideally something that shows the user has participated in your site in some way. Without knowing what your site is it's hard to give specifics, but the StackOverflow equivalent would be requiring users to have at least X reputation before they can invite others. If you're running a forum you could require that they've made at least X posts.
I'd also suggest a small time limit before new accounts can invite - e.g. they have to have been a member for at least X days. This complicates automated invites somewhat.

An extremely simple method that I have used before is to have an additional input in the registration form that is hidden using CSS (i.e. has display:none). Most form bots will fill this field in whereas humans will not (because it is not visible). In your server-side code you can then just reject any POST with the input populated.
Simple, but I've found it to be very effective!
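As an added example (not the answer's own code), the hidden-field check in PHP: the field is hidden with CSS rather than `type=hidden`, and the server rejects any POST that fills it. The field name and CSS class are my own choices.

```php
<?php
// Added example: a CSS-hidden "honeypot" field that humans never see, so any POST
// that fills it is treated as automated. Field name and class are assumptions.

const HONEYPOT_FIELD = 'website_url';

/** Registration form markup. The honeypot is hidden with CSS, not type=hidden,
 *  because bots that fill every text input still populate it; tabindex/aria-hidden
 *  keep keyboard and screen-reader users from landing in it by accident. */
function renderRegistrationForm(): string
{
    $hp = HONEYPOT_FIELD;
    return <<<HTML
<style>.hp-wrap { display:none; }</style>
<form method="post" action="/register.php">
  <label>Email <input type="email" name="email" required></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Website <input type="text" name="{$hp}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Register</button>
</form>
HTML;
}

/** True when the POST body should be rejected as automated. */
function honeypotTripped(array $post): bool
{
    // A missing key is fine (e.g. an old cached form); any non-empty value is a bot signal.
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Server-side handling of the submission.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypotTripped($_POST)) {
        // Log the hit for rate limiting / fraud review, then drop the request.
        error_log('honeypot tripped from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        exit('Invalid submission.');
    }
    // ... continue with normal registration (create account, send verification mail)
} else {
    echo renderRegistrationForm();
}
```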

A few ideas:
Ban use of emails like 'mailinator'.
Place a delay on the referral reward, allowing you to extend fraud detection time period, giving you more time to detect bogus accounts and respond accordingly.
Require the referred user to create a revenue generating transaction before you give out any referral rewards (I know that might not be a shift you can make) - possibly in turn increasing the reward to account for the inconvenience to the referrer (you should be saving money through decreased fraud so not a hard sell).
Machine learning. Ongoing observations and tuning with your fraud detection. The more data you have the better you will be able to identify these cases. (IP addresses as you mention.) Shipping / billing info even more telling if it applies - beware adjacent PO boxes.
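The gating ideas from the two answers above (account age and participation before inviting, a disposable-domain blocklist, a hold period on the reward), as an added PHP example that is not code from either answer. Thresholds, field names and the domain list are assumptions to adapt to your own data.

```php
<?php
// Added example, not code from the answers above: gate invites on account age and
// participation, and hold the referral credit for a review window instead of paying it
// out at verification time. Thresholds, field names and the domain list are assumptions.

const MIN_ACCOUNT_AGE_DAYS = 7;
const MIN_PARTICIPATION    = 3;     // posts, purchases or other real actions on the site
const REWARD_HOLD_DAYS     = 14;    // fraud-review window before the credit is paid out
const DISPOSABLE_DOMAINS   = ['mailinator.com', 'guerrillamail.com'];   // extend from your own data

/** Why the user may not send invites yet, or null when eligible. */
function inviteBlockReason(array $user, DateTimeImmutable $now): ?string
{
    if (!$user['email_verified']) {
        return 'email not verified';
    }
    $ageDays = $now->diff(new DateTimeImmutable($user['created_at']))->days;
    if ($ageDays < MIN_ACCOUNT_AGE_DAYS) {
        return 'account younger than ' . MIN_ACCOUNT_AGE_DAYS . ' days';
    }
    if ($user['participation_count'] < MIN_PARTICIPATION) {
        return 'not enough participation on the site';
    }
    return null;
}

function isDisposableEmail(string $email): bool
{
    $at = strrpos($email, '@');
    $domain = $at === false ? '' : strtolower(substr($email, $at + 1));
    return in_array($domain, DISPOSABLE_DOMAINS, true);
}

/** Called when a referred user verifies their e-mail. Nothing is credited here: the result is
 *  'rejected', 'review' (pay only after a human look) or 'pending' plus the date on which a
 *  background job may release the credit if the account still looks legitimate. */
function scheduleReferralReward(array $referrer, array $referred, DateTimeImmutable $now): array
{
    if (isDisposableEmail($referred['email'])) {
        return ['status' => 'rejected', 'reason' => 'disposable email domain', 'release_at' => null];
    }
    if ($referrer['signup_ip'] === $referred['signup_ip']) {
        // Often self-referral, but shared NAT is common enough to review rather than reject.
        return ['status' => 'review', 'reason' => 'same signup ip as referrer', 'release_at' => null];
    }
    $releaseAt = $now->modify('+' . REWARD_HOLD_DAYS . ' days');
    return ['status' => 'pending', 'reason' => null, 'release_at' => $releaseAt->format(DATE_ATOM)];
}
```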

Add a CAPTCHA test to the confirmation page. I would be wondering if your CAPTCHA is sturdy enough if it is getting bypassed somehow. You might consider using the (hateful) reCaptcha which seems popular. A CAPTCHA on the confirmation page would reduce the risk that a 'bot is submitting the confirmation page. In other words, it would implement the idea of client interaction with the site after registration. A similar method would be to ask for the registrant's password.

Security of logging in with phone number only, plus SMS code

I am building a cross-platform app and using PHP and MySQLi. Users sign up with either their Facebook account or phone number. If they choose phone number, they enter their number and an SMS is sent containing the verification code. The user enters the code and an API token is sent back to be used across the API requests. Tinder (for example) is this way.
I am considering Twilio for the verification.
My issue comes down to the security of this login process. Can a malicious user just rapid-fire the login request that creates a verification code over and over again... sending plenty of SMS and costing me a fortune on my Twilio account? Should I only allow so many attempts? Can a bot just eventually guess the code?
What is the security behind Tinder's API?
Things to consider:
1- limit requests per phone number
2- limit requests per user (by IP)
3- use CAPTCHA (only after the second attempt to keep your app user friendly)
4- use honeypots
"Can a bot guess the code?"
Verification codes should have a time constraint. After like 2 mins they should be invalid. The time constraint and request limiting should make it very, very unlikely for a bot to guess the code.
If you are using Laravel, it already has rate limiting middleware (limit by IP).
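The code lifecycle this answer describes (short lifetime, send limits per phone number and per IP, a cap on guesses), as an added PHP example that is not the answer's code. The in-memory `$store` stands in for Redis or MySQL, and the limit values are assumptions; PHP 7.4+.

```php
<?php
// Added example (not from the answer above): issue and check an SMS code with a short
// lifetime, a cap on sends per phone number and per client IP, and a cap on guesses per
// code. The array $store stands in for Redis/MySQL; all limits are assumptions. PHP 7.4+.

const CODE_TTL_SECONDS   = 120;  // "after like 2 mins they should be invalid"
const MAX_SENDS_PER_HOUR = 3;    // applied separately to the phone number and to the IP
const MAX_GUESSES        = 5;    // then the code is burned and a fresh one must be requested

$store = ['codes' => [], 'sends' => []];

/** Returns the code to hand to the SMS gateway, or null when rate limited (send nothing). */
function requestCode(array &$store, string $phone, string $ip, int $now): ?string
{
    $keys = ['phone:' . $phone, 'ip:' . $ip];
    foreach ($keys as $key) {   // check both limits before recording anything
        $store['sends'][$key] = array_values(array_filter($store['sends'][$key] ?? [], fn($t) => $t > $now - 3600));
        if (count($store['sends'][$key]) >= MAX_SENDS_PER_HOUR) {
            return null;
        }
    }
    foreach ($keys as $key) {
        $store['sends'][$key][] = $now;
    }
    // random_int() is a CSPRNG; rand()/mt_rand() are predictable and must not be used here.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    // Only the hash is persisted, with its expiry and a guess counter.
    $store['codes'][$phone] = ['hash' => hash('sha256', $code), 'expires' => $now + CODE_TTL_SECONDS, 'guesses' => 0];
    return $code;
}

/** True only for the correct code within its lifetime; the code is single use. */
function verifyCode(array &$store, string $phone, string $guess, int $now): bool
{
    $entry = $store['codes'][$phone] ?? null;
    if ($entry === null || $now > $entry['expires']) {
        unset($store['codes'][$phone]);
        return false;
    }
    if (++$store['codes'][$phone]['guesses'] > MAX_GUESSES) {
        unset($store['codes'][$phone]);      // burn the code after too many attempts
        return false;
    }
    if (!hash_equals($entry['hash'], hash('sha256', $guess))) {
        return false;
    }
    unset($store['codes'][$phone]);          // single use
    return true;
}
```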
Twilio developer evangelist here.
I agree with all the things that Shalior says in their answer, so I'm not going to reiterate that.
What I wanted to share was this article on falsehoods programmers believe about phone numbers. It is a good reminder that phone numbers don't necessarily uniquely define a user, and worth keeping in mind if this is your intention for a passwordless login.

Drupal Rules to block Spam Bots

I'm using Drupal 7 with Drupal Commerce for my e-commerce website.
I'm not a new programmer and I can pick up on skills relatively quickly, but I do not do it for a living, so bear with me if this seems like a stupid question.
I'm having difficulty with spam bots filling out my form "Commerce Checkout". Commerce creates a new customer profile (one each for shipping and billing information).
Shipping and Billing information each have the following fields:
First Name
Last Name
Address 1
Address 2
City
State
Zip Code
Country
It's pretty easy to determine which profiles are created by spam bots and which are real. The bot-created profiles have the same string of data in EACH of the above fields.
I'm trying to create a rule using Rules and Rules Form Support modules to BLOCK the creation of the profile or progression through the checkout process if any two of these fields contain the same data, but I'm running into a wall. How can I set up rules in Drupal 7 to accomplish this (i.e. if Address1/Address2 are the same or FirstName/LastName are the same or FirstName/Address1 are the same....)
If there's another way to accomplish this I am open to suggestions. From what I understand, CAPTCHA and Honeypot are really not options for the checkout-process forms because they will not block the progression to the next step. Unless someone is willing to show me how to incorporate one of those as well, that would be great or possibly even easier...
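The "any two fields contain the same data" rule from the question, as an added PHP example (not code from the question or the answers). The detection functions are self-contained; the Drupal 7 wiring at the end is a sketch whose form id and value extraction are assumptions.

```php
<?php
// Added example, not from the question or answers: detects the "same string in every
// field" pattern described in the question. Any two non-empty fields with identical values
// are reported; empty fields never count (a blank Address 2 is normal). The Drupal 7 wiring
// at the bottom is a sketch: the form id and the path to the address values are assumptions.

/** Returns pairs of field names that carry identical, non-empty values after normalisation. */
function duplicateProfileFields(array $fields): array
{
    $seen  = [];   // normalised value => first field name that carried it
    $dupes = [];
    foreach ($fields as $name => $value) {
        $norm = strtolower(trim(preg_replace('/\s+/', ' ', (string) $value)));
        if ($norm === '') {
            continue;
        }
        if (isset($seen[$norm])) {
            $dupes[] = [$seen[$norm], $name];
        } else {
            $seen[$norm] = $name;
        }
    }
    return $dupes;
}

/**
 * Legitimate collisions do happen (City "New York" with State "New York"), so $minPairs
 * lets you demand more than one matching pair before treating the profile as a bot.
 */
function profileLooksAutomated(array $fields, int $minPairs = 1): bool
{
    return count(duplicateProfileFields($fields)) >= $minPairs;
}

/* Drupal 7 wiring (sketch): run the check from the checkout form's #validate list.
function MYMODULE_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id === 'commerce_checkout_form_checkout') {         // assumed first checkout page
    $form['#validate'][] = 'MYMODULE_profile_validate';
  }
}
function MYMODULE_profile_validate($form, &$form_state) {
  $fields = MYMODULE_extract_address_fields($form_state['values']);  // your own extraction
  if (profileLooksAutomated($fields)) {
    form_set_error('customer_profile_billing', t('Please check your address details.'));
  }
}
*/
```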
There are lots of modules which can protect your website like
Spam Detect: https://www.drupal.org/project/spam_detect
Spambot: https://www.drupal.org/project/spambot
Simple Anti-spam: https://www.drupal.org/project/simpleantispam
User Ip Log: https://www.drupal.org/project/uiplog
Restrict Ip: https://www.drupal.org/project/restrict_ip
IP Ranges: https://www.drupal.org/project/ip_ranges
Ban an Ip address: https://www.drupal.org/documentation/modules/ban
and many more.
Use any one or any set of such modules to protect your site from spammers. You can choose which suits you better.
Thanks
Just require login with Commerce Checkout Redirect:
https://www.drupal.org/project/commerce_checkout_redirect
It will require anonymous users to set up an account first before proceeding.
If you still need more security, you should also be able to follow this suggestion to enable CAPTCHA on your user registration form:
https://drupal.stackexchange.com/questions/95979/add-captcha-to-registration-form
That should make it possible to reduce the number of spam submissions through your checkout system.

Alternative method for 2 factor authentication

Scenario: I want to create an app where users register accounts and a server sends them a one time pin to verify their contact details via SMS. User enters the code received to verify their details.
However, sending an SMS costs money but receiving one is free and my SMS gateway lets me read incoming SMS messages.
So I could create a screen in my app that lets the user send an SMS to my gateway with the gateway number and message prefilled (eg. "Hi, please activate my account with code: 34GKTT551T"). User only needs to press send.
Instead of having the user type in a code they've received and verifying the code on the server, my gateway picks up a code sent by the user and sends the message to my server which then verifies the code and thus validates that the users phone number is the one they entered on registration.
Question: Is there anything fundamentally wrong with this approach?
What are the pros and cons of doing things this way? Yes, I know SMS messages can be faked, but it's harder than faking an email, which could also be used. I would not consider this an alternative to proper 2 factor authentication, but this approach is worth doing as a lower cost alternative that doesn't require users to do anything else special.
PS. This is my first question on stack overflow so be nice.
No, this is not secure, as the sender of an SMS can be easily faked. Take these instructions for how to achieve this on Kali OS.
There are also services such as this one.
All it would offer is a very thin layer of security against people who have the user's password but do not know the above information or the mobile phone number of their victim. The phone number of their victim may be achieved via other means such as social engineering. It may work if there is a separate phone used for the sole purposes of 2FA, however why not go with using Google Authenticator API, which is free (Google Authenticator app available for iOS and Android)?

PayPal email validation

I am looking for a way to check which of my customers' email addresses are linked to valid PayPal accounts before I decide to propose this payment method on my website. While searching on Google I found this website, which does the job perfectly and is 100% accurate:
http://prime-position.ch/cache/9.php
The only problem is that it is very slow and takes hours with big email lists, so my question is how do I find this script in particular or another one that does the same job.
Well... to answer your question... you can't verify an email with PayPal (w/ or w/o API).
Even with mass payments, they don't give errors, they just notify the recipient to create a PayPal account if they want the money. And the mass payment fails if they don't claim the funds sent to a non-existing PayPal email in 30 days.
That script is a joke and does not work! If this was your attempt at phishing for PayPal emails... you need to step up your game :)
UPDATE:
The AddressVerify API is of no use to you. It requires their home address and will not work without it. I don't think you have that... plus your account may get flagged after too many tests.

How can I prevent SPAM users from signing up?

I have a website that is starting to grow, but with that come users who continue to sign up and send SPAM messages to other members. I currently use Google's CAPTCHA API service, but if a user creates an account manually then it's of no use. My main problem is after a user creates a fake account they start sending duplicate messages, so my thought here is to check with some PHP code for similarities in messages and deny them after x amount sent, but I'm not sure how much of a load this puts on the server. Is there a way I can maybe grab the IP when they sign up and ban that IP if they start spamming people? It's driving me nuts because I spend almost an hour a day now cleaning up SPAM and removing invalid users. Have others run into this, and what measures have you taken?
There are various solutions, but none of them work perfectly; it would be best to use a combination of solutions.
A few solutions:
Enforce a time limit for sending messages (1 message per 30 or 60 seconds)
Use the PHP function similar_text to check a new message against the last sent message and deny sending the message if the similarity is above a set percentage (I would guess above 70%)
Use CAPTCHAs if a user sends a lot of messages during a set time
Keep a list of IP addresses ($_SERVER['REMOTE_ADDR'] tells you which IP the user has) in your user database and keep a ban list which you then check against when a user registers, to keep them from creating an account.
Give your users a report button which notifies you of spam
Automatically Temp-Ban a user when he/she is reported often
Also keep a ban list based on the email addresses of users (it takes more time for a spammer to create a new email address; only do this with confirmed email addresses, as email addresses can be hijacked).
These are only some of the available options, just try to make the life of a spammer as hard as possible.
To get the IP of a user use
$_SERVER['REMOTE_ADDR'];
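The checks this answer lists (IP ban list at registration, a minimum interval between messages, similar_text() against the previous message), as an added PHP example that is not the answer's own code. Threshold values and the storage shape are assumptions; the sample data at the end is constructed.

```php
<?php
// Added example (not from the answer above): the answer's checks as one set of functions:
// an IP ban list at registration, a minimum interval between messages, and similar_text()
// against the user's previous message. Thresholds and the storage shape are assumptions.

const MIN_SECONDS_BETWEEN_MESSAGES = 30;
const MAX_SIMILARITY_PERCENT       = 70.0;
const SIMILARITY_INPUT_CAP         = 1000;  // similar_text() is expensive on long inputs; compare a prefix

/** Registration-time check against the ban list kept in your user database. */
function ipIsBanned(string $ip, array $banList): bool
{
    return in_array($ip, $banList, true);
}

/** Similarity in percent (0..100) between two message bodies, case- and whitespace-insensitive. */
function messageSimilarity(string $a, string $b): float
{
    $norm = fn(string $s) => substr(strtolower(preg_replace('/\s+/', ' ', trim($s))), 0, SIMILARITY_INPUT_CAP);
    similar_text($norm($a), $norm($b), $percent);
    return $percent;
}

/**
 * Decide whether a new message may be sent. $lastMessage is the user's most recent message
 * as ['body' => string, 'sent_at' => int unix time], or null when none exists yet.
 * Returns null when allowed, otherwise the reason for refusing.
 */
function messageBlockReason(string $body, ?array $lastMessage, int $now): ?string
{
    if ($lastMessage === null) {
        return null;
    }
    if ($now - $lastMessage['sent_at'] < MIN_SECONDS_BETWEEN_MESSAGES) {
        return 'sending too fast';
    }
    if (messageSimilarity($body, $lastMessage['body']) > MAX_SIMILARITY_PERCENT) {
        return 'too similar to previous message';
    }
    return null;
}

// Constructed sample data; in production $banList and $last come from your database.
$banList = ['203.0.113.7'];
$last    = ['body' => 'Buy cheap watches at example.test now!!!', 'sent_at' => 1700000000];
var_dump(ipIsBanned($_SERVER['REMOTE_ADDR'] ?? '203.0.113.7', $banList));
var_dump(messageBlockReason('Buy cheap watches at example.test today!!!', $last, 1700000000 + 120));
```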
One step I've taken above and beyond is I've tapped into StopForumSpam's API to automatically block a user if their IP or email is found in their spammer database. Much smarter than a captcha.
I would recommend looking into a similar solution if you're getting hit a lot with spam.
The only method used to develop my WAF was analyzing the traffic:
HTTP headers
request URL, method, protocol
POST data
GET parameters
COOKIES
Even though it took years, the end product is a very sharp knife.
It should be connected to the Linux firewall. I use Fail2ban.
