: How can I screen clients that try to register multiple times? My company offers a bonus to every client that registers. We would like to prevent people from abusing this by registering several

@Kaufman445

Great answer from danlefree, but let me touch on the two methods that you mentioned before and their suspected outcome.

Even though your specific demographic may not be computer savvy, let's just assume that they are the Average Joe (AJ for short).

IP tracking is a good way to deter a fair amount of abuse simply because people aren't knowledgeable enough to change their own IP. AJ could theoretically search for their solution, yes. But it would be up to you to conceal the tracking method as much as possible.

Cookies are a lot more difficult to use than IP tracking. A lot of people have them turned off by default. Security programs check that and will prompt AJ when one is requested, giving him an easy clue if he wanted to abuse your registration.

Vote Up Vote Down

@Angie530

You will not be able to prevent people from registering as many times as they like - losing game, even if you implement IP tracking, phone number or SMS verification, et cetera (if you're giving away something worth money, I can assure you that someone out there will gladly game your system).

Do not provide anything free unless you can literally afford to give it away.

I'd provide a discount to first-time purchases and then use the payment information to determine whether or not the individual making the purchase has purchased before.



Edit: I understand that the limited free offering is central to your business, so my best advice would be to weigh the cost of abuse against the cost (and pain) of preventing abuse ... if you're giving away access to a file or web-based service, for example, the total cost of providing your sign-up with the offer and potential profit lost on abuse probably wouldn't justify a .00/signup expenditure on abuse prevention.

You have not described the registration process, but I can tell you off-hand that there is nothing you can do with the information in an HTTP request to confirm with any degree of certainty that the individual issuing the request has not signed up before.

You need identity information from your signups to verify with an out of band (i.e. not based on an HTTP request) solution - preferably one which makes sense to your users so they feel comfortable providing you with the information, is convenient and inexpensive for you to verify automatically, and is reasonably difficult to forge. Pick two :)

Assuming you can ask your signups just about anything, here are some options:


E-mail Address Verification - A unique e-mail address is easy to come by, but if the financial motivation to abuse your offer isn't very high, it might be a sufficient deterrent to abuse. You could also require an "official" e-mail address, depending upon your clientele (i.e. do not accept addresses hosted with free e-mail providers, insist on corporate domains or private domains)
Telephone Number Verification - A numeric code is e-mailed to your signup and then an IVRU dials out to your signup, who must enter the code to confirm his or her account. This option could become expensive and will likely be error-prone if you have a geographically-diverse client base - additionally, if the value of your free offer is significant, you should know that pre-paid cell phones provide an inexpensive way to acquire new phone numbers and it may or may not be practical to segregate land line providers versus mobile providers (again depending upon your client base).
Identity Verification - People hate dealing with this and it is expensive, but if you're giving away something expensive like a weekend at a timeshare, it may make sense and be considered acceptable by your clientele. You can be reasonably sure you know who is responding if you request a photocopy of government-issued identification.
Payment Verification - Some merchant account gateway providers offer [CO].00 authorization holds - great way to find out whether your client has a valid card, however, there's no guarantee they have funds to pay for anything with this method and the cardholder's name will not be verified as part of the process.


If you would like to investigate telephone number verification, I'd recommend that you check out MaxMind - I am not aware of any truly independent firms which match MaxMind's offerings for price and effectiveness. (MaxMind's services support many white-label resellers)

Vote Up Vote Down