Jump to content
  • Advertisement
Sign in to follow this  
Choisir

[web] Fake / Multi Account Catching

This topic is 2429 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I consider creating a MMO web based game , something similar to travian/ogame or such (just to give you an idea)

Regardless of genre, most developers are facing a serious problem of constant fight with fake and multi accounts. It is quite easy for cheaters relying on anonymity of web and it surely harms business in both ways. Increases bandwidth cost, gives them unfair advantage, reduces your revenue (as they both get items they buy this way and worse they sell to other people either by RL money or ingame).

It is obviously not possible to eliminate them all, but what do you suggest about techniques to catch and eliminate these cheaters?

Share this post


Link to post
Share on other sites
Advertisement
What do you mean by fake account? One that is created and them spams and harasses users? I'd think that type of thing is better handled by catching and punishing the behavior rather than trying to stop the account creation in the first place.

Share this post


Link to post
Share on other sites
Including but not limited to. In fact they are all multi accounts as well.

There are some ways relying on cookie and IP but I wonder if there are any other industry tips allowing heuristic scans.

Share this post


Link to post
Share on other sites
There is only one solution that really works, and it is harsh for business: A subscription that can only be paid with VISA (no PayPal, no PayByCash, or similar). It does not matter how much you charge, all that matters is that you can undoubtly link several accounts paid via the same card number to a single narrow group of people. In times of "Verified by VISA", card number theft should be much less of an issue, too (unless the thief has their unlocked cell phone as well). If someone turns out to be a massive abuser, blacklist the card number.

The second best option is to require an unique email address which may not be Hotmail, Mailinator, Gmail, or another freemail provider. A verification link is sent to that address which enables the account. This will make life for the occasional cheater harder (though, not indefinitely), and will be no noticeable obstacle to a professional gold farmer / RMTer. Email addresses are easy to get (comparatively to, say, a new credit card number).

Any other solution, such as recording IP addresses or gathering metrics from the user's machine (which has privacy concerns) is bound to fail from the beginning. IP addresses change, hardware changes, several people use the same hardware, and many people share the same IP address within short time. Usually plugging the cable and putting it back in is enough to get a new IP address.

Note by the way that "multi account" alone is not necessarily bad (it can be, but it is not necessarily so), and it is sometimes well accepted. You should think twice before banning someone just for buying 3-4 accounts. To begin with, it might just be a family with two kids, and then you have to consider that if someone pays you 4 times as much money, it kind of is his darn right to run 4 toons, too. It only begins to matter when the gameplay is disruptive to others, which may sometimes be hard to decide upon.

Share this post


Link to post
Share on other sites
I don't see how using cards helps very much; I have at least three VISA and two MASTERCARDs...


It doesn't seem that that would be particularly unusual.

Share this post


Link to post
Share on other sites
In-game prevention (e.g. GMs) prevail in these sort of cases. What you are looking for is a good pre-emptive prevention system, but there is none - at least not with enough effect that it'll help significantly.

Share this post


Link to post
Share on other sites

I don't see how using cards helps very much; I have at least three VISA and two MASTERCARDs...

It doesn't seem that that would be particularly unusual.


Not to mention that I've bought three copies of some games, including Minecraft, using the same creditcard (well, debit card) and for valid purposes (so myself and two siblings can play simultaneously). You might accidentally stop some legitimate sales if you do that.

Really, the best way (in my opinion) is just tie one account to one email address, have moderators quickly ban spammers (and maybe allow users to vote-spam-kick), and design the game so a single person using multiple accounts simultaneously doesn't get much advantage over another player only using one account.

Honestly, the point of multiplayer gaming is playing with friends and family first, and random internet strangers second. The likelyhood of multiple different and legitimate users using the same IP address / computer / credit card is very good. The two siblings play a web-based trading-card game called 'Elemental', and do so from the same computer. Also, they rapidly cycle what computers they use (sometimes accessing it from our parent's laptops when they can't get on mine).

Would you ban two legitimate customers because they both use the same machine?
Would you ban two legitimate users because they suspiciously switch machines every few hours?
What if both their accounts simultaneously seem to come from the same IP address (because it's behind a single router) will you ban them?
What if both their accounts are paid for using the same credit card (because their parents or siblings bought the game for them) will you ban them?

Each of those should raise warning flags, but not result in instantly banning them, or even alert them that they are suspicious.
Ban for behavior, not environment. smile.gif Regardless of how they access your game, if they pay, let them play, unless they cause disturbance to the community (spamming, griefing, etc...). There is no substitute for moderation, though by all means help your moderators by automatically flagging suspicious behavior, recording chat logs, and other tools, but train your moderators to only ban for actual bad behavior not just suspicious behavior.

Share this post


Link to post
Share on other sites
First, thank you all for replies. Player verification is a nice approach. Players can be asked for verification payment via credit card, Paypal or be asked to confirm by SMS.

But in some games, player base is usually underaged (ie have no credit card or such) or hesitant / reluctant to give personal details (SMS or credit card data). This can easily become a serious problem and a strong negative impact. But still a hybrid approach of allowing people to play until certain level and then ask some kind of confirmation may help.

For email, I don't think it is wise to block free email services as they are widely used but at least blocking quick email services like 10minutemail.com is a good idea.

And finally for cookie and IP tracking, I can imagine how hard it is to distinguish a legit family/university/company play from a gold farmer. These techniques may at least help for catching noob cheaters.

So there are two questions raising.

1 - ) Is banning usage of proxies logical? I mean unless player is from Iran or China or such country where access is limited, there is no motive to use proxies, isn't there?

2 - ) Even though player tries doing things by resetting modem ie changing IP , isn't it possible to have scripts doing heuristic scans to look for certain patterns. Ok its ultra lame but I noticed something like this in a game I play where they catch multies looking if they have same password. It is lame but you got the point. Using more sophisticated patterns , would it be possible to reduce it to an acceptable level?

I am pretty sure that most people are not banned because of the tiny probability (around 10%) that they might be legit , it would be suicide if legit people would be mass banned. But I believe that there must be tools we can use.

Share this post


Link to post
Share on other sites

I don't see how using cards helps very much; I have at least three VISA and two MASTERCARDs...


It doesn't seem that that would be particularly unusual.

You can get 3 VISA cards and 2 Mastercards, fine. Maybe you can get another two or three, fine. Who cares. It's besides the point.

Not to mention that I've bought three copies of some games[/quote]
Yes, and who cares. It's besides the point.

You can register 500 fake accounts in 15 minutes (or in around 30 seconds if you use a script) no problem. You can generate 500 fake mail addresses for the confirmation links in 15 minutes likewise.

You can not get 500 new credit cards in 15 minutes. And that is the one big difference. Use your second credit card if your first one is banned? Fine. Use your third card when the second is banned? Fine. But you can't do this forever, and at the same rate.

One won't catch someone creating 3 accounts that way, but this is not what you want anyway. The people you want are the ones who create 500 accounts and who disrupt the experience for others. You want to pinpoint the people who have a long negative record with your CSRs for abuse, cheating, scamming, and you want to make their lives hard. You don't want to punish someone for giving you a little extra money.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

Participate in the game development conversation and more when you create an account on GameDev.net!

Sign me up!