[web] Fake / Multi Account Catching

I am considering creating a web-based MMO game, something similar to Travian/OGame or such (just to give you an idea).

Regardless of genre, most developers face a serious problem: a constant fight with fake and multi accounts. It is quite easy for cheaters relying on the anonymity of the web, and it surely harms business in both ways. It increases bandwidth cost, gives them an unfair advantage, and reduces your revenue (as they both get items they buy this way and, worse, sell them to other people for either RL money or in-game).

It is obviously not possible to eliminate them all, but what do you suggest about techniques to catch and eliminate these cheaters?

What do you mean by fake account? One that is created and then spams and harasses users? I'd think that type of thing is better handled by catching and punishing the behavior rather than trying to stop the account creation in the first place.

Including but not limited to. In fact they are all multi accounts as well.

There are some ways relying on cookie and IP but I wonder if there are any other industry tips allowing heuristic scans.

There is only one solution that [i]really [/i]works, and it is harsh for business: A subscription that can only be paid with VISA (no PayPal, no PayByCash, or similar). It does not matter how much you charge, all that matters is that you can undoubtedly link several accounts paid via the same card number to a single narrow group of people. In times of "Verified by VISA", card number theft should be much less of an issue, too (unless the thief has their unlocked cell phone as well). If someone turns out to be a massive abuser, blacklist the card number.

The second best option is to require a unique email address which may not be Hotmail, Mailinator, Gmail, or another freemail provider. A verification link is sent to that address which enables the account. This will make life for the occasional cheater harder (though, not indefinitely), and will be no noticeable obstacle to a professional gold farmer / RMTer. Email addresses are easy to get (comparatively to, say, a new credit card number).

Any other solution, such as recording IP addresses or gathering metrics from the user's machine (which has privacy concerns) is bound to fail from the beginning. IP addresses change, hardware changes, several people use the same hardware, and many people share the same IP address within short time. Usually plugging the cable and putting it back in is enough to get a new IP address.

Note by the way that "multi account" alone is not necessarily bad (it can be, but it is not necessarily so), and it is sometimes well accepted. You should think twice before banning someone just for buying 3-4 accounts. To begin with, it might just be a family with two kids, and then you have to consider that if someone pays you 4 times as much money, it kind of is his darn right to run 4 toons, too. [i]It only begins to matter when the gameplay is disruptive to others[/i], which may sometimes be hard to decide upon.

[quote name='Katie' timestamp='1318851953' post='4873422']
I don't see how using cards helps very much; I have at least three VISA and two MASTERCARDs...

It doesn't seem that that would be particularly unusual.
[/quote]

Not to mention that I've bought three copies of some games, including Minecraft, using the same credit card (well, debit card) and for valid purposes (so myself and two siblings can play simultaneously). You might accidentally stop some legitimate sales if you do that.

Really, the best way (in my opinion) is just tie one account to one email address, have moderators quickly ban spammers (and maybe allow users to vote-spam-kick), and design the game so a single person using multiple accounts simultaneously doesn't get much advantage over another player only using one account.

Honestly, the point of multiplayer gaming is playing with friends and family first, and random internet strangers second. The likelihood of multiple [i]different [/i]and [i]legitimate [/i]users using the same IP address / computer / credit card is very good. The two siblings play a web-based trading-card game called 'Elemental', and do so from the same computer. Also, they rapidly cycle what computers they use (sometimes accessing it from our parents' laptops when they can't get on mine).

[i]Would you ban two legitimate customers because they both use the same machine?[/i]
[i]Would you ban two legitimate users because they suspiciously switch machines every few hours?[/i]
[i]What if both their accounts simultaneously seem to come from the same IP address (because it's behind a single router) will you ban them?[/i]
[i]What if both their accounts are paid for using the same credit card (because their parents or siblings bought the game for them) will you ban them?[/i]

Each of those should raise warning flags, but not result in instantly banning them, or even alert them that they are suspicious.
Ban for behavior, not environment. :) Regardless of [i]how[/i] they access your game, if they pay, let them play, unless they cause disturbance to the community (spamming, griefing, etc...). There is no substitute for moderation, though by all means help your moderators by automatically flagging suspicious behavior, recording chat logs, and other tools, but train your moderators to only ban for actual bad behavior not just suspicious behavior.

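The flag-but-do-not-ban approach from the post above, as an added example that is not part of any poster's message: accounts sharing an IP, card or device are linked so moderators can see them together, and a group reaches the review queue only once a member has behavior reports. The field names, sample data and report threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: environment signals and player reports per account.
ACCOUNTS = [
    {"id": "sib_a", "ip": "203.0.113.7", "card": "c1", "device": "d1", "reports": 0},
    {"id": "sib_b", "ip": "203.0.113.7", "card": "c1", "device": "d1", "reports": 0},
    {"id": "solo", "ip": "198.51.100.4", "card": "c9", "device": "d9", "reports": 0},
    {"id": "spam1", "ip": "192.0.2.10", "card": "c5", "device": "d5", "reports": 6},
    {"id": "spam2", "ip": "192.0.2.10", "card": "c5", "device": "d6", "reports": 4},
    {"id": "rude", "ip": "198.51.100.9", "card": "c7", "device": "d7", "reports": 5},
]
SIGNALS = ("ip", "card", "device")
REPORT_THRESHOLD = 3  # assumed: reports needed before a moderator is asked to look

def link_accounts(accounts):
    """Group accounts that share any environment signal (union-find)."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (signal, value) -> first account id seen with it
    for a in accounts:
        for s in SIGNALS:
            key = (s, a[s])
            if key in first_seen:
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]
    groups = defaultdict(list)
    for a in accounts:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values())

def review_queue(accounts):
    """Return (account_ids, reason) entries for moderators; never a ban."""
    by_id = {a["id"]: a for a in accounts}
    queue = []
    for group in link_accounts(accounts):
        if not any(by_id[i]["reports"] >= REPORT_THRESHOLD for i in group):
            continue  # shared environment alone stays an internal flag
        reason = "linked accounts with reports" if len(group) > 1 else "reports"
        queue.append((group, reason))
    return queue

if __name__ == "__main__":
    for entry in review_queue(ACCOUNTS):
        print(entry)
```

The two siblings sharing a machine and a card are linked but never queued, while both spam accounts surface together for a human decision.
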
First, thank you all for the replies. Player verification is a nice approach. Players can be asked for a verification payment via credit card or PayPal, or be asked to confirm by SMS.

But in some games, the player base is usually underage (i.e. has no credit card or such) or hesitant / reluctant to give personal details (SMS or credit card data). This can easily become a serious problem and have a strong negative impact. But still, a hybrid approach of allowing people to play until a certain level and then asking for some kind of confirmation may help.

For email, I don't think it is wise to block free email services as they are widely used but at least blocking quick email services like 10minutemail.com is a good idea.

And finally for cookie and IP tracking, I can imagine how hard it is to distinguish a legit family/university/company play from a gold farmer. These techniques may at least help for catching noob cheaters.

So two questions arise.

1 - ) Is banning usage of proxies logical? I mean, unless the player is from Iran or China or such a country where access is limited, there is no motive to use proxies, is there?

2 - ) Even if a player tries things like resetting the modem, i.e. changing IP, isn't it possible to have scripts doing heuristic scans to look for certain patterns? OK, it's ultra lame, but I noticed something like this in a game I play, where they catch multis by looking at whether they have the same password. It is lame, but you get the point. Using more sophisticated patterns, would it be possible to reduce it to an acceptable level?

I am pretty sure that most people are not banned because of the tiny probability (around 10%) that they might be legit; it would be suicide if legit people were mass banned. But I believe that there must be tools we can use.

[quote name='Katie' timestamp='1318851953' post='4873422']
I don't see how using cards helps very much; I have at least three VISA and two MASTERCARDs...


It doesn't seem that that would be particularly unusual.
[/quote]
You can get 3 VISA cards and 2 Mastercards, fine. Maybe you can get another two or three, fine. Who cares. It's beside the point.

[quote]Not to mention that I've bought three copies of some games[/quote]
Yes, and who cares. It's beside the point.

You can register 500 fake accounts in 15 minutes (or in around 30 seconds if you use a script) no problem. You can generate 500 fake mail addresses for the confirmation links in 15 minutes likewise.

You can [b]not [/b]get 500 new credit cards in 15 minutes. And that is [u]the one big difference[/u]. Use your second credit card if your first one is banned? Fine. Use your third card when the second is banned? Fine. But you can't do this forever, and at the same rate.

One won't catch someone creating 3 accounts that way, but this is not what you want anyway. The people you want are the ones who create 500 accounts and who disrupt the experience for others. You want to pinpoint the people who have a long negative record with your CSRs for abuse, cheating, scamming, and you want to make [i]their [/i]lives hard. You [i]don't want [/i]to punish someone for giving you a little extra money.

You said in the first post you are considering making a web based mmo and are worried about cheating via players having many accounts. If you have not started development it's simply not an issue. Solve it if it ever becomes one - more than likely you'll have no users. If you become successful you'll be in a position to select an appropriate solution, rather than speculating.

One suggestion is to create a UID for their account that is stored in the registry that can be accessed from any account created (local machine area). If they delete it from the registry then they lose their account including the master account. This way you know if it's coming from the same computer and if they have paid for multiple accounts then they can use the same UID (Unique ID) code for every account. This will bypass any privacy issues since you aren't collecting any info from their system other than the UID that was created for their copy of your game. That can be spoofed but only by those who know your code well enough to do that, especially if you tie their user accounts to that code (as in store the code server-side in their player files). Even if their IP changes the UID will not change.

[quote name='LancerSolurus' timestamp='1319355792' post='4875553']
One suggestion is to create a UID for their account that is stored in the registry that can be accessed from any account created (local machine area). If they delete it from the registry then they lose their account including the master account. This way you know if it's coming from the same computer and if they have paid for multiple accounts then they can use the same UID (Unique ID) code for every account. This will bypass any privacy issues since you aren't collecting any info from their system other than the UID that was created for their copy of your game. That can be spoofed but only by those who know your code well enough to do that, especially if you tie their user accounts to that code (as in store the code server-side in their player files). Even if their IP changes the UID will not change.
[/quote]

Players may connect to a browser-based game anywhere they want: at school, on their iPhone, at home, etc. It is not wise to rely on a UID which can also be lost in legitimate ways like an OS reformat. I think it will be risky to exchange safety with mobility. Thanks for the advice though.

[quote name='return0' timestamp='1319325876' post='4875472']
You said in the first post you are considering making a web based mmo and are worried about cheating via players having many accounts. If you have not started development it's simply not an issue. Solve it if it ever becomes one - more than likely you'll have no users. If you become successful you'll be in a position to select an appropriate solution, rather than speculating.
[/quote]

Well, that's the spirit :) "You have no game, i.e. no players to worry about, and even if you had a game, likely nobody would play, i.e. no need to worry. And even if you somehow manage to have some users, then there is a need to worry"

I can understand your point; there is not even one line of code, yet there is worrying about profits and mentions of a Travian-like game: it sounds unrealistic, like yet another wannabe, to me too :)

But still I think it is an issue that must be taken into consideration before starting development; otherwise it might cost time and money, which are very precious in the early stages.


PS : I am not working on Travvian or OuGame, it was just to give an idea.

Do not, do not, do not consider this issue before starting development! You will consume your most precious resource, which is inspiration, by working on a dry technical solution that cannot even be validated until you are successful. Better to rapidly iterate on the core product. Being popular with bad tech is a good problem to have. Even if you came up with a good solution now, it's inventory - your codebase carries it, and its weight - you might even break it. Solve problems when they are problems. Right now you have zero users - solve that!
