How to defend against users with Multiple Accounts?

Question

We have a service where we literally give away free money.

Naturally said service is ripe for abuse. To defend against this we do the following:

• log ip address

• use unique email addresses (only 1 acct/email addy)

• collect more info like st. address, phone number, etc.

• use signup captcha

• BHOs (I've seen poker rooms use these)

Now, let's get real here -- NONE of this will stop a determined user.

Obviously ip addresses can be changed via a proxy (which could be blacklisted via akismet) but change anyways if the user has a dynamic ip or if more than one user is behind a NAT'd network (can we say almost everyone?)

I can sign up for thousands of unique email addresses each hour -- this is no defense.

I can put in fake information taken from lists for street addresses and phone numbers.

I can buy captchas from captcha solving services (1k for $5).

bhos seem only effective for downloadable software -- this is a website

What are some other ways to prevent multiple users from abusing the service? How do all the PPC people control click fraud?

I know we could actually call the person but I don't think we are trying to do that anytime soon.

Thanks,

Answer 1

It's pretty difficult to generate lots of fake phone numbers that can send and receive SMS messages. SMS verification could go a long way towards cutting down on fraud. Of course, it also limits you to giving away free money to cell phone owners.

Answer 2

I think only way is to bind your users accounts to 'real world' information, like his/her passport number, for instance. Of course, you'll need to make sure that information is securely stored and to find some way to validate it.