(no subject)
Sep. 22nd, 2005 01:40 pm
Quick technical pondering: how do services like TimesSelect prevent people from "donating" their logins to services like BugMeNot? I mean, I suppose it'd be easy enough to track things like "how often is it used?" and "how many people use it at once?" and "how often does the IP change?" (though wireless coffee shops are making the latter a bad criterion, I suppose). The thing that's sticky (in my head) is that AFAICT they don't actually do this with normal logins (otherwise BugMeNot etc. wouldn't work), and the same login works for both activities. Might there just be a toggle like "check for abuse? (Y/N)" that would be set based on your TimesSelect status?
(no subject)
Date: 2005-09-22 06:57 pm (UTC)
To the best of my knowledge, there are sites that provide fraudulent passwords to paid sites (most notably paid porn sites), but they have to be pretty underground to survive, I'd guess, and the sites are on the lookout for it.
(no subject)
Date: 2005-09-22 07:00 pm (UTC)
Or they could do something like Blogger does, where logging in from any computer automatically logs out any other that is also logged in. It's only mildly annoying for legitimate users, and it doesn't really stop people occasionally sending their friends an article and saying "use these login details" (which I imagine they're not too worried about, since it's only a small step from "I'll lend you my copy of the magazine"), but it would make BugMeNot impractical.
(no subject)
Date: 2005-09-22 07:25 pm (UTC)
One common trick is to note down the IP and set a cookie in the user's browser. Then look for the number of times that both IP and cookie change. This deals with computers that are getting bounced around a bunch of IP addresses, e.g. on a wireless network, and with one user using a couple of browsers on the same computer or computers in the same household.
If that number gets too high, the account might be flagged as possibly shared, and be subject to a bit of extra scrutiny. If an account is flagged as suspicious, one can then do more resource-intensive checks on it -- for instance, use one of the many services that will for a small fee attempt to map an IP to a geographic area, and see if a client leaps about at more than, e.g., the speed of sound.
But for a cheap service, that heightened scrutiny will almost never be worth it.
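The two-stage check described in the comment above, as an added sketch that is not part of the original thread: a cheap counter of logins where both IP and cookie change, followed by a speed-of-sound test only for accounts that cross the threshold. The threshold, the `GEO` table (a constructed stand-in for a paid IP-geolocation service) and the login histories are assumptions made for illustration.

```python
from math import asin, cos, radians, sin, sqrt

SPEED_OF_SOUND_KMH = 1235.0  # roughly 343 m/s at sea level
CHANGE_THRESHOLD = 3         # assumed cutoff for "too high"; tune per service
# Constructed stand-in for an IP-geolocation lookup: IP -> (lat, lon).
GEO = {"192.0.2.10": (40.71, -74.01), "192.0.2.77": (40.73, -73.99),
       "198.51.100.5": (51.51, -0.13), "203.0.113.9": (35.68, 139.69)}
# Constructed login histories as (seconds, ip, cookie).
ROAMING = [(0, "192.0.2.10", "A"), (3600, "192.0.2.77", "A"), (7200, "192.0.2.10", "A")]
SHARED = [(0, "192.0.2.10", "A"), (600, "198.51.100.5", "B"),
          (1200, "203.0.113.9", "C"), (1800, "192.0.2.77", "D")]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def joint_changes(events):
    """Cheap check: count consecutive logins where BOTH IP and cookie differ."""
    return sum(1 for p, c in zip(events, events[1:])
               if p[1] != c[1] and p[2] != c[2])

def impossible_hops(events, geo=GEO):
    """Expensive check: hops whose implied speed exceeds the speed of sound."""
    hops = []
    for p, c in zip(events, events[1:]):
        if p[1] not in geo or c[1] not in geo:
            continue  # unmappable IP gives no evidence either way
        hours = (c[0] - p[0]) / 3600.0
        km = km_between(geo[p[1]], geo[c[1]])
        if km > 0 and (hours <= 0 or km / hours > SPEED_OF_SOUND_KMH):
            hops.append((p[1], c[1]))
    return hops

def assess(events):
    """Run the counter on every account; geolocate only flagged ones."""
    events = sorted(events, key=lambda e: e[0])
    n = joint_changes(events)
    flagged = n >= CHANGE_THRESHOLD
    return {"changes": n, "flagged": flagged,
            "impossible": impossible_hops(events) if flagged else []}
```
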
(no subject)
Date: 2005-09-23 03:08 am (UTC)