

Ask HN: limiting new account registrations - evancaine

For a project I'm working on I need to make sure as far as possible that users are not able to signup multiple accounts. The most obvious way to do this would be to ask for credit card details then charge &#38; refund a small 'verification' amount.<p>However, I'm in the UK &#38; having a hard time getting a merchant account because I don't have a business bank account, nor do I want one yet if I can help it because it's extra overhead and I want to launch a beta soon.<p>another option would be to use an SMS web service to send a confirmation code to a users mobile phone - not as stringent as a CC check but I'd use it as a last resort.<p>can anyone suggest an alternative?<p>evan
======
JimmyL
If you're really that concerned about multiple users, I think doing the CC
check would be the way to go.

The larger question I think you should be asking, however, is why this
guarantee is so important. You're setting up a huge barrier to new sign-ups -
if I came upon a site asking for my CC details, even if it was through PayPal,
it would take a hell of a lot for me to move forwards and not lose interest in
the service. So you had better make sure that your product is so compelling
that it will cause your users to get up from their computers, go get their
wallet, and give you their CC number; be warned, this is one hell of a
threshold. If you've gone that far, however, I wouldn't bother refunding the
money - almost all users who you've engaged enough to get their credit card
number won't mind giving you a nickel or so for your services, which you'll
probably need to cover the costs of your CC fees anyways. If you do this, I'd
100% go with PayPal - it's easy, and it provides me (the user) with some
degree of reassurance that you're not just going to steal my CC number.

Even if you do this, however, you still need other checks. I have three
different credit cards, all hooked to different addresses and with using
different variations of my name. Many banks allow users to generate one-time
credit card numbers for online purchases. Multiple people could live at the
same address and have cards, and they could even have the same names (like
when sons are named after their fathers). Don't forget to analyze how
important it is not to have duplicated, or conversely, how much of a problem
it would be to have them - as this gets higher, you're going to have to make
some tradeoffs (for example you could make a rule that says only one
registration per household, and accept that you'll be losing out on users
where there is more than one party in the household who wants to use your
service).

As a point of comparison, the last service that I signed up for that needed
this severe of a uniqueness guarantee - the old ICANN@large, anyone? - did a
web-based signup, which led to a code getting mailed to you. Additionally,
they restricted it to one-signup-per-household, and didn't accept PO boxes.

Bottom line is that this is a difficult problem, which generates a very high
barrier to entry. So if you've done the analysis and concluded that it's 100%
necessary to do this, you may as well embrace it and charge a bit.

~~~
evancaine
thanks everyone for your comments. JimmyL, you make some very valid points and
this is a route I'm taking hesitantly. I should have made it clear in my
original post why I need to restrict signups in this way. I'm making a trading
platform for users to buy & sell collectible items from a certain niche.
Without limiting new accounts, there's little to stop someone creating
multiple accounts and engaging in fake transactions in order to bump up their
feedback, especially during the beta because I won't be charging any fees.

------
barryrandall
Generally speaking, if somebody wants multiple accounts, they can get them
easily enough. It would help to know a little bit more about why you're trying
to block multiple signups.

I'm in the US, and I write checks to my customers. We're required to submit
information to the IRS on a quarterly basis, so we collect payee
identification, which is either a Social Security number or Employer
Identification Number. It's one thing to lie to an Internet company, its
another to lie to the IRS. That discourages a lot of people from trying to
game the system. Perhaps there's a similar mechanism available in the UK.

Focus on detection. Scoring new accounts for possible/probable fraud, and
flagging them for review works wonders. Scaling this approach requires more
human effort, but it's worth it when you get in to large dollar amounts.

It also helps to have some leverage in your terms of service.

------
jsz0
SMS isn't a very good solution. Only slightly better than a simple e-mail
verification. There are a number of services that would allow someone to
receive texts on unique phone numbers. I'm assuming you have a good reason to
limit accounts which means inevitably someone thinks they have a good reason
to get around your limit.

This might be a silly suggestion but I would prefer, as a user, to be asked to
submit a photograph of myself holding up a sign with some unique keyword you
generate when the user attempts to signup. I honestly think this is less off
putting than exchanging CC information. Depending what type of site you're
doing it could actually be a fun mysterious way to promote it.

------
johnnybgoode
Why is the SMS confirmation code method less stringent than a CC check?

~~~
brk
I think he means lower barrier to entry, he can do that without needing to
sign up with any 3rd party.

------
joez
Maybe an email account that should be unique... i.e. a school or employer?
@google.com or @berkeley.edu. Although people might have multiple
schools/employers or a mix of both. This also might not work for certain
demographics (ones without email!) but I am not sure who your audience is.

~~~
gus_massa
It is very easy to create another temporal email address
[http://mailinator.blogspot.com/2008/08/dear-world-email-
addr...](http://mailinator.blogspot.com/2008/08/dear-world-email-addresses-
are-not.html)

~~~
joez
Oh I wasn't talking about like a @gmail, @yahoo, especially not @mailinator
address but one that would be unique to your employer or school. Most schools
only allow it's students (and only it's students) to have one address. Most
employers are the same way. It would take some doing but it wouldn't be
impossible to compile a list of all the .edu's and large companies.

------
ScottWhigham
The only way I know of to prevent duplicate accounts is to give people a code
to redeem that is tied to a physical address. In other words, mail them a post
card with a redemption code on it and only mail one card to one address. I'm
sure this can be readily abused too though!

~~~
icey
I could have a card sent to my house, my work, my parent's house, my brother's
house, a PO box, my neighbor's house, etc.

------
udfalkso
This is almost certainly overkill, but you can do what Google does for
services like adsense. They deposit a small amount of money in your bank
account, like $0.02 and then you have to tell them what the amount was for
verification.

------
donw
Out of curiosity, why is it so important to prevent users from signing up
multiple times? Is it a scaling issue, or...? I ask, because there may be an
alternative (and less invasive) way of reaching the same goal.

------
rms
In the USA it's really easy to get a business bank account. Just go into the
bank and tell them you want a business bank account and they will set you up
with a free business account. Is it harder in the UK?

~~~
dazzawazza
Nope, I went to abbey national (it's called santander now I think) and I get
free business banking for life.

I'm not recommending them, just saying it is possible. All you need is a few
forms of ID.

------
anamax
> For a project I'm working on I need to make sure as far as possible that
> users are not able to signup multiple accounts.

For your convenience or theirs?

------
johnnybgoode
Actually, if you want to be _really_ stringent, you should charge a small fee
without any refund. I take it you don't want to go that far, though.

------
notaddicted
I have 2 credit cards.

~~~
joez
He could request the billing address, I believe, and cross reference that. Of
course you might have 2 billing addresses as well...

~~~
cperciva
... or there might be two family members who live at the same address.

~~~
JimmyL
You can also change your billing address easily with most credit cards - if
nothing is being mailed to me (and I'm determined to get past this check),
what makes me enter a real address I have access to for it?

As for names, it's somewhat common - two of my credit cards are firstinitial
lastname (as opposed to firstname lastname), and I happen to share
firstinitial with my father. I've got a friend who was named after his father
(firstname lastname III), but who doesn't use the generation suffix for
anything aside from his passport.

------
anigbrowl
Paypal?

~~~
jsz0
Probably the most practical hands off approach to it. Their verification
system is annoyingly hard to get around. (although I think they have eased up
on it lately)

