

Ask HN: How do you verify the identity of your users? - rschmukler

I am working on a website that runs contests. We need to confirm that users map to real people to avoid cheating on contests. Obviously email confirmation is a way, but easily scammed.

Twitter or FB login are possible, and I could even see when the account was created to ensure that they didn't just make it to scam my site's registration, but I am worried about scaring users away with it.

What do you recommend?
======
rogerbinns
Note that you don't really need to confirm everyone who participates, only
people who win. You should make it clear that should someone win you will go
full forensic on them. Providing you've saved enough data you can go back and
correlate their activity with similar activity to see if cheating appears to
have happened. You can do investigation with humans which makes attacks harder, and
also scales (you only need to investigate the limited number of winners rather
than all participants).

As 0xEA mentioned you can go network effect on them too. For example you can
require that winners had Facebooked/Tweeted something at the time of their
entry. When someone wins you can go back and check that, which means that
someone cheating would have to do so with lots of dummy accounts. And of
course the messages form advertising for your contests.

You can also make them nominate FB/Twitter friends to share their prizes
should they win at entry time. Again this makes life a lot harder to cheat as
it gives your win investigations more to work with.

------
patio11
If you have a working solution to that problem, stop working on contests and
proceed directly to IPO.

------
jilt
Make them upload a picture of themselves next to today's newspaper, where
today's date is legible, and you need to be able to verify the paper is legit.
That would be possible but not easy at all to fake.

The second best way is credit card, and use a third-party service that doesn't
require you to store any cc info locally.

Unfortunately, people have more than one cc, more than one email, and you
can't ask for ssn, but even if you could, that isn't guaranteed to be unique:

[http://ssa-custhelp.ssa.gov/app/answers/detail/a_id/79/~/req...](http://ssa-custhelp.ssa.gov/app/answers/detail/a_id/79/~/request-for-a-different-social-security-number)

DNA is unique, but that is too expensive and can be faked unless checked
immediately, and depending on type of test, can be faked even in person if
blood not taken (difficult to fake otherwise), and can't do online.

Vocal recognition for determining whether a user is unique and for relogin
later can be faked online easily.

Visual recognition online may be decent way to do it, but probably too
expensive, and could be faked by someone holding up someone else's picture, or
a video of someone from YouTube (although could check for artifacts indicating
is from video source).

Retinal scan can be faked.

Gait + body/facial recognition isn't too bad, but you can't do that online.
That is what the government uses with street cameras in cities, etc.

~~~
loumf
You don't have to do a newspaper. Generate a one-time, expiring string, like
"Q8uZ3" -- they have to write it on a card and take a picture of their face
with the card underneath. They have 30 minutes before it expires.
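
The one-time, expiring code described in the comment above, as an added example that is not part of the original thread: a server-side store that issues a short code per user and accepts it once, within 30 minutes. The class name, the reduced alphabet, and the burn-on-wrong-guess policy are assumptions made for this sketch.

```python
import hmac
import secrets
import time

# Assumption: drop look-alike characters (0/O, 1/I/L) because the code is
# hand-written on a card and read back from a photo.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
TTL_SECONDS = 30 * 60  # the 30-minute window from the comment


class PhotoChallenges:
    """In-memory store holding one pending challenge per user (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # user_id -> (code, expires_at)
        self._clock = clock

    def issue(self, user_id, length=5):
        # secrets (CSPRNG), not random: the code must be unpredictable.
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Issuing again replaces any older challenge for the same user.
        self._pending[user_id] = (code, self._clock() + TTL_SECONDS)
        return code

    def redeem(self, user_id, code_read_from_photo):
        """Return True only once, for the right user, inside the window."""
        # pop() makes the code single-use and burns it on a wrong guess,
        # so a 5-character code cannot be brute-forced against one challenge.
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        submitted = code_read_from_photo.strip().upper()
        # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
        return hmac.compare_digest(submitted.encode(), code.encode())
```

The code only proves the photo was taken after the challenge was issued; whether the face in it belongs to a distinct real person is still a human review step.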

------
dmm
A credit card number would be hard to fake.

A scanned pic of govt id that matches a name would work too.

~~~
EvanKelly
If high schoolers have access to scannable fake IDs, then I'm not sure a
scanned pic of an ID is really suitably difficult to fake.

I agree that CC numbers are probably a good way forward as long as your users
trust your site enough to provide that information.

Are CC numbers easier to "name check" than SSNs?

~~~
joshschreuder
High schoolers also have a larger net gain to faking their ID (years more
drinking and partying), as opposed to winning a competition online.

But I guess it depends on the competition (eg. a digital camera vs. a car
would provide different levels of motivation to cheat)

------
0xEA
You could use the PGP endorsement model. Network effects should work out
decently.

------
alagappanr
How about an SMS verification code sent to the user's mobile phone?

~~~
jrockway
Mobile phones are $30 at your nearest bodega.

~~~
joshschreuder
Meaning that multiple entries are very cost-prohibitive. If you want to enter
100 times with Facebook, you can buy 100 Facebook accounts for much cheaper
than the $30 * 100 mobile phone cost.

~~~
jrockway
In that case, you can just get a VOIP number for 8 cents or whatever.

~~~
shawndrost
It might be possible to prevent this. Craigslist somehow detects when you use
a Twilio number.

