Limit Account Sharing


sub_ubi
07-29-2005, 06:03 PM
Can anyone think of a way to limit massive account sharing?

By massive, I mean 30 - 40 people using the same username/password within 10 minutes. I



I don't even know if that could be made into a hack. Can anyone think of any other ways to limit account sharing?


Edit: update, an attempt was made in 2006 for vbulletin 3.5!
https://vborg.vbsupport.ru/showthread.php?t=109315

It doesn't work now, but at least we know it's possible.

Andreas
07-29-2005, 06:21 PM
It is impossible that 2 individuals are using the same account at the same time.

sketch42
07-29-2005, 06:34 PM
It is impossible that 2 individuals are using the same account at the same time.

?.. I'm logged into my account from 2 diff IPs all the time... what do you mean?

sub_ubi
07-29-2005, 11:29 PM
Yeah, people on my forums share accounts all the time. It is possible.

JohnBee
07-29-2005, 11:46 PM
When two different IP's are accessing the same account at the same time:
1) they are both logged out
2) the password is changed
3) an email is sent to the account owner explaining that his account may be compromised and requesting he change the password


That is an awesome idea! put me on the beggars list of this (must have)

Brinnie
07-30-2005, 12:19 AM
It is impossible that 2 individuals are using the same account at the same time.

That is correct.

Chris M
07-30-2005, 01:20 AM
It is impossible that 2 individuals are using the same account at the same time.

It is possible - I have done this myself from home and at University :)

Satan

Andreas
07-30-2005, 03:53 AM
It is possible - I have done this myself from home and at University :)

Satan
Then please explain to me how on earth 2 HTTP Requests can arrive at the same time, keeping in mind that IP is a serial communication Protocol ...

It is impossible!

Chris M
07-30-2005, 10:51 AM
By "the same time" I presume you mean simultaneously...

If so, I was logged in both at home (via direct connection) and at Uni (different IP) and was browsing my board under my username on both browsers...

If you mean at the exact same instance in time, I doubt that anyone could do that precisely...

Satan

sub_ubi
08-01-2005, 02:02 AM
Then please explain me how on earth 2 HTTP Requests can arrive at the same time, keeping in mind that IP is a serial communication Protocol ...

It is impossible!

Alright, since the exact same time is impossible, within a set amount of seconds.

Just something to stop excessive sharing, like other sites do.

sub_ubi
08-13-2005, 05:26 PM
Any ideas? I'd move this to paid requests, but I don't even know what to ask for as I have no idea if it's even possible.

StarBuG
08-15-2005, 11:29 AM
If you reset the password after a different IP accesses an account that was previously used by another IP you don't take dial up users into account.
My DSL connection is separated after 24h.
When I am browsing the forum and get disconnected I reconnect immediately with a new IP.

In that case nearly every day I would need to change my password so I doubt that this would be a good idea.

You could write a script that detects if a forum cookie for another account is already set and if that is the case then notify an admin about possible account sharing.

StarBuG

sub_ubi
08-23-2005, 10:10 PM
If you reset the password after a different IP accesses an account that was previously used by another IP you don't take dial up users into account.

So you're saying it's impossible to detect account sharing due to dynamic ip's?


I still say it's possible. There are many sites out there that can tell when accounts are being shared by checking IP's.

How about this: check if there have been 5+ different IP's accessing the account within a certain amount of time - say 20 seconds. Unless DSL or dialups switch IP's every few seconds this should work fine.

Andreas
08-23-2005, 10:15 PM
There are many sites out there that can tell when accounts are being shared by checking IP's.

They can't (under the condition the Users don't have certificates on secure devices).
They can only assume - with a good or bad ratio of false decisions.

b6gm6n
08-23-2005, 10:28 PM
This is what you want to avoid > I can login right now as admin...then go down the road to my friends house, find my forum and again without any questions login as admin...so we got two admins on different pc's using the same account doing different things.... hmmmmm don't like that me thinks...so here's an idea >

once a user is logged in and then if another login attempt on the same (logged in account) takes place, a simple check should reveal that if already logged in (as shown on the WOL section) then refuse them at the gate with a "your already logged in mate!" screen.... easy!

-b6

Andreas
08-23-2005, 10:32 PM
Hmm ... you log in, then you have a line failure and get disconnected after a few seconds.
You dial in again, get a new IP ... and must wait 15 minutes to continue.

Would really p*ss me off.

Also, what about AOL Users?
AOL uses a Proxy Cluster, so every request from an AOL User might come in with a different IP => new Session all the time.

*more problems to add here*

Brad
08-23-2005, 10:37 PM
This is what you want to avoid > I can login right now as admin...then go down the road to my friends house, find my forum and again without any questions login as admin...so we got two admins on different pc's using the same account doing different things.... hmmmmm don't like that me thinks...so here's an idea >

once a user is logged in and then if another login attempt on the same (logged in account) takes place, a simple check should reveal that if already logged in (as shown on the WOL section) then refuse them at the gate with a "your already logged in mate!" screen.... easy!

-b6

This could work, assuming the account owner could kill the current session. Think IRC and ghosting.

Andreas
08-23-2005, 10:41 PM
Yeah. But how would you identify if the "Account Owner" is trying to kill the old Session?
The only thing that comes up my mind are shared secrets (if the Users don't have certificates or you can do biometrical identification) - and then we've gained nothing :)

Brad
08-24-2005, 01:51 AM
Agreed, that would rely on a second password and it can be shared just like the other one. Users on proxies would also be bad (AOL comes to mind).

I'm sure it's possible, but I honestly don't see why it is worth coding because anything you do can be gotten around. If you figure out how to do it all on the server side you are still burning clock cycles that can be better used elsewhere.

This type of problem is best done by humans imho, sure you can only catch them after the fact. But I'd rather do that than turn away possible members because my code thinks they are browsing from two separate locations. :)

sub_ubi
08-24-2005, 07:41 AM
Hmm ... you log in, then you have a line failure and get disconnected after a few seconds.
You dial in again, get a new IP ... and must wait 15 minutes to continue.

Would really p*ss me off.

Also, what about AOL Users?
AOL uses a Proxy Cluster, so every request from an AOL User might come in with a different IP => new Session all the time.

*more problems to add here*

haha kirby you're such a buzzkill. Do you have any ideas for a way that would work, or have any idea how other sites do it?

I don't care if 2 or 3 people are sharing, I just want to stop 10+ people using the same account.

Marco van Herwaarden
08-24-2005, 11:57 AM
They usually use some calculation of the number of different IPs (or subnets) in a certain period of time. If that is higher than a set limit, it is assumed that it will be a share.

This works fine for porn sites for example where if an account is shared, immediately hundreds of people from all over the world try to use it.

Andreas
08-24-2005, 12:01 PM
That's what I always tried to point out: You cannot detect if an account is being shared, you can only assume it, and this assumption might be good or bad, depending on your algorithms.

Marco van Herwaarden
08-24-2005, 12:29 PM
@Kirby,

If you are so depressed all the time, what is that smile doing on your face.

sub_ubi
08-24-2005, 08:53 PM
Thank you both. If I can gather the money I'll probably put this in paid requests.

FrozenCreations
08-25-2005, 12:04 AM
ok, me being an admin, (well, I'm guessing we all are, lol) I have so many accounts on my site, it would drive you insane!) I log onto all kinds of accounts, I see no need for this /;

CMX_CMGSCCC
08-29-2005, 01:59 AM
What I would do is something like this: (It would not be full proof, but it would be a good start)

1) Save all of the IP's that a user logs in from. (I believe the vB does this already now.) You could add a number of times each IP has logged into that account as well to see which ISP is the most used.
2) Check if there is multiple sessions with the same username. If there is more than 3, start the extra check in number 3.
3) Check if the IPs are close together, or far apart. (i.e. make sure the xxx.xxx.*.* parts match up or are very close. (Even resolve the hostname to see if it's the same ISP but a different IP address because it was dialed in.)
4) Have a check in to set the account to banned if it detects x number of sessions logged in the time period of y. (Both x and y would be settings that the owner can set.)
5) If it detects say over 20 ISP's of the account and all are different ISP's, ban the account automatically.

I think with the above stipulations, you could catch a number of accounts on www.bugmenot.com for example. You might get some legitimate users here and there, but some of the Untachy hacks I have seen would hit some legitimate users sometimes too I think.

-CMX

sub_ubi
10-12-2005, 09:38 PM
What I would do is something like this: (It would not be full proof, but it would be a good start)

1) Save all of the IP's that a user logs in from. (I believe the vB does this already now.) You could add a number of times each IP has logged into that account as well to see which ISP is the most used.
2) Check if there is multiple sessions with the same username. If there is more than 3, start the extra check in number 3.
3) Check if the IPs are close together, or far apart. (i.e. make sure the xxx.xxx.*.* parts match up or are very close. (Even resolve the hostname to see if it's the same ISP but a different IP address because it was dialed in.)
4) Have a check in to set the account to banned if it detects x number of sessions logged in the time period of y. (Both x and y would be settings that the owner can set.)
5) If it detects say over 20 ISP's of the account and all are different ISP's, ban the account automatically.

I think with the above stipulations, you could catch a number of accounts on www.bugmenot.com for example. You might get some legitimate users here and there, but some of the Untachy hacks I have seen would hit some legitimate users sometimes too I think.

-CMX


That would be a very nice hack.

To make it simpler, just check the domain. If more than x domains are logged into the same account over a period of y, do z.

"z" doesn't have to be automatically banning the account, changing the pass, or anything drastic. It could simply make a note in a text file for an admin to read.

Smiry Kin's
12-18-2005, 09:48 PM
If you reset the password after a different IP accesses an account that was previously used by another IP you don't take dial up users into account.
My DSL connection is separated after 24h.
When I am browsing the forum and get disconnected I reconnect immediately with a new IP.

In that case nearly every day I would need to change my password so I doubt that this would be a good idea.

You could write a script that detects if a forum cookie for another account is already set and if that is the case then notify an admin about possible account sharing.

StarBuG

The guy was stating that if ppl log in at the same time... dial up, would mean disconnecting.. therefore logging back in. new IP etc.. only 1 user logged in..

Zxin
12-19-2005, 06:55 PM
Over a 10 minute period of time you get http requests from 3 or 4 different IP addresses, I think that most people would say that is worth looking in to, so then FLAG the account.

Let me be specific that the requests continue over the time period,
not IP1 for 10 minutes then IP2 then IP3 then IP4, but a mix of requests.

A simple whois to check if the IP block belongs to the same ISP and then you KNOW it's being shared (especially if you are talking say east coast and west coast IPs). (This can be done with a nightly cron job, or even on the fly depending on severity thresholds)

Quite possible to detect, since you are using authenticated access.
Remember its not that an account "changes" IPs its simultaneous requests.
A user with 10 requests per minute over 2 IP addresses for 10 minutes sure the heck IS sharing accounts :) (unless the ISP has some real elaborate load sharing proxy, but in this case you can rely on whois lookups)

1. VBB detects more than X IP addresses per username in X seconds, and flags the account.
2. Log parser kicks in for flagged accounts and strips out username/IP data and does a whois and checks for IP ownership, and outputs an email to the forum staff (keeps false positives down)
3. Automated step via threshold that says if X IPs in X hours (and whois data not matching) then start the actions placed in the plugin (admin can set anywhere from flag and email to shutdown the account (heck launch a nuke if you have that kind of access :P)

-Zxin

That's what I always tried to point out: You cannot detect if an account is being shared, you can only assume it, and this assumption might be good or bad, depending on your algorithms.
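The counting heuristic described in CMX's list, in Marco's "number of different IPs or subnets in a period" summary and in Zxin's three steps above can be written down as one small detector. The following is an added example in Python, not code from this thread or from vBulletin. It assumes a whois-style owner lookup, which is replaced here by a constructed network-to-owner table (`ASSUMED_NETWORK_OWNERS`) with CMX's xxx.xxx.*.* (/16) heuristic as the fallback; the request logs, thresholds and owner labels are all constructed for the demonstration. The interleaving test is what separates Zxin's "mix of requests" from a dial-up reconnect or a sequence of IPs.

```python
# Added example (not from the thread or vBulletin): sliding-window detector for
# "too many different networks on one account, interleaved, within a short period".
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    username: str
    ip: str
    ts: float  # seconds; any monotonic clock will do


# Stand-in for a whois / ISP lookup. A real deployment would use a cached whois
# or an ASN database; these networks and owner labels are constructed.
ASSUMED_NETWORK_OWNERS = {
    "203.0.113.0/24": "isp-east",         # pretend dial-up pool (IP changes on reconnect)
    "192.0.2.0/24": "aol-proxy-cluster",  # pretend proxy cluster (IP changes per request)
}


def network_owner(ip: str) -> str:
    """Map an address to the organisation owning its block.

    Falls back to the /16 (the thread's xxx.xxx.*.* heuristic) when the block is
    unknown, so two unrelated addresses still count as different owners.
    """
    addr = ipaddress.ip_address(ip)
    for net, owner in ASSUMED_NETWORK_OWNERS.items():
        if addr in ipaddress.ip_network(net):
            return owner
    return "unknown-" + str(ipaddress.ip_network(f"{ip}/16", strict=False))


class SharingDetector:
    def __init__(self, window_seconds=600, flag_owners=3, lock_owners=10):
        self.window = window_seconds
        self.flag_owners = flag_owners  # more owners than this -> flag for staff
        self.lock_owners = lock_owners  # more owners than this -> stronger action
        self._history = defaultdict(deque)  # username -> deque of (ts, owner)

    def observe(self, req: Request):
        """Record one request; return a verdict dict, or None when nothing is suspicious."""
        hist = self._history[req.username]
        hist.append((req.ts, network_owner(req.ip)))
        cutoff = req.ts - self.window
        while hist and hist[0][0] < cutoff:  # drop requests outside the window
            hist.popleft()
        entries = list(hist)
        owners = {owner for _, owner in entries}
        switches = sum(1 for a, b in zip(entries, entries[1:]) if a[1] != b[1])
        # A reconnect or a sequence of networks (A A B B C C) changes owner fewer
        # times than there are owners; simultaneous use (A B A C B) revisits one,
        # so the owner changes at least as often as there are distinct owners.
        interleaved = switches >= len(owners)
        if len(owners) <= self.flag_owners or not interleaved:
            return None
        action = "lock" if len(owners) > self.lock_owners else "flag"
        return {"username": req.username, "distinct_owners": len(owners),
                "switches": switches, "action": action}


def scan(requests, **settings):
    """Feed requests in timestamp order; return the strongest verdict per username."""
    rank = {"flag": 1, "lock": 2}
    detector = SharingDetector(**settings)
    worst = {}
    for req in sorted(requests, key=lambda r: r.ts):
        verdict = detector.observe(req)
        if verdict and rank[verdict["action"]] > rank.get(worst.get(req.username, {}).get("action"), 0):
            worst[req.username] = verdict
    return worst


def constructed_samples():
    """Constructed traffic patterns matching the cases raised in the thread."""
    reconnect = ([Request("alice", "203.0.113.5", t) for t in range(0, 300, 30)]
                 + [Request("alice", "203.0.113.77", t) for t in range(300, 600, 30)])
    proxy = [Request("bob", f"192.0.2.{i}", i * 20) for i in range(1, 30)]
    sequential = [Request("dave", f"100.{70 + k}.1.1", k * 120 + j * 30)
                  for k in range(4) for j in range(4)]
    sharers = ["100.64.1.1", "100.65.1.1", "100.66.1.1", "100.67.1.1", "100.68.1.1"]
    shared = [Request("carol", sharers[i % 5], i * 15) for i in range(40)]
    lock = [Request("eve", f"100.{80 + i % 12}.1.1", i * 10) for i in range(24)]
    return {"reconnect": reconnect, "proxy": proxy, "sequential": sequential,
            "shared": shared, "lock": lock}


if __name__ == "__main__":
    for name, reqs in constructed_samples().items():
        print(name, scan(reqs) or "no verdict")
```

The "flag" verdict is sub_ubi's "make a note for an admin" step and "lock" is the stronger threshold-driven action; what the forum does with each is a setting, not something the detector decides.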

Borgs8472
12-19-2005, 07:10 PM
Also, what about AOL Users?
http://www.torrentforge.com/trekbbs.co.uk/AOL_AD.GIF

cheznoir
12-27-2005, 06:20 AM
Why not also add a check for a temp cookie? That would maintain itself on each computer regardless of the dynamic ip change, but would have to be unique per machine.

Give it a period where if it switches back from one temp cookie to another too quickly, you knock out one account, keep the older active. Keep doing it.
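The per-machine cookie cheznoir suggests only helps if a sharer cannot mint or copy a plausible cookie, so it needs to be random and signed by the server. The following added example in Python (not code from this thread or from vBulletin) issues such a device cookie, verifies it with an HMAC, and counts distinct active devices per account in a sliding window; the server secret, window and device limit are constructed for the demonstration.

```python
# Added example (not from the thread or vBulletin): signed per-device cookie plus
# a per-account count of distinct devices seen within a sliding window.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret-rotate-in-production"  # constructed


def issue_device_cookie(secret=SERVER_SECRET):
    """Create a random device id and sign it so a forged or edited id is rejected."""
    device_id = secrets.token_urlsafe(16)
    tag = hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def verify_device_cookie(cookie, secret=SERVER_SECRET):
    """Return the device id if the signature checks out, otherwise None."""
    if not cookie or "." not in cookie:
        return None
    device_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(expected, tag) else None


class DeviceTracker:
    """Track which devices used an account recently, independent of the client IP."""

    def __init__(self, window_seconds=600, max_devices=3):
        self.window = window_seconds
        self.max_devices = max_devices
        self._seen = {}  # username -> {device_id: last_seen_ts}

    def observe(self, username, cookie, now):
        """Return (cookie_to_set, flagged). A missing or bad cookie gets a fresh one."""
        device = verify_device_cookie(cookie)
        if device is None:
            cookie = issue_device_cookie()
            device = verify_device_cookie(cookie)
        devices = self._seen.setdefault(username, {})
        devices[device] = now
        # Forget devices idle for longer than the window (the dial-up reconnect
        # keeps its cookie, so it is the same device with a new IP).
        active = {d: t for d, t in devices.items() if now - t <= self.window}
        self._seen[username] = active
        return cookie, len(active) > self.max_devices


if __name__ == "__main__":
    tracker = DeviceTracker(window_seconds=600, max_devices=2)
    cookies = [issue_device_cookie() for _ in range(3)]
    for cookie, t in ((cookies[0], 0), (cookies[0], 10), (cookies[1], 20), (cookies[2], 30)):
        print(t, tracker.observe("alice", cookie, t)[1])
```

Clearing cookies simply makes a browser look like a new device, so this raises the bar rather than proving anything; it is a second signal to combine with the IP-based count, not a replacement for it.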

sub_ubi
05-31-2007, 01:28 AM
bump, update!

Alfa1
12-07-2007, 11:02 AM
Just use their web form to block your site and you are done as far as sharing accounts is concerned. Though there will likely be more services like these.

Quarterbore
12-30-2007, 05:47 AM
I need something like this as well and I will try to work on something to detect this soon. :mad:

ewelin
04-25-2008, 12:58 PM
Hello,

Just curious if anyone ever developed this or is working on it. I am a webmaster for a site which requires subscriptions in order to access the content. I'm looking to make sure that a username is not being shared between multiple people... I found this topic and was hopeful something like this already existed. If it doesn't exist I would even consider a paid request.

b6gm6n
04-25-2008, 01:04 PM
Hello,

Just curious if anyone ever developed this or is working on it. I am a webmaster for a site which requires subscriptions in order to access the content. I'm looking to make sure that a username is not being shared between multiple people... I found this topic and was hopeful something like this already existed. If it doesn't exist I would even consider a paid request.

Have you tried 'multiple login detector'? might help... sends an email or a PM to admin upon one person logging in with different user names, might be a key there

ewelin
04-25-2008, 01:18 PM
That's the exact opposite of what I'm looking for. I don't care if someone is logging onto the site with multiple usernames as that means they are paying multiple subscriptions. What I'm concerned with is a user who pays a subscription fee, then gives his buddies the account info so both of them can log into the site at the same time. I need to be able to protect against multiple people using one user account. Not one person using multiple user accounts.

b6gm6n
04-25-2008, 02:06 PM
Right, yeah... ok... then each user must be uniquely identified using ip addresses perhaps, if the same ip is used with the username & password it works... different ip...same username & password... no entry! - but there's a problem with that... many users have shared ip's and ranges... hmmm

ewelin
04-25-2008, 02:20 PM
Which was discussed previously...

https://vborg.vbsupport.ru/showthread.php?p=852453#post852453

ewelin
06-06-2008, 04:58 PM
So does anyone know if this exists or is willing to create it?

chronoshift
06-13-2008, 04:16 AM
I really cannot figure out why there isn't a shared login detector built-in or mod....

ewelin
06-13-2008, 10:01 AM
I agree completely with you chronoshift, I mean there is a subscription mod built in, so you think this would have been hit on before. It's really hard to believe no one has put something like this into place before.