
2600 Magazine_ The Hacker Quarterly - Digital Edition - Summer 2011 - 2600 Magazine [8]

some code that you have to use to validate your vote. The rule is that you can only place one vote per mobile number (i.e., per day, week, or just one and only one). It's highly unlikely that someone will have many different mobile numbers at his/her disposal.

As you can see, none of the methods is perfect in itself (maybe the seventh is). My suggestion is to combine some of them and then, as a last resort, add some techniques of analyzing votes after they have been placed. More on this later.

Case Study

As an illustration of the problem, I'll share with you one of the cases. It was a project for some big international company, which I will not identify to protect their (and my) business. The idea for the competition was quite simple - people would upload images on the given subject, and then visitors could vote for the photos they liked most. The winner would be given quite an expensive prize, worth an equivalent of $3500 or so. In other words, the stakes were high. So was the number of people wishing to cheat.

I presented the customer with some recommendations based on the list above. Unfortunately, they decided to employ the least effective and most vulnerable techniques: protecting by CAPTCHA, cookies, and IP limit. They didn't want to employ any demanding or expensive methods. So that was it. I had no choice.

So there it was on the production server - my application (one I was not so proud of), with weak protection, waiting for some rascals.

It wasn't a big surprise to me when, a day or two after the competition was announced, some of the entries started to gain more votes than the others. At this point, the battle began. First, I exported a list of votes per image with their times and IPs. I ran blocks of IPs through the regional IP registry databases (www.ripe.net for Europe, www.arin.net for North America, www.apnic.net for Asia and the Pacific, www.lacnic.net for Latin America and the Caribbean, and www.afrinic.net for Africa) to get ISP information for the votes. It turned out that cheaters were using ADSL or mobile wireless connections that allowed them to change their IP when they reset their modem. I concluded that they were still typing in the CAPTCHAs manually, because the interval between consecutive votes was significant, and also (which I found quite funny) because voting started at around 8 to 10 am (when they woke up) and ended around 11 pm to 1 am (when they went to bed). To prevent those guys from voting, I just blocked some IP ranges. I observed that legitimate voters weren't using mobile networks to vote anyway.

This action caused a big decrease in the illegal votes. But, a few days later, I noticed some other guy doing funny stuff. The pattern was the same - lots of votes placed all day, with a break for sleep in the night hours. One thing was different. The IPs were changing all the time, but they weren't from the same network. They were from all around the world: Germany, then the USA, then Japan, China, some African countries, and so on. I quickly realized that this guy was using Tor or some similar network. Fortunately, the rules of the competition stated that only people in my country were eligible to vote and win. So I found a database that provided the country of origin of every single IP address (Google for "IP geolocation free"). Two hours later, every vote from abroad, past and future, was invalid.
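The post-hoc analysis described in the last two paragraphs (geolocate each vote's IP, throw out foreign votes, and look at the hourly and network pattern of the votes behind each entry) can be scripted. The following is an added example written for this page, not the author's own tool: the vote log lines and the prefix-to-country table are constructed for the example and stand in for an exported vote list and a geolocation database; the prefixes are documentation/private ranges, not real allocations.

```python
"""Post-hoc vote analysis: geolocate votes, reject votes from outside the
eligible country, and flag entries whose votes never pause for the night
or arrive from an unusual number of networks.  Added example; the log and
the GEO_TABLE below are constructed and do not reflect real allocations."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed prefix -> country table standing in for a geolocation database.
GEO_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "PL"),
    (ipaddress.ip_network("10.2.0.0/16"), "PL"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "JP"),
]

# Constructed export of votes: "ISO timestamp,voter IP,entry id".
VOTE_LOG = """\
2011-05-10T09:12:00,10.1.4.21,photo17
2011-05-10T09:40:00,10.1.4.22,photo17
2011-05-10T13:05:00,10.2.9.3,photo05
2011-05-10T02:15:00,10.2.9.4,photo17
2011-05-10T03:30:00,192.0.2.15,photo17
2011-05-10T04:45:00,198.51.100.8,photo17
2011-05-10T05:10:00,203.0.113.77,photo17
2011-05-10T18:20:00,10.2.9.30,photo05
"""


def parse_vote_log(text):
    """Turn the exported CSV-style lines into dicts with parsed time and IP."""
    votes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, entry = line.split(",")
        votes.append({"time": datetime.fromisoformat(ts),
                      "ip": ipaddress.ip_address(ip), "entry": entry})
    return votes


def country_of(ip, table=GEO_TABLE):
    """Longest-prefix-free lookup: first matching network wins; '??' if unknown."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for net, cc in table:
        if ip in net:
            return cc
    return "??"


def split_by_country(votes, allowed):
    """Keep votes from the eligible country, reject everything else (incl. unknown)."""
    valid, rejected = [], []
    for v in votes:
        (valid if country_of(v["ip"]) == allowed else rejected).append(v)
    return valid, rejected


def night_vote_ratio(votes, night_hours=range(1, 6)):
    """Per entry, the fraction of votes cast in hours when real voters sleep."""
    total, night = Counter(), Counter()
    for v in votes:
        total[v["entry"]] += 1
        if v["time"].hour in night_hours:
            night[v["entry"]] += 1
    return {e: night[e] / total[e] for e in total}


def suspicious_entries(votes, threshold=0.25, min_votes=3):
    """Entries with enough votes and an unusually large night-time share."""
    ratios = night_vote_ratio(votes)
    counts = Counter(v["entry"] for v in votes)
    return sorted(e for e, r in ratios.items()
                  if counts[e] >= min_votes and r >= threshold)


def distinct_prefixes(votes, prefix_len=24):
    """Number of distinct /24s behind each entry's votes: many prefixes for a
    single entry is the modem-reset / proxy-hopping pattern."""
    seen = defaultdict(set)
    for v in votes:
        seen[v["entry"]].add(
            ipaddress.ip_network(f"{v['ip']}/{prefix_len}", strict=False))
    return {e: len(s) for e, s in seen.items()}


if __name__ == "__main__":
    all_votes = parse_vote_log(VOTE_LOG)
    valid, rejected = split_by_country(all_votes, "PL")
    print(f"{len(rejected)} foreign votes rejected, {len(valid)} kept")
    print("night-vote ratios:", night_vote_ratio(valid))
    print("networks per entry:", distinct_prefixes(valid))
    print("entries to review:", suspicious_entries(valid))
```

The two signals are deliberately separate: the country filter is a hard rule the competition terms justify, while the night-hour ratio and prefix count only rank entries for a human to look at, since a genuinely popular photo can also collect votes at odd hours.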

In the meantime, I added some more security to the site, making “cookies enabled” a requirement and adding some session variables loaded on the page showing the photo (just before the vote). It allowed me to cut some of the less experienced cheaters.

For a while I thought that it was over. But I was wrong. There was still one guy voting all the time. He was using the same trick of changing IPs constantly, and I wasn't allowed to ban his IP range because it belonged to the most popular ADSL provider in my country (ten percent market share). One thing that I noticed was that he was voting all the time, even at night. It was impossible for a living person to do this, so I concluded that
