
Question

I have a service with "try it now" experience that currently offers a "one click" effort.

This service has a pool of N resources (let's say 50).

Each new resource takes about 1 hour to generate.

How can this service be protected from a malicious user emptying my pool of resources?

We have circled around some suggestions but so far nothing seems to resolve the issue:

- Using email validation (emails can be easily faked today - for example with yopmail)
- Using some external login (Google, Facebook, etc.) - again, users can open as many accounts as they want.
- IP request throttling - IPs can be changed easily.
- Services like Incapsula or Cloudflare can't really help in this scenario.
- Captcha will have no effect

Serious candidates have serious user-experience implications and do not seem to be sustainable - such as calling each user that wants to run the demo and talking to them, and then manually passing them some link.

Perhaps using email validation with some sort of email blacklisting by regex (e.g.: .*@yopmail.*) can do the job.

What is the right way to tackle this scenario?

Explanation / Answer

First idea: Use SMS or automated phone calls to give a one-time password. Put their phone number on a blacklist after this. You can use any SMS authentication cloud service, or any phone-based authentication cloud service, for this. Getting a new mobile SIM card or phone number is too cumbersome for a user to get another free resource.

However:

This is a question many companies struggle with. Most companies solve this by simply requiring setting up a payment method to try the service. I guess you meant that the 1st is free and the rest cost money.

Then you simply do that: to get the 1st free, they have to enter their credit card number, as if they will have to pay. You can then note that their credit card number has got its 1st free resource. Next time they try with the same credit card, they will be debited.

Of course, according to PCI DSS, you are not allowed to store plain PANs. However, when you use an external payment service, you do not need to care about PCI DSS, and you will many times get to hold an obfuscated version of the CC number, something like:

1234 5678 **** 1234

thus you can still identify returning users. You will simply do this by debiting the user the full price of the service (since the external payment provider will debit all entered CCs with the price you passed them, even if it's a free user). But if it's a free user, your system will sense that the obfuscated CC is "unknown" and immediately process a refund, causing the money to go back into the user's account within a week. Make sure to inform them that the money will be pulled temporarily from their account when getting the free service.

Most companies use this method, even large companies like Netflix, Spotify and Google, to prevent people from getting multiple free months. Many VPN providers also use this method to prevent users from acquiring multiple trial accounts.

Getting new cards from their CC provider costs money in most cases, and is more expensive and cumbersome for the user (for the purpose of getting more free trial time) than actually paying for the service.
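The gating the answer describes (every card is debited at full price and an unknown card is refunded at once; a phone number that passed the SMS or voice OTP is blacklisted after one free run), as an added example in Python that is not part of the original answer. It assumes a payment provider that returns a masked PAN in the form shown above plus a refundable charge id, stubbed here as `FakeProvider`, and a constructed price `PRICE_CENTS`; `TrialGate`, `card_key` and `phone_key` are hypothetical names introduced for the illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed full price of one demo run, in cents (constructed value).
PRICE_CENTS = 1999


def card_key(masked_pan: str) -> str:
    """Normalise a provider-masked PAN such as "1234 5678 **** 1234" into a
    stable lookup key, so spacing or dashes never make a card look new."""
    return re.sub(r"[^0-9*]", "", masked_pan)


def phone_key(number: str) -> str:
    """Normalise an OTP-verified phone number to digits only (assumes the
    number is supplied with its country code, e.g. +1 555 010 0001)."""
    return re.sub(r"\D", "", number)


class FakeProvider:
    """Stand-in for the external payment service: charges and refunds are
    recorded in memory. A real provider returns a charge id that can be
    refunded later."""

    def __init__(self) -> None:
        self.charges = {}   # charge_id -> (masked_pan, cents)
        self.refunds = []   # charge ids refunded so far

    def charge(self, masked_pan: str, cents: int) -> str:
        charge_id = f"ch_{len(self.charges) + 1}"
        self.charges[charge_id] = (masked_pan, cents)
        return charge_id

    def refund(self, charge_id: str) -> None:
        self.refunds.append(charge_id)


@dataclass
class TrialGate:
    """One free run per payment card or per verified phone number; the pool
    of N pre-generated resources is never handed out beyond its size."""

    pool_size: int
    provider: FakeProvider
    seen_cards: set = field(default_factory=set)
    seen_phones: set = field(default_factory=set)
    in_use: int = 0

    def _reserve(self) -> bool:
        if self.in_use >= self.pool_size:
            return False
        self.in_use += 1
        return True

    def release(self) -> None:
        """Call when a demo resource is returned to (or regenerated for) the pool."""
        self.in_use = max(0, self.in_use - 1)

    def claim_with_card(self, masked_pan: str) -> str:
        """Debit every card at full price; refund immediately if the card has
        never claimed a free run, otherwise keep the charge."""
        if not self._reserve():
            return "pool_exhausted"  # fail before the debit: nothing to refund
        key = card_key(masked_pan)
        charge_id = self.provider.charge(masked_pan, PRICE_CENTS)
        if key in self.seen_cards:
            return "charged"
        self.seen_cards.add(key)
        self.provider.refund(charge_id)  # money returns within the provider's window
        return "free_trial"

    def claim_with_phone(self, verified_number: str) -> str:
        """Caller must already have passed the SMS / voice OTP check. A number
        is blacklisted for further free runs as soon as it is used once."""
        key = phone_key(verified_number)
        if key in self.seen_phones:
            return "phone_already_used"
        if not self._reserve():
            return "pool_exhausted"
        self.seen_phones.add(key)
        return "free_trial"


if __name__ == "__main__":
    gate = TrialGate(pool_size=3, provider=FakeProvider())
    print(gate.claim_with_card("1234 5678 **** 1234"))   # free_trial
    print(gate.claim_with_card("1234-5678-****-1234"))   # charged (same card)
    print(gate.claim_with_phone("+1 (555) 010-0001"))    # free_trial
    print(gate.claim_with_phone("15550100001"))           # phone_already_used
    print(gate.claim_with_card("4444 3333 **** 0000"))   # pool_exhausted
```

The pool check runs before the debit, so an exhausted pool never produces a charge that then has to be refunded. A masked PAN is only as unique as its visible digits: two distinct cards that share a BIN and the same last four collide in `seen_cards`, so where the provider exposes a per-card fingerprint token, that token is the better key.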
