
Topic: Combating cheating by analyzing browser fingerprints (Read 2145 times)

sr. member
Activity: 277
Merit: 250
But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  Eventually there would be no users of the service.

Now you can create a Firefox add-on that randomizes the fingerprint instead of making them all the same.  Or even better, create plausible counterfeit fingerprints.

What's next?
Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.

It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.

I disagree with your logic. Obviously any security system can be breached, but that doesn't mean they shouldn't be put in place to begin with. Any sense of security is enough to ward off no-gooders. Browser fingerprinting isn't of course the end-all, be-all solution, but at least it does something.
legendary
Activity: 1400
Merit: 1005
Much of my argument is academic anyway.  As someone pointed out earlier, as you add more and more security checks, managing them becomes more and more unwieldy.

The sensible approach is to cull the universe of checks down to a small manageable set that gets most of the problems.  This browser fingerprint approach might very well be useful or it may not.  You may also find it's not worth the hassle and stick with the 5 other things that work reasonably well.
It's not my site, but yes, I agree there is a balance between security measures and reasonability of use/maintenance.  Certainly, that is up to each site owner to decide.
legendary
Activity: 916
Merit: 1003
Much of my argument is academic anyway.  As someone pointed out earlier, as you add more and more security checks, managing them becomes more and more unwieldy.

The sensible approach is to cull the universe of checks down to a small manageable set that gets most of the problems.  This browser fingerprint approach might very well be useful or it may not.  You may also find it's not worth the hassle and stick with the 5 other things that work reasonably well.
legendary
Activity: 1400
Merit: 1005
Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.

It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.

That's fine until the Russian mob sends the commandos over to cut through your cyber chain link fence and get at your goodies.
No one said this would prevent all cases of cheating, but it does help prevent some of them.

@ gbl08ma - I agree.  Certainly, it is a choice both for the faucet website to implement anti-cheat measures, and a choice for the user to decide whether they wish to comply with that level of anti-cheat measures.  Some users may indeed opt to not use some faucet websites based on the difficulty in acquiring the handout.
sr. member
Activity: 306
Merit: 250
Donations: http://tny.im/nx
extra 0.001 BTC/day
Actually it's more like 0.0001 BTC/day on OP's faucet.

IMHO, adding yet another variable to the list of things to check only increases the chances that one of the validation steps fails, making it more cumbersome to get that 0.0001 BTC. And when people can't get money from your website, they'll stop coming back to it, which equals less advertising revenue.

More and more people care about their privacy on the internet and some don't like the fact that they are being tracked and bubbled. This means the crowd of people that already block ads, Google Analytics and JavaScript on unknown websites will get into the next step and block websites from knowing their user agent, referrer and other browser information. Sure, you can always ask them to disable these privacy features on your website for it to work (much like "we're the cops, show us your ID"), but then some will say "so much for this? I'm not coming back here!" (and in the specific case of Bitcoin faucets, they'll say in addition "I thought you were going to give me free bitcoins, is this a SCAM?").
Personally I go away from websites which force me to disable my ad blocker before I can visit them, now imagine if I hid my user agent and these websites forced me to disable my ad blocker AND show them who I am.
legendary
Activity: 916
Merit: 1003
Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.

It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.

That's fine until the Russian mob sends the commandos over to cut through your cyber chain link fence and get at your goodies.
legendary
Activity: 1400
Merit: 1005
But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  Eventually there would be no users of the service.

Now you can create a Firefox add-on that randomizes the fingerprint instead of making them all the same.  Or even better, create plausible counterfeit fingerprints.

What's next?
Are people really going to go through that much effort to get an extra 0.001 BTC/day?  Maybe a few, but most won't.  As giantdragon says, each step of difficulty means fewer people will be doing it.  It won't eliminate cheating completely, from those who are very persistent about it, but it helps deter some cheaters.

It's like saying, why bother building a fence around your property?  People can still hop the fence and get in.  Why bother putting barbed wire on top of a fence?  People can still put heavy clothes on top of it to get over it.  Or they can cut through the chain link fence.  Therefore, we shouldn't build fences at all.
legendary
Activity: 1582
Merit: 1002
That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  
As I said before, this technology is just an ADDITIONAL measure to uniquely identify a user. It cannot be used alone, but adds another brick in the protection wall.
legendary
Activity: 916
Merit: 1003
But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
That's just plain silliness.  A service and its potential users can eternally play this game of technological whack-a-mole but to what end?  Eventually there would be no users of the service.

Now you can create a Firefox add-on that randomizes the fingerprint instead of making them all the same.  Or even better, create plausible counterfeit fingerprints.

What's next?
legendary
Activity: 1582
Merit: 1002
Just tried this extension. It seems that all users who have installed it will have the same fingerprint, making identification of the concrete user impossible. But the service operator can just reject requests made with this ID (i.e. block all users who have enabled it in the browser).
sr. member
Activity: 350
Merit: 251
Dolphie Selfie
legendary
Activity: 1582
Merit: 1002
A custom browser or stripped-down variant of Firefox could be put together that gives away nothing.
I don't suggest using this technology exclusively, it is just another protection barrier. It will create more difficulties for the fraudsters and decrease their willingness to cheat.

Besides, why would someone in BTC want to combat anonymity?  Get burned by pirate?
Absolute anonymity will make some Bitcoin services like advertising networks or faucets impossible to run. Their operators must have the ability to ensure users' uniqueness (even without knowing who is behind the anonymizer).
legendary
Activity: 916
Merit: 1003
A custom browser or stripped-down variant of Firefox could be put together that gives away nothing.

Besides, why would someone in BTC want to combat anonymity?  Get burned by pirate?
sr. member
Activity: 277
Merit: 250
That's a really interesting concept. Hopefully more services will start to adopt it.
legendary
Activity: 1582
Merit: 1002
First, I want to thank a user from Rugatu who suggested this idea!

As you know, IP addresses can be easily spoofed by using TOR, proxies, VPN etc. Blocking anonymizers altogether is a bad solution because many legitimate users may use them for privacy purposes (regarding Bitcoin users, this rate is even higher).

The Electronic Frontier Foundation has published a paper, in which it suggested using an aggregated hashed value of various browser parameters (user agent, screen resolution, timezone, plugins etc.) to ensure the uniqueness of each user.

This technology may be useful for services which want to restrict the number of times that the same user can perform a concrete action (e.g. clicking an ad, requesting free Bitcoins at a faucet etc). I have enabled this feature on my sites CoinURL and Daily Bitcoins and now see promising results. I suppose other services also would consider enabling this method!
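The following is an added example, not part of the original post and not code from CoinURL or Daily Bitcoins: a server-side sketch of the scheme described above, hashing the reported browser parameters into one value and allowing one action per value per time window, with the option discussed later in the thread of rejecting a fingerprint that an extension makes identical for everyone. The field names, the 24-hour window and all sample values are assumptions.

```python
import hashlib
import json

# Attribute names follow the post's list; the exact field names are assumptions.
FIELDS = ("user_agent", "screen", "timezone", "plugins")
WINDOW_SECONDS = 24 * 60 * 60  # assumed policy: one claim per fingerprint per day


def fingerprint(attrs):
    """Hash the reported browser attributes into one stable identifier."""
    canonical = {}
    for name in FIELDS:
        value = attrs.get(name, "")
        # Plugin order can vary between page loads, so sort before hashing.
        if isinstance(value, (list, tuple)):
            value = sorted(str(v) for v in value)
        canonical[name] = value
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class ClaimLimiter:
    """Allow one action per fingerprint per window; reject listed fingerprints."""

    def __init__(self, window=WINDOW_SECONDS, rejected=()):
        self.window = window
        self.rejected = set(rejected)  # e.g. the shared value an extension produces
        self.last_claim = {}           # fingerprint -> time of last allowed claim

    def check(self, attrs, now):
        fp = fingerprint(attrs)
        if fp in self.rejected:
            return "rejected"
        last = self.last_claim.get(fp)
        if last is not None and now - last < self.window:
            return "duplicate"
        self.last_claim[fp] = now
        return "allowed"


# Constructed sample visitors, not taken from any real traffic.
ALICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
         "screen": "1920x1080x24", "timezone": -60,
         "plugins": ["PDF Viewer", "OpenH264"]}
ALICE_REORDERED = dict(ALICE, plugins=["OpenH264", "PDF Viewer"])
BOB = dict(ALICE, screen="1366x768x24")
UNIFORM = {"user_agent": "generic", "screen": "0x0x0", "timezone": 0, "plugins": []}
```

As the thread notes, the result is one signal among several: two distinct visitors with identical browser setups hash to the same value, so a "duplicate" verdict is best combined with the site's other checks.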