Account Creation Issues/Solutions

in #steem · 6 years ago (edited)

Most of you know that the @steemcleaners have been dealing with thousands of @steem -created spam/scam accounts recently. After investigating all the possible ways this is happening, here is what we found.

This is an Excel screenshot of 2316 scam accounts created by just one scammer using free @steem accounts in March. The yellow portions are sequential names (name1, name2, name25). It's rotated 90 degrees.
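The screenshot itself is not reproduced here, but the pattern it shows (a stem like `name` followed by a run of numeric suffixes) is easy to check for programmatically. The following is an added example, not code from the original post or from the steemit/faucet project; the account names are constructed sample data and the `minCount` threshold is an assumption chosen for illustration.

```javascript
// Added example (not from the post or the faucet project): flag batches of
// account names that share an alphabetic stem and differ only by a trailing
// number, the "name1, name2, name25" pattern described above.

// Constructed sample data: a mix of ordinary names and two numbered batches.
const SAMPLE_ACCOUNTS = [
  'alice', 'bobsmith', 'promo1', 'promo2', 'promo3', 'promo7', 'promo25',
  'carol99', 'dave', 'news-bot1', 'news-bot2', 'news-bot3',
];

// Split a name into its stem and an optional trailing numeric suffix.
// "promo25" -> { stem: "promo", suffix: 25 }; "alice" -> { stem: "alice", suffix: null }
function splitName(name) {
  const m = /^(.*?)(\d+)?$/.exec(name);
  return { stem: m[1], suffix: m[2] === undefined ? null : Number(m[2]) };
}

// Group numbered names by stem and report every stem that has at least
// `minCount` numbered members. Names without a numeric suffix are ignored,
// as are pure-digit names (empty stem).
function findSequentialClusters(names, minCount = 3) {
  const byStem = new Map();
  for (const name of names) {
    const { stem, suffix } = splitName(name);
    if (suffix === null || stem === '') continue;
    if (!byStem.has(stem)) byStem.set(stem, []);
    byStem.get(stem).push(suffix);
  }

  const clusters = [];
  for (const [stem, suffixes] of byStem) {
    if (suffixes.length < minCount) continue;
    suffixes.sort((a, b) => a - b);
    clusters.push({
      stem,
      count: suffixes.length,
      min: suffixes[0],
      max: suffixes[suffixes.length - 1],
    });
  }
  // Largest batches first, so the worst offenders are at the top of a report.
  return clusters.sort((a, b) => b.count - a.count);
}

// Convenience wrapper for a one-line summary of a batch of new accounts.
function describeClusters(names, minCount = 3) {
  return findSequentialClusters(names, minCount)
    .map((c) => `${c.stem}: ${c.count} accounts (${c.min}..${c.max})`);
}

// Example run on the constructed data.
console.log(describeClusters(SAMPLE_ACCOUNTS));
```

The threshold is deliberately low here; in practice you would tune `minCount` against a window of creation times (a dozen `promoN` accounts over a year is unremarkable, the same dozen within an hour from one faucet is not), and treat the output as a triage list rather than an automatic block.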

Issue 1

Unlimited tries for phone numbers on signup.

There is absolutely no legitimate reason a user needs to try more than one or two numbers that come back as "already linked to an existing account or under review". Limitless tries let scammers cycle through myriad SMS numbers until they find an unused one. We tried 20 different numbers from different countries that were already in use.

Users are allotted one free STEEM account. Additional accounts should be sponsored directly by the existing user from their own account (which can be done easily through Steem Connect or by interacting directly with the blockchain) or through a third-party service like Anonsteem. Currently, scammers have abused the account creation process to trick @steem into creating thousands of accounts which are used purely for abuse.

Reasoning:

User may need to try multiple numbers until one on a supporting carrier is found. Users whose carrier doesn't support the function would typically borrow a friend's or family member's phone to complete the registration. They would need to change the number on signup for that.

Proposed Solution:

  1. Limit the "already linked to an existing account or under review" to 2 tries before lockout.
  2. Limit the Edit function to 5 tries before lockout.

Issue 2

Ability to swap between countries/regions.

The initial area code suggestion defaults to the registrant's geographic location. Unsuccessful attempts and edit-prompted attempts both allow the registrant to swap their area code. We have successfully swapped our code to Russia, Ukraine, South Africa, Great Britain and so forth while cycling through our list of free sms numbers.

Reasoning:

Text reception may be restricted in a user's geographical location.

Proposed Solution:

Limit the area code selection function to the 5 proposed Edit tries before lockout.
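The two proposed solutions above (Issue 1: two "already linked" responses before lockout, five edits before lockout; Issue 2: region changes count against the same edit budget) can be expressed as a small per-signup-session state machine. The code below is an added example, not the faucet's own code: the limit values are the post's proposals, while the session object, the `USED_NUMBERS` registry and the function names are assumptions made for illustration. It also includes the per-IP account cap suggested in the comments, which is separate from the per-session limits.

```javascript
// Added example (not the faucet's own code): enforce the proposed signup
// limits for one registration session, plus a per-IP cap on created accounts.

// Limit values are the post's proposals.
const LIMITS = {
  alreadyLinked: 2, // "already linked or under review" responses before lockout
  edits: 5,         // number/region edits before lockout
  accountsPerIp: 2, // accounts per IP address (suggested in the comments)
};

// Constructed sample registry of numbers already tied to accounts (assumption;
// a real deployment would query the faucet's database instead).
const USED_NUMBERS = new Set(['+15550001111', '+447700900123']);

function newSession(region) {
  return { region, linkedHits: 0, edits: 0, locked: false };
}

// Submitting a number: every "already linked" response is counted, and the
// session locks when the count exceeds the allowed tries.
function submitPhone(session, number) {
  if (session.locked) return { status: 'locked' };
  if (USED_NUMBERS.has(number)) {
    session.linkedHits += 1;
    if (session.linkedHits > LIMITS.alreadyLinked) {
      session.locked = true;
      return { status: 'locked', reason: 'too many linked numbers' };
    }
    return { status: 'already_linked', remaining: LIMITS.alreadyLinked - session.linkedHits };
  }
  // Unused number: the real service would send the verification SMS here.
  return { status: 'sms_sent' };
}

// Editing the number consumes one edit; a region change is just an edit that
// also updates the region, so it shares the same budget (Issue 2).
function editNumber(session, newRegion) {
  if (session.locked) return { status: 'locked' };
  session.edits += 1;
  if (session.edits > LIMITS.edits) {
    session.locked = true;
    return { status: 'locked', reason: 'too many edits' };
  }
  if (newRegion !== undefined) session.region = newRegion;
  return { status: 'ok', remaining: LIMITS.edits - session.edits };
}

// Per-IP cap: `ipCounts` is a Map from IP string to number of accounts created.
// Returns true if a new account may be created from this IP and records it.
function recordAccountCreation(ipCounts, ip) {
  const current = ipCounts.get(ip) || 0;
  if (current >= LIMITS.accountsPerIp) return false;
  ipCounts.set(ip, current + 1);
  return true;
}

// Walk-through of the cycling behaviour described in Issue 1.
function demo() {
  const s = newSession('US');
  const log = [];
  log.push(submitPhone(s, '+15550001111').status); // already_linked
  log.push(editNumber(s, 'RU').status);            // ok, region now RU
  log.push(submitPhone(s, '+447700900123').status); // already_linked
  log.push(submitPhone(s, '+15550001111').status); // locked
  log.push(submitPhone(s, '+15550009999').status); // still locked
  return log;
}
console.log(demo());
```

Note that the lockout state has to live server-side, keyed to the signup session (or the email it belongs to); a counter kept only in the browser is trivially reset, which is exactly the gap Issue 1 describes. The per-IP cap should be applied with care, as the comments point out, because Tor exit nodes and shared corporate addresses put many legitimate users behind one IP.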

Github Submission

https://github.com/steemit/faucet/issues/297

Issues 1 and 2 bundled into one submission.

Issue 3

Users forget their username. The username is not included in any registration communications.

Reasoning:

This is a standard security feature to safeguard the user in case their email account is hacked or monitored.

Proposed Solution:

Add a message to users to write down their chosen username.

"Thank you @username. Your email address has been verified." Add: "Write down your username so you don't forget it!"

Github Submission

https://github.com/steemit/faucet/issues/298

Sign Up Process Demonstration

So we know what we're talking about, here's the sign up process in screenshots.


We tried about 20 different numbers from different countries. They were all in use.

This code sent, but I wasn't able to get it without paying an unlock fee from the scam free sms service.

Finally one unused number was found.

So far so good ....

If this account actually gets created, we'll refund @steem the fee (0.1 STEEM and 15 SP delegation, delegation to be automatically returned upon power-up).

Conclusion

Two other security-related issues were discovered during the sign up process. They will be explored further and relayed directly to Steemit Inc staff if they warrant a response.


Like what we're doing? Support us as a Witness.
Go to https://steemit.com/~witnesses
At the bottom, type in guiltyparties
Click VOTE



At what level should the limits apply? Limits per account creation attempt can easily be bypassed by just creating a bunch of emails. Limits per IP address would stop Tor users from creating accounts, as a lot of signups come from Tor. This would also apply to organizations that share an IP among many people.

I think that attempts to sign up with a phone number should pretend to send an SMS, but silently do nothing. However, if somebody from the same IP address created the account using the attempted phone number, then it should just give an error like it does right now.

Creating emails and reattempting the sign up process with these will indeed allow the scammers to create accounts but it will significantly slow down the ones that are using this route. We need to plug the simple holes.

Limiting them per IP address would be a good idea as well. It would give them another hoop to jump through. Let's say 2 accounts per IP.

Like you said, there's another solution that would add another layer: have the SMS receive a number and then SEND it. That will eliminate the receive-only SMSes.

Great post... now I have new information... you helped me as a beginner... thanks for sharing... and then I vote you for witness.

Good to hear it helped.

Thank you guiltyparties :)

You should post this on @utopian-io. They will reward you for it.

I know who reads my posts so I know I'm not going to get extra votes or readership. I did consider it.

Ah makes sense.

For any new account, captcha is not working and the Loader keeps on Loading and Rotating.
