Help me keep my game from being gamed
December 14, 2013 8:23 AM

I'm developing a website where people try to be click number X (sort of like radio call-in contests) to win a prize, and am looking for advice on ways to make it harder for someone to cheat.

The mechanics are:

1- user logs on to the website
2- clicks on big button
3- the site responds with "you are click #X". If it's, say, number 100,000, user wins prize.

So far my ideas to make it less cheatable are:

A- Users have to identify with their national ID number. The payout will be to the person with the matching national ID card, so you couldn't make sockpuppets (or you would need 1 real person per sockpuppet or fake IDs).

B- If the same user clicks more than once every 15 seconds or so, the minimum time between clicks increases progressively (or they have to input a captcha?) so as to rule out bruteforce attacks.

C- Each pageload is associated with a one-time unique hash associated with the user, which is included in the click POST, and has to match.

My backend is Django 1.6, deploying on Heroku.

Any ideas, criticism or obvious holes are welcome.
posted by signal to Computers & Internet (13 answers total)
 
I would use C in combination with the server silently discounting votes from the same IP address (or panopticlick or some other silent identifier) occurring within a short timeframe (15 seconds, .5 seconds, whatever is appropriate.) I like the silent method more than your more obvious method, B, because the cheater doesn't know the mechanism.
posted by michaelh at 9:08 AM on December 14, 2013


It's sort of unclear: Are users supposed to be able to manually click very rapidly? This is what I would expect if you report the click number immediately after clicking, and you didn't mention any "one click per day" or similar limit.
posted by trevyn at 10:47 AM on December 14, 2013


Response by poster: Users should be able to click repeatedly, it's meant to be sort of addictive. So humans repeatedly clicking is OK, robots not so much.
We'd need some sort of minimum wait between clicks to avoid bruteforce attacks, I think, hence option 'B'.
posted by signal at 11:07 AM on December 14, 2013


Best answer: I break systems like this for a living. Absent strong validation that an account represents a person and that said person is present, I can rig this system so I can win a majority of the time.

B is trivial to defeat with some minor rate limiting.
C is a good idea, but trivial to defeat by issuing a GET before the POST.
A is the best mechanism you have, but my thought would be to run a pool similar to bitcoin mining pools, where the person that wins the lottery gets a bigger share of the pot, I take a cut as the organizer, and the rest get a share of what's left. The house always wins in this case.

There's also the option of DoSing from one IP and flooding out the competition, then at random intervals timing a stop in the DoS traffic to allow a different system to submit a legitimate request.

I think you need a better threat model of what you'd like to defend against. I keep thinking about this and can't decide if certain tactics are fair or not under your game because the rules are ill-defined.

I think you might benefit from looking at bitcoin, and rather than having the client return a per-request value, have the client perform a long math operation on the per-request value and need to return the correct answer, ensuring that the browser crunches for a few seconds between requests.
posted by bfranklin at 1:48 PM on December 14, 2013 [3 favorites]
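As an added illustration of the "have the client crunch for a few seconds" idea in this answer combined with option C's one-time per-pageload token (example code written for this thread, not code from the poster or from Django): the server hands out a random token bound to the user, the client must find a nonce whose SHA-256 over token, user and nonce has a given number of leading zero bits, and the server burns the token on first use so a pre-fetched GET cannot be replayed. The class name, the `token:user:nonce` layout and the difficulty value are assumptions chosen for the example; the difficulty is kept low so it runs quickly here.

```python
import hashlib
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte digest (the 'work' measure)."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(token: str, user_id: str, nonce: int) -> bytes:
    # The token is random and single-use, so work cannot be precomputed
    # before the pageload; binding user_id ties the work to the account.
    return hashlib.sha256(f"{token}:{user_id}:{nonce}".encode()).digest()


class ClickGate:
    """Server side: issues one-time challenges and verifies submitted clicks."""

    def __init__(self, difficulty_bits: int = 16, token_ttl: float = 60.0):
        self.difficulty_bits = difficulty_bits
        self.token_ttl = token_ttl
        self.issued = {}  # token -> (user_id, issued_at); a DB/cache in production

    def issue_challenge(self, user_id: str) -> str:
        token = secrets.token_hex(16)
        self.issued[token] = (user_id, time.time())
        return token

    def verify_click(self, user_id: str, token: str, nonce: int):
        # Pop first: a token is consumed whether or not the click is accepted,
        # so a second POST with the same token (replay) is always rejected.
        entry = self.issued.pop(token, None)
        if entry is None:
            return False, "unknown or already used token"
        owner, issued_at = entry
        if owner != user_id:
            return False, "token was issued to another user"
        if time.time() - issued_at > self.token_ttl:
            return False, "token expired"
        if leading_zero_bits(puzzle_hash(token, user_id, nonce)) < self.difficulty_bits:
            return False, "insufficient proof of work"
        return True, "ok"


def solve(token: str, user_id: str, difficulty_bits: int) -> int:
    """Client side: brute-force the smallest nonce meeting the difficulty."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(token, user_id, nonce)) < difficulty_bits:
        nonce += 1
    return nonce
```

Raising `difficulty_bits` by one doubles the expected client work, so the value is what you tune until a browser needs a few seconds per click; the server's check stays a single hash regardless.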


Response by poster: bfranklin:

How about B with a captcha after a certain speed/frequency threshold is passed? Or are captchas too easily broken?

Also, in your suggestion, "have the client perform a long math operation on the per-request value and need to return the correct answer, ensuring that the browser crunches for a few seconds between requests", how is this different from B?

Thanks!
posted by signal at 1:58 PM on December 14, 2013


The math function mitigates a subset of trivial attacks. Captcha could also work but it's easier to bust. My answer was a bit all over the place. Would help if you could better define what the rules are.
posted by bfranklin at 3:11 PM on December 14, 2013


Response by poster: Not so sure about the rules yet, basically:

You sign up and in with your Facebook account, must provide real name and national ID number. You click a button, if you're click number X, you win. You can play again as many times as you wish.

You can't play more often than x seconds, and can't win more than once, can't use any automated playing system.
posted by signal at 4:26 PM on December 14, 2013


How do you ensure that the national ID number belongs to the name that you're given? It seems like you're relying on this to ensure there's a real person behind the account, but it doesn't actually provide assurance of that unless you're able to cross reference the id # to the name.

How are you checking for click number X in a multithreaded environment (i.e., do you have a race condition where you can have multiple winners)?

What is the prize going to look like? If winning gets you $5, it's not worth your time to engineer a foolproof system and good enough should be good enough. If it's $500 or $5000, additional measures make more sense.
posted by bfranklin at 6:23 PM on December 14, 2013


Response by poster: "How do you ensure that the national ID number belongs to the name that you're given?"

Prizes are handed out in person, after verifying national ID, hard to forge.

Numbers' uniqueness will be ensured at the database level (basically every click is recorded in the db, and the winner is the Xth click in the db, so unique by definition.)

Prizes vary, but could be up to a car, for example, so worth it.
posted by signal at 8:02 PM on December 14, 2013


National ID number? In the US the closest thing we have to that is a Social Security number. I guess it might be different in other countries, but I doubt many people in the US would freely give out their SSN to some random website, just so they might win a prize.
posted by spudsilo at 11:53 PM on December 14, 2013


Response by poster: It's not like an SSN, people give it out if they think they'll get something in return, like in a contest.
posted by signal at 7:00 AM on December 15, 2013


I've given things a bit more thought, and I think you're probably in good shape as long as you're actively monitoring and reacting for attempts to beat the system. I still think dominating the network traffic to the game is going to be the best way to win, but as long as you're watching and adjusting to it, I'm not thinking of any other glaring holes.
posted by bfranklin at 5:50 PM on December 16, 2013


Response by poster: Cool, thanks so much for your input. Re DDoSing, I get the feeling being on Heroku might be an asset, at least being able to react.
posted by signal at 6:48 PM on December 16, 2013

