
How to prevent account hijacking and bot logins on my site?

some ways to solve this problem


LoneWolf22

4:07 pm on Jan 17, 2007 (gmt 0)

I have a problem: because of phishing or a keylogger (nobody knows exactly), many accounts on a web site I manage were hijacked. Someone wrote a program (bot) that sent spam using private messages on our site. We changed the passwords in the meantime and put up some captcha forms, but now we seek a permanent solution to this problem.

I looked at hardware-based authentication like RSA Security, but it is not acceptable for us because it is very expensive and we have a multinational user base. I also looked at software-based solutions like Bharosa [bharosa.com,...], which is the most suitable for us, but they mostly target financial institutions and they are expensive.

Please share your experience with the solution you use to prevent account hijacking and bot logins. Is there any scalable, pay-as-you-grow, easy-to-integrate authentication solution for consumer web sites?

carfac

2:54 pm on Jan 19, 2007 (gmt 0)

If you want to do something at little to no expense (other than your time), you can do a lot.

First, have all the forms log the posting IP address. If you find them all coming from one or two IP ranges, BINGO: just block those IPs at a firewall.

Check the referrer field, too.

Re sending PMs specifically, add a sub to the PM program that requires the PM to be posted FROM one of your scripts or pages. In fact, add a new, hidden field that is required; if that is not there (as it would not be for bot-posted spam), reject the spam.

You can also add a second step to sending a PM: a "preview" of the message to be sent and a "confirm send" step.

These steps should make it enough of a nuisance for spammers that they would move on...

Good Luck!

Dave
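The checks Dave describes (a required hidden field on the PM form, a Referer check, a preview/confirm step, and logging the posting IP of rejected requests), as an added example that is not part of this thread. It is written in Python and uses a per-session HMAC token for the hidden field rather than a fixed value; the hostname forum.example.com, the field names and the sample IPs are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlparse

# Assumed hostname of the forum; replace with the real site.
SITE_HOST = "forum.example.com"
# Secret used to derive the hidden-field value. A real deployment would load
# it from configuration so tokens survive a restart.
FORM_SECRET = secrets.token_bytes(32)


def issue_pm_token(session_id: str) -> str:
    """Value to place in the hidden field of the PM compose form.

    Binding the token to the session means a bot that posts straight to the
    send endpoint without loading the form cannot supply it, and a token
    lifted from one session is useless in another.
    """
    return hmac.new(FORM_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def referer_is_local(referer: Optional[str]) -> bool:
    """True only when the Referer header names one of our own pages."""
    if not referer:
        return False
    return urlparse(referer).hostname == SITE_HOST


def check_pm_submission(form: dict, referer: Optional[str], client_ip: str,
                        session_id: str, audit_log: list) -> tuple:
    """Decide whether to accept a send-PM request.

    form      -- posted fields; expects 'pm_token' and, on the second pass,
                 'confirm' == 'yes'
    audit_log -- receives one (ip, reason) record per rejection, so IP ranges
                 used by a spam bot can be spotted and firewalled
    Returns (accepted, reason).
    """
    expected = issue_pm_token(session_id)
    if not hmac.compare_digest(form.get("pm_token", ""), expected):
        audit_log.append((client_ip, "missing or bad hidden token"))
        return False, "token"
    if not referer_is_local(referer):
        audit_log.append((client_ip, "referer not from our site"))
        return False, "referer"
    if form.get("confirm") != "yes":
        # First pass: the caller renders the preview page with confirm=yes.
        return False, "preview"
    return True, "ok"
```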