I run a SaaS that allows free trials. Basically if you register you get a few dollars' worth of free services immediately. I have been determining new users based on IP address alone and it has worked well for the first few months. Now people are finally catching on that it is trivially easy to change their IP address and scam me out of free trial bonuses.
What I want to do is basically create a hash of all possible JavaScript browser variables and store it in a MySQL database.
If I notice that the same browser hash has signed up for a free trial 10 out of the previous 100 registrations… I will not enable a free trial bonus to that account.
Where do I even start? (Where can I find a list of all JavaScript browser variable settings like window size, operating system, browser and version number, country, language etc…? Or does jQuery offer something like this already?)
I have thought about implementing phone verification via Twilio… but that would cost me money, cost my users money, and ultimately lead to fewer free trials.
EDIT: THE GOAL HERE IS TO LIMIT FRAUDULENT ACTIVITY AS MUCH AS POSSIBLE, AND NOT HINDER REAL ACTIVITY IN THE SLIGHTEST!
Sure this solution is not perfect, but added with the others I already have it will help. I am willing to accept some loss, but would like to limit it as much as possible.
What you might want to do is take a look at browser fingerprinting: http://panopticlick.eff.org/
Although this is not foolproof by any means, if you mix it with cookies and the user's IP address you should get something that works for most users.
Updated
If the idea is to limit fraudulent activity I would implement an SMS-based code, similar to how Gmail works. You have to enter your mobile number to get the free trial. If you buy SMSs in bulk you should be able to get them for about 2p each, and it's easy to implement: just find an SMS supplier with an API.
Although you can use the technique above, it is overly complex and still won't be foolproof, and can easily be worked around.
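As an added example (not code from either post), this Node.js code shows the server side of the approach discussed above: hash a fixed set of browser attributes, then refuse the trial when the fingerprint, IP address or cookie ID matches 10 or more of the last 100 registrations. The field names, the record shape, and applying the same threshold to IP and cookie are assumptions; the sample data is constructed.

```javascript
const { createHash } = require('crypto');

// Assumed attribute names; the signup page's script would read them from
// navigator/screen and POST them with the registration form.
const FIELDS = ['userAgent', 'language', 'platform', 'screen', 'timezoneOffset'];

// Hash the fields in a fixed order so one browser always gives one digest.
function fingerprintHash(attrs) {
  const canonical = JSON.stringify(FIELDS.map((f) => [f, String(attrs[f] ?? '')]));
  return createHash('sha256').update(canonical).digest('hex');
}

// recent: earlier registrations, newest first, each { fp, ip, cookieId }.
// A trial is refused when any one signal matches `limit` or more of the
// last `window` registrations (10 of 100, as in the question).
function allowFreeTrial(signup, recent, { window = 100, limit = 10 } = {}) {
  const lastN = recent.slice(0, window);
  const hits = {};
  for (const key of ['fp', 'ip', 'cookieId']) {
    // A missing value (no cookie yet) counts as zero matches.
    hits[key] = signup[key] ? lastN.filter((r) => r[key] === signup[key]).length : 0;
  }
  return { allowed: Object.values(hits).every((n) => n < limit), hits };
}

// Constructed sample data: 100 registrations, 10 from one browser that
// changed IP address each time and cleared its cookies.
const REPEAT_BROWSER = { userAgent: 'ExampleBrowser/1.0', language: 'en-GB',
  platform: 'Linux x86_64', screen: '1920x1080x24', timezoneOffset: 0 };

function sampleHistory() {
  const repeatFp = fingerprintHash(REPEAT_BROWSER);
  return Array.from({ length: 100 }, (_, i) => ({
    fp: i % 10 === 0 ? repeatFp : fingerprintHash({ ...REPEAT_BROWSER, userAgent: `Other/${i}` }),
    ip: `203.0.113.${i + 1}`,
    cookieId: null,
  }));
}

function demo() {
  const history = sampleHistory();
  const repeat = { fp: fingerprintHash(REPEAT_BROWSER), ip: '198.51.100.7', cookieId: null };
  const fresh = { fp: fingerprintHash({ ...REPEAT_BROWSER, language: 'fr-FR' }), ip: '198.51.100.8', cookieId: null };
  return { repeat: allowFreeTrial(repeat, history), fresh: allowFreeTrial(fresh, history) };
}
```

In the setup the question describes, `recent` would be the newest 100 rows of the MySQL registrations table.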