Multi-accounting - a modern-day plague for online business

It is really important for any online business to be sure that behind every new account there is a real new user of a product. However, it is not always possible to verify and confirm a new user online. On the one hand, this facilitates the customer experience and increases conversion, on the other hand, it allows to create multiple accounts related to one person, which, in turn, leads to disruption of the unit economy and financial losses. Today we are eager to tell our audience about the most effective ways how to deal with multi-accounting issues.

What is multi-accounting?

Multi-accounting implies a situation when multiple accounts are created by the same user (usually a natural person) on an online business website. Technically, multi-accounting is not considered to be an illegal activity, however, in many cases creation of multiple accounts violates the rules of online business and the terms of web resource usage and also leads to significant costs.

Problems related to multi-accounting are relevant for many industries, let’s take a look at some basic examples.

  • Lending. In most cases it is impossible to create multiple accounts in lending industry, since all the personal accounts are always connected with a passport data, full name, phone number and, in most cases, the lender identifies a borrower in different ways. In this regard, the problem of multi-accounting lies in the area of connected devices of one group of people (for example, among family or friends), and the main risk is associated with an increased probability of delinquency or default due to a potentially high credit burden, which is artificially “spread” across several accounts.
  • Insurance. First of all we are talking about auto insurance, when one broker or agent creates a large number of accounts and tries to issue many insurance policies, often using unverified or unreliable data.
  • E-commerce. With the development of digitization and online payment system, especially during the pandemic, the risk of chargebacks has also increased significantly. According to the latest research of Juniper Research, in 2021 e-commerce industry suffered $20 billion losses due to online fraud. In addition, there is a problem of a large number of fake or non-existing accounts that are considered to be a part of company’s portfolio, however no payments are carried out.*
  • Betting. Many bookmakers promise bonuses to newly registered players in order to attract more users. No doubt that in order to create multiple accounts, scammers use different credentials: full name, email, phone numbers, social media accounts, etc. Online scammers use accounts for the purpose of bonus hunting, receiving free bets, as well as to continue betting after the old account is blocked or when the betting limit is reached.

Multi-accounting mechanics

The ways of creating multiple accounts depend on technological background of online scammers and the tools they use. The easiest way to create a multi-account is to re-register it from the same device. This is especially common when, due to the specifics of the industry or business process, a user can utilize a large set of different email addresses or mobile phone pool numbers (which is more complicated and expensive, but also possible).

As we can see, the main account creation scenario is when different users register new accounts on a unique device and each person logs in to one’s new account.

One of the misuse scenarios is this case is when a personal account is created from one device, while a person logs in from another device. Both actions are performed by the same person.

Also, one of the most important issues is the use of randomizers between steps. Was the account registered from a real device or a virtual machine was used in order to create it?

The use of randomizers

More complex cases arise when a potentially risky user begins to use various technical tricks, device manipulation, randomization tools, deepfakes and device virtualization.

One of the newest and fastest growing types of online fraud is the use of sophisticated software also known as randomizers. The purpose of such software is to thwart existing digital device profiling technologies and bypass the system by misrepresenting the same device a fraudster uses to apply for a loan online as a new one every time.

Thus, a scammer can draw upon the credit from the same device for an unlimited number of times, changing only the borrower's data, while the security system of a financial institution will recognise each application as a unique.

Speaking of randomization we imply the use of any software or code used for adding various anomalies for device fingerprint obfuscation or user activities concealment. A fraudster can randomize a physical device or add some interference to virtual device. One can randomize both a real device and add breakdown to a virtualized or fake device. In addition, in order to hide multi-accounting, scammers often use proxy servers or register each new account under a new IP address. It is also possible to use stolen credentials or create fake IDs based accounts.

What problems does multi-accounting imply?

The scale of multi-accounting can vary from fairly harmless, when a regular user decides to take advantage of the promotion campaign of their favourite online stores, to bonus hunters, who have rather high technological skills and may cause great damage to the business by their malicious actions.

Practically, the whole strategy of unfair competitors can sometimes be built on multi-accounting: fake reviews or ratings, ads-clicking or fake bad (or good) reviews - all this can be the result of attempts to promote their products and damage the reputation of competitors, for example, in the case of using click farms in order to generate massive Internet traffic with bad faith. In addition, a large number of fake accounts on any web site, classified or social media can lead to a disruption of the unit economy as a whole. So, due to the erroneous assessment of marketing indicators, such as MAU, DAU, ARPU, misperceptions may occur, for example, about the value of the company itself.**

What are the best ways to solve this problem?

One of the most effective ways to combat multi-accounting is to use solutions based on device fingerprinting technologies, which allow to identify fraudsters quickly using device authentication and matching technologies:

  • A set of device authentication technologies allows to create reliable and stable device identifiers over time - depending on how the business processes are built, you can either add a verification step, reject application and at the same time make the UX simpler for those who constantly use the same device;
  • Identification of randomization signs, significant manipulations with the technical and software components of the devices. All these signs of risky behaviour distort device fingerprint, however, the very fact of their usage during an account creation or logging in should lead to a proper response of online business;
  • Identification of complex proxying signs, network connection manipulation etc. All these signs may not ba an attempt to manipulate the device, but may seriously damage the process of account usage and management.

Is your company protected from multi-accounting? Short check-list.

  • It is worth making sure that the registration of an account, as well as the first login are made from the same device;
  • Also a company needs to check that from the same device not more that three accounts are registered. On the one hand, this will help to ensure the customers identity, on the other hand, it will reduce the second type error when accounts for several family members are created from a family computer;
  • Also you need to be sure that the same account is not used on more than 1-2-3 different devices in a limited period of time;
  • You need to establish additional verification rules in terms of excessive privacy cases on the device - whether any special browser or software settings were used in order to hide device parameters and distort its digital fingerprint;
  • A company needs to determine an acceptable level of network anomalies, for example, using the same IP address for different devices for a limited period of time, using foreign IP addresses and foreign network settings, shifting the time zones of the device and IP address. This will reduce cases of accounts misuse, as well as the cases of multiple entries on the same device;
  • In addition to that, you should always remember that any company must have the resources to conduct tests for randomizers, conduct tests for virtual machines and private mode.

These are some of the basic guidelines for reducing multi-accounting cases; these rules should be reviewed regularly in order to check and monitor their effectiveness. Also creating and adding new rules to the system will also help. Another approach that works is to build a simple trustworthiness score, possibly binary or semaphore-based, which will allow to manage account creation in a more flexible way and reduce type 2 errors.

Summing it all up, a flexible and secure verification system is required in order to prevent multi-accounting. By doing this, regular users will be satisfied with the company's services or products, while fraudsters and bonus hunters won’t be able to cause any harm to an online business. When a company finds some special tools and technologies to distort the digital fingerprint during account creation, this fact may become a good reason for additional verification. One of JuicyScore's most effective technologies is device comparison and matching: a stack of device authentication technologies allows to build robust and stable in time device ID resistant to various anonymising techniques, to identify randomisation and anonymisation or the same virtual devices. Using these technologies you can spot multiaccounting, data manipulation and multiple accounts. With JuicyScore data you can avoid conversion reduction, improve customer journey and deliver the best user experience.

*Pay Pal case is rather notable. Company’s shares instantly lost a quarter of their value after closing 4.5 million fake accounts. Accounts were created by users in order to receive additional bonuses for new accounts registrations. According to the company's management, the day before they decided to launch that marketing campaign, which turned out to be really unsuccessful, they offered from 5 to 10 dollars to every new user for new account registration. As a result, a large number of bots rushed to the servers of the payment giant, while the company was unable to trace them. Pay Pal had to revise its growth forecasts for this year, as well as reduce the medium-term goal of new audiences outreach.

**In particular, Elon Musk announced that deal with Twitter was temporary on hold due to the revealed facts of multiple fake and spam accounts. Initially, the company stated that the number of fake accounts does not exceeded 5%, however, later it became clear that fake accounts can sum up to 20% of the total number of social network users, which certainly affects the valuation of the entire company.