Security enhancement: Q&A


Wolfie

So after reading about the addition of keyCaptcha as an option starting with 3.4 (great job btw), a couple of people mentioned about using the Q&A and I had this little idea come to me. IPS hosted Q&A's, another service for those with active licenses.

Offer different themes/categories to choose from as far as what types of Q&A's are to be used, so that admins aren't required to come up with their own questions nor scout around to see what others are using. Keep track of what is used and if a particular Q&A combo is detected (by the SMS) to be letting a spammer in, it could be automagically flagged for review and taken out of circulation until it's been looked at. Not only that, but with the sharp and witty IPS developers at the helm, some questions could be dynamically generated, such as using random numbers as part of the question or picking from a pool of random words, etc. That way, the question 'record' being used might be the same for several people but the actual question shown could be different for each person. Could also have dynamic answers, so that the same question 'record' would have a different answer each time.

As a simple example, a question might be math related:
Solve this math problem, only use the numbers that are not words:
11 + two + 10 = [answer would be 21 of course]

Each time, the values could be different and the spelled out number could be different, as well as appearing in the first or last position as well.

Granted, that's a rather easy question that a bot could be easily programmed to figure out, but the overall concept is what matters. Of course, an admin wouldn't have to use it if they didn't want to (would have to opt-in to use it), or they could toggle an option to randomly use the IPS Q&A or their own, or to use both, if they want the benefit of IPS supplied Q&A as well as their own that might be specific to the theme of their community.

The only drawback that I see to this would be a language barrier. For that, those wanting to contribute their time could help provide translations or alternative questions for the Q&A's that get used. Let the admin also toggle which language(s) they want their questions to pool from. By that I mean an admin might want to use both English and Spanish, or French and Italian, etc. Obviously, it would be on the admin to make sure they are selecting languages that their community visitors would know. Then when used, pick from a pool of available Q&A's that fit the chosen language(s).

I mentioned above about categories and also detection of Q&A's that don't stop a spammer. To add on to each, for the categories, someone running a community about music obviously wouldn't want something like automotive questions for their community to answer, while a community about sports cars would welcome it. Someone joining that community would be more likely to know what company makes a certain type of car. For the detection, it could also be detected which Q&A's are encountering difficulty by visitors determined to be legitimate users. Since you (IPS) have the SMS data on your end, the Q&A's could be kept track of to later determine if a failed attempt stopped a spammer or a real person. If one is found to fail a lot by real people, then obviously that Q&A combo would need to be reviewed.

I'm sure many IPS clients would be more than happy to submit Q&A's to help populate the database. On a submission form, provide a list of categories to choose from, box for the question, dropdown type of answer (fixed or random/dynamic) along with notes about the question/answer. I say 'submit' because I imagine it would be chaotic to dig in a topic for ideas and if a spammer finds a set of questions/answers, it could easily defeat the purpose of it all.

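As an added example (not code from this thread, from Wolfie, or from IPS), here is one way to build the "dynamic question, dynamic answer" idea from the post above: the question record is fixed ("sum the numerals, ignore the spelled-out word"), but every rendering picks fresh numbers, a fresh decoy word and a random decoy position, so a harvested copy of the question text is worthless. The server keeps the expected answer out of the page entirely by issuing an HMAC token over a nonce, an issue time and the answer, and only recomputes the tag when a submission arrives. The secret key, the 300-second lifetime and the number-word pool are assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets
import time

# Constructed pool of decoy words (assumption: decoys are spelled-out numbers,
# matching the "11 + two + 10" example in the post).
NUMBER_WORDS = ["one", "two", "three", "four", "five", "six", "seven", "eight", "nine", "ten"]

PROMPT = "Solve this math problem, only use the numbers that are not words: "


def make_question(rng=None):
    """Render one instance of the fixed question record.

    Returns (question_text, expected_answer). The numerals, the decoy word and
    the decoy's position (first, middle or last) all change per rendering, so
    the same record yields a different question and a different answer each time.
    """
    rng = rng or random.SystemRandom()
    numerals = [rng.randint(1, 50), rng.randint(1, 50)]
    parts = [str(numerals[0]), str(numerals[1])]
    parts.insert(rng.randint(0, 2), rng.choice(NUMBER_WORDS))
    return PROMPT + " + ".join(parts) + " =", sum(numerals)


def _tag(secret: bytes, nonce: str, issued: int, answer: int) -> str:
    # The answer is an input to the MAC, never part of the token itself.
    msg = f"{nonce}|{issued}|{answer}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_challenge(secret: bytes, rng=None, now=None):
    """Produce (question_text, token) to embed in the registration form.

    The token carries only a nonce, the issue time and a tag; a bot reading the
    form learns nothing about the expected answer.
    """
    question, answer = make_question(rng)
    nonce = secrets.token_hex(8)
    issued = int(time.time() if now is None else now)
    return question, f"{nonce}.{issued}.{_tag(secret, nonce, issued, answer)}"


def verify_answer(secret: bytes, token: str, submitted, now=None, ttl=300) -> bool:
    """Check a submitted answer against its token without ever storing the answer.

    Rejects malformed tokens, expired challenges (assumed 5-minute lifetime) and
    wrong answers, using a constant-time comparison on the tag.
    """
    try:
        nonce, issued_str, tag = token.split(".")
        issued = int(issued_str)
        answer = int(str(submitted).strip())
    except ValueError:
        return False
    current = time.time() if now is None else now
    if not issued <= current <= issued + ttl:
        return False
    return hmac.compare_digest(tag, _tag(secret, nonce, issued, answer))


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # per-deployment secret (assumption)
    q, tok = issue_challenge(key)
    print(q)
    print("token:", tok)
```

Because the tag is recomputed from the submitted answer, a brute-force loop can only succeed by guessing the correct sum within the token's lifetime; to stop a correct token being replayed for several registrations, a deployment would also record each nonce once it has been accepted and refuse it a second time.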

  • Management

Upon reading this further, it's an interesting concept - but I don't see why admins can't devise their own questions -- like on a motorcycle community: "What's a leading Japanese bike: Kaw_____" (asaki)

It also wouldn't take much effort for spambots to start harvesting the answers, I wouldn't think.


It's a nice idea, but what would prevent the bots from harvesting the database? :smile:

That's where the dynamically generated questions come in. Granted, it's not foolproof by any means, but if there are some questions that are forever changing, then keeping a copy of the questions becomes a moot point.

Site specific, that would be the point of the categories. Of course, if something isn't specific enough, like if it's a fan site on a specific celeb, they could of course still use their own questions, as well as this idea if they feel the questions would be easy enough for everyone (but bots) to answer.

It also wouldn't take much effort for spambots to start harvesting the answers, I wouldn't think.

Dynamic answers for some of the questions (dynamic questions).


Either way, thought I'd toss it out there. If it's something that can be done with success, I know the IPS devs can make it happen. If not, then just gotta think of another idea to toss out there and hope it's a feasible one.

It's certainly doable. Will give it some thought, thanks. :smile:

I know that there are flaws so I definitely won't be offended if this idea doesn't stick. Hoping though that either another client will read this and have a better idea or maybe the devs will evolve it into something unique and have something that presents a real issue for spammers.

Discussing it with someone else, they mentioned about trying to brute force an answer and another benefit occurred to me. If a bot is trying to do that (constantly submitting answers until it gets it right), then that too could be used as a form of detecting a potential bot. Either in how quick it's able to submit new answers or if it always seems to take the same amount of time to submit an answer (ex. 6.73 seconds each time several times in a row is a bit too exact). Or maybe a similar tracking concept could be used to report back to IPS (if the original idea falls through).

I do have another security suggestion (not spam related), but getting the idea sorted out in my head before posting it. Would be right up IPS's alley too.

Oh and thanks for the feedback on my idea. I know most times, there aren't too many replies to ideas from staff. :smile:

Archived

This topic is now archived and is closed to further replies.
