TAGS: #starbucks
Today, we’ve gotten a threatening email from an anonymous sender (go figure…) alerting us that we should not be verifying customers IP addresses when they buy service from us. This John Doe seems to think we’re violating a so-called law and we could be sued for it. The gist of his email was that he collects information about customers that have been denied service based on the location of their IP address – Starbucks for example.
Now, here comes the logical question: as a provider of what could be construed as an equivalent to “telephone services” (notice VoIP is NOT a replacement for phone service!) – wouldn’t we expect our customers to use their service at home or work? why would an honest user choose to create their account from Starbucks – when they are required to have internet service at home to use our service anyway?
The answer is simple- except for the odd exception (a fraction of a percent), it doesn’t make sense, and the obvious proof is that real users with nothing to hide sign up from their home or work computer connected to a network that makes it possible to verify their identity to a reasonable level of certainty.
If that’s the case, then why are we, as a provider, receiving such “notice”? the answer is simple: IP address verification and fraud combating measures implemented by VoIP stop criminals in their tracks. When we first started furnishing service to the public, the percent of stolen credit cards thrown at us was an amazing 40%(!). We were not ready nor expecting such figures. The main offenders were crime rings from Egypt, Jordan, the Palestinian territories, and some countries in Africa – but we most definitely have gotten some criminal transactions from right here in the USA. After implementing minimal steps like preventing automatic processing for new unverified accounts our figures dropped to a manageable 5%, and after adding IP address validation we are at a comfortable fraction of a percent and can concentrate on doing business rather than worrying who we provide service to.
This online-crime epidemic is especially aimed at companies that provide VoIP service. Why? because it is an easy target, and as good as cash in the bank. For an international crime ring, getting their hands on stolen credit cards or PayPal accounts is not only easy – but also cheap. We’re talking a few cents per number. Not only do they get the identity theft victim’s credit information – they typically also get their name, address, and sometimes even more than that. For US-based criminals it is possible to do things like create a credit card in the victim’s name which could net them thousands of dollars. However in the case of criminals in Egypt for example – there’s not much they can do except shop around online. They of course cannot log into your-electronics-store.com and get a TV shipped over to them, so they need a simple way to “launder” their stolen cards into cold, hard cash. The solution? international calling minutes. A company that runs a network of call shops or calling cards in the middle east can get that cash from their customers, while getting free minutes from the victim Voice over IP provider of their choice. If you’ve been in the VoIP business for a few days you quickly learn that international minutes is just as liquid as cash. In fact some carriers pay each other by exchanging minutes rather than money.
Now that we’ve established that VoIP providers are one of the most desirable target for these criminals, let’s concetrate on how to stop them. Some ways we’ve discovered were effective are:
1. Don’t automatically process payments. When a thief wants to cash-in on that PayPal account they just bought for 30 cents – they want to do it fast, and they want to do it easy. If your site doesn’t give the result they’re hoping for, they’re most likely to just go away and try their luck with another merchant.
2. While we’re speaking of the whole “try their luck elsewhere” topic, another important topic comes up. Be consistent. Reject fraud when you find it, and find it 100% of the time. These guys are looking for easy targets that don’t require a lot of work. Make life harder for them and they’ll pick on someone else.
3. Check that IP address! If you live in cave, or otherwise not yet storing the IP address your new customers are signing up from – joine the 21st century and start storing this information! Here’s a big tip – if your user’s name is John Smith, their credit card’s address is in California, but their IP address resolves back to Pakistan.. well, let’s just say good ole John is not very likely to be visiting grandma back in the homeland…
4. Check for IP address proxies. These can go from very basic (and traceable) to completely undetectable. If you can however detect it – do something about it. Don’t let your customers sign up from a proxy, and be consistent about it.
5. Patterns. Voip fraud exhibits certain patterns you can easily detect. If Johnny comes back to make 30 calls a day to Guinea, something smells funny. Don’t spy on your customers, but it is perfectly within your rights to prevent abuse on your network by monitoring for fraudulent patterns.
6. Don’t compromise. If you think a (so-called) user is a criminal, disconnect them immediately and refund their deposit. Do NOT keep their deposit! remember this is STOLEN MONEY which can not only get you in trouble – but is also very much hurting the victim of the identity theft. Do them and your conscience a favor and refund their money immediately. If the so-called user asks that they re-establish service, your best choice is to send them on their way and not provide service. Alternatively you can ask them to provide copies of their passport and a utility bill. Note they may send fake ones, typically from a foreign country so it is hard for you to verify. If you’re not 100% sure beyond a shadow of a doubt that they have proven they are who they say they are – tell them you are sorry but you cannot furnish service to them.
Let’s get back to the email we received earlier, the one about anti-fraud measures hurting consumers. Yes- it’s true. In one case out of several thousands you might wrongfully identify a real customer as an identity thief because their info doesn’t check out. To me personally it only happened once – the guy had an address in one state, and was logged on from another state, and was adament about not wanting to provide us with identifying documents when we contacted him. He did eventually furnish these documents and we agreed to provide him service – but instead of creating a scene he could have just explained to us that he lives in both states to begin with. The bottom line is that Average Joe is not going to impacted by these verification techniques, and you should most definitely implement them.
After all- your customers are the ones benefitting from a more secure network – one that is unlikely to get shut down due to cyber crime, and one that is unlikely to go bankrupt due to criminal related losses. If as a provider you can save thousands of dollars in unnecessary stolen calling costs – you can offer your customers better pricing and terms. In the end we are here to furnish service – and the more affordable we can buy it – the more affordable we can sell it.
I wish you much, much good luck in stopping cyber crime and identity theft in it’s tracks!!!