| Today, we've gotten a threatening email from an | | | | want to do it easy. If your site doesn't give the result |
| anonymous sender (go figure...) alerting us that we | | | | they're hoping for, they're most likely to just go away |
| should not be verifying customers IP addresses when | | | | and try their luck with another merchant. |
| they buy service from us. This John Doe seems to | | | | 2. While we're speaking of the whole "try their luck |
| think we're violating a so-called law and we could be | | | | elsewhere" topic, another important topic comes up. Be |
| sued for it. The gist of his email was that he collects | | | | consistent. Reject fraud when you find it, and find it |
| information about customers that have been denied | | | | 100% of the time. These guys are looking for easy |
| service based on the location of their IP address - | | | | targets that don't require a lot of work. Make life |
| Starbucks for example. | | | | harder for them and they'll pick on someone else. |
| Now, here comes the logical question: as a provider of | | | | 3. Check that IP address! If you live in cave, or |
| what could be construed as an equivalent to | | | | otherwise not yet storing the IP address your new |
| "telephone services" (notice VoIP is NOT a | | | | customers are signing up from - joine the 21st century |
| replacement for phone service!) - wouldn't we expect | | | | and start storing this information! Here's a big tip - if |
| our customers to use their service at home or work? | | | | your user's name is John Smith, their credit card's |
| why would an honest user choose to create their | | | | address is in California, but their IP address resolves |
| account from Starbucks - when they are required to | | | | back to Pakistan.. well, let's just say good ole John is |
| have internet service at home to use our service | | | | not very likely to be visiting grandma back in the |
| anyway? | | | | homeland... |
| The answer is simple- except for the odd exception (a | | | | 4. Check for IP address proxies. These can go from |
| fraction of a percent), it doesn't make sense, and the | | | | very basic (and traceable) to completely undetectable. |
| obvious proof is that real users with nothing to hide | | | | If you can however detect it - do something about it. |
| sign up from their home or work computer connected | | | | Don't let your customers sign up from a proxy, and be |
| to a network that makes it possible to verify their | | | | consistent about it. |
| identity to a reasonable level of certainty. | | | | 5. Patterns. Voip fraud exhibits certain patterns you |
| If that's the case, then why are we, as a provider, | | | | can easily detect. If Johnny comes back to make 30 |
| receiving such "notice"? the answer is simple: IP | | | | calls a day to Guinea, something smells funny. Don't |
| address verification and fraud combating measures | | | | spy on your customers, but it is perfectly within your |
| implemented by VoIP stop criminals in their tracks. | | | | rights to prevent abuse on your network by monitoring |
| When we first started furnishing service to the public, | | | | for fraudulent patterns. |
| the percent of stolen credit cards thrown at us was | | | | 6. Don't compromise. If you think a (so-called) user is a |
| an amazing 40%(!). We were not ready nor expecting | | | | criminal, disconnect them immediately and refund their |
| such figures. The main offenders were crime rings | | | | deposit. Do NOT keep their deposit! remember this is |
| from Egypt, Jordan, the Palestinian territories, and | | | | STOLEN MONEY which can not only get you in |
| some countries in Africa - but we most definitely have | | | | trouble - but is also very much hurting the victim of the |
| gotten some criminal transactions from right here in the | | | | identity theft. Do them and your conscience a favor |
| USA. After implementing minimal steps like preventing | | | | and refund their money immediately. If the so-called |
| automatic processing for new unverified accounts our | | | | user asks that they re-establish service, your best |
| figures dropped to a manageable 5%, and after adding | | | | choice is to send them on their way and not provide |
| IP address validation we are at a comfortable fraction | | | | service. Alternatively you can ask them to provide |
| of a percent and can concentrate on doing business | | | | copies of their passport and a utility bill. Note they may |
| rather than worrying who we provide service to. | | | | send fake ones, typically from a foreign country so it is |
| This online-crime epidemic is especially aimed at | | | | hard for you to verify. If you're not 100% sure beyond |
| companies that provide VoIP service. Why? because | | | | a shadow of a doubt that they have proven they are |
| it is an easy target, and as good as cash in the bank. | | | | who they say they are - tell them you are sorry but |
| For an international crime ring, getting their hands on | | | | you cannot furnish service to them. |
| stolen credit cards or PayPal accounts is not only | | | | Let's get back to the email we received earlier, the |
| easy - but also cheap. We're talking a few cents per | | | | one about anti-fraud measures hurting consumers. |
| number. Not only do they get the identity theft victim's | | | | Yes- it's true. In one case out of several thousands |
| credit information - they typically also get their name, | | | | you might wrongfully identify a real customer as an |
| address, and sometimes even more than that. For | | | | identity thief because their info doesn't check out. To |
| US-based criminals it is possible to do things like create | | | | me personally it only happened once - the guy had an |
| a credit card in the victim's name which could net them | | | | address in one state, and was logged on from another |
| thousands of dollars. However in the case of criminals | | | | state, and was adament about not wanting to provide |
| in Egypt for example - there's not much they can do | | | | us with identifying documents when we contacted him. |
| except shop around online. They of course cannot log | | | | He did eventually furnish these documents and we |
| into and get a TV shipped over to them, so they need | | | | agreed to provide him service - but instead of creating |
| a simple way to "launder" their stolen cards into cold, | | | | a scene he could have just explained to us that he |
| hard cash. The solution? international calling minutes. A | | | | lives in both states to begin with. The bottom line is that |
| company that runs a network of call shops or calling | | | | Average Joe is not going to impacted by these |
| cards in the middle east can get that cash from their | | | | verification techniques, and you should most definitely |
| customers, while getting free minutes from the victim | | | | implement them. |
| Voice over IP provider of their choice. If you've been in | | | | After all- your customers are the ones benefitting from |
| the VoIP business for a few days you quickly learn | | | | a more secure network - one that is unlikely to get |
| that international minutes is just as liquid as cash. In fact | | | | shut down due to cyber crime, and one that is unlikely |
| some carriers pay each other by exchanging minutes | | | | to go bankrupt due to criminal related losses. If as a |
| rather than money. | | | | provider you can save thousands of dollars in |
| Now that we've established that VoIP providers are | | | | unnecesary stolen calling costs - you can offer your |
| one of the most desireable target for these criminals, | | | | customers better pricing and terms. In the end we are |
| let's concetrate on how to stop them. Some ways | | | | here to furnish service - and the more affordable we |
| we've discovered were effective are: | | | | can buy it - the more affordable we can sell it. |
| 1. Don't automatically process payments. When a thief | | | | I wish you much, much good luck in stopping cyber |
| wants to cash-in on that PayPal account they just | | | | crime and identity theft in it's tracks!!! |
| bought for 30 cents - they want to do it fast, and they | | | | |