Search:

Fraud - a Serious Disease In The VoIP Reality

Today, we've gotten a threatening email from an anonymous sender (go figure...) alerting us that we should not be verifying customers IP addresses when they buy service from us. This John Doe seems to think we're violating a so-called law and we could be sued for it. The gist of his message was that he collects information about customers that have been denied service based on the location of their IP address - Library for example.

Now, here comes the logical question: as a service provider of what could be construed as an equivalent to "telephone services" (notice VoIP is NOT a replacement for phone service!) - wouldn't we expect our customers to use their service at home or work? why would an honest user choose to create their account from Starbucks - when they are required to have internet service at home to utilize our service anyway?

The answer is simple- except for the odd exception (a fraction of a percent), it doesn't make sense, and the obvious proof is that real users with nothing to hide register from their home or work PC connected to a network that makes it possible to verify their identity to a satisfactory level of certainty.

If that's the case, then why are we, as a provider, receiving such "notice"? the answer is simple: IP address verification and fraud combating measures implemented by VoIP stop criminals in their tracks. When we first started furnishing service to the public, the percent of fraudulent transactions thrown at us was an insane 40%(!). We were not ready nor expecting such figures. The main offenders were crime rings from Egypt, Jordan, the Palestinian territories, and some countries in Africa - but we most definitely have gotten some criminal transactions from right here in the USA. After implementing minimal steps like preventing automatic processing for new unverified accounts our figures dropped to a manageable 5%, and after adding IP address validation we are at a very nice fraction of a percent and can concentrate on doing business rather than worrying who we provide service to.

This online-crime epidemic is especially aimed at companies that provide VoIP service. Why? because it is an easy target, and as good as cash in the bank. For a multi-national crime ring, getting their hands on stolen credit cards or PayPal accounts is not only easy - but also cheap. We're talking a few cents per number. Not only do they get the identity theft victim's credit information - they typically also get their name, address, and sometimes even more than that. For US-based criminals it is possible to do things like create a credit card in the victim's name which could net them thousands of dollars. However in the case of criminals in Egypt for example - there's not much they can do except shop around on the internet. They of course cannot log into your-electronics-store.com and get a TV shipped over to them, so they need a simple way to "launder" their stolen cards into cold, hard cash. The solution? international calling minutes. A company that runs a network of call shops or calling cards in the middle east can get that cash from their customers, while getting free minutes from the victim Voice over IP provider of their choice. If you've been in the VoIP business for a few days you quickly learn that international minutes is just as liquid as cash. In fact some carriers pay each other by exchanging minutes rather than money.

Now that we've established that VoIP providers are one of the easiest target for these criminals, let's concetrate on how to stop them. Some ways we've discovered were effective are:

1. Don't automatically process payments. When a criminal wants to cash-in on that credit card they just bought for 30 cents - they want to do it fast, and they want to do it easy. If your site doesn't yield the result they're looking for, they're most likely to just go away and test their luck with another service.

2. While we're on the whole "try their luck elsewhere" topic, another important topic comes up. Be consistent. Reject fraud when you find it, and find it 100% of the time. These guys are looking for easy targets that don't require a lot of work. Make life harder for them and they'll pick on someone else.

3. Check that IP address! If you live in cave, or otherwise not yet capturing the IP address your new customers are signing up from - joine the 21st century and start capturing this information! Here's a big tip - if your customer's name is John Smith, their credit card's address is in Georgia, but their IP address resolves back to Pakistan.. well, let's just say good ole John is not very likely to be visiting grandma back in the homeland...

4. Check for IP address proxies. These can go from very basic (and traceable) to absolutely transparent. If you can however detect it - do something about it. Don't let your customers register from a web proxy, and be consistent about it.

5. Patterns. Voip fraud exhibits certain patterns you can easily detect. If Johnny comes back to make 30 calls a day to Afghanistan, something is fishy. Don't spy on your customers, but it is perfectly within your rights to prevent abuse on your network by monitoring for fraudulent patterns.

6. Don't compromise. If you think a (so-called) user is a fraudster, disconnect them immediately and refund their deposit. Do NOT keep their deposit! remember this is STOLEN MONEY which can not only get you in trouble - but is also very much hurting the victim of the identity theft. Do them and your conscience a favor and refund their money immediately. If the so-called customer demands that they re-establish service, your best choice is to send them on their way and not provide service. Alternatively you can ask them to provide copies of their passport and a utility bill. Note they may send fake ones, typically from a foreign country so it is hard for you to verify. If you're not 100% sure beyond a shadow of a doubt that they have proven they are who they say they are - tell them you apologize but you will not provide service to them.

Let's get back to the email we received earlier, the one about anti-fraud measures hurting customers. Yes- it's true. In one case out of several thousands you might mistakenly identify a real consumer as an identity thief because their information doesn't check out. To me personally it only happened once - the guy had an address in one state, and was logged on from another state, and was adament about not wanting to provide us with identifying documents when we contacted him. He did eventually furnish these documents and we agreed to provide him service - but instead of creating a scene he could have just explained to us that he lives in both states to begin with. The bottom line is that Average Joe is not going to impacted by these verification techniques, and you should most definitely implement them.

After all- your customers are the ones benefitting from a more secure network - one that is unlikely to get disconnected due to cyber crime, and one that is unlikely to go bankrupt due to fraud related losses. If as a provider you can save thousands of dollars in needless stolen calling costs - you can offer your customers better pricing and terms. In the end we are here to provide a service - and the more affordable we can buy it - the more affordable we can sell it.

I wish you much, much good luck in stopping cyber crime and identity theft in it's tracks!!!