Fraud - a Serious Disease In The VoIP World

Today, we’ve gotten a threatening email from an anonymous sender (go figure…) alerting us that we should not be verifying users IP addresses when they buy service from us. This John Doe seems to think we’re violating a so-called law and we could be sued for it. The gist of his message was that he collects information about customers that have been declined service based on the location of their IP address - Library for example.
Now, here comes the logical question: as a provider of what could be construed as an equivalent to “telephone services” (notice VoIP is NOT a replacement for phone service!) - wouldn’t we expect our users to use their service at home or work? why would an honest user choose to create their account from Starbucks - when they are required to have internet service at home to utilize our service anyway?
The answer is simple- except for the odd exception (a fraction of a percent), it doesn’t make sense, and the obvious proof is that legitimate users with nothing to hide sign up from their home or work computer connected to a network that makes it possible to verify their identity to a reasonable level of certainty.
If that’s the case, then why are we, as a provider, receiving such “notice”? the answer is simple: IP address verification and fraud combating measures implemented by VoIP stop criminals in their tracks. When we first started offering service to the public, the percent of fake identities thrown at us was an amazing 40%(!). We were not ready nor expecting such figures. The main offenders were crime rings from Egypt, Jordan, the Palestinian territories, and some countries in Africa - but we most definitely have gotten some fake transactions from right here in the USA. After implementing minimal steps like preventing automatic processing for new unverified accounts our figures dropped to a manageable 5%, and after adding IP address validation we are at a comfortable fraction of a percent and can concentrate on doing business rather than worrying who we provide service to.
this fraud epidemic is especially aimed at companies that provide VoIP service. Why? because it is an easy target, and as good as cash in the bank. For an international crime ring, getting their hands on stolen credit cards or PayPal accounts is not only easy - but also cheap. We’re talking a few cents per number. Not only do they get the identity theft victim’s credit information - they typically also get their name, address, and sometimes even more than that. For US-based criminals it is possible to do things like create a credit card in the victim’s name which could net them thousands of dollars. However in the case of criminals in Egypt for example - there’s not much they can do except shop around on the internet. They of course cannot log into your-electronics-store.com and get a TV shipped over to them, so they need a simple way to “launder” their stolen cards into cold, hard cash. The solution? international calling minutes. A company that runs a network of call shops or calling cards in the middle east can get that cash from their customers, while getting free minutes from the victim Voice over IP provider of their choice. If you’ve been in the VoIP business for a few days you quickly learn that international minutes is just as liquid as cash. In fact some carriers pay each other by exchanging minutes rather than currency.
Now that we’ve established that VoIP service providers are one of the most-chosen target for these thieves, let’s concetrate on how to stop them. Some ways we’ve discovered were effective were:
1. Don’t automatically process payments. When a thief wants to cash-in on that credit card they just bought for 30 cents - they want to do it fast, and they want to do it easy. If your site doesn’t give the result they’re looking for, they’re most likely to just go away and try their luck with another merchant.
2. While we’re speaking of the whole “go away” topic, another important topic comes up. Be consistent. Reject fraud when you find it, and find it 100% of the time. These guys are looking for easy targets that don’t require a lot of work. Make life harder for them and they’ll pick on someone else.
3. Check that IP address! If you live in cave, or otherwise not yet capturing the IP address your new users are registering from - joine the 21st century and start capturing this information! Here’s a big tip - if your customer’s name is John Smith, their credit card’s address is in Virginia, but their IP address resolves back to Pakistan.. well, let’s just say good ole John is not very likely to be visiting grandma back in the homeland…
4. Check for IP address proxies. These can go from very basic (and traceable) to completely undetectable. If you can however detect it - do something about it. Don’t let your users sign up from a web proxy, and be consistent about it.
5. Patterns. Online crime exhibits certain patterns you can easily detect. If Johnny comes back to make 30 calls a day to Guinea, something is fishy. Don’t spy on your customers, but it is perfectly within your rights to prevent fraud on your network by monitoring for fraudulent patterns.
6. Don’t compromise. If you think a (so-called) user is an identity thief, disconnect them immediately and refund their deposit. Do NOT keep their deposit! remember this is STOLEN MONEY which can not only get you in trouble - but is also very much hurting the victim of the identity theft. Do them and your conscience a favor and refund their money immediately. If the so-called customer asks that they re-establish service, your best choice is to send them on their way and not provide service. Alternatively you can ask them to provide copies of their passport and a utility bill. Note they may send fake ones, typically from a foreign country so it is hard for you to verify. If you’re not 100% sure beyond a shadow of a doubt that they have proven they are who they say they are - tell them you are sorry but you cannot furnish service to them.
Let’s get back to the email we received earlier, the one about anti-fraud measures hurting customers. Yes- it’s true. In one case out of several thousands you might wrongfully identify an innocent consumer as an identity thief because their info doesn’t check out. To me personally it only happened once - the guy had an address in one state, and was logged on from another state, and was adament about not wanting to provide us with identifying documents when we contacted him. He did eventually furnish these documents and we agreed to provide him service - but instead of creating a scene he could have just explained to us that he lives in both states to begin with. The bottom line is that Average Joe is not going to affected by these verification techniques, and you should most definitely implement them.
After all- your customers are the ones benefitting from a more secure network - one that is unlikely to get disconnected due to cyber crime, and one that is unlikely to go bankrupt due to criminal related losses. If as a provider you can save thousands of dollars in unnecesary fraudulent calling costs - you can offer your customers better pricing and terms. In the end we are here to furnish service - and the more affordable we can buy it - the more affordable we can sell it.
I wish you much, much good luck in stopping cyber crime and identity theft in it’s tracks!!!Nitzan is the CEO of Future Nine Corp - a leading Cheap Phone Service Provider, who also specializes in Callings Cards utilizing VoIP