Fraud - a Serious Epidemic In The VoIP Landscape

Today, we've gotten a threatening email from an anonymous sender (go figure...) telling us that we should not be verifying customers IP addresses when they purchase service from us. This John Doe seems to think we're violating a so-called law and we could be sued for it. The gist of his message was that he collects information about customers that have been declined service based on the location of their IP address - Library for example.

Now, here comes the logical question: as a provider of what could be construed as an equivalent to "telephone services" (notice VoIP is NOT a replacement for phone service!) - wouldn't we expect our customers to use their service at home or work? why would an honest user choose to buy service from Starbucks - when they are required to have internet service at home to use our service anyway?

The answer is simple- except for the odd exception (a fraction of a percent), it doesn't make sense, and the obvious proof is that legitimate users with nothing to hide sign up from their home or work PC connected to a network that makes it possible to verify their identity to a reasonable level of certainty.

If that's the case, then why are we, as a provider, receiving such "notice"? the answer is simple: IP address verification and fraud combating measures implemented by Voice over IP stop criminals in their tracks. When we first started offering service to the public, the percent of fake identities thrown at us was a staggering 40%(!). We were not ready nor expecting such figures. The main offenders were crime rings from Egypt, Jordan, the Palestinian territories, and some countries in Africa - but we certainly have gotten some criminal transactions from right here in the USA. After implementing minimal steps like preventing automatic processing for new unverified accounts our fraud figures dropped to a manageable 5%, and after adding IP address validation we are at a very nice fraction of a percent and can concentrate on doing business rather than worrying who we provide service to.

This online-crime epidemic is especially targeted at businesses that provide Voice over IP service. Why? because it is an easy target, and as good as cash in the bank. For a multi-national crime ring, getting their hands on stolen credit cards or PayPal accounts is not only easy - but also cheap. We're talking a few cents per number. Not only do they get the identity theft victim's credit information - they typically also get their name, address, and sometimes even more than that. For US-based criminals it is possible to do things like create a credit card in the victim's name which could net them thousands of dollars. However in the case of criminals in Egypt for example - there's not much they can do except shop around on the internet. They of course cannot log into your-electronics-store.com and get a TV shipped over to them, so they need a simple way to "launder" their stolen cards into cold, hard cash. The solution? international calling minutes. A company that runs a network of call shops or calling cards in the middle east can get that cash from their customers, while getting free minutes from the victim VoIP service provider of their choice. If you've been in the VoIP business for a few days you quickly learn that international minutes is just as liquid as cash. In fact some carriers pay each other by exchanging minutes rather than cash.

Now that we've established that Voice over IP providers are one of the most desireable target for these thieves, let's concetrate on how to stop them. Some ways we've discovered were effective are:

1. Don't automatically process payments. When a thief wants to cash-in on that credit card they just bought for 30 cents - they want to do it fast, and they want to do it easy. If your site doesn't provide the result they're hoping for, they're most likely to just go away and try their luck with another merchant.

2. While we're on the whole "try their luck elsewhere" topic, another important topic comes up. Be consistent. Reject fraud when you find it, and find it 100% of the time. These guys are looking for easy targets that don't require a lot of work. Make life harder for them and they'll pick on someone else.

3. Check that IP address! If you live in cave, or otherwise not yet storing the IP address your new customers are registering from - joine the revolution and start storing this information! Here's a big tip - if your customer's name is John Smith, their credit card's address is in Nevada, but their IP address resolves back to Pakistan.. well, let's just say good ole John is not very likely to be visiting grandma back in the homeland...

4. Check for IP address proxies. These can go from very basic (and traceable) to absolutely transparent. If you can however detect it - do something about it. Don't let your customers sign up from a web proxy, and be consistent about it.

5. Patterns. Voip fraud exhibits certain patterns you can easily detect. If Johnny comes back to make 30 calls a day to Guinea, something is fishy. Don't spy on your customers, but it is perfectly within your rights to prevent abuse on your network by monitoring for criminal patterns.

6. Don't compromise. If you think a (so-called) user is a criminal, disconnect them immediately and refund their deposit. Do NOT keep their deposit! remember this is STOLEN MONEY which can not only get you in trouble - but is also very much hurting the victim of the identity theft. Do them and your conscience a favor and refund their money immediately. If the so-called customer demands that they re-establish service, your best choice is to send them on their way and not provide service. Alternatively you can ask them to provide copies of their passport and a utility bill. Note they may send fake ones, typically from a foreign country so it is hard for you to verify. If you're not 100% sure beyond a shadow of a doubt that they have proven they are who they say they are - tell them you are sorry but you will not furnish service to them.

Let's get back to the email we received earlier, the one about anti-fraud measures hurting customers. Yes- it's true. In one case out of several thousands you might wrongfully identify an innocent user as an identity thief because their information doesn't check out. To me personally it only happened once - the guy had an address in one state, and was logged on from another state, and was adament about not wanting to provide us with identifying documents when we contacted him. He did eventually furnish these documents and we agreed to provide him service - but instead of creating a scene he could have just explained to us that he lives in both states to begin with. The bottom line is that Average Joe is not going to hurt by these verification techniques, and you should most definitely implement them.

After all- your customers are the ones benefitting from a more secure network - one that is unlikely to get shut down due to cyber crime, and one that is unlikely to go bankrupt due to criminal related losses. If as a provider you can save thousands of dollars in unnecesary fraudulent calling costs - you can offer your customers better pricing and terms. In the end we are here to furnish service - and the more affordable we can buy it - the more affordable we can sell it.

I wish you much, much good luck in stopping cyber crime and identity theft in it's tracks!!!

Nitzan Kon is the CEO of Future Nine Corp - a leading Cheap Phone Service Provider, who also specializes in International Calling Cards utilizing Voice over IP.