Fonicatec hit by fraud.

jroper
Dear All,

Over the weekend, and especially late last night, someone made a pretty concerted effort to hit us hard with fraudulent calls on our service.

http://pbxinaflash.com/community/threads/fonica-voip-service.2252/?t=2252

The modus operandi was to set up an account, fill it with $50 USD, and fire calls to various numbers - including revenue share numbers around the world at some rate, so despite the sign up customer only being allowed to make one concurrent call, the cost per minute was relatively high.

The $50 USD was paid from a stolen PayPal account, which of course PayPal clawed back, leaving us with the carrier charges.

Fortunately, we were working late last night, and saw this activity going on, and were able to put a stop to losing too much money.

We have taken the following steps.
  • Any account that has not been verified, and has never been topped up has been set to inactive.
  • All new accounts are set to inactive, and will be activated manually on receipt of verification paperwork. E.g. two forms of identification, or vouched for by an existing verified customer. E.g. we need to know that you are a real person.
We are sorry for the inconvenience this may cause, but we do not see any other way round avoiding this sort of fraudulent activity.

We have never been defrauded by a verified customer. This post here http://www.pbxinaflash.com/forum/showpost.php?p=5008&postcount=21 outlines Voicepulse's similar view.

A footnote for anyone running A2Billing with the ability to sign up online and take online payments: this is a very real problem, so it may be an idea to change the settings in a2billing.conf to not allow sign up and create an activated account.

Yours

Joe
 
Well, welcome to the real world... :)

Although your suggestions may stop fraud when using PayPal as your processor, I suggest using PayPal was the mistake in the first place. Google PayPal fraud. If any of the search results are true, PayPal should have been shut down by some authority by now. Using PayPal is clearly categorized as "use at your own risk" or "don't try this at home" :).

I would seriously look for a real credit card processor and use them. At least you'd have someone on your side when fighting these types of fraud. And they have fraud prevention in place already for both your customer and your protection.

Your implementation of fraud protection has 1) Made it harder for a real customer to sign up 2) Caused delays for activation 3) Gave the customer a reason not to use you 4) Made extra work for you

I'd study and find out how other major providers handle their payment platforms. For example: Vitelity takes my money directly from my bank account at some level of balance - ready or not :)

I'm sorry for my rants - it's not towards you, but towards Paypal.

Bart
 
Hi

Thanks for the welcome to the real world - I thought I'd been here for a while ;-)

Yes, credit card is the way to go, however, Paypal is so alluring because of its simplicity.

There is little you can do to avoid this type of fraud even prior to the internet and online signups. Clawback is always an issue, whether it is credit card, or pretty much any type of payment barring cold hard cash.


Joe
 
Sorry that happened Joe.
With many voip suppliers over the years failing, I have no issue with any steps necessary for sign up. If it keeps you stable, it's ok with me! :smile5:
 
I'm the opposite, I do not wish to jump through hoops to use a service/buy a product on line. (hence I never did sign up with Voicepulse)

I do many purchases online, and I have never identified myself with personal ID. I have used both credit cards and PayPal, also email transfers from my bank to the supplier. I will not use a service where I need to prove who I am in person or online. I have been asked for other ID at a local store because if you use your credit card a lot the signatures wear off. (Visa should fix) I will leave the merchandise on the counter and go elsewhere. My personal information is mine and should not be needed to do a purchase; if the card is not reported stolen and is in my hand there is no need for a clerk to pursue this any further.

I accept phone orders with credit cards and expect the person to have the card in their possession on the delivery of the product. I have never nor do I expect my staff to ask for other ID. (kind of goes against privacy laws don't you think)

And yes I have been bitten more than once with clawbacks, but it is such a low percentage it becomes the cost of doing business.

Grumpy
 
Easiest solution - use Visa only and force the transactions thru verified by visa. Also require billing zipcode and the 3 digit non embossed code.

If a customer has no desire to provide this basic information on a web transaction - then I don't want the customer. This basic information protects the customer and my business.

Also I have worked for some big office supply chains in the past. If you can't read the signature panel or it's unsigned and the customer is unwilling to provide a picture ID, we then were told to thank the customer for visiting our store and cancel the sale. What they lost in sales this way apparently covered what they would lose due to CC fraud.

Hence, my current day time job - we accept cash and cash only.....
 
Hi Grumpy

The difference with minutes, as opposed to buying books, or goods, is that you can have the minutes now, and use them now, and there is no getting them back when they are used.

When you buy a physical item, it is delivered to your house/office etc. which in itself is a form of identification. No point in stealing something unless you are there to receive it. And if you are there to receive it, then it's highly likely it's your house/office, on balance of probability.

If you turned up at our office with your credit card in hand to pay us, we would be happy to verify your account, We know what you look like, you have a physical card in your hand, and we know your name, and your signature or pin probably matches the one on the card, therefore it is highly likely that you are who you say you are.

Seeing as you are not going to turn up there, then a photocopy of the front (not the back with the 3 digit code on) is the closest we can get.

When someone buys minutes online, you have no idea what part of the world they are in, or if they are who they say they are. Even Geo IP does not work, see any public proxy server!

In one company, I saw £69,000 GBP disappear between Thursday Afternoon, and Friday morning, this was before VoIP days. That's a big cost to do business. Bear in mind your Piaf can probably manage in excess of 100 possibly 200 concurrent calls.




Joe
 
I think it takes a lot of courage to admit this problem...

As opposed to everyone's concerns with how FONICATEC (Joe) does business, I would like to acknowledge the fact that it takes a lot of courage to post a thread like this in a public forum. I will do business with a company such as FONICATEC any day of the week, as they have the decency to explain a flaw, and how they are actively working to solve it.

A lot of VoIP providers will never do such a thing, and when hit with fraud, chances are they will increase the per minute charges in order to recover from such situations. Tell me now, which provider would you rather have?

Thanks Joe for your honesty, and keep up the good work with your company.

Regards,
markiper
 
Hi

Our aim is to get this service into profit - it's not yet - and then I can fulfil my promise of passing profits back to PBX in a Flash.

Also, the system is based on PiaF + A2Billing, installed from the same scripts as are freely available here. The only thing I have changed are some access ports, e.g. SSH.

The service is designed for only PBX in a Flash and asterisk users, in that it uses IAX2, and the trunks are chosen for quality rather than price, which more befits a PBX system.

I hope that this is a demonstration of the robustness of PiaF, and A2Billing, and I trust that the users of the service are happy with it.

Joe
 
Hey Joe,

Sorry to hear about it, but of course, I've been nailed several times myself as well. Here's the steps that I take:

I allow a new customer to register and all, but new accounts get a context called "pending". I also record their IP info. Then on their first purchase, I verify their payment looks legit (checking signup address, IP, e-mail name) etc. You usually can tell very fast if they are who they say or not. On fraudulent payments (always from the US) - I now call the phone number listed on Paypal to see if they did buy or if they were defrauded, I alert them (since paypal could give a shit).

It makes a little extra effort on my side, but since I've started to implement this policy, I haven't been hit again. The fraudsters are pretty easy to see by simply checking their account info and the paypal info.
 
Joe,
Sorry to hear about this. It's sad that the fraudsters can go to such lengths, knowing how you and the team are helping the community.
I believe I saw somewhere, I believe it's krzykat who posted about minFraud.
Has anyone tried it?
 
I sympathize with you. I've been hit with fraud in the past as well.

When I signed up with Vitelity they had international calling disabled. I had to fax them a copy of my ID before they would turn it on. Seems like a hassle but I've been in their shoes so I did what was needed.

Maybe you should consider a similar policy? I don't know if the system supports that.
 
Hi

That's basically what we do, except for all calls, although it is an interesting idea to allow national calls, but not international, and should be easily implemented on A2Billing.

Thanks for the suggestion - keep them coming, and we may implement them into A2Billing.

joe
 
Did anyone at A2B ever look into minfraud? I thought someone was going to, but I've been so busy on virtual PBX project, any new A2B items have been on hold for me.
 
Just a word to the wise. Joe has been doing this sort of stuff for close to a decade if memory serves me correctly. If this can still happen to him, it oughta make anyone think twice about starting up an A2Billing business. :hangb:
 
Hi

During the one to one training we do on A2Billing, we talk about fraud in some detail, and the different methods of protection.

In this instance, a commercial decision was made to allow people to sign up without needing to verify, and actually make some calls, and as can be seen from the forum posts in this thread, and others, there is some resistance to verifying the account.

It is a careful balance between making the service accessible, against not exposing ourselves unduly.

For the best part of 12 months, this view has served us well, with one clawback of $20USD. This particular fraud was something a little more concerted.

This sort of fraud is not A2Billing specific, it relates to any product that allows the purchase of minutes via on line sign up and payment, as any carrier will testify.

I have discussed the possibilities of fraud in some detail on these forums, as have other carriers, and indeed in some detail to people who have written to me personally in respect of our verification policy.

I also write about this as part of an educational purpose, I probably get more out of this forum than I put in, because each question and problem increases my knowledge, which helps me at a commercial level, as well as having useful suggestions in return.

Yes; anyone should think twice before starting a VoIP business, but risk can be managed, but only if you are aware of the risks, and I am happy to make people aware of my experiences.

Joe
 
Yes, you can manage if you know what you are doing. It's a fun business, but you must stay on top of it.

Another fraud detection method you can use with A2B is to smell a potential fraud on first use. Typically a new customer will purchase the bare minimum amount, say $5 or $10. A fraud attempt will purchase the max amount or close to it, say $100 or $250 on a first attempt. That's an immediate red flag that we immediately put their account in a pending status and verify the purchase before allowing them to spend what isn't theirs.
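
Added example, not part of any post in this thread and not A2Billing code: a Python version of the checks members describe above (new accounts start pending, a first top-up near the maximum is held for review, unverified accounts may dial only the home prefix). The thresholds, field names and sample numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; none of these come from A2Billing.
HOME_PREFIX = "1"        # destinations allowed before verification (E.164, no '+')
MAX_TOPUP = 250.0        # largest top-up the signup page offers
NEAR_MAX_RATIO = 0.8     # "max amount or close to it" on a first purchase

@dataclass
class Account:
    signup_country: str            # country given at signup
    verified: bool = False         # ID paperwork received and checked
    status: str = "pending"        # every new signup starts pending
    flags: list = field(default_factory=list)

def review_first_topup(acct: Account, amount: float, payer_country: str) -> str:
    """Decide the account status after its first payment.

    Any flag keeps the account pending until a person has checked the payment.
    """
    if amount >= NEAR_MAX_RATIO * MAX_TOPUP:
        acct.flags.append("first_topup_near_max")
    if payer_country != acct.signup_country:
        acct.flags.append("country_mismatch")
    acct.status = "pending" if acct.flags else "active"
    return acct.status

def may_dial(acct: Account, e164: str) -> bool:
    """Gate a call attempt: pending accounts dial nothing, unverified
    accounts dial only the home prefix, verified accounts dial anywhere."""
    if acct.status != "active":
        return False
    if acct.verified:
        return True
    # Caveat: "1" is the whole NANP, which includes non-US destinations;
    # a production allowlist needs area-code granularity.
    return e164.startswith(HOME_PREFIX)

if __name__ == "__main__":
    small = Account("US")
    print(review_first_topup(small, 10.0, "US"), may_dial(small, "12125550100"))
    big = Account("US")
    print(review_first_topup(big, 250.0, "US"), big.flags)
```
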
 
Sorry to hear about your ordeal Joe.

My 2 cents.... For business users, the verification policy should not be frowned upon for a couple of reasons 1) Starting a business is a lot of paperwork and it's an indication both parties are generally concerned about doing things right 2) If doing a little paperwork upfront to keep the cost down for all then why the heck not (Car insurance in some cities is freaking unbearable due to fraud).

One thing that angers me with some VoIP providers out there is the activation policy is not posted, they don't tell you it might take a few hours to a day to activate an account. That is just not professional in my opinion. If the user is aware it might take a little time to activate their account to protect all, then the majority will be ok with it.

My two suggestions (not sure if possible or what it takes):

1) When a user signs up and pays, credit their account for 10 minutes (or less) while their payment is being verified. Big brownie point to retain customers and free advertising to their friends.

2) It's clear PayPal is not the preferred payment choice, and we all want other payment options integrated in A2B (I know it supports a couple of options, but none documented). Why the heck can't we start a task force to take on this feature? Is this an option worth addressing?

Nabil
 
Hi

We've done a number of other payment methods for A2B, and these have been included in A2Billing, when we have tested them extensively.

If there are any others you want, then maybe post a bounty on the A2B forums, and see if there is some interest.

However, whatever you may think of PayPal, it is popular.

I'm thinking of adopting an idea put forward by a forum member and allowing calls to the USA, until verification, when worldwide will be available.

Joe
 
In England (and presumably Europe) it's routine to have to initially provide some sort of paper verification as a security method to get any kind of telecoms service, including from the major name fixed and mobile telcos.
 