It is an unfortunate side effect of building a successful online or mobile application company that the more popular one gets, the more of a target it becomes. Fraud has always been an issue in business; there will always be bad guys trying to take things that aren't theirs. It's the methods that change. One of the greatest current threats to companies operating online now comes in the form of the malicious, relentless, intelligent, quick and hard to identify fake user. They want to sneak their way into online communities through the registration of fake accounts so they can wreak havoc on legitimate users and make a living out of damaging brand reputations.
It's the specific ways that these fake users abuse online and mobile application companies that lead product owners, developers, security team leaders and even heads of growth to Telesign, seeking ways to stop them. Fraud from fake accounts presents as credit card fraud, spam, botnet attacks, theft of confidential information and social engineering, which can lead to account takeovers. The damage caused includes user abandonment, negative brand impact, a decrease in user growth and decreased user base value.

The following tutorial provides a best-practice approach to reducing fake accounts that is recommended by Telesign's experienced team of security professionals. Our Technical Account Managers help our customers protect the world's largest Web and mobile applications from fraud, and through that knowledge and experience have identified how to combine products from Telesign's comprehensive platform to solve specific business use cases and modern account security challenges.
What You'll Need
Step 1. Sign up for a new Telesign account through our self-service portal. Once you are fully registered, implement the Intelligence API in order to assess the risk level of each new user. This requires that end-users be prompted to provide a valid phone number.
Check Phone Number Risk Level with Intelligence
Step 2. Through the Intelligence API, Telesign runs a query on the phone number provided by the end user. Intelligence then utilizes phone number data and analytics, machine learning and TeleBureau™ (a global phone number reputation consortium), to return a score, risk level and recommendation on the end-user-provided phone number.
Step 3. If the resulting risk assessment score is very high (901-1000), it is extremely likely that the end-user poses a fraud risk and Telesign's recommendation* would be to immediately block and prevent the end-user from continuing account registration and/or prompt the end-user to provide an alternative valid phone number or contact customer support.
If the scoring determines that the risk level is medium to high (401-900)*, Telesign recommends that the end-user continue the account verification process (step 4) but also be "flagged" and, pending verification success, be provided with only limited account access during continuous monitoring.

If the resulting risk assessment score is in the medium-low to low range (400 and under), Telesign recommends that the end-user be allowed to continue the account verification process (step 4) and, once verified, gain complete account access and capabilities.
Step 4. Telesign's Messaging API or Voice API can be used to deliver patented phone-based verification through a time-based, one-time passcode sent over SMS or voice message to the phone number entered by the end-user. This verification process further confirms that the end-user is a legitimate user and connects a trust anchor to that user for the lifetime of their account.
The end-user should be provided with a message stating that they will receive a verification code that they will need to enter in order to continue registration. It is best to offer them the option of receiving this code via SMS or voice. In order to provide the user with this choice, Telesign recommends that customers utilize the phone type data provided in Intelligence to identify non-SMS enabled devices so that those phone types are not sent an SMS. (Further UI best practices can be found here.)
Step 5. When an end-user chooses to be verified via SMS, send an SMS message with a verification code, using Telesign's Messaging API.
Step 6. A time-based one-time passcode is delivered to the end-user's mobile number and at the same time, the user is shown a secondary login screen in their Web browser with a prompt to enter the verification code once it is received.
Step 7. If the code entered by the end-user matches the code provided, the end-user has now been verified and can complete their account registration.**
Those unable to successfully complete the phone verification process should be considered potentially fake and any further access should be blocked or monitored. If blocked, it is best to offer these users the opportunity to contact customer support, where their registration can be manually reviewed.
* Telesign Intelligence's risk score settings are controlled by the customer. Telesign provides a recommendation only; customers decide whether an account creation is blocked, flagged or allowed to proceed.

** Telesign suggests that end-users whose risk score resulted in a "flag" recommendation be provided with limited account permissions, continuously monitored and/or manually reviewed, even if they successfully complete phone verification.
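The decision flow of steps 3 through 7 (risk bands, channel selection, one-time passcode delivery and verification) as one runnable example. This is an added illustration, not Telesign's SDK or sample code: the score bands (901-1000 block, 401-900 flag, 0-400 allow) are taken from the tutorial, while the `send` callable stands in for the Messaging/Voice API call, the phone-type labels in `NON_SMS_TYPES`, the 5-minute passcode lifetime and the 3-attempt limit are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Risk bands from the tutorial (Intelligence score is 0-1000).
BLOCK_MIN = 901   # 901-1000: block registration outright
FLAG_MIN = 401    # 401-900: verify, then flag and limit access
                  # 0-400: verify, then grant full access

# Assumption: these phone-type labels used to detect non-SMS devices are
# hypothetical stand-ins, not the Intelligence API's actual field values.
NON_SMS_TYPES = {"LANDLINE", "TOLL_FREE"}

# Stand-in for the Messaging/Voice API call: send(phone, channel, code).
SendFn = Callable[[str, str, str], None]


def risk_action(score: int) -> str:
    """Map an Intelligence score to the tutorial's block / flag / allow bands."""
    if not 0 <= score <= 1000:
        raise ValueError("score must be between 0 and 1000")
    if score >= BLOCK_MIN:
        return "block"
    if score >= FLAG_MIN:
        return "flag"
    return "allow"


def choose_channel(phone_type: str, user_choice: str = "sms") -> str:
    """Honour the user's SMS/voice choice unless the device cannot receive SMS."""
    if phone_type.upper() in NON_SMS_TYPES:
        return "voice"
    return user_choice if user_choice in ("sms", "voice") else "sms"


@dataclass
class Pending:
    phone: str
    code: str
    channel: str
    flagged: bool
    expires_at: float
    attempts_left: int


class RegistrationVerifier:
    """Steps 3-7: risk gate, one-time passcode delivery, passcode check."""

    def __init__(self, send: SendFn, ttl_seconds: int = 300,
                 max_attempts: int = 3, clock: Callable[[], float] = time.time):
        self.send = send
        self.ttl = ttl_seconds            # assumed passcode lifetime
        self.max_attempts = max_attempts  # assumed guess limit per passcode
        self.clock = clock
        self.pending: Dict[str, Pending] = {}

    def start(self, phone: str, score: int, phone_type: str,
              user_choice: str = "sms") -> Tuple[str, Optional[Pending]]:
        action = risk_action(score)
        if action == "block":
            return action, None          # step 3: no code is sent at all
        # Cryptographically random 6-digit passcode, valid for ttl seconds.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        channel = choose_channel(phone_type, user_choice)
        self.send(phone, channel, code)  # step 5: SMS or voice delivery
        pending = Pending(phone, code, channel, action == "flag",
                          self.clock() + self.ttl, self.max_attempts)
        self.pending[phone] = pending
        return action, pending

    def check(self, phone: str, submitted: str) -> str:
        """Step 7: compare the submitted code; the outcome sets the access level."""
        pending = self.pending.get(phone)
        if pending is None:
            return "no_pending"
        if self.clock() > pending.expires_at:
            del self.pending[phone]
            return "expired"
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            pending.attempts_left -= 1
            if pending.attempts_left <= 0:
                del self.pending[phone]
                return "locked"          # potentially fake: route to support
            return "mismatch"
        del self.pending[phone]
        return "verified_limited" if pending.flagged else "verified_full"


if __name__ == "__main__":
    # Constructed demo: print instead of calling the real API.
    v = RegistrationVerifier(lambda p, ch, c: print(f"send {ch} to {p}: {c}"))
    for phone, score, ptype in [("+15555550100", 950, "MOBILE"),
                                ("+15555550101", 650, "LANDLINE"),
                                ("+15555550102", 120, "MOBILE")]:
        action, pending = v.start(phone, score, ptype)
        print(phone, action, pending.channel if pending else "-")
        if pending:
            print(" ->", v.check(phone, pending.code))
```

The `verified_limited` outcome is where the flagged-user handling from the footnotes attaches: the account is created, but with reduced permissions and a monitoring flag, while `locked` and `expired` are the "unable to complete verification" cases that step 7 says should be blocked or sent to customer support.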