User Phone Verification - A way to prevent fraud in e-commerce

Recently, in one of our e-commerce projects, we implemented phone verification so that users on our website have authentic accounts. The requirement was one account per user, to avoid misuse of the offers our service provides in scenarios such as signup, high-value purchases, referring a new user to shop at our site, and other special offers.

So we decided to verify users by phone number, which seemed more reliable than email verification, since having multiple phone numbers is rarer and not as easy as having multiple email accounts. We then chalked out a simple approach that turned out to be ineffective and needed rework.

Initial Approach:

Save a phone number against a user, which the user can verify later with the one-time verification code sent to that phone. On a verification request, we then ensure that the phone number is not verified against another account, so that there is one account per user. Things seemed to go well, but the approach didn't serve the purpose as expected.

When we revisited the approach, we found that a user could still create multiple accounts. If you missed it too, here is how it goes:

Suppose a user, say Haitham, signs up with account A1 and verifies it with number N1. When he needs another account to avail more offers, he can simply edit his number to, say, N2 and not verify it. Then he can create another account, say A2, and verify this new account using N1. In the application's 'referring a new user to shop at our site' use case, he could then add himself as the referrer of A2 using account A1. Hence, the whole idea of fraud detection and prevention was defeated.

Magic Trick:

Don’t associate a number with a user until the user verifies the number.

The simple change above solved our issue at all levels.
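
One way to model this rule, as an added example that is not the project's own code: a hypothetical in-memory `PhoneRegistry` keeps an unverified number in a pending slot, so editing a number never releases the verified one. The class, its method names and the use of A1, A2, N1, N2 as literal values are assumptions made for illustration.

```python
import hmac
import secrets


class PhoneRegistry:
    """Hypothetical in-memory store; a real app would back this with a unique DB index."""

    def __init__(self):
        self.verified = {}  # phone number -> account (one owner per number)
        self.pending = {}   # account -> (candidate number, one-time code)

    def request_verification(self, account, number):
        owner = self.verified.get(number)
        if owner is not None and owner != account:
            raise ValueError("number already verified by another account")
        code = f"{secrets.randbelow(10**6):06d}"
        # The candidate lives only in `pending`; the verified number is untouched.
        self.pending[account] = (number, code)
        return code  # would be sent by SMS, never returned to the client

    def confirm(self, account, submitted_code):
        number, code = self.pending.get(account, (None, None))
        if number is None or not hmac.compare_digest(code, submitted_code):
            return False
        # Re-check ownership: another account may have verified it in the meantime.
        if self.verified.get(number, account) != account:
            return False
        # Release the old number only now that the new one is proven.
        for old, owner in list(self.verified.items()):
            if owner == account:
                del self.verified[old]
        self.verified[number] = account
        del self.pending[account]
        return True

    def number_of(self, account):
        return next((n for n, a in self.verified.items() if a == account), None)


def replay_scenario():
    """Replays the A1/N1, edit-to-N2, A2/N1 sequence from the post (constructed values)."""
    reg = PhoneRegistry()
    assert reg.confirm("A1", reg.request_verification("A1", "N1"))
    reg.request_verification("A1", "N2")  # A1 edits to N2 but never confirms
    try:
        reg.request_verification("A2", "N1")
        rejected = False
    except ValueError:
        rejected = True
    return reg.number_of("A1"), reg.number_of("A2"), rejected
```

In a database-backed application the same guarantee would come from a unique constraint on the verified-number column, with the pending number stored in a separate column or table.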