not sure if this question belongs here... We are doing a giveaway but we have >30K wallets signed up. We're worried that many are bots. Have you encountered this yet? AND/OR does anyone have a solution to check each wallet transaction history to see if they have any transactions across other signed up wallets? We checked Algo Explorer and it seems that most cases there's a parent wallet and they're sending from the main wallet to a bunch of sub-wallets... thoughts?
Unfortunately there is no good way to prevent this unless you had some form of KYC. I could have a bot create fresh wallets with no transaction history that would be impossible to correlate with each other. Then if those wallets got an asset from you I could then just have them send that asset to the "main" wallet.
You could also set a minimum value of ALGO required to hold in the wallet to be eligible. It wouldn't completely solve the problem, but would make it more expensive for the people operating the bots at least.
Alternatively, set up a centralized service with email + captcha, make each address owner validate their address via that service and deny if they don't.
Related
The company I am working at offers a web based calculation tool which has to be paid monthly (a fixed price for a license).
Normally, users go to our website and authenticate themselves with their credentials and then can use the application. When they cancel their subscription they are not able to use the tool anymore, obviously.
Now another company called us because they want to provide our application for their own clients. We have already fixed that they have to pay a license fee for every of their clients. But there is also a restriction: their users should not have to log in on any of our websites (only on the website of our client). But the web application is hosted on our server and is loaded as an iframe.
Now there is that problem that we are not sure whether our client tells us the correct number of people who use our application wherefore we would like to verify that in some way.
One of my ideas is the following:
Our client has to call an API for every users who would like to use our application in order to submit some information like name or an unique ID of that user
When the user would like to access our application, an ID parameter is appended to the iFrame URL
I think that this is not a very good solution because our client could use the same ID for every access and pretend that only one users uses the application. By saving the ip address and id of the accesses it is possible to determine fraud in some cases because ip address will not change frequently.
We even do not have to know WHICH user accesses the application but only the NUMBER of users per month.
I am interested if there is a cryptographic solution where it is hard to cheat. Something like an authentication method which does not require any interaction of the user.
Well you can't. You should require the partner to issue a token for each user so you know they came from the partner.
You could have the partner call an api you expose to issue a one time token for a user and specify user id and IP. You could alternatively have the partner digitally sign such a login request.
If you bill the partner per user, and the partner decitfull he could claim less users.
You can fingerprint the users, you can give long term coockies, you can check IP and fonts installed etc. These will allow you to detect most types of fraud.
If you give a declared userId a cookie and then see him again without it, you assign him a new cookie and then later see the first cookie again while the partner is always declaring same id that is a very strong indicator of fraud.
If I was the decietfull partner I would pair up geographicly close users and merge their IDs. it would look no different from a user with two devices. But this still limits the extent of fraud possible. Two devices per user is plausible. 10 less so.
Find business partners you trust.
I am building and app which will offer payment in bitcoins. I know that when I send bitcoin from one address to another it can be tracked by blockain API to verify the transaction. After receiving some assets I want to send some assets back. The customer will have an input field where he will paste his deposit wallet address. I am subscribed to blockchain API to track received assets to my bitcoin address. How can I verify that the payment was made by certain customer? Checking his address doesn't seem to solve the problem because if customer uses wallets like Coinbase, Bitstamp etc. transaction is made from multiple addresses.
A few helpers here:
What you need to do is to generate a new address and give it to your customer. This way you can uniquely identify him
Wait for confirmation before making the decision. Just because you see a transaction, does not mean you have the money. You need to wait for a few blocks and several (>6) confirmations
I have a requirement to do 3rd party age verification before I ship an order. I'm using a company called EVS for this. They released a shopify app recently, but seems partly baked. It requires a user to enter date of birth when registering for an account and then triggers the verification when the user places an order. The main problem with that is that it's rare for a customer to actually create an account before ordering for the first time -- instead they order first, then shopify emails them to create an account after the fact. Creating the account afterward does not allow the customer to enter DOB.
So I'm planning to implement my own solution. I can use EVS's API to run the verification by sending a combination of Name, Address, DOB, DL# and State, and last 4 of SSN. I have already built a proprietary order management system that pulls in customer and order data, and I can write a client to perform the verification.
I'm less savvy on the shopify side. I need to balance customer friction when placing an order for the first time, against having to do a lot of manual work for verification.
Below are the options I have conceived. Are there any other options? Any ideas for a better solution? Keep in mind I need to verify a customer once. I can tag the customer account as verified, and once verified it's business as usual.
Alter shopify templates to only show the checkout button when a user is logged in. If not logged in, show a "Create an account" button instead. That way the user provides DOB during account creation and the EVS app works as designed.
Set up a separate verification site like verify.my-domain.com. I can trigger an email to the customer upon order creation and ask them to verify. (May have issues with incorrect email addresses or spam filtering.)
If customer is not logged in, or account is not age verified, and they click Checkout, I can redirect them to a page. I can use a form on the page to do the verification. If verification passes, send them on to checkout.
For option 3, I don't know what shopify allows or what best practices allow. Can I use js to pass data to my own server on a different subdomain? Or post the form to another subdomain and then redirect back to shopify?
I'd appreciate any thoughts or suggestions.
You have pretty much summed up all your options, to clarify on them a little:
You can require that customers create an account in the store checkout settings. /admin/settings/checkout
This would work, you could iframe it in too on a custom Page. Or, better, use cross-domain calls or jsonp.
This is a little convoluted and you would have to persist and maintain lot of external state. I'd avoid this
I think a combination of 1 and 2. Turn on "require customer account". Modify the customer account creation page. Implement a cross domain policy with your server which will host custom code leveraging the EVS API.
I'm not sure if you are selling tangible goods or not but with stringent policies on users' age you have to bear in mind that shipping addresses could change. For a tight integration you should look at having webhooks whenever a customer is changed and make sure all their data is still valid since their last EVS approval.
I've been looking into this quite extensively and we've spent a number of hours experimenting with options. Our client in this case is on Shopify Plus so we do have the benefit of access to checkout.liquid.
Our research has led us to believe that one cannot pass the required 'customer note' of the date of birth to the checkout should they be attempting to checkout as a 'guest'. Perhaps because the 'customer' does not yet exist.
Our options have been narrowed down to:
Write a custom backend app that allows Shopify and EVS to communicate directly (XML API on the EVS side) in the checkout process or just prior and then pass the verification status back to Shopify to allow the order to proceed, or append some relevant status marker for the fulfillment department to act accordingly. The EVS app doesn't prevent the order from proceeding, but does flag the customer's age as unverified in the Risk Level panel in the admin. This would be quite a substantial project and by no means low hanging fruit. There is also risk of re-doing a lot of what the EVS app does already and running into they same obstacles they did.
Force customers to register prior to checkout (if not signed in). This seems the most viable approach. The only caveat being that existing customers will not have the customer note (birth date) and we'd need to build a smaller backend app to allow them to append this to their customer account via the Shopify API (this cannot be done via liquid).
These are our findings and I'd love to know more about how you ended up approaching this.
I need to accept bitcoins on my website (PHP). I'm using blockchain and i have read the api: https://blockchain.info/api/api_receive Is quite simple but i have some questions, but first i will try to explain what i need.
Client send bitcoins to my wallet (Any amount they want)
Server will be notified with confirmations until gets OK.
Gets the sent amount and client wallet from callback and store in DB.
Now my questions:
"You provide a bitcoin address we generate unique addresses that forwards payments to that address instantly notifying a callback URL."
Q: Can we reuse that address and all clients use same address to send bitcoins? Or address will be deleted? The address have a lifetime?
Instead create address to pay is possible clients pay directly to my wallet and server got notified? I don't need extra params like tokens.
I end up in a website that use always the same wallet/address for each odd: http://bitzillions.com/satoshibones
I will like to have a pay system like that, one address per game.
Also should i use blockchain/blockchain (https://github.com/blockchain/api-v1-client-php) library or the simple library (https://github.com/blockchain/receive_payment_php_demo)?
Also if you have any suggestion or alternative i will like to hear.
I think I can help. Disclaimer that I work for BlockTrail.
It would not be good to use the same address because people can view the historical transactions associated with that address. It is recommended to use a new address for every transaction. These can be under the same wallet or different wallets. That may sound complicated but with the possibilities as long as the universe is old you can make a new address per transactions. Some wallets will do this for you automatically. This is called HD Wallets or Hierarchical Deterministic Wallets. You can also use this to have your clients always pay into the same wallet.
You can also use an API to create these wallets. If you are interested in using BlockTrail's here is the link: https://www.blocktrail.com/
We also have webhooks that will send you notifications for confirmations etc... If you want to learn more about our platform, here is a blog that describes it. BTW it is free! https://blog.blocktrail.com/2015/06/blocktrails-developer-platform/
I am in the midst of trying to find an e-commerce solution for my employer, and it is necessary that we go with a hosted payment page to minimize our PCI compliance woes. After researching several companies' solutions, it seems that they all expect you to submit the total price of the transaction to them via a hidden field or GET variables in order to generate the payment form. This seems like a sizable concern for the merchant, since a user with Firebug (or eyes, in the case of GET variables) could easily modify the transaction total, get a new hosted payment form, and continue with the checkout, thus giving themselves whatever discount they desire.
Has anyone set up a hosted payment page before and dealt with this issue? Any suggestions for a better way to do things?
There usually is a hash submitted with those forms that are generated with secret values that the user won't know (e.g. password, transaction key, etc). So if they tamper with the amount, which is also used in calculating the hash's value, then the payment gateway will reject the transaction. The user cannot bypass this by changing the hash because they do not have all of the information required to calculate it.
So using these hosted forms are safe from abuse. If they weren't they wouldn't be viable products and the gateways couldn't offer them for use.