Ways of verifying someone's identity on a website? - verification

We're running a directory website where users can claim listings we have pre-populated.
As we want each listing to have its rightful owner, we are trying to figure out how we can verify that the person who claimed a certain business or location is actually a person of authority for that business.
Not all businesses have websites, so we can't always authenticate by sending an email to an address matching the business domain; phone number verification is also not an option, as owning a phone number doesn't prove anything, I think.
We would love to have this process somehow automated, but we have no experience or ideas about how to make this work.
Any suggestions are welcome!

The users need to register with you. They send you enough information to verify that they are who they say they are, e.g. passport, driver's licence, credit card statements, electricity bills with address, etc. You can then verify that this information is correct. In particular, their physical address must be verified.
You then mail a letter with a code that you choose to their physical address. When they have received it, send a link to their email address. The link is to a page where they must enter the code you mailed to them. They can then register with a user ID and password of their choice. This only needs to be done once. After that, they can identify themselves with the user ID and password they chose.
This technique relies on the fact that you can verify someone's physical address. Anyone can call you and claim to be someone else, but the credit card company and the electricity company know their customers' correct addresses. It is possible to use someone else's credit card number and provide a different address, but the credit card company will be able to tell you if the physical address they gave you is wrong.
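As an added example (not code from the answer above), here is how the mailed-code step of that procedure could be implemented server-side in Python: the code printed in the letter is drawn from an alphabet without characters that are easy to misread on paper, only a salted hash of it is stored, and the check on the page behind the emailed link enforces an expiry, a constant-time comparison and an attempt limit. The function names, the 30-day validity window, the five-attempt cap and the code length are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the original answer).
CODE_TTL_SECONDS = 30 * 24 * 3600    # postal delivery takes days; allow a month
MAX_ATTEMPTS = 5                      # lock the claim after this many wrong codes
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I to misread on paper
CODE_LENGTH = 10


@dataclass
class PendingClaim:
    claimant_email: str
    postal_address: str     # the address verified from the submitted documents
    salt: bytes
    code_hash: bytes        # salted hash only; the plaintext code goes to the printer
    issued_at: float
    attempts: int = 0
    verified: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow salted hash: a leaked table of pending claims must not yield live codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_mail_code(claimant_email, postal_address, now=None):
    """Create the code to print in the letter and the record kept server-side.
    Returns (code_to_print, record)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    salt = secrets.token_bytes(16)
    record = PendingClaim(claimant_email, postal_address, salt, _hash_code(code, salt), now)
    return code, record


def verify_mail_code(record, submitted, now=None):
    """Check a code typed on the page reached from the emailed link.
    Returns 'ok', 'expired', 'locked' or 'wrong'."""
    now = time.time() if now is None else now
    if record.verified:
        return "ok"
    if now - record.issued_at > CODE_TTL_SECONDS:
        return "expired"
    if record.attempts >= MAX_ATTEMPTS:
        return "locked"
    record.attempts += 1
    # Normalise what a person reads off paper: spacing, hyphens and case.
    cleaned = submitted.replace(" ", "").replace("-", "").upper()
    if hmac.compare_digest(_hash_code(cleaned, record.salt), record.code_hash):
        record.verified = True
        return "ok"
    return "wrong"


if __name__ == "__main__":
    code, claim = issue_mail_code("owner@example.com", "1 High Street, Example Town")
    print("print in letter:", code)
    print(verify_mail_code(claim, "not the code"))   # wrong
    print(verify_mail_code(claim, code.lower()))     # ok
```

The attempt counter is what keeps a ten-character code from being brute-forced through the web form; the expiry bounds how long a letter intercepted from a mailbox stays useful.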

How to ensure accounts aren't bots (Algorand)?

Not sure if this question belongs here... We are doing a giveaway but we have >30K wallets signed up. We're worried that many are bots. Have you encountered this yet? And/or does anyone have a solution to check each wallet's transaction history to see if they have any transactions across other signed-up wallets? We checked Algo Explorer and it seems that in most cases there's a parent wallet and they're sending from the main wallet to a bunch of sub-wallets... Thoughts?
Unfortunately there is no good way to prevent this unless you had some form of KYC. I could have a bot create fresh wallets with no transaction history that would be impossible to correlate with each other. Then if those wallets got an asset from you I could then just have them send that asset to the "main" wallet.
You could also set a minimum value of ALGO required to hold in the wallet to be eligible. It wouldn't completely solve the problem, but would make it more expensive for the people operating the bots at least.
Alternatively, set up a centralized service with email + captcha, make each address owner validate their address via that service and deny if they don't.
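The transaction-history check the question asks about (one parent wallet fanning out to sub-wallets, sub-wallets paying each other) can be automated with a union-find over the signed-up addresses. The following is an added example, not code from the thread, run over a constructed offline list of payments with placeholder names rather than live Algorand data; the functions `cluster_wallets` and `suspect_wallets` and the `ignore_senders` allowlist are assumptions. It also shows the two caveats from the answers: a fresh wallet funded from an unrelated source is not linked to anything, and a shared funding source that is an exchange or faucet links honest users unless it is allowlisted.

```python
from collections import defaultdict

# Constructed sample data (placeholder names, not real Algorand addresses):
# (sender, receiver, microalgos) as an explorer would list payment transactions.
SIGNED_UP = {"W1", "W2", "W3", "W4", "W5", "W6"}
TXNS = [
    ("PARENT_A", "W1", 500_000),
    ("PARENT_A", "W2", 500_000),
    ("PARENT_A", "W3", 500_000),
    ("W3", "W4", 100_000),          # sub-wallet passing funds on to another entrant
    ("EXCHANGE", "W5", 2_000_000),  # two unrelated users withdrawing from one exchange
    ("EXCHANGE", "W6", 3_000_000),
]


class DisjointSet:
    """Union-find with path compression over a fixed set of wallet addresses."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_wallets(signed_up, txns, ignore_senders=frozenset()):
    """Group signed-up wallets that (a) paid each other directly or (b) were
    funded by the same outside address. Senders in `ignore_senders` (known
    exchanges, faucets) do not link their recipients. Returns a list of
    frozensets, largest first."""
    ds = DisjointSet(signed_up)
    funded_by = defaultdict(set)          # outside funder -> signed-up recipients
    for sender, receiver, _amount in txns:
        if sender in signed_up and receiver in signed_up:
            ds.union(sender, receiver)
        elif receiver in signed_up and sender not in ignore_senders:
            funded_by[sender].add(receiver)
    for recipients in funded_by.values():
        first, *rest = sorted(recipients)
        for other in rest:
            ds.union(first, other)
    groups = defaultdict(set)
    for wallet in signed_up:
        groups[ds.find(wallet)].add(wallet)
    return sorted((frozenset(g) for g in groups.values()),
                  key=lambda g: (-len(g), sorted(g)))


def suspect_wallets(clusters):
    """Every wallet that shares a cluster with at least one other entrant."""
    return set().union(*(c for c in clusters if len(c) > 1))


if __name__ == "__main__":
    for c in cluster_wallets(SIGNED_UP, TXNS, ignore_senders={"EXCHANGE"}):
        print(sorted(c))
```

Without the allowlist, W5 and W6 are clustered only because they both withdrew from the same exchange, so the heuristic needs a list of high-fanout senders that are not parent wallets; and, as the first answer notes, an operator who funds each bot wallet from a different source leaves no edge for this to find.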

How to determine the exact number of users of a web application?

The company I am working at offers a web based calculation tool which has to be paid monthly (a fixed price for a license).
Normally, users go to our website and authenticate themselves with their credentials and then can use the application. When they cancel their subscription they are not able to use the tool anymore, obviously.
Now another company called us because they want to provide our application to their own clients. We have already agreed that they have to pay a license fee for each of their clients. But there is also a restriction: their users should not have to log in on any of our websites (only on the website of our client). But the web application is hosted on our server and is loaded as an iframe.
Now there is the problem that we are not sure whether our client will tell us the correct number of people who use our application, which is why we would like to verify that in some way.
One of my ideas is the following:
Our client has to call an API for every user who would like to use our application, in order to submit some information like the name or a unique ID of that user
When the user would like to access our application, an ID parameter is appended to the iframe URL
I think that this is not a very good solution because our client could use the same ID for every access and pretend that only one user uses the application. By saving the IP address and ID of each access, it is possible to detect fraud in some cases, because the IP address will not change frequently.
We even do not have to know WHICH user accesses the application but only the NUMBER of users per month.
I am interested if there is a cryptographic solution where it is hard to cheat. Something like an authentication method which does not require any interaction of the user.
Well, you can't. You should require the partner to issue a token for each user so you know they came from the partner.
You could have the partner call an API you expose to issue a one-time token for a user and specify the user ID and IP. You could alternatively have the partner digitally sign such a login request.
If you bill the partner per user, and the partner is deceitful, he could claim fewer users.
You can fingerprint the users, you can give long-term cookies, you can check IP and fonts installed, etc. These will allow you to detect most types of fraud.
If you give a declared user ID a cookie and then see him again without it, you assign him a new cookie, and then later see the first cookie again while the partner is always declaring the same ID, that is a very strong indicator of fraud.
If I were the deceitful partner, I would pair up geographically close users and merge their IDs. It would look no different from a user with two devices. But this still limits the extent of fraud possible. Two devices per user is plausible. Ten, less so.
Find business partners you trust.
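To make the signed-login suggestion above concrete, here is an added example in Python (not code from the thread): the partner signs user ID, client IP, timestamp and nonce with a shared HMAC key; the gateway on our side rejects bad signatures, stale timestamps, replayed nonces and IP mismatches, records distinct user IDs per month for billing, and applies the cookie heuristic from the answer by counting how many device cookies each declared user ID has been seen with. The shared key, the five-minute validity window, the class and function names and the device threshold are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

MAX_CLOCK_SKEW = 300   # assumed: a signed login request is good for five minutes


def sign_login_request(partner_secret: bytes, user_id: str, client_ip: str,
                       ts: int, nonce: str) -> dict:
    """Partner side: build the parameters appended to the iframe URL."""
    msg = f"{user_id}|{client_ip}|{ts}|{nonce}".encode()
    sig = hmac.new(partner_secret, msg, hashlib.sha256).hexdigest()
    return {"uid": user_id, "ip": client_ip, "ts": ts, "nonce": nonce, "sig": sig}


class PartnerGateway:
    """Our side: validates partner-signed logins and keeps the billing evidence."""

    def __init__(self, partner_secret: bytes):
        self.secret = partner_secret
        self.seen_nonces = set()                 # replay protection
        self.users_by_month = defaultdict(set)   # "YYYY-MM" -> declared user IDs
        self.issued_cookies = set()              # device cookies we handed out
        self.devices_by_user = defaultdict(set)  # user ID -> device cookies seen

    def accept(self, req: dict, client_ip: str, now: int, cookie=None):
        """Returns (accepted, reason, cookie_to_set_on_the_browser)."""
        msg = f"{req['uid']}|{req['ip']}|{req['ts']}|{req['nonce']}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return False, "bad signature", None
        if abs(now - req["ts"]) > MAX_CLOCK_SKEW:
            return False, "stale", None
        if req["nonce"] in self.seen_nonces:
            return False, "replayed", None
        if req["ip"] != client_ip:
            return False, "ip mismatch", None
        self.seen_nonces.add(req["nonce"])
        month = time.strftime("%Y-%m", time.gmtime(now))
        self.users_by_month[month].add(req["uid"])
        # Device cookie: reuse one we issued, otherwise mint a new one. A declared
        # user ID that keeps turning up with new cookies is really several people.
        if cookie not in self.issued_cookies:
            cookie = secrets.token_urlsafe(16)
            self.issued_cookies.add(cookie)
        self.devices_by_user[req["uid"]].add(cookie)
        return True, "ok", cookie

    def billable_users(self, month: str) -> int:
        return len(self.users_by_month[month])

    def suspicious_users(self, max_devices: int = 2) -> set:
        """Declared IDs seen from more distinct devices than is plausible."""
        return {u for u, d in self.devices_by_user.items() if len(d) > max_devices}
```

The IP is part of the signed message so a partner cannot mint one request and hand it to many browsers; nonces only need to be remembered for the clock-skew window, so a real deployment would expire them rather than keep the set forever.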

Accessing Bigcommerce's %%GLOBAL_CustomerId%% variable

How can I have access to bigcommerce's %%GLOBAL_CustomerId%% variable?
I created a sample template and logged in as a user. That variable doesn't show up. Isn't it supposed to be a global variable?
Background: I want to create an app for Bigcommerce that can identify a user based on their customer ID. If I can't grab that variable, do you guys see any other way to work around this?
It's not immediately clear in the docs, but you can use %%GLOBAL_CurrentCustomerEmail%% anywhere in the template to get the email address of the currently logged-in user.
If you need the customer's ID, then you can query the API with the email as a parameter.
Personally, I'd rather "trust" the customer's email as a point of identification, because you never know whether the Bigcommerce IDs may get changed or not (example: customers are deleted and then reimported, now having brand new IDs).
On a subject of security though, you cannot trust client side data, and should attempt to mitigate fraudulent requests through the use of a CSRF token or some similar measure. Otherwise, anyone can send you an email address and receive back a list of that person's favorite products -- golden information for say, a targeted advertising company, or just your suspicious next-door neighbor Joe who seems to always be conveniently checking his mail right when you get home from work, but never says anything when you walk by, not even a wave or a smile, despite the fact that you all have been neighbors for quite some time now. Like, should I say something? Hahaha, I kid I kid.

How can I verify a phone number against a known address?

Paypal offers an identity verification feature where a cell phone is checked against a given billing address.
I would like to have a similar verification system in my website. What do I need to do to get this type of validation in place?
Cell phone numbers aren't intrinsically linked to mailing addresses; the association is stored by the company that does the billing.
So if you want to verify the phone against the cell provider's billing address, then you would have to get that information from the cell provider. If you want to verify it against the billing address of the credit card the phone company uses, then you'd have to ask the credit card company (once you have the card number from the phone company).
As a rule, companies don't make address information available for you to query. The exception is credit card companies, which will do address verification as an anti-fraud measure. This verification happens through your merchant account through which you process card transactions, and may be subject to certain conditions worth paying attention to.

iTunes connect will not let me add myself as a user

I am working on an app in iTunes connect for a client, under their iTunes connect account. I want to add myself as a user so that I can get email notifications of updates in app status. When I try to add myself as a user I get the following message:
The email address you entered already belongs to an iTunes Connect account. To continue, enter a different email address
I am using this email address on my own company's iTunes connect account, but not on my client's account. How can I add myself as a user?
@sarnold Turning your comment into an answer because it worked for me.
Two Separate Websites
Apparently for historical and organizational reasons, Apple operates their developer and app store business in a bifurcated manner.
developer.apple.com
The web site for all the technical resources, including documentation, WWDC videos and such.
itunesconnect.apple.com
This completely separate web site handles the business end:
Contracts, banking, payments.
Uploading your finished app.
Defining your In-App Purchase products.
Problem: Different Handling Of Accounts
The developer.apple.com site is slick in that a programmer can have a single Apple ID used to join multiple developer accounts. She may work for three different companies, and be assigned a role on each of those companies’ Developer accounts all on the same Apple ID. When she logs in to the Developer site, she is presented with a popup menu asking which of the three companies’ Developer accounts she wants to access during this work session. Nice.
The problem: in iTunesConnect, not so nice. In iTunesConnect, the "admin" person cannot assign existing Apple IDs as members with a role. Very strange. The admin is forced to create a new ID for each person being added to the team. That means the person joining must have multiple email addresses. If an admin tries to add you to their iTunesConnect with an email address already used on some other company's iTunes Connect account, an error message reports that the email address / Apple ID is already in use. Obviously the programming team running the iTunesConnect site could use some help from the Developer site's team. ☹
Workaround: Email Address Trick
The workaround cited by sarnold involves a feature of email addresses. The spec for email servers has a feature where you can extend your email address. You can add a suffix to the first part of your email name by appending a "+" PLUS SIGN. From what I could figure out, the email software first looks for the extended name. If no such name is found, it drops the extension and looks again. If found, the shorter version of the email address is actually used.
So if the programmer Susan wants to use her email address susan@example.com for a second or third iTunes Connect account, she tells her client's admin person at Acme Corporation to use something like this as her email address: susan+acme.com@example.com. Apple will still create a needless extra Apple ID for Susan, but at least Susan does not have to bother with creating and accessing extra email accounts. The emails sent by Apple will arrive at her susan@example.com address.
Susan double-checked this would work before talking to the admin person. She sent herself an email to susan+acme.com@example.com to make sure it arrived at the susan@example.com account.
Effectively, the email servers are not fooled by the extended email address, but iTunesConnect is fooled into creating a new Apple ID using an old email account.
Basically, you can't invite other iOS devs to review your efforts seems to be the result of this policy.
I had (and have) the exact same problem... what makes me kinda like FlavorScape's suggestion ;)
What I did is something similar to sarnold's comment: I used an alternative email address (_@gmail.com instead of _@googlemail.com) and this actually created a new Apple ID with this email address.
It works fine, but it would be so much better to just connect my actual Developer account to my client's.
The way it is at the moment, I cannot even access the developer resources and (most importantly) the provisioning center with the new Apple ID, so my client has to create new provisioning profiles and stuff, which is pretty frustrating and complicated.
Additionally, it is a pain to let him test the apps on his own devices, because the developer certificate is installed on my Mac, not his, and I am therefore the only one (or better, my Mac is the only computer) that can install new provisioning profiles on his devices.
Is there a better way to connect the accounts and solve these problems?
Cheers,
Nils
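The plus-suffix trick in the accepted answer and the gmail.com/googlemail.com swap in Nils's reply both work because one mailbox has several spellings. A service that does not want to be "fooled" the way iTunes Connect was has to compare accounts by the mailbox an address delivers to, not by the raw string. The following Python is an added example, not code from the thread; its treatment of the `+` tag (RFC 5233 subaddressing, which not every mail server honours), of Gmail (dots in the local part ignored, both domains one mailbox) and of local-part case is a heuristic assumption, as are the function names and the sample roster.

```python
from collections import defaultdict

# Assumption for this example: these two domains deliver to the same mailboxes
# and ignore dots in the local part. Other providers get only the generic rules.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Reduce an address to the mailbox it delivers to, so that
    susan+acme.com@example.com and susan@example.com compare equal."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()   # domain names are case-insensitive
    # RFC 5233 subaddressing: a receiving server that supports it drops the
    # '+tag' before delivery. Assumed here for every domain (heuristic).
    local = local.split("+", 1)[0]
    # Local parts may be case-sensitive per RFC 5321, but practically no
    # provider treats them that way; folding case catches Susan@ vs susan@.
    local = local.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical_mailbox(a) == canonical_mailbox(b)


def find_duplicate_accounts(addresses):
    """Group registered addresses by mailbox; returns mailbox -> sorted aliases
    for every mailbox that was registered more than once."""
    groups = defaultdict(set)
    for addr in addresses:
        groups[canonical_mailbox(addr)].add(addr.strip())
    return {box: sorted(aliases) for box, aliases in groups.items() if len(aliases) > 1}


if __name__ == "__main__":
    # Constructed sample roster mirroring the two tricks described in the thread.
    roster = ["susan@example.com", "susan+acme.com@example.com",
              "nils@googlemail.com", "nils@gmail.com", "bob@example.org"]
    print(find_duplicate_accounts(roster))
```

Because `+` is a legal character that some servers deliver literally, the canonical form is a duplicate-detection signal, not a reason to reject an address outright; flag the match and let the two registrations prove they are different people.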
Apple now will allow the same email address to be invited to multiple iTunes Connect accounts and no longer allows new emails to be added with the +. Just a word of warning to others who were doing this: the original post is now out of date with Apple's new policy, it seems.
@knl: The problem in the original question is specifically with iTunes Connect. If you want to be able to manage the Provisioning center (to make profiles etc.), ask your client to add you to that account. Here are the steps:
Go to "Member Center"
Select the "People" tab
Click on invitations
Select "Invite person"
in the next screen they can select your role including "Member" (limited access) and "Admin" (full access)
From Apple's documentation:
You can only create test user accounts using an iTunes Connect account with the Admin or Technical role assigned to it. Test users do not have access to iTunes Connect, but will be able to test in-app purchases in a development environment on a registered test device.