Post Syndicated from Katie Williams original https://aws.amazon.com/blogs/architecture/preventing-free-trial-abuse-with-aws-managed-services/
Free trial promotions are a popular marketing tactic, but they can also be a common source of fraud for ecommerce retailers. So, how do you identify fraudulent users? And what are some effective ways to prevent free trial abuse?
This blog post outlines common free trial abuse attack vectors and presents prevention techniques. We’ll show you how to incorporate Amazon Fraud Detector into your architecture to catch free trial abuse faster and more frequently.
Additionally, our fraud prevention solution shows you how you to use managed AWS services and Serverless on AWS. This solution shows you how to quickly build a scalable prevention system that doesn’t require machine learning (ML) expertise and offers a cost-efficient, pay-as-you-go pricing model.
Common free trial abuse attack vectors
Attack vectors are how users gain fraudulent access to an application. For the determined attacker, or for high value services, methods are often combined and automated. In this section, we familiarize you with common attack vectors to help you protect against them.
Fake emails and disposable phone numbers
Applications generally limit free trials to one per account. They use a unique identifier such as an email address or phone number to enforce this restriction. To bypass this, fraudulent users create multiple fake email accounts or use disposable email services.
Other applications use browser cookies to track if the user has been to the site. If the user has visited before, they are prompted to log into their account instead of creating a new one. Enabling a browser’s privacy mode can defeat cookie tracking, or a user may delete individual cookies.
Stolen/fake credit card information
Users may bypass credit card verification steps by obtaining a stolen credit card number. Or they can create fake credit card numbers using automatic credit card generator scripts.
Free trial abuse prevention techniques
Now that you’re aware of common attack vectors, this section will show you how you can prevent bad actors from taking advantage of free trial promotions.
Verify phone numbers and email addresses
Because it’s usually the easiest to implement, phone or email verification is a common prevention technique.
The application sends a confirmation code or link to the phone or email contact provided by a new user. Then they pass this confirmation token back to the application to verify that they have access to these contact methods.
To strengthen this approach, you can incorporate expiration times for the code or link used. With a confirmation link, applications can further block outside threats from by including parameters in the URL that specify additional identification information.
Cross-check against lists of disposable email addresses/phone numbers
Disposable email addresses and phone numbers are commonly used to safeguard online privacy and anonymity. However, they also provide an easy way to create throwaway accounts for free trial abuse.
While it’s impossible to identify all disposable contact methods, you can reduce the number of disposable emails and phone numbers used in a few steps.
- First, validate users’ email input. Applications should check the validity of the email format and prevent users from implementing plus addressing in their emails. For example, [email protected] and [email protected] will have confirmation emails delivered to the same inbox.
- For an additional layer of protection, you can scan actively maintained lists of disposable email addresses and phone numbers and cross-check them against new user information. These lists are available on open-source GitHub repositories or through third-party APIs.
Our prevention solution architecture shows you how to periodically call these lists using AWS Lambda and update an Amazon DynamoDB table that is used as the main source of truth for fraudulent emails and phone numbers.
Verify credit card information
Free trials often require a credit card that will be charged once the free trial period ends. You can verify these credit card details two ways:
- Ensure that the card number is valid using the Luhn algorithm, which validates credit card numbers upon entry.
- Once you have validated the credit card number, perform a second check to validate that your new user is the cardholder. To do this, request additional information from the user such as the credit card CVV, full name, or billing address. Payment vendor APIs will then securely pass this information along for an identity verification check.
Note that this additional logic deals with personally identifiable information and payment card industry data. AWS Compliance provides resources and tooling to help you secure your customer data and adhere to compliance controls.
Use machine learning to learn and identify fraudulent behavior
While the previous techniques offer quick fixes, a custom machine learning model offers a more permanent and powerful solution.
ML provides you greater accuracy in fraud prevention. By building custom fraud detection ML models that detect patterns presented in historical user sign-up data, you can learn and adapt to changing attack vectors. To get started, Amazon SageMaker allows you to build, train, and deploy custom ML models, and Amazon Fraud Detector provides a simplified model building approach, as shown in the following section.
Using Amazon Fraud Detector for ML-based fraud prevention
Amazon Fraud Detector automates the time-consuming and expensive steps to build, train, and deploy an ML model for fraud detection. It customizes each model it creates based on your specific dataset, making the accuracy of models higher than current one-size-fits-all ML solutions.
Amazon Fraud Detector distinguishes between legitimate and high-risk customer account registrations so you can selectively introduce additional steps or checks based on risk. Figure 1 demonstrates how Amazon Fraud Detector can be used to train and validate a model and then host the model endpoint so that it can be called through the Amazon Fraud Detector API.
Building fraud prevention into your AWS environment
A well-architected application should incorporate a combination of the prevention techniques described in this post to block free trial abuse from multiple attack vectors.
Our sample architecture (Figure 2) demonstrates how you can apply these techniques using managed AWS services to build a comprehensive fraud prevention workflow into your application, which is summarized as follows:
- A user enrolls by providing an email address, phone number, and credit card number. A Luhn algorithm check is run on the credit card number input to verify that the number is legitimate.
- If the credit card number passes this check, a call is made to the payment processor API to verify the cardholder’s identity.
- Amazon Cognito creates a user sign-up workflow, stores user details, and employs a pre-sign-up action that invokes a Lambda function, which performs two additional fraud checks.
- The Lambda function checks if the email address or phone number provided matches those stored in a DynamoDB database. This database contains a list of known disposable contacts. An Amazon CloudWatch event initiates a Lambda function to update these lists hourly.
- Upon passing the first check, the Lambda function sends the enrollment data to Amazon Fraud Detector. The data is evaluated using ML to assign a fraud score.
- If the score is within the range allowing enrollment to proceed, Amazon Cognito sends the user an email with a confirmation link.
In this blog post, we identified some of the common attack vectors that lead to free trial abuse, and we provided you techniques that you can use to prevent them. We showed you AWS services to quickly solve these problems and build a solution.
You can look at other ways Amazon Fraud Detector has been used to detect and prevent fraud in AWS environments on the AWS Machine Learning: Fraud Detector Blog channel.