

Ask HN: How to protect our service against fake requests/trolls? - sgb_QQ

We are a small startup operating a service where people make real appointments at various venues around the city.

To request an appointment, all you have to provide is name, email, phone number & some other basic details. You also have to select the details of the appointment prior to this. It takes a normal person about 2 minutes to get from entry point to appointment confirmed.

We have been experiencing periodic fake appointments, which is really disrupting our business and damaging our relationship with our venues. They're obviously created by humans, only a few a week, but we'd like better protection against these people.

We deal with them reactively using our admin tools and contacting people, but it's wasting our time and the relationship damage is already done.

The only measure we have in place to proactively prevent this right now is strict rate limiting.

We're considering:

- Recording IP/UA info for every appointment (then blacklisting). But that's easy for someone to get round, and they might just do it from different places, agents, etc.

- Email verification for your first appointment, but that's an experience trade-off. We're small and every conversion counts - so we want to avoid adding new barriers if we can. Plus, some of the requests have working emails.

- Moderating our appointments before they get passed onto our venues. This adds a barrier to the process, and there are times where requests happen when the whole team is not working or asleep. A compromise would be a delay where the team can intervene before an appointment is allowed to continue, but that makes for a worse experience for our users (+ some appointments need to be sorted out quickly).

- SMS verification, however, we called a couple of the trolls, and they are real numbers (no response, of course).

Does anybody have any experience of this, or any advice?
======
darrennix
It sounds like you would benefit from offering a menu of registration choices:

- Facebook / Twitter / Google

- Email + other

As with AirBnB registration, you would strongly encourage users to register
using a social media auth but allow them to use an email + nothing else if
they desire.

You can then apply a simple risk scoring model that says (I'm simplifying
here):

* Facebook + 200 friends + > 3 year account age = auto-approve

* Email only = red flag; manual verification

Critically, you don't reveal to red-flagged users that they've been placed in
a sandbox.
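
A sketch of the routing described in the comment above, added here as an example and not part of the thread or anyone's production code: bookings are scored on the social-login signals mentioned, and both paths return the same response so a held booking is not revealed. The weights, threshold, field names and response text are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SOCIAL_PROVIDERS = {"facebook", "twitter", "google"}
AUTO_APPROVE_AT = 100  # assumed threshold: all three trust signals must be present

@dataclass
class Booking:
    name: str
    email: str
    provider: Optional[str] = None   # None means email-only guest checkout
    connections: int = 0             # friends/followers reported by the provider
    account_age_years: float = 0.0

def trust_score(b: Booking) -> int:
    """Add up trust signals; weights are illustrative, not tuned on real data."""
    if b.provider not in SOCIAL_PROVIDERS:
        return 0                      # email only: no signals to score
    score = 40                        # authenticated with a social provider
    if b.connections >= 200:
        score += 30
    if b.account_age_years > 3:
        score += 30
    return score

def submit(b: Booking, venue_outbox: list, review_queue: list) -> dict:
    """Route the booking, returning the same response whichever path it took."""
    if trust_score(b) >= AUTO_APPROVE_AT:
        venue_outbox.append(b)        # goes straight to the venue
    else:
        review_queue.append(b)        # held for staff; the venue does not see it yet
    # Identical wording and fields for both paths, so a red-flagged requester
    # cannot tell from the response that the booking is sandboxed.
    return {"status": "received", "message": "Thanks, your request is in."}

if __name__ == "__main__":
    outbox, queue = [], []
    # Constructed sample bookings.
    trusted = Booking("A. Example", "a@example.com", "facebook", 250, 5.0)
    guest = Booking("B. Example", "b@example.com")
    print(submit(trusted, outbox, queue) == submit(guest, outbox, queue))
    print(len(outbox), len(queue))
```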

~~~
sgb_QQ
That's an interesting idea, thanks. We wanted to avoid any concept of
registration (ie all appointments are currently 'checkout as guest'), since
it's an experience barrier, but Fb/Tw/G+ are good human verification tools.

------
lovelearning
Make credit card number a mandatory field, and charge anybody who misses out
on an appointment.

