Tips and precautions for attracting new customers!

Every merchant runs customer-acquisition campaigns from time to time, attracting new users with low prices or free offers. Such campaigns inevitably draw freeloaders, and if that abuse is not controlled it can become a major hidden risk for the campaign. Based on his own experience, the author of this article offers basic product- and operations-level security suggestions on registration, activities, and payment. I hope they are helpful to you.

As the gray industry grows ever more rampant, almost every profitable platform becomes its "prey". Based on my own experience, this article offers basic product- and operations-level security suggestions on registration, activities, and payment.

I. Registration

Registration/login is the most basic and important first line of defense for security. If this is done well, you can avoid many troubles in the future.

Let me introduce the current security risks and prevention measures for registration/login on the market.

1. Virtual number segment registration

The so-called virtual number segments are number ranges reserved for virtual operators. Licensed enterprises rent the mobile networks of the basic telecommunications operators and provide communication services to users under their own brands. A virtual operator can be thought of simply as the operator's "special agent", but its actual management and operation are independent of the operator, so an individual who opens a card at a business hall will generally not be given a virtual number. (In some towns and remote areas, virtual numbers are actively sold.)

So what can be done with these virtual numbers? Registering, maintaining, and selling small (throwaway) accounts on the platform in batches.

This is a time bomb. Once the platform launches a new campaign, hundreds of thousands of small accounts come online at the same time and teach us a harsh lesson within minutes. This not only undermines the effectiveness of the campaign but, in serious cases, leads to huge economic losses. It is the biggest security risk and challenge in the registration process today. Financial products require users to complete real-name authentication and facial recognition before sensitive operations, which mitigates the problem to a certain extent but cannot eliminate it, as will be mentioned later.

Precautions:

Do not allow virtual number segments to register, and apply the same rule in the "change mobile phone number" step and when binding a mobile phone number after third-party login. This is currently the simplest, most direct, and lowest-cost prevention method. Not every platform needs it, however. If many of the platform's business functions do not involve money, such as information, tools, and open services, the platform can relax the rule as appropriate for its own business environment. If you are worried about losing such users, you can prompt the user at registration: "You are currently registering with a virtual number. To ensure the security of the account, please call ***** to obtain verification information." This step ensures that the current operator is not a program but a real person with a communication device. However, as the overall technical level of the gray market improves and voice recognition technology advances, this method is becoming less effective.

The approach above has the platform create its own security rules, which is relatively passive and relies on a single method. Whenever a new number segment appears, the rules have to be updated, which incurs management and maintenance costs. The mainstream cloud platforms on the market, such as Alibaba, Tencent, and NetEase, all provide registration security services. Backed by the big data these platforms hold and their corresponding security measures, they work better in practice than security rules built in-house. Those with strong capabilities and a large user base can consider them.

Currently known open virtual number segments:

  • China Mobile: 1703 1705 1705 165
  • China Unicom: 1704 1707 1708 1709 171 167
  • China Telecom: 1700 1701 1702 162

There is also the number range reserved for Internet cards, which starts with 14.

2. Exchanging/Buying Traffic

New users are acquired by exchanging traffic with partners or by purchasing it. There are many shady operations here:

  • Pure fake traffic. The traffic that comes in does nothing at all after arriving on the platform. The better ones register once and are never active again.
  • Mixed traffic, blended by time period and proportion: slightly smarter than the first kind, since some more valuable new users do come in.
  • "Middlemen": The middlemen here do not profit by reselling; they use low-quality or unwanted traffic to fool the buyer. For example, a developer buys traffic from a real estate platform, and the real estate platform passes along traffic from a fan platform, sending over a batch of junior high school students' accounts. You can imagine how exciting the scene on the developer's side is.

Precautions:

  • Build a channel supervision platform with your own capabilities, or use a third-party channel data management platform, and monitor all channels. Before doing so, the company needs to compare its own experience with competitors' channel conversion data to establish how channel quality will be measured.
  • Prioritize cooperation with people you know or with well-known platforms.
  • Try to use CPS and CPA as the billing method. CPC and CPM are for rich people.
  • State the effective proportion of traffic explicitly in the cooperation terms, so that the other party's behavior is constrained legally.

3. Verification Code

Verification codes are currently the most basic and widely used login method, and they are also the weak point that is most easily attacked.

1) Code swiping

Violent code swiping does not happen often, but when it does, it causes direct economic loss. If the verification code can be obtained three times and the attackers hit you with 1 million visits, then at the current bulk SMS price of between 0.3 and 0.1 cent, the direct economic loss is 9,000 to 30,000, and your performance for this month is gone. Such incidents usually stem either from a deliberate act following a direct conflict, or from a third party using the platform as a "zombie" that serves as the source of text messages for an "SMS bomber".

Some platforms see nothing abnormal in their daily verification-code request volume, yet they have in fact already become other people's "zombie machines". I have never used an [SMS bomber], but I have at least heard of it. It has long been a mature, basic "black hat" technique. When swiping codes, it can create a virtual environment that looks more real than a real device. No matter how many tricks you have, the single move of "building a virtual machine environment" defeats them all. In recent years, investment in computing and big data has improved the defense against this type of security incident, but the defensive measures are generally broken as soon as they come out. Defense always lags behind the attack, which is extremely passive.

Prevention measures:

1. Keep a low profile, do more good deeds, and do not act arrogantly. Violent code swiping is an illegal act. Absent special circumstances, this kind of thing will not happen.

2. Build a sound verification code security mechanism

  • The app collects the user's mobile phone, device model, and IMEI number, filters out emulators, and can capture gyroscope data if necessary.
  • Enforce a 60 s interval between verification code requests.
  • Set an upper limit on the number of consecutive requests per natural day (codes are single-use and cannot be reused).
  • When a user requests the verification code ? times in a row without logging in to the platform, turn on graphic/slider verification. (We do not recommend the approach used by some Tencent services, which require users to send a text message to a fixed number to verify that a natural person is operating a real communication device.)
  • If the daily consecutive-request limit is exceeded, activate the number/IP lock mechanism. The lock can be tiered (2 hours, half a day, one day), or it can be applied directly for one day. Tiered locking requires setting how many requests are allowed after unlocking. This number is generally lower than the daily consecutive-request threshold, and it is recommended to allow only one.
  • Set a maximum number of requests per natural day. Once the upper limit is exceeded, verification code requests are no longer served.
  • If the user triggers sending ? times in a row but does not receive the code, prompt the user to enable voice verification. Voice verification is worth expanding on as an aid to SMS verification. On the one hand, it can prevent code swiping to a certain extent, and on the other hand, it solves the problem of users not receiving the code. (Do not worry about whether a user who cannot receive the verification code on a weak network can make or receive calls. Voice communication still runs on 2G/3G technology, whose network requirements are lower than those of data communication. If you are interested, please look up the details yourself.)
  • After ? consecutive wrong verification code entries, enable the graphic/slider verification mechanism or the number/IP lock mechanism.
  • Avoid exposing the SMS verification code in the response. The verification code exists only on the server and cannot be obtained directly through any API (the test environment may do as it pleases).
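The checks above, together with the virtual number segment rule from the registration section, can be combined into one server-side gate. This is an added example, not code from the original article: the class, method names and status strings are hypothetical, and every threshold except the 60 s interval is an assumed value, since the article leaves them open.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Virtual-operator prefixes copied from this article's list ("14" = Internet cards).
VIRTUAL_PREFIXES = ("1703", "1705", "165", "1704", "1707", "1708", "1709", "171",
                    "167", "1700", "1701", "1702", "162", "14")
COOLDOWN_S = 60          # from the article: 60 s between two requests
# Assumed values below; the article does not fix these thresholds.
CAPTCHA_AFTER = 3        # sends per day before graphic/slider verification is required
PHONE_DAILY_CAP = 5      # sends per natural day for one number
IP_DAILY_CAP = 20        # sends per natural day for one source IP
MAX_WRONG = 5            # consecutive wrong entries before locking
LOCK_S = 24 * 3600       # the "locked directly for one day" option


class SmsCodeGate:
    """In-memory sketch; a real service would keep this state in a shared store."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.daily = defaultdict(int)    # (key, day) -> codes sent that day
        self.last_send = {}              # phone -> time of last send
        self.locked_until = {}           # key -> unlock time
        self.wrong = defaultdict(int)    # phone -> consecutive wrong entries
        self.codes = {}                  # phone -> pending code, server side only

    def request_code(self, phone, ip, captcha_passed=False):
        now = self.clock()
        day = int(now // 86400)          # natural day, counted in UTC for simplicity
        if phone.startswith(VIRTUAL_PREFIXES):
            return "REJECT_VIRTUAL"
        caps = {("phone", phone): PHONE_DAILY_CAP, ("ip", ip): IP_DAILY_CAP}
        if any(self.locked_until.get(k, 0) > now for k in caps):
            return "LOCKED"
        if now - self.last_send.get(phone, float("-inf")) < COOLDOWN_S:
            return "TOO_SOON"
        for key, cap in caps.items():
            if self.daily[(key, day)] >= cap:    # daily limit hit: lock number or IP
                self.locked_until[key] = now + LOCK_S
                return "LOCKED"
        if self.daily[(("phone", phone), day)] >= CAPTCHA_AFTER and not captcha_passed:
            return "CAPTCHA_REQUIRED"
        for key in caps:
            self.daily[(key, day)] += 1
        self.last_send[phone] = now
        self.wrong[phone] = 0
        self.codes[phone] = f"{secrets.randbelow(10**6):06d}"
        return "SENT"                    # the code itself never appears in the response

    def verify(self, phone, code):
        now = self.clock()
        key = ("phone", phone)
        if self.locked_until.get(key, 0) > now:
            return "LOCKED"
        expected = self.codes.get(phone)
        if expected is not None and hmac.compare_digest(expected.encode(), code.encode()):
            del self.codes[phone]        # one-time use
            self.wrong[phone] = 0
            return "OK"
        self.wrong[phone] += 1
        if self.wrong[phone] >= MAX_WRONG:
            self.codes.pop(phone, None)  # too many wrong guesses: drop code and lock
            self.locked_until[key] = now + LOCK_S
            return "LOCKED"
        return "WRONG"
```

The per-IP counter is what catches the "zombie machine" pattern, where one source requests codes for many different numbers and no single number ever looks abnormal.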

Let me tell you a heartbreaking truth. For the real gray market bosses, if they truly want to go after registration and verification codes, the methods above are simply ineffective. The current cloud control + cloud phone technology (pictured below) is already very mature and is trending toward scale and organized groups. Those who work in finance and gaming should be familiar with it, and it is fair to say they hate it deeply. These groups appear wherever there is money to be made from an app's new-user or group-buying campaigns, and the platforms often suffer heavy losses. The security risk situation we face is clearly still extremely severe. This shows how important it is to use technology for good, as Brother Pony has been saying.

I would also like to caution the big guys who are confident in the "image recognition" security mechanism. Mature platforms already exist on the market to overcome this mechanism, and the scenarios they support cover almost all graphic verification methods on the market. Take a look at one platform's introduction of its captcha-solving ("coding") function and feel the power of technology:

II. Activities

Almost every platform runs activities for product promotion, new customer acquisition, and brand marketing. After designing the main functions and flows of an activity, be sure to make the security of the activity a required item.

1. Taking [Sign-in Lottery] as an example, here are the security vulnerabilities that tend to be overlooked

  • Switching between multiple accounts on a single device. This can also be classified as a registration security issue.
  • There is no cap on the daily prize pool value. This can be ignored if the operation plan is well thought out, but if the prizes are physical goods, be sure to consider it.
  • There is no upper limit on the number of high-value prizes that can be won each day. If the value of a single prize is very high, the probability of winning it should be considered in addition to the number of times it has been drawn.
  • A large number of small accounts sign in to accumulate sign-in points, are kept alive, and then redeem the points for rewards. This is more common on financial platforms.
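A draw routine that closes the first three gaps in the list above is shown here as an added example; it is not code from the original article. The prize table, the cap values and all names are constructed for illustration, and a zero-value fallback prize is assumed so that the daily pool cap can never be exceeded.

```python
import random
from collections import defaultdict

# Constructed prize table: name -> (value, weight, daily win cap or None)
PRIZES = {
    "phone":     (5000, 1, 1),
    "coupon_50": (50, 49, 100),
    "thanks":    (0, 950, None),   # zero-value fallback, always affordable
}
FALLBACK = "thanks"
DAILY_POOL_VALUE = 8000     # assumed cap on the total prize value awarded per day
DRAWS_PER_DEVICE = 1        # assumed: one draw per device per day, whatever the account


class SignInLottery:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.spent = defaultdict(int)          # day -> prize value already awarded
        self.wins = defaultdict(int)           # (day, prize) -> times won
        self.device_draws = defaultdict(int)   # (day, device_id) -> draws made
        self.account_draws = set()             # (day, account_id) that already drew

    def draw(self, day, account_id, device_id):
        """Return the prize name, or None when the draw is refused."""
        if (day, account_id) in self.account_draws:
            return None                        # one draw per account per day
        if self.device_draws[(day, device_id)] >= DRAWS_PER_DEVICE:
            return None                        # account switching on one device
        self.account_draws.add((day, account_id))
        self.device_draws[(day, device_id)] += 1

        names = list(PRIZES)
        prize = self.rng.choices(names, weights=[PRIZES[n][1] for n in names])[0]
        value, _, cap = PRIZES[prize]
        over_cap = cap is not None and self.wins[(day, prize)] >= cap
        over_pool = self.spent[day] + value > DAILY_POOL_VALUE
        if over_cap or over_pool:
            prize = FALLBACK                   # downgrade instead of overspending
            value = PRIZES[prize][0]
        self.wins[(day, prize)] += 1
        self.spent[day] += value
        return prize
```

The caps are checked after the weighted pick, so the configured odds stay unchanged until a limit is reached and only the excess wins are downgraded.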

2. Attract new customers

New customer acquisition activities are the hardest hit by "wool-pulling"; almost no acquisition activity of any value is spared. In most cases, we are helpless. Here are some of the worst situations we encountered during new customer acquisition activities:

  • A huge number of small accounts raid the activity and clean it out, taking a large share of the new-user benefits and prizes in a short period of time.
  • Once the first "igniter" finds a loophole, the "*** Guide" spreads across the entire network within a day. Although this also brings a certain amount of exposure and new registrations, most of them are freeloaders and of little significance to the platform. It only adds many "zombie" users, and it is always accompanied by economic losses to the company or by the involvement of the company's public relations/legal resources.
  • For acquisition activities where users must meet certain requirements to receive rewards, users can initiate an after-sales refund after meeting the requirements and obtaining and using the rewards. If you bind the reward to the order status, that is, the reward only takes effect after the goods are received, the effect of the activity suffers. How to choose depends on how much the company values new-customer conversion and on the cost budget of the activity.
  • Users with multiple mobile phone numbers refer themselves. The number of registrations increases, but this contributes little to subsequent business conversion.

There are many other similar ranking/voting activities. As long as you spend some money, a large number of third-party voting platforms can meet all kinds of needs, including but not limited to requirements on the voters' gender, age, IP address, device model, and voting frequency. The price can be as low as a few cents each, and spending a few hundred to win a high-value prize is well worth it.

Let's talk about another, more extreme example, a bank spending-ranking activity: anyone who spends a certain amount within a set period can participate, and the ten people who spend the most receive additional high-value prizes. As long as the reward value is high enough, it does not matter how high you set the spending threshold. Why? Because each of the big guys who dominate the list has more than a dozen POS machines and can set the city where the spending takes place, the type of store, and even the specific store. Looking at the card swipes, the bank could hardly believe that its own cardholders were spending so fiercely! In the end, I found out that this was just a routine operation for them. The loss was the handling fee of the X, which was completely negligible compared with the prize, and the money that was taken out was later returned. A lot of points accumulate as well, and the points can be exchanged for another wave of prizes on the platform. Tricks like these can leave the planner crying at the counter in the lobby, unable to get up~

So, is there any practical solution to solve the problem of wool-collecting and protect the platform from losses?

Answer: No.

Why are we so sure? Look at what happened to the fruit tree planting activity of a group as powerful as Boiling Water. The key to obtaining rewards is to collect large amounts of fertilizer and water drops to water the fruit tree, ripen the fruit, and claim the prize. Let's narrow down the resources we want: fertilizer and water drops. Fertilizer can be obtained through lotteries and shopping, and the water drops given out never run out. The platform has a large number of 1-cent goods/services, and purchasing them yields large amounts of water drops and phone credit. A box of fruit every 2 or 3 days really is too good to be true.

At the beginning of the event, the phenomenon I mentioned above occurred: users initiated a refund after purchasing and receiving the reward. Later, the event rules were updated so that too many refunds permanently delete the task corresponding to the reward. But that still could not stop the "smart" people. Some of them buy ultra-low-priced goods, and some buy coupons but do not redeem them, waiting for the platform to refund them automatically after they expire. However, I have already received the fertilizer & water drop rewards. This is a case of a user blatantly exploiting loopholes in your platform rules, and there is nothing you can do about it.

Recently, fruit tree maturity has been extended to three decimal places, and the progress gained from each watering has also dropped considerably. On the one hand, this shows that "smart" users account for a large proportion, and on the other hand, it shows that the activity has indeed played a significant role in promoting activation and order conversion.

If this is the case for large companies, there is no need to say more about start-ups and small and medium-sized enterprises. But does that mean we have to control the activity rules strictly? Quite the contrary. Users have already been spoiled by extremely sweet honey. If they are given only seven-tenths sweetness or half sugar, the effect of the activity will inevitably suffer. It is recommended to set normalized rules and to provide as many rewards for new users as the cost allows, while the product and operation departments focus on formulating the reward rules. Common approaches today are: timeliness (such as valid only on the same day), scope setting (not necessarily products users need, but definitely high-margin or overstocked inventory), and continuity (after one round of rewards is used up, there are new rewards, gradually decreasing in strength).

However the rules are set up, they come down to two aspects: time cost and total order amount/quantity. Users are encouraged to use rewards to place orders within a short period, or to keep ordering in order to keep earning rewards. Rewards are used continually to raise the frequency of repeat purchases, and the revenue obtained can offset part of the platform's losses. In reality, however, once all the costs of purchasing, transportation, warehousing, and labor are taken into account, more than half of the activities are loss-making. If the traffic brought in through activities is managed properly and stays active and retained on the platform, time will eventually turn the losses into profits, provided that the company can hold on.

I have talked a bit too much about the activities. There are too many outrageous operations in this area, and some cases of broken legs are not mentioned here so that others will not follow suit.

III. Payment

The rise of mobile payment has made people's lives more convenient, but it has also made people's property less secure to a certain extent. Payment security risks currently come in many forms:

User side:

  • Trojans and viruses: commonplace. Even though the country and employers attach great importance to awareness campaigns, such incidents still happen every year.
  • Phishing SMS and email: the user opens an unknown link and enters a mobile phone number to get a verification code, and then the bank transfer SMS arrives.
  • QR code: the payment QR code is replaced, and what is scanned turns out to be a virus link.
  • Apps downloaded through small channels: This one is for men. I won't go into details. Those who understand will understand.

Platform side:

  • Malicious ordering without payment: As the name says, the buyer reaches the payment page and does not pay, locking the merchant's inventory and interfering with normal sales. The recent fierce "graphics card war" staged this kind of operation once again. The main impact is on the interests of individual merchants/scalpers on the platform. For the platform and its brand image, the damage is no worse than cupping marks, and it soon passes.
  • Malicious refunds: Users frequently purchase large amounts of goods and then initiate refunds. This has little impact on the platform, but it is as unpleasant as swallowing a fly. In the early days it was used to raise credit card limits. Mainstream payment platforms are now connected to government regulatory platforms, and the phenomenon has become less common.
  • XiQ: Mainly affects finance, games, and some large-scale trading platforms, and is still a gray area. Although there are companies in China that handle related business, there are no effective and comprehensive defense measures. We can only hope that the government takes the lead and works with the major financial institutions to improve the digital infrastructure in this area.
  • Network attacks: mainly protocol vulnerabilities (silent SMS, fake base stations, IMSI capture, GSM man-in-the-middle), code implementation vulnerabilities (TMSI overflow, Intel/Comneon, AUTU overflow, Qualcomm, SMS PDU overflow), and other means of replacing or tampering with payment data. Once the user's touchID or faceID is intercepted and copied, the consequences...

Whether we are a small player with nothing more than a payment checkout page, or a medium or large enterprise backed by a payment center platform, we should pay enough attention to the security of the payment environment and protect the property of our users.

Finally: I sincerely hope that you will never encounter the above situation. I sincerely hope that people will be kind and every individual will use a good attitude to promote the country's economic construction and business development.

Author: Emperor Wu of Han

Source: Emperor Wu of Han