How companies can beat scalping and win over customers

What is Scalping?

You might be familiar with the gruesome act of removing an enemy’s hair (and scalp!) featured in many Hollywood westerns. However, there’s another meaning of scalping which is used increasingly in business.

A definition of scalping, in a business sense, from the Cambridge English dictionary:

The activity of buying things, such as theatre tickets, at the usual price and then selling them when they are difficult to get at higher prices.

Scalping is most prevalent online. The coronavirus pandemic has benefited online scalpers by creating the perfect storm of:

  • A huge consumer shift towards online purchasing.
  • Delays in product delivery due to problems with global supply chains.
  • Other purchasing channels, such as high street retail, being closed during lockdowns.

What’s the problem?

Scalpers say that buying up desirable items for sale on the internet, like the new PlayStation 5 console, and selling them for a handsome markup is just good business. They claim they are only being entrepreneurial and it’s not illegal to do it.

Indeed it is not illegal, but it’s certainly regarded as pretty unethical and angers many consumers who can’t get items they really want, like the PS5.

Scalpers often use bots to trawl the internet to find websites selling these desirable in-demand items. This practice adds to the view that this is unethical, with ordinary customers standing little chance of finding items in stock on a website against such mass volume automated techniques.

Many people have written to their MPs complaining about the practice and a debate on scalping was raised in parliament specifically about the unfairness on consumers of scalping in the computer consoles market.

Very few retailers have protection in place against scalping

In the gaming market, most retailers recognise the problem of scalping.

Our very quick mystery shopping exercise found that the current ‘hard to get’ PS5 cannot easily be bought on the internet at its RRP of £449.99 because stocks on retailer websites are all sold out.

However, you can get one if you’re prepared to pay the inflated prices charged by scalpers on reseller websites like eBay, some adding on hundreds of pounds. The cheapest PS5 we found on eBay was £535.00, going up to £999.99.

Currys PC World seem to be one of the few online retailers trying to offer a fairer system. You can enter their PS5 VIP pass draw and if you’re one of the lucky winners you get a code to purchase a PS5 when they secure more stock.

Companies have a choice to retain their brand reputation and win over customers

The use of automated bots has only been made illegal for buying tickets for concerts and gigs.

For all other items currently in high demand scalpers can continue to use bots and buy up stock from websites that aren’t doing anything about it. There are many items that attract scalpers, here are just a few examples:

  • Game consoles
  • New technology and computer equipment
  • Hot tubs
  • Gym equipment
  • Special edition records
  • Limited edition trainers and clothing

Companies risk losing their brand reputation and customer loyalty when customers go to their website and cannot get what they want as it’s out of stock, scalpers with their automated bots having got there first and purchased the items in bulk.

Customers are less likely to return to a website in future when looking for other items if they have been unable to get their in-demand item before because the company has allowed scalpers to buy up much of the stock.

In fact, because it’s becoming such an issue, there’s an opportunity for companies to get ahead of their competitors by introducing anti-scalping operating procedures onto their website. This will create a fair and level playing field for consumers, plus a real positive PR story for their brand which in turn can increase customer loyalty and sales.

The Anti-Scalping solution for companies to keep their customers happy

Companies can use Person Identity Verification on their website to ensure an order is from a genuine name at the delivery address given. Person Verification matches the order details against the full Electoral Roll dataset. Steps for companies are:

  1. Restrict a product liable to scalping to 1 order per person.
  2. Check the name and address typed in hasn’t already been used to buy it.
  3. Someone scalping would need to invent false names at their address, or other addresses they are using. Running this through Person Identity Verification would then tell the company that the name and address don’t exist, so it can refuse the purchase.

This data-based method of verification is easier and cheaper to implement for the company, and much less hassle for the customer, than having to find photo ID and upload to the website.
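The three steps above as a checkout gate, in an added Python example that is not T2A's code. The `verify_person` callback, its "FOUND"/"NOT_FOUND" return values at this point in the flow, and all names and addresses are assumptions constructed for the illustration; a real lookup would replace the stub.

```python
import re
import unicodedata

ACCEPTED = "ACCEPTED"
REFUSED_DUPLICATE = "REFUSED_DUPLICATE"
REFUSED_NOT_VERIFIED = "REFUSED_NOT_VERIFIED"


def normalise(text):
    """Lower-case, strip accents and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z0-9]+", " ", no_accents.lower()).split())


def person_key(first_name, surname, address_line_1, postcode):
    """Key for 'one person at one address'. Normalising first stops trivial
    variations (case, punctuation, postcode spacing) counting as a new buyer.
    It does not equate abbreviations such as 'St' and 'Street'."""
    return (normalise(first_name), normalise(surname),
            normalise(address_line_1), normalise(postcode).replace(" ", ""))


class LimitedProductGate:
    """Step 1: one order per person for each restricted product."""

    def __init__(self, verify_person):
        # verify_person(first, surname, line1, postcode) -> "FOUND" / "NOT_FOUND"
        # (assumed interface standing in for a person verification lookup)
        self.verify_person = verify_person
        self.buyers = {}  # product_id -> set of person keys already accepted

    def check_order(self, product_id, first_name, surname, address_line_1, postcode):
        key = person_key(first_name, surname, address_line_1, postcode)
        seen = self.buyers.setdefault(product_id, set())
        # Step 2: has this name and address already bought the product?
        # Checked first so a repeat attempt never reaches the lookup.
        if key in seen:
            return REFUSED_DUPLICATE
        # Step 3: an invented name at a real address will not be found.
        if self.verify_person(first_name, surname, address_line_1, postcode) != "FOUND":
            return REFUSED_NOT_VERIFIED
        seen.add(key)
        return ACCEPTED


# Constructed stand-in for the verification dataset: one known resident.
CONSTRUCTED_REGISTER = {person_key("Alice", "Example", "1 Sample Street", "ZZ1 1ZZ")}


def constructed_verify(first_name, surname, address_line_1, postcode):
    key = person_key(first_name, surname, address_line_1, postcode)
    return "FOUND" if key in CONSTRUCTED_REGISTER else "NOT_FOUND"


def demo():
    gate = LimitedProductGate(constructed_verify)
    return [
        gate.check_order("ps5", "Alice", "Example", "1 Sample Street", "ZZ1 1ZZ"),
        gate.check_order("ps5", " alice ", "EXAMPLE", "1, Sample Street.", "zz11zz"),
        gate.check_order("ps5", "Bob", "Invented", "1 Sample Street", "ZZ1 1ZZ"),
        gate.check_order("other-item", "Alice", "Example", "1 Sample Street", "ZZ1 1ZZ"),
    ]


if __name__ == "__main__":
    print(demo())
```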

Our API for websites can integrate our Person Verification method easily into your website. We also offer Person Identity Verification on our public website ukphonebook.com.

Contact Us or visit our website for more information.

Selling age-restricted products to under 18’s is illegal – how to comply as an online retailer?

Companies will be aware that selling certain products such as alcohol, tobacco and fireworks to anyone under 18 years of age is illegal. However, companies may not be so aware of the positive steps they are required to take under UK Government guidelines to check the age of customers buying these products.

Proof of age can easily be done in a shop by judging whether the customer looks old enough, or asking for photo id if the shopkeeper is unsure. It is much more tricky for online retailers to be certain a customer is over 18, yet the same responsibility applies to a website owner as it does to a shop owner.

In this article we explain what an online retailer’s responsibilities are and how to comply with Trading Standards guidelines.

Duty of online retailers

It is the responsibility of online retailers not to sell age-restricted products to customers under the minimum legal age.

That is no surprise, but importantly it is also the duty of online retailers to use effective systems capable of verifying the age of potential purchasers to ensure they are old enough to buy a product.

The list of age-restricted products in the UK includes:

  • Alcohol
  • Tobacco and vaping products
  • Fireworks
  • Spray paints and hazardous chemicals
  • Cooking and camping knives
  • Certificate 18 films and games
  • Pharmaceuticals and medicines

What age checks are not likely to be viewed as taking ‘due diligence’?

What we mean by ‘due diligence’ here is all reasonable checks made by an online retailer to verify the customer’s age before selling them age-restricted products.

According to the Business Companion website (who describe themselves as “Trading Standards law explained”) the following checks are unlikely to satisfy ‘due diligence’, and thus would not be a reasonable defence if an online retailer appeared in court for selling to an under age person.

Not sufficient to satisfy ‘due diligence’:

  • Using tick boxes to ask purchasers to confirm they are over 18.
  • Asking the purchaser to give a date of birth.
  • Relying on the purchaser confirming that they are over 18.
  • Using a general disclaimer on your website – e.g. “anyone ordering this product will be deemed to be at least 18”.
  • An ‘accept’ tick box that the purchaser has read the website terms and conditions where it states they must be over 18.
  • Only taking credit card payment. Credit cards are not available to under 18s but some debit cards and pre-paid cards are.

Age verification methods that are likely to show compliance

Age verification checks are much more likely to display an online retailer’s compliance with ‘due diligence’ and their responsibilities when selling age-restricted products. Examples of these age verification methods are:

  • Age Verification of a purchaser by matching name and address details against a frequently updated dataset comprised of the Electoral Roll and other UK data sources. See more details on T2A’s pay-as-you-go Age Verification method.
  • Obtaining proof of age at the door when delivering the product. However, third party delivery companies may not want to take responsibility for this on your behalf.
  • Follow up checks after the product has been ordered, for example if proof of age could not be done at the time of purchase. This can create time consuming admin for website owners and can be a problem if purchases slip through the net and are never checked.
  • If a website has stores as well, click and collect can be offered and age checks can be done face-to-face when the customer comes in to collect the product. This option is not likely to be viable for the majority of websites, just big brands with stores nationwide.

Conclusion

Considering the options above, the first option of verifying a purchaser’s age against third party data, seems to be the best for the vast majority of websites that sell age-restricted products. The reasons are:

  • First and foremost the online retailer is doing the most they can by checking age at the point of purchase. This represents a good level of ‘due diligence’ should the retailer be accused of selling age-restricted products to someone under age.
  • Matching against data sources like the Electoral Roll before the purchase is confirmed makes it a reliable way to verify the purchaser’s age without the admin that results from making manual age checks.
  • The online retailer does not have to rely on courier companies making an age check for them on delivery. A driver may forget to ask if they are busy with many deliveries, or the purchaser may not be at home which creates logistical issues when the product cannot be left at the door.

For more information on T2A’s Age Verification method for online retailers, please click here.

This is also available as an Age Verification plugin for websites built using WordPress and WooCommerce.

How to use bulk options for Person Verification and Age Verification.

Our API offers the option, on both Person Verification and Age Verification, of a bulk method so you can check a file of multiple names and addresses in one go.

This is ideal for companies that want to check their customer database to verify that they hold the correct and genuine name/address details in the case of Person Verification, or that customers are 18 years old or over if running the file against our Age Verification.

Person Verification

Checking that a person applying for your product, or who has registered an account with you, is who they say they are is an invaluable way to prevent fraud and money laundering within your business. Our Person Verification method does just that by checking against our vast dataset of 48+ million UK people.

‘Knowing Your Customer’ (or KYC as it’s commonly abbreviated to) by using our Person Verification facility is vital in many business sectors including:

  • Banks and Building Societies
  • Lending companies
  • Insurance companies & brokers
  • Rail industry (for ticket inspectors issuing fines)
  • Legal practices and solicitors

Read more on the bulk tab of our T2A Person Verification page.

Age Verification

Under UK law any business selling age-restricted products or services must check that the customer is old enough to purchase them. Trading Standards guidance from the Government states that a customer ticking a box on a website to say they are 18 or over is not sufficient to verify their age.

Our Age Verification method checks a UK person’s age against actual date of birth data within our comprehensive set of data sources including the Full Electoral Roll.

There is a need for reliable age verification amongst a wide range of industries that sell age restricted products including:

  • E-Commerce retailers of alcohol, tobacco or DVDs
  • Pharmaceutical companies selling their products online
  • Retailers of kitchen knives and other items that can be classed as “offensive weapons”
  • Websites selling potentially harmful cleaning products and other dangerous chemicals.

Read our Age Verification page on T2A to see how we check age against actual data. Click the bulk tab for information on the bulk age verification method.

How our bulk Person Verification and Age Verification services work

Step 1 – download the names and addresses from your database that you want to verify into a csv file.

Step 2 – make sure your file has these fields included as a minimum:

  • First name
  • Surname
  • Address line 1
  • Postcode

Step 3 – upload your file to T2A

Step 4 – T2A matches your information against our vast dataset which is updated daily to provide the most accurate, up to date results.

Step 5 – your csv results file will contain the original data plus an extra column to give one of the following results next to each person:

For Person Verification…

  • FOUND
  • NOT_FOUND

For Age verification…

  • FOUND_OVER_18
  • FOUND_UNDER_18
  • NOT_FOUND

Try our verification services for free

There is a free demo for each of our verification methods:

Go to the demo tab on this page to try Person Verification.

Go to the demo tab on this page for Age Verification.

So if you want to ensure your customer database contains genuine verified UK individuals, and that they are old enough to buy your age restricted products in the future, why not get in touch.

Using T2A with Webhooks

A user’s interaction with a website, and in particular an eCommerce website, can be described as a series of events. Whenever a user does something like sign in, register, request a password reset link or add an item to their basket, an event occurs. Webhooks are a way of responding to these events.

Age verification

With age verification becoming increasingly regulated, it is important to make sure your website, if it sells age-restricted products, is designed to check that a customer is over 18. This can be achieved with webhooks and the T2A method age_verification. Most eCommerce solutions (e.g. WooCommerce) will provide webhooks that you can use. For WooCommerce you could set your Topic as “Customer created”, “Order created” or “Order updated” and then run the T2A age verification to check the customer information against our extensive UK people data sources to see if the user is over 18. Alternatively, you could select Action as your topic field and create a webhook that fires after a particular WooCommerce action occurs e.g. “woocommerce_after_checkout_validation”.
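A receiver for the “Order created” webhook described above, as an added Python example that is not T2A's or WooCommerce's code. It goes one step beyond the text by first checking the `X-WC-Webhook-Signature` header, which WooCommerce sets to the base64 HMAC-SHA256 of the raw body keyed with the webhook secret, so that forged deliveries cannot trigger lookups or release orders. The `age_check` callback, the reuse of the bulk result values (FOUND_OVER_18 and so on) as its return values, the action names and the sample payload are assumptions.

```python
import base64
import hashlib
import hmac
import json


def signature_is_valid(raw_body, signature_header, secret):
    """Recompute the HMAC over the exact bytes received and compare in constant time."""
    expected = base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest())
    supplied = (signature_header or "").encode("utf-8")
    return hmac.compare_digest(expected, supplied)


def handle_order_created(raw_body, headers, secret, age_check):
    """Return the HTTP status and the action the shop should take for this delivery."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if not signature_is_valid(raw_body, lowered.get("x-wc-webhook-signature"), secret):
        return {"status": 401, "action": "rejected_bad_signature"}
    try:
        order = json.loads(raw_body)
        billing = order["billing"]
        person = tuple(billing[f] for f in
                       ("first_name", "last_name", "address_1", "postcode"))
    except (ValueError, KeyError, TypeError):
        return {"status": 400, "action": "rejected_malformed_payload"}
    # age_check is a stand-in for the age verification call (assumed interface).
    result = age_check(*person)
    # Only a positive over-18 match releases the order; an under-18 match
    # and an unmatched person are both held for a manual check.
    if result == "FOUND_OVER_18":
        action = "release_order"
    else:
        action = "hold_for_manual_age_check"
    return {"status": 200, "order_id": order.get("id"),
            "age_result": result, "action": action}


# --- Constructed sample data below; none of it comes from a real shop. ---
CONSTRUCTED_SECRET = b"constructed-webhook-secret"


def constructed_delivery(first_name, order_id=1001):
    body = json.dumps({"id": order_id, "billing": {
        "first_name": first_name, "last_name": "Example",
        "address_1": "1 Sample Street", "postcode": "ZZ1 1ZZ"}}).encode("utf-8")
    mac = hmac.new(CONSTRUCTED_SECRET, body, hashlib.sha256).digest()
    return body, {"X-WC-Webhook-Signature": base64.b64encode(mac).decode("ascii")}


def constructed_age_check(first_name, last_name, address_1, postcode):
    return {"Alice": "FOUND_OVER_18", "Charlie": "FOUND_UNDER_18"}.get(first_name, "NOT_FOUND")


def demo():
    actions = []
    for name in ("Alice", "Charlie", "Nobody"):
        body, headers = constructed_delivery(name)
        actions.append(handle_order_created(
            body, headers, CONSTRUCTED_SECRET, constructed_age_check)["action"])
    # A body altered after signing no longer matches its signature.
    body, headers = constructed_delivery("Charlie")
    tampered = body.replace(b"Charlie", b"Alice")
    actions.append(handle_order_created(
        tampered, headers, CONSTRUCTED_SECRET, constructed_age_check)["action"])
    return actions


if __name__ == "__main__":
    print(demo())
```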

Identity Verification

Another use for webhooks is to check customer information to prevent fraudulent card transactions. Stripe, Braintree and other merchant account providers will provide webhook interaction which you can use by checking customer input against our person_verify method. This could be a first step in flagging a transaction that needs further investigation. Our person_verify method checks a name and address against our 48+ million data set of UK people and indicates whether they exist in our data.

Contact Appending

As well as verification you could use webhooks and T2A to improve your customer database.
We have substantial information on UK people and businesses. Using a “Customer created” webhook you could use our person_search method to enhance the customer record. The person_search method returns telephone numbers, mobile numbers and links the person to associated companies if they are a company director. Alternatively, if you are dealing with a UK business you could get further information on the company using our business_search, company_details, company_credit_report and director_details methods. Our business data includes telephone numbers, company website, company appointments, credit reports and information on directors. This appended customer information could help with marketing, profiling, order fulfillment and other customer service requirements.

Alternatively, if you don’t need to update customer records on the fly during webhooks you can take advantage of the bulk telephone number appending API method.

TPS Checking

The last use case in this post is the tps_full method. Again using a “Customer created” webhook you could check if the customer’s telephone number is on the TPS or Corporate TPS register and flag the record accordingly. You could also periodically check all your records with the bulk TPS checking method tps_bulk (though this would not be during a webhook).


How one customer has harnessed the power of our API

The T2A API is powering lots of companies’ websites, apps and internal systems to help them deliver new efficient processes in their business. They depend on our UK data sources, the most accurate and up to date available, to deliver instant reliable results for their staff’s people, address and company information searches.

Our customers are wide and varied, from delivery companies to fraud prevention specialists, E-Commerce websites to estate agents, telemarketing agencies to building societies.

Here is a case study about one of our customers to give you a flavour of how we help companies, working with them as their data partner…


T2A Customer Focus – Raspberry Software Systems Ltd

Raspberry Software Systems, providers of software solutions to the UK rail industry since 2004, have been working with us for 10 years and have increased their usage of our T2A data during that time.

Through Raspberry Software’s Ticket Inspection and Prosecution System (TIPS) their rail clients have been able to replace paper based systems, and arduous record checking over the phone by Revenue Protection Officers on the train, with instant passenger identification through the app on an Officer’s tablet or smart phone.

At the heart of the TIPS system is the T2A data upon which it relies, delivered by API methods that we worked on in partnership with Raspberry Software to help them deliver the unique tailored system they wanted to develop.

The feedback that Raspberry Software has had from their clients has been excellent. Rail companies using TIPS have reported a much greater number of Penalty Fare Notices issued and a marked increase in those settled.

Working with T2A has been a very rewarding process for us. Their agile and flexible approach to delivering quick solutions to the data requirements we had for our system has been very refreshing. Add to that the fact that through their API we have access to good quality data at very good value prices, this relationship has been a win for us and a win for our clients.

Peter Jarvis | Director
Raspberry Software Systems Ltd

In the case study example above, Raspberry Software are using our API methods relating to finding who lives at a UK address, accessing the Electoral Roll and our other data sources.

We have a host of other methods too within our API to help you with whatever people, address and company data searching you need to perform within your system. Here is our full method list to show what the T2A API can do.

Some of our most popular applications of the API are:

…and much more. See all our API services

Try before you buy!

One of the best things about our API is that you can sign up for an account and start testing it out straight away without any financial commitment. There are free demos (using limited access to live data) and example scripts to get an idea of how accessing the API could work for you with HTML, CSS and JavaScript.

So if you have an app, website or internal system (or you’re looking to develop one) and need an API to return results using comprehensive up to date UK data sources…let’s talk!

Quick links:

Sign up to try out how our API can work for your system, on a trial basis with no commitment!

Contact Us – we’d love to hear from you!

Find out more – a summary of what you can do with the T2A API

Web Service Problems and TLS 1.0

Introduction

By the end of June 2018, many secure sites will have changed the way in which they allow their users to establish and use a connection to them.

We have noticed that a number of web services have recently implemented the same security changes, and we’ve had problems connecting to a couple.

Here’s the background, and how we ensured that we are still able to communicate with those web services.

Payment Card Industry (PCI)


The industry body which regulates the payment card industry has stipulated that sites taking credit or debit card payments must remove access via SSL or early TLS by 30th June 2018, to prevent future compromise of card details and personal information during sessions conducted under these old and now insecure protocols.

In practical terms this means that users of older browsers such as Internet Explorer 6-9, or older versions of Safari, will be unable to connect to any sites that take card payments, or at least the relevant portion of those sites.

Windows Servers and SChannel

We use Windows Web Servers.

A feature of Windows (including Windows 10 etc.) is that all secure communications are handled via a component known as SChannel. In order to, for example, prevent a web server from accepting TLS 1.0 connections, SChannel must be reconfigured; this is done via Windows Registry settings (but see below).

A factor to consider is that any change to SChannel affects incoming and outgoing traffic that use it.

 

Use IISCrypto to Change SChannel

We recommend the use of the free IISCrypto tool, as a simple means to configure SChannel on your web servers.

The image below shows that TLS 1.0 has been disabled in the protocol section.

Problem 1 – Web Service Accepts Only TLS 1.1 or 1.2

Several web services that we use from Windows 2008 R2 servers upgraded their security to remove not only SSL 3 (which was done some time ago) but also TLS 1.0.

Using .Net 4.5, it is necessary to make a minor change to a SOAP service or an invocation of the .Net class HttpWebRequest.

The C# snippet below illustrates the necessary configuration of System.Net.ServicePointManager:

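 // Send using TLS 1.2 only. SecurityProtocol is a static setting, so it applies
 // to every new HttpWebRequest and SOAP call in the application, not just this one.
 System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
 
 // Invoke the SOAP service
 ExtSoap.ExtSoap_Int.ResponseType1 response = client.Invoke(request);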

Problem 2 – Our Server Cannot Communicate with a TLS 1.0

This is an unlikely scenario, but we did encounter it briefly early in 2018.

We made a change to SChannel, preventing incoming connections using TLS 1.0 on a web server. That same web server then attempted to communicate with an external web service that did not, at that time, allow a secure connection over any protocol above TLS 1.0. Since SChannel’s TLS 1.0 capability had been disabled, this also prevented outgoing communications over TLS 1.0.

Our solution in the above instance was to move the invocation onto another server that did not have TLS 1.0 disabled, whilst the external web service was upgraded.

Problem 3 – Cannot Connect to External Web Service

We were using HttpWebRequest to connect to an external web service over TLS 1.2. A web browser (Chrome or Firefox) running on a Windows Server was able to connect to the external web service, but any attempt to do so using the above class failed with an unhelpful “connection closed” error.

Further investigation showed that the external web service had replaced their server certificate with an Elliptic Curve certificate.

Because .Net uses SChannel to achieve a secure connection (unlike the web browsers listed above) it was necessary to explicitly enable those ciphers in SChannel using IISCrypto.

The shot below shows IISCrypto running on the affected server, which is now able to communicate with the offending web service securely.

Note the Cipher suites that have ECDHE, now enabled and prioritised.

Setting Cipher Suites in SChannel

 

 

New demos of the person searching API

Try before you buy!
We have added free demos of our person searching methods so that you can test our data coverage, of UK people, before purchasing credits.

You can try them here:
https://t2a.co/products/people/search_for_a_person
https://t2a.co/products/people/see_who_lives_at_an_address

 

Free API test mode
Remember you can always use the free test mode to assist your T2A integration development. This allows you to simulate calls to any method and receive “dummy” data (formatted the same as responses you would receive from live  API calls) without using any credits.
https://t2a.co/docs/index/free_test_mode

 

 

How to recover file contents after Notepad++ crash

Notepad++ is generally a pleasure to use but it does very occasionally crash and empty whatever file you happened to be editing at the time too… Here’s where you can find a backup version to recover your file if this ever happens to you too:

C:\Users\YOUR_USERNAME\AppData\Roaming\Notepad++\backup

Note: At the time of writing I’m running Notepad++ v6.7.8.2 on Windows 7 Professional, but you’ve not got anything to lose by trying this for other versions of Notepad++/Windows.

Thanks to Indrajit on Stack Overflow for posting the solution originally!

Preventing card fraud when accepting Card Not Present (CNP) transactions

If your business accepts Card Not Present card payments (e.g. an eCommerce website) you are probably aware of the built in checks provided by your merchant services provider: *AVS, CVV, MasterCard SecureCode / Verified by Visa and Fraud Screening.

*Brief description of built in checks

  • Address Verification Checks – checks the numerical characters of the transaction’s billing address and postcode against the details held by the card issuer. (This is not widely used by non-UK cards.)
  • Card Verification Value (CVV) – checks the transaction’s inputted CVV against the value held by the card issuer.
  • MasterCard SecureCode / Verified by Visa – services created by the Card Schemes to protect you and your customers.
  • Fraud Screening – your merchant provider provides a score indicating the likelihood a transaction is fraudulent; they also highlight anomalies with the transaction (e.g. transaction billing address country does not match value held by the card issuer).

There are, however, additional checks you can make to help avoid a fraudulent transaction.

  1. Check the customer’s email address – proceed with caution with free email addresses like Yahoo, Hotmail or Gmail as these are more likely to result in fraud. Subscription email addresses like ‘BTConnect’ or ‘Virginmedia’ are usually safer. Or if the email address is the domain of a company website, go to that domain and see if it is an established website; if it’s just a parking page the transaction is less safe. You should also check the name in the email address. Does it make sense when comparing it to the card holder name? Checking the email address should be a part of your overall checking as many of your honest customers may use free email addresses.
  2. Is the order too good to be true? Be aware if you have an order that is a higher value than your normal orders. Also be aware if you get several orders from the same customer in a short space of time. Have a look at your statistics: how frequently do you get orders from the same customer? If your best honest customer is buying from your website once a month and someone purchases from you 3 days in a row, something might be fishy.
  3. Is it unusual in another way? Is there anything else you can think of that doesn’t match your normal customers.
  4. Check the IP address of the transaction and see where it originates from. Compare this with the billing address.  Be aware that fraudsters can use proxy IP addresses.
  5. Where possible ask customers for a land line telephone number which can be checked using Directory Enquiries (unless they are ex-directory). You can also check the supplied name and address details against the details on the Edited Electoral Roll. This is not a guarantee as it is possible to opt out of having your details published. Try ukphonebook.com people search OR the T2A API search for a person and find a residential telephone number methods.
  6. Have a look at all the transactions occurring on your website, not just the successful ones. Was the customer declined several times before they were successful? You shouldn’t immediately think it’s fraud as sometimes people mistype things, but you should investigate further.
  7. When you do get a fraudulent transaction or charge-back – investigate the details of the transaction and see if there are any clues to help further improve your fraud screening.

These checks can help you when you are reviewing your transactions but you may want to consider building your own solution that uses a combination of these checks against each transaction before they are submitted to protect yourself further.
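One way to combine checks 1, 2, 4 and 6 into a single pre-submission screen, as an added Python example rather than code from this post. The thresholds, flag names, the domains chosen for the free email providers and every sample transaction are assumptions constructed for the illustration, and `ip_country` is expected to come from an IP geolocation lookup done elsewhere.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values; derive real ones from your own order statistics.
FREE_EMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}
HIGH_VALUE_MULTIPLE = 3          # order is "too good" above 3x a typical order
VELOCITY_WINDOW = timedelta(days=3)
VELOCITY_LIMIT = 3               # orders by one customer inside the window
DECLINE_LIMIT = 3                # declines before the successful attempt
REVIEW_THRESHOLD = 2             # flags needed before a human looks at it


@dataclass
class Transaction:
    customer_id: str
    cardholder_name: str
    email: str
    amount: float
    placed_at: datetime
    billing_country: str
    ip_country: str
    declined_attempts: int = 0


def review_flags(txn, history, typical_order_value):
    """Return the names of every check this transaction trips."""
    flags = []
    local, _, domain = txn.email.lower().rpartition("@")
    # Check 1: free email provider, and does the address resemble the cardholder?
    if domain in FREE_EMAIL_DOMAINS:
        flags.append("free_email_domain")
    name_parts = [p for p in re.findall(r"[a-z]+", txn.cardholder_name.lower())
                  if len(p) >= 3]
    if name_parts and not any(part in local for part in name_parts):
        flags.append("email_name_mismatch")
    # Check 2: unusually large order, or several orders in a short space of time.
    if txn.amount > HIGH_VALUE_MULTIPLE * typical_order_value:
        flags.append("unusually_high_value")
    window_start = txn.placed_at - VELOCITY_WINDOW
    recent = [h for h in history if h.customer_id == txn.customer_id
              and window_start <= h.placed_at < txn.placed_at]
    if len(recent) + 1 >= VELOCITY_LIMIT:
        flags.append("repeat_orders_in_short_time")
    # Check 4: where the IP address originates versus the billing address.
    if txn.ip_country != txn.billing_country:
        flags.append("ip_country_differs_from_billing")
    # Check 6: declined several times before succeeding.
    if txn.declined_attempts >= DECLINE_LIMIT:
        flags.append("multiple_declines_before_success")
    return flags


def needs_manual_review(flags):
    # A single flag (for example a free email address) is common among honest
    # customers, so only a combination of flags holds the order.
    return len(flags) >= REVIEW_THRESHOLD


def demo():
    now = datetime(2024, 1, 10, 12, 0)  # constructed timestamps
    history = [
        Transaction("c1", "Alice Example", "alice@example.co.uk", 40.0,
                    now - timedelta(days=2), "GB", "GB"),
        Transaction("c1", "Alice Example", "alice@example.co.uk", 42.0,
                    now - timedelta(days=1), "GB", "GB"),
    ]
    ordinary = Transaction("c2", "Bob Sample", "bob.sample@gmail.com", 45.0,
                           now, "GB", "GB")
    suspect = Transaction("c1", "Alice Example", "xk4471@hotmail.com", 400.0,
                          now, "GB", "US", declined_attempts=4)
    return [review_flags(t, history, typical_order_value=50.0)
            for t in (ordinary, suspect)]


if __name__ == "__main__":
    for flags in demo():
        print(needs_manual_review(flags), flags)
```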