I'm reading the terms of service
https://developer.yahoo.com/flurry/legal-privacy/terms-service/flurry-publishers-network.html
I can read this:
"Publisher shall not, directly or indirectly, authorize or encourage any third party to (i) generate fraudulent impressions or fraudulent clicks"
I understand the app should not encourage users to click on ads. It makes sense and I'm totally fine with that. But what are "fraudulent impressions"? How can an app create a "fraudulent impression"? For example, if an app asks a user to see an ad (for example an interstitial) in exchange for something, is that a fraudulent impression? We often see rewarded videos; is a rewarded video a fraudulent impression? At what point does asking a user to see an ad become a fraudulent impression? Worst-case scenario, offering real-life things for seeing an ad, is that a fraudulent impression? For example, if I raffle a t-shirt among users who saw some ads, are those fraudulent impressions?
I'm just trying to understand at what point we start to create a fraudulent impression. Because I see we can create a rewarded video, so when does asking the user to see an ad and giving them a reward become a fraudulent impression?
Thanks
From https://developer.yahoo.com/flurry/legal-privacy/terms-service/flurry-publishers-network.html
Publisher shall not, directly or indirectly, authorize or encourage any third party to (i) generate fraudulent impressions or fraudulent clicks, or (ii) take similar fraudulent actions or any other actions that interfere with, disrupt or interact in an unauthorized manner with the FFP Network (or servers and networks connected thereto), including but not limited to, through repeated manual clicks, the use of robots, scrapers or other automated query tools and/or computer generated search requests, and/or the fraudulent use of other search engine optimization services and/or software. Flurry may terminate your account at anytime for any reason, including but not limited to because of such fraudulent activity. Publisher acknowledges and agrees that Flurry may, in its sole discretion, review impressions, click-throughs or other actions, and Publisher shall not be entitled to receive any revenue share applicable to actions that Flurry determines in its sole discretion are fraudulent or improper.
I am after the best practice for handling incomplete Stripe connected account onboarding.
When onboarding goes smoothly, everything is simple. But there are fiddly edge cases everywhere, which results in a lot of permutations of values for account requirements.
These include:
current_deadline
currently_due
disabled_reason
errors
eventually_due
past_due
pending_verification
This creates a lot of complexity.
I need a simple way to:
figure out if the connected user needs to be notified of something (i.e. that they need to give more info), and
what to tell them.
My current strategy is to check if errors is empty, and if not, simply display them along with a link to manage the user's Stripe account so they can address the errors.
But I'm worried this strategy will miss things (perhaps minor things that could be addressed before they become errors).
TL;DR I suspect most users will onboard without any problem, but for the few who do have issues, I want to ensure the app notifies them that they need to address them. What is the best way to do this? (using the information in requirements or other info)
When handling identity verification manually using the API, a simple way to check whether your connected user might need to be notified to provide more info is to look at the charges_enabled and payouts_enabled properties on the user's account object. If either of these two properties are false then you might need to reach out to the connected user for more information.
In cases where the connected user's charges and payouts are disabled, you would use the disabled_reason property on the requirements hash to learn the reason why charges and/or payouts are disabled. The possible disabled reasons are all documented here, but I'll list them out nonetheless:
action_required.requested_capabilities: You need to request capabilities for the connected account. For details, see Request and unrequest capabilities.
requirements.past_due: Additional verification information is required to enable payout or charge capabilities on this account.
requirements.pending_verification: Stripe is currently verifying information on the connected account.
rejected.fraud: Account is rejected due to suspected fraud or illegal activity.
rejected.terms_of_service: Account is rejected due to suspected terms of service violations.
rejected.listed: Account is rejected because it's on a third-party prohibited persons or companies list (such as a financial services provider or government).
rejected.other: Account is rejected for another reason.
listed: Account might be on a prohibited persons or companies list (Stripe will investigate and either reject or reinstate the account appropriately).
under_review: Account is under review by Stripe.
other: Account isn't rejected but is disabled for another reason while being reviewed.
Using the disabled_reason, you can assess whether the user needs to be notified with a request for more information (i.e., requirements.past_due), whether they need to be notified for another reason (e.g., rejected.listed), or whether you need to make programmatic changes to the user's Stripe account (e.g., action_required.requested_capabilities).
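The decision logic described in this answer, written out as an added example (not Stripe's code): it takes a connected account object, applies the charges_enabled/payouts_enabled check first, then maps disabled_reason to who has to act next. The sample account object is constructed; its requirement keys and error code are illustrative values, not taken from Stripe's reference.

```python
# Added example, not Stripe's code: classify a connected account's requirements
# into a notification decision, following the answer's logic.
from dataclasses import dataclass, field

# Reasons listed in the answer, grouped by who has to act next.
USER_INFO_NEEDED = {"requirements.past_due"}
PLATFORM_ACTION = {"action_required.requested_capabilities"}
WAIT_ON_STRIPE = {"requirements.pending_verification", "under_review", "listed", "other"}
REJECTED = {"rejected.fraud", "rejected.terms_of_service", "rejected.listed", "rejected.other"}


@dataclass
class Decision:
    action: str  # "ok" | "request_info" | "notify_rejected" | "fix_capabilities" | "wait"
    fields: list = field(default_factory=list)    # requirement keys to ask the user for
    messages: list = field(default_factory=list)  # reasons/errors to display


def classify(account: dict) -> Decision:
    """Decide what, if anything, to tell a connected user."""
    req = account.get("requirements") or {}
    errors = [e.get("reason", e.get("code", "")) for e in req.get("errors", [])]
    # past_due first, then currently_due, de-duplicated in order
    due = list(dict.fromkeys(req.get("past_due", []) + req.get("currently_due", [])))
    if account.get("charges_enabled") and account.get("payouts_enabled"):
        # Enabled, but still surface anything Stripe flagged (or will flag at the deadline).
        return Decision("request_info", due, errors) if (errors or due) else Decision("ok")
    reason = req.get("disabled_reason") or ""
    if reason in PLATFORM_ACTION:
        return Decision("fix_capabilities")
    if reason in REJECTED:
        return Decision("notify_rejected", messages=[reason])
    if reason in USER_INFO_NEEDED:
        return Decision("request_info", due, errors)
    if reason in WAIT_ON_STRIPE:
        return Decision("wait", messages=[reason])
    # Unknown or new reason: fail safe by asking for whatever is outstanding.
    return Decision("request_info", due, errors or [reason])


# Constructed sample account (field names follow the question; values are illustrative).
SAMPLE = {
    "charges_enabled": False, "payouts_enabled": False,
    "requirements": {
        "disabled_reason": "requirements.past_due",
        "past_due": ["individual.id_number"],
        "currently_due": ["individual.id_number", "external_account"],
        "errors": [{"code": "constructed_document_error", "reason": "The document was blurry."}],
    },
}
```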
For example, let's say I wanted to create my own Instagram API (I'm aware Instagram has an API, but let's imagine they didn't and I wanted to make my own for them). Could I make one to post, like photos, DM, etc.? Or does Instagram itself need to make an API to allow me to access this functionality and these commands?
You can certainly make one but you could be in violation of the service's Terms of Service (ToS). If you violate the ToS, the service could shut down your access.
In the scenario where someone publishes an unofficial SDK, it can be taken down under the DMCA. For example, such a private Instagram API was made and published on GitHub before Facebook filed a DMCA claim with GitHub to have it taken down:
Facebook DMCA Takedown Request:
https://github.com/github/dmca/blob/master/2020/01/2020-01-22-facebook.md
Discussion:
https://news.ycombinator.com/item?id=22209892
Here's an excerpt from the Takedown Request:
Instagram-API repository (and its forks) offers a tool expressly designed to circumvent the Company’s effective access controls and protection measures by avoiding, bypassing, removing, deactivating, or impairing the Company’s technological measures without the authority of the copyright owners or the Company. Mgp25’s Instagram-API is designed to emulate the official Instagram mobile app when communicating with Instagram’s servers, which allows users of mgp25’s Instagram-API to send and receive data (including receiving legitimate, copyrighted posts by Instagram’s users) through Instagram’s private API. Mgp25’s Instagram-API also permits other types of access to, and collection of, Instagram’s users’ copyrighted works in manners that exceed the scope of access and functionality that would be permitted by a user with a legitimate, authorized Instagram account.
How do I track transaction details made from a particular credit card through the Geezeo API when the credit card info (card number, expiry date and CVC number) is the only login credential available? I've tried the Yodlee API, but it requires the username and password of the online bank account as login credentials.
I have worked for Credit Unions that have experience with all these types of APIs. The Geezeo and the Yodlee API will not allow you to do what you want since that would violate the privacy on the card and the card issuers will not allow someone outside of the flow of approvals to get to that data. There are a few APIs that you can get by working with partners like FirstData to look for a certain type of transaction or vendor that comes across their system if it matches a certain card number, but you have to be a key partner with FirstData, not an easy task.
As far as aggregating transaction data from accounts like credit cards, bank accounts, auto loans, mortgages, investment accounts and the like, you really want to be using an API like MoneyDesktop. Yodlee is good as well; it just does not have the coverage, uptime, or quality of data that MoneyDesktop has. Geezeo's API just does not have the critical features that a MoneyDesktop or Yodlee API has. First, Geezeo does not do its own aggregation and it only has one partner to do their aggregation for them. Yodlee is only one source, but if there is a broken connection, at least they can control fixing it. If a connection goes down with Geezeo, there is nothing that Geezeo can do to fix it but wait for their aggregation provider to fix it. If your business, bank or credit union can't afford for aggregation to go down (reputation risk), you need someone like Yodlee that controls their own aggregation, or someone like MoneyDesktop that has many aggregation providers and can route between them the second that one of their connections has problems. Also, Yodlee and MoneyDesktop both do their own data cleansing and aggregation, where Geezeo does not and has to rely on their aggregation provider. This is extremely problematic because user edits and input to the system, about transactions being data-cleansed or categorized incorrectly, are not taken into account properly or optimally.
I have also heard that Intuit Data Services has a good API as well, but I have never had any experience with it.
Good luck!
Some time ago, it was commonplace for smartphone apps to open a browser to a registration page with a CAPTCHA, or to require separate signup via web, because API signup was seen as vulnerable.
Now most apps seem to offer registration via native form, though endpoints for this are usually not documented in their public API. I haven't seen many reports of this being abused to create spam accounts.
How is this done? Is there a standard crypto/handshake process to verify real signups, or does signup typically rely on undocumented endpoints and simple API key passing?
Embedding yields a better experience but has the issue you mention. Yes, the service owners on the other end are still worried about this and combating the problem. And undocumented APIs don't help and the service owners know this.
One of the tools in the toolbox these days is keys assigned to devices which can be used for throttling. This would essentially let you limit the amount of service that can be consumed on a per-device basis, and it would require you to have a device (or to steal the key from one) in order to get service. So long as the process to issue keys to new devices is strong (a solvable problem), you can offer a CAPTCHA-free signup experience within the confines of what you are willing to give to a device.
I'd also note that there are other well known approaches you can use, like IP throttling and handshakes with other service providers (like a phone carrier). Depending upon the problem domain these are on the table too...
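One concrete shape of the per-device throttling the answer describes, as an added example that is not part of the original answer: the server mints a device key (random id plus an HMAC tag under a server secret, so clients cannot forge keys), and the signup endpoint verifies the tag and enforces a sliding-window quota per device. The secret, quota and window values are constructed for the demo; the enrolment flow that hands out keys is assumed to exist and is not shown.

```python
# Added example (not from the answer): signed per-device keys plus a
# per-device signup quota, the "keys assigned to devices" idea above.
import hashlib, hmac, secrets, time
from collections import defaultdict, deque
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"  # constructed; keep in a secrets store in practice
QUOTA = 3                                    # signups allowed per device per window
WINDOW_SECONDS = 3600


def issue_device_key() -> str:
    """Issued once per device by the (assumed strong) enrolment flow.
    The key is a random device id bound to the server by an HMAC tag."""
    device_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def verify_device_key(key: str) -> Optional[str]:
    """Return the device id if the tag is genuine, else None."""
    device_id, _, tag = key.partition(".")
    expected = hmac.new(SERVER_SECRET, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if tag and hmac.compare_digest(tag, expected) else None


class SignupThrottle:
    """Sliding-window counter of signups per verified device key."""

    def __init__(self, quota: int = QUOTA, window: int = WINDOW_SECONDS):
        self.quota, self.window = quota, window
        self.events = defaultdict(deque)  # device_id -> timestamps of recent signups

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        device_id = verify_device_key(key)
        if device_id is None:
            return False                  # forged or malformed key: reject outright
        now = time.time() if now is None else now
        q = self.events[device_id]
        while q and now - q[0] >= self.window:
            q.popleft()                   # drop signups that fell out of the window
        if len(q) >= self.quota:
            return False                  # this device has used its quota
        q.append(now)
        return True
```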
I'm working on a simple web service that allows users to sign up for free and upload a small amount of data. I can easily establish a quota for each user, but malicious users could create fake accounts to upload as much data as they like in a denial-of-service attack.
Obviously, there's no perfect defense against this type of attack, but what can we do to mitigate this problem?
Tie it to a more-or-less unique identifier (phone number, bank account number, facebook/google/etc account) or to a finite resource (such as time, by using a captcha).
use a captcha on account creation to ensure that it's a human and not an automated process.
require a valid email address and require that they click a link in their email to validate that that's their email address and continue the registration process. This cuts down on their ability to create many throwaway accounts because you can limit them to only having one account per email address and they have to then create a new email address for each account they want to create.
When the user signs up, the user supplies a valid email. Most accounts are not enabled until a response has been received, usually by clicking a link in the body of that email. When that click-through is received, you should be able to grab an IP address. That should help you curtail an abundance of casual DoS attacks.
Consider Phone Number Verification
Requiring a phone number for account creation is the best approach I've come across; creating a new email or cycling an IP address is pretty trivial, but genuine SMS phone numbers cost money to activate and grant your service the ability to restrict access by country code.
An important caveat: virtual phone numbers (like Google Voice), temporary phone number services, and burner phones can make SMS verification ineffective at preventing duplicate user accounts. Depending on your use case, it might be worthwhile to use a service, like Vonage's Number Insight API, that lets you identify those types of numbers.
Authillo is a passwordless authentication provider that prevents duplicate/fake accounts by leveraging SMS verification, liveness detection, and facial recognition. Depending on how critical it is that you prevent fake accounts on your service, their base plan might be what you're looking for.
Just log the IPs and assume the same user if the IP does not change within a time interval. This is bad, because it would prevent multiple users in the same house (same IP) but it is a good start.