derekdahmer | 5 months ago

As someone who implemented phone verification at a company I worked for, it’s 100% for preventing spam signups intending to abuse free tiers. API companies can get huge volumes of fake signups from “multiplexers” who get around free tier limits by spreading their requests across multiple accounts.

jiveturkey|5 months ago

I would caution any reader against generalizing your statement. Just because you used it at your company to limit abuse, and yes that is a lazy approach and 100% what's going on with Anthropic and most API companies, doesn't mean that every company uses phone number gating for this purpose.

The (probably) most famous example being https://www.eff.org/deeplinks/2019/07/fixed-ftc-orders-faceb...

And it's not enough to say "well we don't use it for that". One, you can't prove it. And two, far more important, in an information leak, by taking and saving the phone number (necessarily, otherwise there's no account gating feature unless you're just giving fake friction), you expose the user to risk of connecting another dot. I would never give my phone number to some rinky dink company.

Now that said, I don't use lazy pejoratively. Products must launch.

anonym29|5 months ago

Because SMS verification is so cheap (under a dollar per one-time validation, under $10/mo for ongoing validation), this approach really only makes sense for ultra-low-value services, where e.g. $0.50 per account costs more than the service itself is worth.

Because of this low value dynamic, there are many techniques that can be used to add "cost" to abusive users while being much less infringing upon user privacy: rate limiting, behavioral analysis, proof-of-work systems, IP restrictions, etc.

Using privacy-invasive methods to solve problems that could be easily addressed through simple privacy-respecting technical controls suggests unstated ulterior motives around data collection.

If your service is worth less than $0.50 per account, why are you collecting such invasive data for something so trivial?

If your service is worth more than $0.50 per account, SMS verification won't stop motivated abusers, so you're using the wrong tool.

If Reddit, Wikipedia, and early Twitter could handle abuse without phone numbers, why can't you?
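Two of the controls named above, a rate limit keyed on the source network and a hashcash-style proof-of-work challenge, as an added example that is not part of this thread or any poster's code. It assumes a sliding-window limiter grouped by /24 (IPv4) or /64 (IPv6), a SHA-256 leading-zero-bits puzzle, and constructed TEST-NET addresses for the sample signup burst; none of those choices come from the discussion.

```python
import hashlib
import ipaddress
import secrets
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:  # discard events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def network_key(ip: str, prefix: int = 24) -> str:
    """Group addresses by /24 (IPv4) or /64 (IPv6) so that rotating through
    addresses inside one block still draws on a single signup budget (assumed grouping)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        prefix = 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge() -> str:
    """Server-side: a fresh random challenge per signup attempt."""
    return secrets.token_hex(16)


def verify_pow(challenge: str, counter: int, difficulty: int) -> bool:
    """Valid if SHA-256(challenge:counter) starts with `difficulty` zero bits."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


def solve_pow(challenge: str, difficulty: int) -> int:
    """Client-side: brute-force a counter; expected cost grows as 2**difficulty."""
    counter = 0
    while not verify_pow(challenge, counter, difficulty):
        counter += 1
    return counter


def signup_allowed(limiter, ip, challenge, counter, difficulty, now):
    """Gate a signup on both controls. Work is checked first so a request
    without valid work never touches the shared rate-limit state."""
    if not verify_pow(challenge, counter, difficulty):
        return ip, False, "invalid proof of work"
    if not limiter.allow(network_key(ip), now):
        return ip, False, "too many signups from this network"
    return ip, True, "ok"


def demo():
    limiter = SlidingWindowLimiter(limit=3, window=60)
    difficulty = 12  # ~4096 hashes per signup; raise under sustained abuse
    results = []
    # Constructed burst: five signups from one /24 within ten seconds.
    burst = ["203.0.113.5", "203.0.113.9", "203.0.113.77", "203.0.113.120", "203.0.113.200"]
    for i, ip in enumerate(burst):
        ch = issue_challenge()
        results.append(signup_allowed(limiter, ip, ch, solve_pow(ch, difficulty), difficulty, 1000 + 2 * i))
    # A signup from a different network at the same time is unaffected.
    ch = issue_challenge()
    results.append(signup_allowed(limiter, "198.51.100.4", ch, solve_pow(ch, difficulty), difficulty, 1010))
    # A bogus counter against a hard challenge is rejected before the limiter is consulted.
    results.append(signup_allowed(limiter, "198.51.100.4", issue_challenge(), 0, 48, 1011))
    return results


if __name__ == "__main__":
    for ip, ok, reason in demo():
        print(f"{ip:16} {'ALLOW' if ok else 'DENY ':5} {reason}")
```

Neither control needs to store anything about the person: the limiter keeps only recent timestamps per network block and the challenge is discarded after verification. The difficulty is what gives the operator a dial that costs a multiplexer CPU time per account without costing a single legitimate user anything they would notice.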

derekdahmer|5 months ago

Firstly, I can tell you phone number verification made a very meaningful impact. The cost of abuse can be quite high for services with high marginal costs like AI.

Second, all those alternatives you described are not great for user privacy either. One way or another you have to try to associate requests with an individual entity. Each has its own limitations and downsides, so typically multiple methods are used for different scenarios with the hope that all together it's enough of a deterrence.

Having to do abuse prevention is not great for UX and hurts legitimate conversion; I promise you most companies only do it when they reach a point where abuse has become a real problem, and sometimes well after.

AlexandrB|5 months ago

This makes sense for free tiers of products, but if you provide CC info for a paid tier, you shouldn't also have to provide a phone number. One or the other.

moduspol|5 months ago

I think people can use stolen / one-time use / prepaid / limited purchase size credit cards fairly easily, too. And you might not find out until after they've racked up a non-trivial amount of costs.

derekdahmer|5 months ago

Theoretically yes but a few issues:

- Account creation usually happens before plan selection & payment. Most users start at free, then add a CC later either during on-boarding or after finishing their trial.

- Virtual credit cards are very easy to create. You can sign up with a credit card that has a very low limit and just use the free tier tokens.