Michel Solis

I Built a Fraud Prevention API with Laravel - Here's What I Learned

Ever wondered how to build a collaborative API where businesses protect each other from fraud?

I just launched BlacklistHub - an open-source REST API that lets companies report and search for problematic clients across 17 countries.

In this article:

  • Why I built it
  • Technical architecture (Laravel 11, trust score algorithm)
  • Challenges with international support (currencies, tax IDs)
  • How you can contribute

Live API: https://api.blacklisthub.io/docs
GitHub: https://github.com/krathos/blacklisthub.io

#laravel #api #opensource #php

Top comments (3)

Stas • Edited

Just an imho... it is pretty much broken by design?
What if I want to eliminate my competitors? Phew, as simple as just submitting hundreds of reports! All nicely done via API :) Five-minute job to build for any non-tech manager with AI.
So, without thorough checks of both the company (e.g. with doc uploads, etc., verification of the company's legitimacy) and also of the review itself (e.g. some dummy companies can easily spam-bomb fake reviews)... this definitely will have critical trust issues with such blacklist reviews.

P.S. by the way, I have already seen similar situations on Amazon/Trustpilot/etc. Some scammers just submit bad reviews and then send you a letter: "want to remove bad reviews? send 0.1BTC to this wallet" :)

Michel Solis

Hey, thanks a lot for taking the time to review this and sharing your thoughts! You're absolutely right and I really appreciate the feedback.

Honestly, I never thought about those scenarios 😅 The truth is, this API was originally designed specifically for logistics companies. I actually own a logistics company myself and have many friends in the same industry, and we've been dealing with this exact problem for years.

The issue we face is that fraudulent customers will scam one logistics company, then just move to another platform and do the same thing again. So the idea was to have an API where we could quickly check if a client has been reported by another logistics company before accepting their business. It's basically a shared warning system between logistics companies that trust each other.

But you're definitely right - if I open this publicly without proper verification and moderation, it becomes vulnerable to the exact attacks you mentioned. I didn't fully consider the extortion scenario until you pointed it out, which is a really valid concern.

After building the initial version for logistics, I thought "hey, this could work internationally and for other industries too" - that's why I made it more generic. But now I see that was maybe too optimistic without adding the proper security layers first.

Since this is my first open source API project, feedback like yours is incredibly valuable =D I think the best approach would be either:

  1. Keep it as a closed B2B network with strict verification (like you mentioned)
  2. Or at least add a strong disclaimer that this is MVP/educational and implement rate limiting + verification before going public

What do you think would be the better approach? Should I focus on the logistics niche first with invited companies only, or try to solve the verification problem for a broader audience?

Thanks again for the reality check! This is exactly the kind of feedback I need 🙏

Stas

No probs, that's the matter of going into the public space - to get harshly shamed feedback! :)

I am not sure, but imho the second option is not an option; it is a necessity until the security layers are fully implemented... imho all the blacklists are too dangerous. Imagine anyone can leave you fake negative feedback and block your purchases in shops.
P.S. Oh wait... it is a harsh reality already in the UK by the way (story here or here)

Regarding protection, yeah, I would name a few. But some are mentioned on the project description page already, so probably I will just name them again and repeat existing functionality, so pardon in advance:

  • introducing positive feedback to balance the system out (bad reviews will be less damaging to companies with a long trusted history)
  • fairly slow rate limiting (e.g. once a week?!)
  • add reporter trust scores (based on internal checks like SSN numbers, etc., plus based on their reviews (e.g. all negative reviews), probably paid person "verification" (an opportunity for income, as well as offering paid access to API/features), and so on)
  • add a trust score for the company based on reviews. It should not be just a bunch of feedback, but a score-based system (slowly gaining over time, and dropping/alerting or kicking off an investigation on reports). I am not sure what the current implementation is, tbh; the next point is crucial:
  • make a complex formula that affects the final company rating based on the rating of the reporter giving positive or negative feedback (e.g. a new company with a trust score = 1 and an old or verified company with a trust score = 100 obviously should give different contribution scores towards the company's final rating) and other side factors. The stronger and the more complex the formula is, the better :)
  • add alerts on nuisance activity (e.g. all of a sudden, in like 1 month, some company gets 10 bad reviews in a row -> kick off a manual check for validity)
  • etc etc etc

Just keep in mind that absolutely any system can be used for bad (even positive feedback can be abused). Without human moderation, it is likely to go out of control as soon as it gets somewhat popular (or draws someone's unwanted attention).

Anyway, good luck, you are doing a good job :)
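The mechanisms Stas lists above (a per-reporter rate limit, report weight scaled by the reporter's trust score, and an alert when a subject collects a burst of negative reports in a short window) fit together as one small scoring module. The block below is an added illustration written for this thread; it is not BlacklistHub's code, and the 1..100 trust scale, the 7-day limit, the 10-reports-in-30-days threshold and every reporter, subject and report in it are constructed assumptions.

```python
"""Reporter-trust-weighted reputation with rate limiting and burst alerting.

Added illustration of the thread's suggestions (not BlacklistHub's own code).
All scales, thresholds and sample reports are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Report:
    reporter_id: str
    reporter_trust: int   # assumed scale: 1 (brand new) .. 100 (long verified)
    subject: str          # the client/company being reported
    positive: bool        # True = positive feedback, False = negative report
    at: datetime


def report_weight(trust: int) -> float:
    """Map reporter trust (clamped to 1..100) to a contribution weight in (0, 1].
    A trust-1 reporter moves a score by 0.01, a trust-100 reporter by 1.0."""
    trust = max(1, min(100, trust))
    return trust / 100.0


def subject_score(reports, subject: str) -> float:
    """Weighted sum: each report adds +w (positive) or -w (negative), where w
    comes from the *reporter's* trust, so a pile of fresh accounts barely
    dents a client that verified, long-standing members have vouched for."""
    total = 0.0
    for r in reports:
        if r.subject != subject:
            continue
        w = report_weight(r.reporter_trust)
        total += w if r.positive else -w
    return round(total, 4)


def burst_detected(reports, subject: str, now: datetime,
                   window_days: int = 30, threshold: int = 10) -> bool:
    """True when `threshold` or more negative reports landed inside the window.
    The raw count deliberately ignores trust: a flood of low-trust reports
    barely moves the score, but it is exactly the pattern to hand to a human."""
    since = now - timedelta(days=window_days)
    negatives = sum(1 for r in reports
                    if r.subject == subject and not r.positive and r.at >= since)
    return negatives >= threshold


def reporter_may_submit(reports, reporter_id: str, now: datetime,
                        min_interval: timedelta = timedelta(days=7)) -> bool:
    """Per-reporter rate limit: at most one submission per `min_interval`."""
    last = max((r.at for r in reports if r.reporter_id == reporter_id), default=None)
    return last is None or now - last >= min_interval


def evaluate(reports, subject: str, now: datetime) -> dict:
    """What an API consumer would read back: the weighted score plus a flag
    telling them the score is under manual review and should not be trusted yet."""
    return {
        "score": subject_score(reports, subject),
        "manual_review": burst_detected(reports, subject, now),
    }


# Constructed sample data: two verified vouches for "acme-client", three
# negatives from one new account, and ten sock-puppet negatives against
# "target-client" within five days.
NOW = datetime(2025, 1, 31)
SAMPLE_REPORTS = [
    Report("veteran-co", 100, "acme-client", True, NOW - timedelta(days=200)),
    Report("veteran-co", 100, "acme-client", True, NOW - timedelta(days=100)),
    Report("newbie-1", 1, "acme-client", False, NOW - timedelta(days=9)),
    Report("newbie-1", 1, "acme-client", False, NOW - timedelta(days=5)),
    Report("newbie-1", 1, "acme-client", False, NOW - timedelta(days=1)),
] + [
    Report(f"sock-{i}", 1, "target-client", False, NOW - timedelta(days=i % 5))
    for i in range(10)
]

if __name__ == "__main__":
    for subject in ("acme-client", "target-client"):
        print(subject, evaluate(SAMPLE_REPORTS, subject, NOW))
    print("newbie-1 may submit:", reporter_may_submit(SAMPLE_REPORTS, "newbie-1", NOW))
```

Running it shows the two halves of the design working together: "acme-client" keeps a score of 1.97 because three trust-1 negatives cannot outweigh two trust-100 vouches, while "target-client" only drops to -0.1 yet comes back with `manual_review: True`, so the ten-account pile-on is surfaced to a moderator instead of silently blacklisting anyone. The rate limit would also have rejected newbie-1's second and third reports at submission time, since they arrive inside the 7-day interval.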