You can also force a given MAC address to use a specific IP address via a static DHCP lease to help keep track of who is who, and then as mentioned only allow those IP addresses through the firewall. This won't protect you from a non-customer spoofing someone else's MAC but it sounds like that's not as much of an issue (plus, they'd need Canopy to get on your system it sounds like).
Are these people changing around their MACs and routers paying customers? I'd add in your TOS/AUP that this kind of behavior is prohibited, and give them the boot if they continue.
Actually, I've tried that already, and once I get the filters in place that Valens suggested that'll work really well. I'm not too worried about somebody dropping $400 on a canopy modem to hack our system, also, they'd really have to know what they're doing, cause I'd figure out there's an extra connection on our system within a day or two. I currently have all of our customers IP's assigned through DHCP, but I make them static as soon as they're up and running. Problem is, we've got 3 MT routers and over 100 customers. (as I keep telling my boss, THIS IS A PART TIME JOB) It's not really a problem with customers who use an internal router, they almost always leave it on and I simply queue the IP of that router. When the DHCP lease is up, it re-assigns that IP address and all is fine. It's the customers who switch MAC devices on me that are a pain. As to the TOS, we're a small, "FRIENDLY" ISP. But we do let people know that if they blatantly try to circumvent our system we'll shut em down.
Thanks again for all the help guys. Great to have a resource.