Sunday, December 27, 2009

A man on a plane

Following the latest news of the attempt to blow up a Delta flight, and the reintroduction of debates about terror and security worldwide, I want to share some random thoughts this incident brought about.

The weakest link

A reliable source is one that provides data and information you can use with little to no validation; a source you can trust as part of the group of sources you use to evaluate the riskiness of a specific situation. Be it a credit report from Experian, a Whitepages entry from Whitepages.com or a customer calling in to report, you need to know the probability of your source being compromised and the information you receive being mistaken or, much worse, maliciously injected by fraudsters. This is the same basic malfunction that drives SQL injection attacks: if you don't validate and sanitize what reaches your database, you're most probably in for a big bad surprise. The weakest link – in this case, it seems to be Nigerian aviation security controls – has failed the whole chain. It may be improper screening, low-budget security tools or just procedures not permeating through the system, but it let someone with malicious intent onboard and only luck failed him. The fact that Netherlands security just passed the stick on and let all passengers continue shows that the hand-over between security personnel in different airports might need some additional reinforcement, because terror is constantly looking for ways to inject itself in. There should be additional focus on determining the reliability of various airports as sources of validated passengers and acting accordingly.

Lists don’t work

So his name was on a list. So what? Here’s what lists do: they make legitimate people’s lives harder (ever tried boarding a plane in the domestic US with an Arab name or with a Middle Eastern passport? Enjoy the ride…) but, much worse than that, they transform risk measures into binary checks (on the list? Stop. Not on the list? Carry on), a classic case of “searching under the streetlight”. So he WAS on the list, but not under “really bad”, only under “naughty”? Come on. I have preached against black lists in the past (Hebrew only) and this is another case where, clearly, some old fashioned flight track analysis crossed with previous alerts could have done the trick. The data was there – it’s all a matter of interpretation.

Hindsight’s 20/20

I take off my shoes in remembrance of the shoe bomber; I don’t carry liquids in remembrance of the 2006 bomb-as-a-soft-drink plot; and I get sniffed by an automated sniffer every once in a while in a random US terminal. As far as I’m concerned, I should probably stop flying soon and leave air travel to terrorists and security, in an everlasting cat and mouse game. The most important thing about attacks that materialize (even if they fail) is learning from them. If all we get is another restriction, we are missing the point here. Every false positive and false negative (in any automated or manual decision making process) needs to serve as feedback to the system to improve on – in its ability to make better decisions, not in the restrictions it applies on the general population. Hopefully, the conclusions will not end up only bringing another top-dollar cutting-edge new machine to sniff people at airports, but will aid in making flying safer and easier for legitimate travelers while shutting it down for terror.

Monday, December 14, 2009

42% of users have a good reason to fear


Working in the risk management business, I often get these layman questions about ePayment security. They are close relatives of questions IT people are being asked about hardware purchasing; when people finally find that item they wanted to find or a bargain they can’t resist, they want to make sure they don’t get scammed. Who’s better for that than your friendly neighborhood risk management specialist? I’ve given my part to eCommerce, you should know, and if retailers felt a $3000 shift in their revenues this year – this one’s on me, guys. No need for commission this time.


Seriously, though – why are thousands and maybe hundreds of thousands of interactions related to purchasing on the web really important? As I mentioned in my previous post about Square’s trust issue, good payment services instill trust (among other things); and for an industry based on users exposing themselves and their financials, trust – created, in my case, by getting a recommendation from an authority – is one of the main challenges for emerging companies.

Sunday, December 6, 2009

Payments start from Square one

In the 1998 movie “Half Baked”, the main characters sell weed to various buyers to get their friend out of jail. Not the most sophisticated movie, if I may say so, but decently funny. While they’re selling, you hear a voice-over by the main character Thurgood Jenkins (Dave Chappelle) telling about the type of people you meet. One of them is the “enhancement smoker”, the one that thinks every deed is better done “on weed”. It boils down to quotes like:
  • Enhancement Smoker: "Did you ever see Scent of a Woman?"
  • Scarface: "Yup."
  • Enhancement Smoker: "You ever seen Scent of a Woman... on weed? That's the way to see it. It's just wacked." (yeah, I know)
Let me tell you something: people in the valley are enhancement “smokers” too. Only they’re not using weed (or they might. I’m not judging). They’re hooked on the iPhone (and the “app economy”). Hey man, did you ever play console games? Ever did that… on the iPhone? Ever acquired a payment from a credit card? Ever done that… on the iPhone? Seriously, guys, smart phones are cool, but international market adoption is still slower than one would imagine looking at the hype around the iPhone. Not that it won’t succeed – it will, but it will definitely take more time, and personally, if I had to bet on apps vs. mobile web, I would bet on the latter (late addition: see Giff Constable's post about the app store, especially the first few paragraphs). See my (future) mobile #3 post on technology and risk for more thoughts.

What Square is, and what it isn’t

Don’t get me wrong: the new Square gadget on the iPhone is cool. How cool? Way cool, not only because it’s a smart idea but also because they managed to pull it off in such short time. Kudos. It’s going to allow people who always planned to charge cards to start doing so – seemingly very comfortably and quickly; in developed countries, where credit card and smart phone penetration is high, Square has the potential to become a smashing hit. But among all the crazy positive coverage and superlatives it is getting, I’d like to keep a few things in proportion.

Friday, December 4, 2009

In defense of offers

Question: Who’s the bad guy in the house? (All together) OFFER WALLS! (Once again) OFFER WALLS! (Didn’t hear ya) OFFER WALLS!

Ok, ok, enough with the chanting. Bashing offers is so popular these days it’s almost a new sport. Can’t blame most of the commentators, it’s tempting, and the whole “scamville” charade just made it even more fun. And why not? Offers can be easily portrayed as devil’s spawn, the portal to mischievous premium billing without your consent, money laundering, call it what you may. It’s so easy to terrify non-technical people that you’re almost inclined to join; and if one can benefit a bit from it (no paid service to rid your computer of scam offers yet? Don’t worry, it’s just around the corner), then why not. So looks like we’re covered. Or are we?

Monday, November 30, 2009

Mobile payments part 2 - a tale of princes, laws and treasures

In the previous post we looked at mobile payments at a glance: why there's a huge opportunity today and what the biggest challenges are. In this post I will start diving deeper into them, and suggest a few ideas.

There's a group of very talented guys I know, who used to work at an IT company in Israel that was a part of the mobile industry. They basically made some peripherals, a few applications and other mobile related products. One of these products was a relay to transfer contacts from one cell phone to another, in case the owner wanted to upgrade or downgrade (yes, there are people who do not have smart phones and Outlook sync). When, at some point, they started their own company to manufacture and sell a similar relay, they found a very interesting (well, in a sense) thing: a huge chunk of their dev and QA time was not spent on improving the product; instead, it was spent on porting - making sure that the software matched all cell phones out there.

This is the time when industry experts read and think: "what else is new?" (And also: “we don’t have this problem now with the iPhone!” Yes, you do. But that’s for the next post).

Saturday, November 21, 2009

Why you should love (and fear) mobile payments [part 1]

A month and a half ago I discussed the mobile payments opportunity in India, a country where the mobile phone is often the consumer's sole financial entity (no banks, credit cards or anything else but cash). Boku's press release is a good opportunity to take a closer look at the US mobile payments market (see a previous post), and tell you why I think that it has great potential, but should also look out for a few obvious challenges.

You're all busy people, so I'll save you the time reading through my first paragraph and give you the bottom line: mobile payments are here, are growing, and have the potential to kill all other payment services. BUT it won't happen the way you'd imagine, and there are many pitfalls along the way, yet there are many chances for success.

Phew! Now that I got this off my chest, I can start explaining.

Saturday, November 14, 2009

The A-Team: building the best risk management teams


WWII basically ended unemployment in the US. Increased wartime production and the drafting of millions of men had created so many new opportunities, that the effect of the great depression was finally countered. It was a time when millions of women would join the work force. They filled traditionally "female" jobs but also opened up many previously "male" jobs, from operating heavy machinery to traveling sales people. In a sense, it was a revolution stemming from necessity, which is often the case even when the necessity doesn't arise because of a world war; someone's next promotion might occur with the same dynamic.

It was in this atmosphere that Katharine Cook Briggs and her daughter, Isabel Briggs Myers, started working on a personality type test that would help new female workers find the right job for them, where they could be more effective. More than 60 years later, MBTI is a commonly used test to assess personality types and help people of various preferences understand each other's perspective of ideas, data, decision making and planning, among others.

Monday, November 9, 2009

Where is my mind? Way out, in the water


(As I'm writing this, EA has announced it has bought PlayFish. All the more reason for a call to the industry to stop panicking and start taking responsibility for its own fate with big fish coming to play. But read on...)

One of the many highly useful skills I learned in Officers' course was artillery aiming. There was a lot more fun stuff I could imagine doing in any given afternoon, but there's definitely nothing like it. And when you just don't have an option (and believe me, in officers' course you don't have an option), you just give it your best shot. Pun intended.


So there I was, trying to get a 155 mm cannon to hit a barrel. I don't know if you know how these things go, but artillery aiming is some simple arithmetic and a lot of art. You aim the cannon one way, then course-correct the other, then again - in shrinking intervals, until you hit the target (or land 50m away from it, which is considered good enough). It must have taken me 5 or 6 attempts to hit the goddamn thing - the gun crew was not a group of happy campers, nor was I. But all in all, it was a good drill, and I passed the test, and got my rank of deputy lieutenant, and mom was happy.

Friday, November 6, 2009

Offer walls and marketplaces: the real alternative to "scamville"


Let me just say one thing up front: well done, Mr. Arrington! From the first clash with Offerpal (former, it seems) CEO Anu Shukla, through this post and others, there's been quite a stir around offer walls and the big question of the legitimacy of their offers (some news sites in Israel literally copied the post's words. But that's another type of scam). Beyond the provocation, there are a few actual issues here, that I think are left out since "scamville" and CEOs being replaced are much more sexy.

Here's the thing: if the social gaming industry is a viable industry (which I think it is) it should, at one point, start to mature as one. Maturing doesn't mean moving slower or becoming less appealing to users; on the contrary, there's still huge potential and a momentum so strong it can't just be stopped by a few posts. But what it does mean is that you start getting attention for your mishaps, and you need to start addressing this attention in a tone that is way, WAY milder and more responsible than just saying "this is sh*t and bullshi*t" (look here for some current thoughts of industry leaders and how I'd respond to them).

Friday, October 30, 2009

Amazon PayPhrase is a nice, risky step (plus some PayPal platform)

Today, TechCrunch posted about Amazon PayPhrase going live. It appears that Amazon customers were notified of this feature, allowing them to set a phrase they can later use on 3rd party sites to check out quickly - just type in your payphrase and PIN and you're out. The TC post mentions a similarity to PayPal's student accounts; I am not sure I agree, but that's not the case. The interesting question (one also raised in the post) is: what new risks does a new feature introduce into the system?

There's a lot to be said about modeling the possible risks in a new payment feature, and I find it to be some science, some art. You have to weigh not only what users and fraudsters are doing now, but also what opportunities they will have once you introduce a feature, and understand how to design controls that mitigate the major issues without hurting functionality. That's why there's some art in it.

Saturday, October 24, 2009

The EU is less united than expected

This mystery research, widely advertised today by the EU's research department, puts cross-border shopping declines inside Europe at 60%. I once wrote a post about 3rd world shoppers unable to shop, but this situation is a much graver one. Unfortunately, the pros' call to invest in better, more intelligent risk management to open up to international purchases goes unnoticed, while merchants insist on making lives harder for legitimate buyers.

Hopefully SEPA will help solve at least part of the issues dealt with here, at least giving a head start for merchants and buyers on their mutual trust issue.

Thursday, October 22, 2009

Reconstructing Zynga: the industry's opinion on fraud in social games

My previous post about fraud in Social Games raised a few objections and spun a few sub-discussions. That's great, because it shows people are interested, and there's a LOT to be discussed in this field. I wanted to circle back to some of the main points that were raised in this discussion.

There's nothing new about fraud. Really. Ever since people walked this planet, I would assume, there has been fraud - more and more as time advances and humankind introduces additional currencies that replace tangible goods. It's beyond the limited availability of tangible goods; being able to control supply and demand through a symbol (call it cash, checks, virtual currency or repackaged subprime mortgages) is the basis for the modern economy. But is the fact that fraud isn't new merely a reason for underestimating it? Definitely not; if it were, then why is the Spanish Prisoner scam, better known in its current-day reincarnation as the Nigerian Scam, still rampant on the web?

Sunday, October 18, 2009

And now for something completely (?) different

I'm diverting from Risk per se to deal with another decision-automation question I'm wondering about.

High-tech fluctuates. It boomed on the verge of the new millennium, and did so (albeit differently) before the latest downturn. And when booming, help is required. High-tech companies don't usually post a "help wanted" sign on their office wall (though some in Israel did), and getting to a good position requires some work beyond coming from a good school. In the days of the "bubble", just knowing a few people would secure you a position somewhere in the space, but nowadays it takes a lot more than that - employers demand good grades, subject matter expertise and experience - none of which is a small feat for new graduates.

Tuesday, October 6, 2009

Jacob doesn't mind


Let's say there's a guy named Jacob. This guy, he's 23 years old, has somewhat of a steady job, largely sales and maintenance for a nice apartment complex in southern California. He uses PayPal, a lot more than he would like. He also has a Facebook account and a MySpace page; he follows friends on Twitter (and sometimes updates his own status messages there). He has an iPhone 3G; he's on top of things. If he was ever hit by fraud, he would probably tell his friends about it.


You know what? The industry is missing out on many of Jacob's friends. Not because they don't have credit cards or because they don't shop online - it's because we haven't changed with them. Why? Because Jacob doesn't mind - he doesn't mind his information being out there on the web (as long as it's kept with a privacy policy). He doesn't mind some interaction with risk controls because web 2.0 and post-9/11 safety education taught many users that it's ok to be asked questions by those with authority. And in the land of risk management online, we are the authority. And we are limiting our business. Jacob and his friends don’t mind working with us to make their lives better – we simply won’t let them.

Sunday, September 27, 2009

Deconstructing Zynga: what's up in Social Gaming fraud


Talking to friends in a party I had to hold myself from becoming too smuggy-smug-smug. Yep, the lot of "I'm too good for Mafia Wars" geeks fell prey to the eggplant-growing rhythm of Farmville. Eggplants. My friends. I don’t even like eggplants, but still felt responsible in a way, though they’re only a drop in Zynga’s estimated 15M+ daily users (the numbers keep growing...). But things were only getting better for me that day.

“You know”, said one of the guys, “this social gaming stuff is really worth a lot of money. I know someone who made $100K off this thing”.

KACHING!!! Immediately he had my full attention. You don’t just MAKE $100K playing social games by the book, even if you break a finger playing Texas Hold’em. I had to know.

Thursday, September 24, 2009

What I learned about India [Part 1]

Preparing for a ceremony in Rishikesh

  • "Did you see they have 'Hello to the King' here?"
  • "What's 'Hello to the King'?"
  • "It's basically a 'Hello to the Queen', only with a Bhagsu cake"
  • "What's a Bhagsu cake?"
  • "It's basically a Banoffie pie, only without the bananas"
  • "I give up"
(Two Israeli backpackers, Dharamsala)

I'm not such a big traveler, but it seems to me that there is no single country you can capture in a blog post after less than a month of travel. That wouldn't be fair, but nonetheless, I have to say something other than "WOW". India is amazing, colorful, and extravagantly diverse; it is also noisy, dirty at times and completely frustrating when western perceptions of time and place collide with the Indian way of getting things done. But hey, you don't go on a backpacking trip to get five star treatment, do you?

India, at least the parts I visited, still seems very conservative. Sometimes it's obvious (you wouldn't believe how much of a standard Jason Biggs flick is censored on some Indian channels); sometimes it's subtle, though, like the highly sophisticated techie, sitting next to me in Barista coffee in Connaught Place, holding an E71 but reading the caste-sorted "groom wanted" ads in the Hindustan Times. It's there, and coming from a somewhat religious, symbolic country I appreciate the contradictions this creates. But the thing that amazed me the most is the fact that anything on the crust of this culture, ever so slow in its rituals and conventions, is by definition ever changing, at lightning fast pace. I'm not only talking about the highly western desserts those backpackers from my prelude discuss; what I'm actually thinking about is technology – and specifically, mobile phones.

They're everywhere. And not only are they everywhere (I had a 3G signal in the hills of Parvati valley! This actually beats some major US cities), it seems that they're actually used not as a luxury but indeed as THE major gadget. The taxi driver uses it instead of a radio; the young man on the bus to Kasol watched his favorite videos; and the old man, carrying a huge pack of firewood outside of Tosh, walks barefoot but talks on his mobile. And there's another part to it: I've explained in the past why using your mobile to pay isn't another step towards the "stash", since the operators bill to a credit card or a bank account, and don't manage the user's money directly. But the case is different in India; many people do not have any financial entities at a financial institution, and a large chunk of the mobile market is prepaid. This means that other than cash, the mobile phone is the type of "currency" these people carry. Developing a mobile-phone-based, easy to use P2P payment solution is a must, the next step in payment evolution and something that will boost India's economy. This goes way beyond being able to send more ringtones and premium online content – this actually means gaining control over people's financial entities. If you can pay with a mobile phone, why not let it be your bank?

So why doesn't this happen? For various reasons (that can be overcome, but are still obstacles). One of them is the fact that a prepaid model prevents proper identification. This limits the ability to manage identities from afar, without any details from the user. It can be overcome (from installing a client, through models of incremental identification requirements when initiating payments, to rigorous vetting processes), but creates a major challenge. Another major problem is the fact that old phones have little processing power, and cannot sustain any type of payments application; if you don't install any type of software, you have a highly insecure medium, that can be easily breached and allow access to user credentials. These are the two major technical and risk related issues, and I'll discuss near-field communications and mobile authentication in future posts. The two other obstacles I learned about when I was in India are very interesting as well: one is consumer adoption, in a world of cash payments and little to no money; and the other, for which I would love to get comments from readers, is the fact that the Indian VC industry is smaller than needed, and geared towards American standards for business models and success. This is a very interesting reason I would like to investigate, and will share my findings as soon as possible.

Bottom line, if you're looking for your next startup, maybe P2P mobile payments in India is your best guess. What's better than driving progress and technology into rural areas, while reaching amazing business success? And you get to taste "Hello to the King" as well. Next one's on me.

Sunday, August 30, 2009

Taking some time off

As I'm going on vacation, the blog will be inactive for a few weeks now.

See you on the other side of India!

Monday, August 24, 2009

There's a kind of hush

Yes, it's gaining momentum. TechCrunch posted today about an acquisition in the field of micropayments for gaming. We're on the verge of an explosion - the mass proliferation of startups and technology companies trying to get a share of this growing industry. They're going to face a lot of challenges (beyond fraud - even managing a payments or dispute resolution operation is costly), but I'm personally interested, obviously, in the rise of marketplaces.

Yes, buying virtual credit using a stolen credit card gets you... virtual credit. That you can later find a way to sell, that's true, but marketplaces are such an ever-green environment for fraudsters to operate in, since they let you exit funds so much more easily. And these guys, no doubt, are going to be a lot more creative and tech-savvy - in a non-tangible, rapid environment.

Why is this a problem? Because most risk controls today rely on the item being shipped (to a real address that matches the billing address of the card, and also matches at the bank). They also rely on the ability to delay shipment when you suspect something. Don't buy tales about sophisticated "dynamic risk scores", I tell you, it's all AVS and some additional blacklists. And at this point exactly, in these quick, electronic transactions with no account history, statistical models and standard risk controls are failing. Let the arms race begin.

Thursday, August 20, 2009

Heartland my love

So the security-related part of the web is stirring over the Heartland breach going to court, and having fun mocking Heartland for falling for the oldest trick in the SQL-injection book. Since the IDF's chief of staff was also a victim of his credit card being stolen, newspapers in Israel feasted over this "hot news" item, to the extent that one blog even names Albert Gonzalez (the "brain" behind the attack. I wonder who Pinky is) "The Al Capone of Cyber Thieves".

Geez.

A flurry of blog posts and articles followed, telling us that checking your credit report is important (really?) and pulling some chargeback stories from the attic. One even went as far as interviewing the manager of operations for one of Israel's issuers. Don't get me wrong, while I'm against trying to scare people, public education makes sense (though many times it is useless, as I have claimed in the past [Hebrew]). But the part I'm much more interested in is not the fact that a breach happened; those happen all the time, although some retailers just hide their negligence. What I’m interested in is the publication of such an indictment, and its effect on the psychological aspect of committing internet fraud.

You see, analysts profile people. We know who the average fraudster is: a young, tech-savvy male with a knack for gadgets and digital goods, who thinks he could get away with it pretty easily. The “getting away with it” part is the important one; be that the average fraudster or a desperate housewife looking to earn a few dollars defrauding buyers on eBay, the mental state needed to commit a felony on the web is much less delinquent in nature. Because the web is not “the real world”. Because doing it over the computer pushes it away from me. It’s not me; actually, it’s my avatar. And pressing charges in the real world against people who did wrong in the virtual world makes it as real as it gets. This, in turn, makes people a lot more aware of what they’re doing when they’re stealing – and the heuristics of a self-aware fraudster are different from those of one that isn’t. A fraudster who isn’t afraid of getting caught looks a lot more like your average Joe, and this is something we want to prevent. This is not only because risk analytics become easier (and legit people’s lives become better, since we need fewer “tricky” controls), but because indicting fraudsters is the right thing to do. Security and trust are, I believe, the key foundations of a thriving online community, and I’d like to help keep it as such.

Saturday, August 15, 2009

O Master, where art thou?

As an Israeli, discovering Corporate America was a shock. Not that I never heard of the term; still, for someone who just joined "the industry" (as the hi-tech sector is usually referred to in Israel) a few years back, discovering that this kind of thing exists (and has many types of interesting positions, some are far from the usual computer-science-only cult of Israeli hi-tech) was mind boggling. I'm not sure how eBay strikes locals in California but in Israeli terms it's a pretty big international corporate - and now I'm relocating straight to HQ, to live in the belly of the beast with my wife and dog. What an adventure.

Tuesday, August 11, 2009

Fraud Fighting 2.0

“Wow, I've been a victim of fraud for 10 days and didn't even know it until now. Holy crap.” (A random Twitter user reporting)

During FraudSciences’ fraud operations days I was never keen on letting analysts and agents call people who were defrauded. Old school credit card users, who have had their details stolen, were never too happy hearing about it from someone they didn’t know, calling from another country and sounding like the fraudster himself - with a thick accent and all of their personal data at hand. It didn’t help that the company was called FraudSciences either, but that’s a completely different story. As time went on it became clear that most users we encountered preferred that fraud be dealt with out of their sight. They didn’t want to know about, or be involved in, any process regarding their identity being stolen. Sure, we’ve had the occasional angry customer calling back to understand whether we know the person’s name, who they were and their whereabouts to get even (and even had one person explaining that she always suspected her next-cube neighbor at the office), but generally speaking – no involvement. And we were completely fine continuing to work, undisturbed.

Tuesday, August 4, 2009

PayPal Israel is looking for Analysts!

Disclaimer: This blog is not initiated nor endorsed by Paypal.com. I am writing it not as an employee of the company and my opinions are strictly my own. I am, however, posting a publicly available job opening since I find it to be a very interesting position, to be our single source of truth.

Read more about the domain and the type of people.

PayPal Israel is looking for Risk Analysts

Responsibilities:

Analysts in PayPal are highly motivated team players, working within the Live Analytics group, specializing in understanding, creating and applying advanced proprietary fraud prevention models. The group members work in a variety of fraud related fields while using state of the art tools and methods (profiling, forensics, network analysis, machine learning and more). The ideal candidates have a passion for solving fraud "riddles" and strong analytic skills allowing them to analyze various kinds of data and information and come up with new understandings. The role encompasses acquisition and application of vast knowledge areas over a short period of time and requires a strong sense of personal responsibility. The position is shift based, in a hectic live environment, held in regular working hours. Role development includes increasing contact with cross-organization research groups, project and product management roles and various other positions inside the greater global risk organization inside PayPal.

Requirements:

- BA graduate or a final year student
- Full time position
- 1-2 years work experience
- Proven analytical skills - scoring more than 700 in the psychometric test or an equivalent is a must
- Quick-thinker, fast learner, wide general knowledge
- Team worker, responsible and trustworthy
- Strong deliverability within strict time frames
- Computer skills: experience with programming /scripting language, Excel, SQL - a plus
- General familiarity with Internet technologies and protocols - a plus
- Excellent English. Other languages - a plus

Wednesday, July 29, 2009

This summer is about digital goods

"Bogdan Ghirda is paid £70 a month to do what most bosses would fire him for. From the moment he arrives at work he plays computer games on the internet."
(From the 2005 Observer article, "Virtual sweatshop")


Gold farmers didn't invent digital goods, though they've been around for quite a long time. People are not only buying MMO money - the market has expanded. What started as a black secondary market for harvested goods soon became a profitable channel for gaming companies that make their money - surprise, surprise - on top of your favorite social networks. Yes, while Facebook is struggling with monetization, companies like Zynga make hundreds of millions of dollars running social games that are multiplayer and asynchronous, and let you buy any type of add-on, from "special powers" for your vampires to "new clothing" for your soccer team.

You gotta love this culture. Honestly, it's amazing to see the thought, time and money invested in these games. There are numerous trends in this area, attracting more and more talented people who feel the buzz and want their share. And as they advance in creativity, these games move to mainstream social network users, while continuing to evolve in the complexity they provide and the story they let you tell.

With them, obviously, come the fraudsters. In an industry so used to checking physical shipping destinations (via AVS) and managing proofs of shipment as the tool for resolving disputes between sellers and buyers, how do you deal with instantly delivered, non-tangible goods, where quality is sometimes purely in the eye of the beholder? In addition, fraudsters looking to steal digital goods are usually a mixture of sophisticated internet users and kids using their parents' money - the latter sometimes referred to as "friendly fraud". So, if you're in the Risk business, in mobile payments or into social networking in general, expect a pretty hot summer in everything digital, with fierce behind-the-scenes competition and major losses to fraud. I am looking forward to seeing who the winner in this field will be - is PayPal stirring something up with the new API, are small players like Boku.com going to lead, or is Facebook going to make its debut in payments, supporting the tidal wave of social gaming on its site? The coming months will tell...

Saturday, July 25, 2009

Who do I get on board? The skill vs. experience dilemma

One interesting tension I noticed in complex Risk management organizations is apparent in job descriptions: the big difference in relying on experience vs. skills. Makes sense - when building a team, in most cases you're looking for the seasoned professional that can hit the ground running and scale to meet expectations in no time, while leaving time to hire inexperienced, cheap recruits further down the road.

I'm not underestimating experience and this is not another plea to let these talented young people run the business. However, there are some caveats to focusing on experience only:
  • Experienced people bring their past, for better or for worse. Yes, they are experienced, but they are also very dependent on what worked for them in the past, whether or not it matches your new org. You get less flexibility when you hire for experience only. So, when you do, look for someone with the right experience and, sometimes, acknowledge that there is no one with the right experience, because your business is that unique - and you need to promote someone from inside the org with a fresh view.
  • Experienced people bring their ego and know-how to the table. Put a few of these in the same room, and what do you get? Endless discussion, much less agreement. When you're hiring for experience, make sure you hire a group that's not too heterogeneous.
  • Experienced people tend to hire people from the same school of thought. How do you refrain from groupthink? Well, understand this and you've got a cornerstone for top performing teams. You need to make sure your experts are sometimes out of their comfort zones, because if they're not, you'll get a replication of their old workplace.
  • Finally, experienced people underestimate formal training in the workplace. Why? Because they've seen it all. Not having a decent training program (a very common practice in the hi-tech industry) gets you to the point where each person speaks their own language, and a tower of Babel is far from the ideal way to properly manage risk.

If you have a unique blend of risks in your org, if you have a new language to develop, if you need a fresh look at things, do not underestimate hiring young, inexperienced yet talented people, and trusting them with aspects of your operation. Do not, however, forget that by doing so you must commit to proper training, documentation and feedback - or else you'll get all the teething problems you can imagine. Balancing your org to be a flexible Risk Management unit is a tough job.

Monday, July 20, 2009

Ain't doing it right

"How many legs does a dog have if you call the tail a leg? Four; calling a tail a leg doesn't make it a leg." (ascribed to Abraham Lincoln)

In our business, to make a good decision, it is essential to know what really happened. So we discussed finding the single source of truth, but have not discussed ways of keeping it truthful. Oddly enough, the concept of immediate, detailed feedback is not as common as one would expect.

In your community of domain experts, the concept of "truth" should not only be determined but also enforced by members of the community. Note: not by a moderator; the members must know what the "truth" is (in procedures, in decisions and in deriving conclusions) but also be ready and empowered to call out their own and others' mistakes, because direct feedback is what forces people to improve in the specifics of their work. You not only need people who can tell a tail from a leg - you need to give the one who detects it the means to show their finding to the general community.

This is not a matter of virtue, it's a matter of getting your business running the way it should. What happens if you underdevelop this area in your organization? Well, first you get only hindsight feedback, letting you know what's happening with delays of months and months (how much time does it take for 90% of chargebacks to come in? Exactly), but you also get feedback only at aggregate levels (saying, for example, how many of person X's decisions were reversed) - meaning that you can't really find the trend and fix it.

I can't tell you it's fun - commenting, moderating or acting on the results of such feedback cycles - but one thing's for sure, it's way more effective than pretending your Risk experts live in DisneyLand. Giving and receiving proper feedback improves every bit of the cycle - and makes your business better at one of its core competencies.

Tuesday, June 16, 2009

So your mobile phone is your new wallet?

Congratulations to Boku.com, going live today with the (old, yet renewed?) promise to turn your mobile into your new credit card. Looking at the site and judging by what I know, I wonder what's the biggest challenge lurking at their door: is it merely traction? Is it going beyond micropayments, while managing merchant vetting and credit risk with the mobile provider? I think it's a combination. But that's not my question here. My question is - are mobile phones the next "thing" in payments?

Payment services are fighting to increase share of wallet, and remove as many boundaries as possible between the merchant and the customers' money. Obviously, the mobile phone is always there, available to use, it's really a gadget, you know, it's not really as serious as a credit card. We all know credit cards are dangerous to use on the web. But taking a closer look reveals that a mobile phone isn't a step closer to the customer's money, it's actually the same distance. You don't own the "stash", only another funnel for getting some of it.

This, by the way, doesn't mean that mobile payments aren't a good idea or that they're going to fail (they might, though, but not because it's not the biggest funnel), and I wish Boku and friends all the luck; but the fact of the matter is that your phone is pretty much the same as your bank account, debit card, credit card or any other payment method - it's a key to the treasure chest. Get a hold of the chest (in other words - become the bank) - and you've REALLY got an advantage. Until then, I'll continue buying my Mafia dollars the same way, be my proxy what it may.

Friday, June 12, 2009

Too much data, too little information

So, you have this big 1000-user system, with its flows and checkpoints and flags and pointers. If you've grown it well you have a dashboard showing you login numbers, counts of transactions, dollars moving around. You control it all from your NOC, pressing the little red buttons whenever necessary, moving dials and reading graphs. But the thing is that seeing the bits and pieces of online life on your screen doesn't necessarily, and sometimes doesn't at all, help you understand what's going on.

What IS going on in your system? What are users doing, and will that translate into the bottom line? What can the numbers tell you?

Well, we've been through a few ideas. Expert knowledge ties symptomatic indicators to identities and to what they intend to do, so that you can at least start making sense of it. Collecting the data is one aspect; using it to understand is a whole new area. When we reach tips and tricks on how to develop your own methodology, some of this might start ringing a bell. But this post is about one system that shouldn't be adopted as your main tool if you're the risk management expert - it's about advising you not to count on hindsight based on business results.

No, no, don't get me wrong - business results are important, one of the most important aspects of the business (and some will argue - the single most important - but that is another discussion). But using the bottom line (or even a highly detailed version of it, including a drill-down of, for example, every auth rejection code) to indicate what the risks in the system are or, worse yet, to indicate what needs to be fixed, is a recipe for bad judgment. Consider my favorite example, a hospital. If you needed to weigh two hospitals one against the other, would you use the percentage of deceased patients as an indicator? Would it matter that one has an oncology department and the other doesn't? Would it matter that one is in Mozambique and the other is in Mexico? Of course it would, since when all else is equal (in staff, training and tools - like your company compared to other retailers), fraud-on-entry (the hospital's location and the indigenous diseases you'd expect) and fraud MOs (the types of diseases that are actually seen, and treated or not treated) have a big impact on the bottom line. Trying to use the numbers that come out after risk controls, chargebacks, chargeback disputes and collections to understand what could have happened is trying to pin down a moving target - and the wrong one at that. Worst of all would be trying to design future systems based on the current snapshot, since you have no indication of what users do - just how much money it costs you - and user behavior is much more volatile than your incoming chargeback count.
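Here is the hospital argument carried through with numbers, as an added illustration that is not part of the original post. Two hypothetical merchants with identical controls are compared on their bottom-line chargeback rate and then on a mix-adjusted rate (direct standardization of each merchant's per-segment rates to a common segment mix); the figures are constructed for the example, not taken from any real merchant.

```python
from collections import defaultdict
from typing import Dict

# Constructed, hypothetical figures (not real merchant data): transactions and
# chargebacks per business segment for two merchants with the same controls.
# The segment is the "department" of the hospital analogy: it fixes the fraud
# pressure on entry before any risk control has a chance to act.
MERCHANTS: Dict[str, Dict[str, Dict[str, int]]] = {
    "A": {"tangible_domestic": {"tx": 9000, "chb": 18},    # 0.2% within the segment
          "digital_goods":     {"tx": 1000, "chb": 30}},   # 3.0% within the segment
    "B": {"tangible_domestic": {"tx": 2000, "chb": 2},     # 0.1% within the segment
          "digital_goods":     {"tx": 8000, "chb": 160}},  # 2.0% within the segment
}


def raw_rate(segments) -> float:
    """The bottom-line number: all chargebacks over all transactions."""
    return (sum(s["chb"] for s in segments.values())
            / sum(s["tx"] for s in segments.values()))


def segment_rates(segments) -> Dict[str, float]:
    """Chargeback rate inside each segment."""
    return {name: s["chb"] / s["tx"] for name, s in segments.items()}


def pooled_mix(merchants) -> Dict[str, float]:
    """Share of each segment in the combined volume; used as the reference mix."""
    totals = defaultdict(int)
    for segments in merchants.values():
        for name, s in segments.items():
            totals[name] += s["tx"]
    grand = sum(totals.values())
    return {name: n / grand for name, n in totals.items()}


def standardized_rate(segments, mix) -> float:
    """Direct standardization: this merchant's segment rates weighted by a common mix."""
    rates = segment_rates(segments)
    return sum(mix[name] * rates[name] for name in mix)


def compare(merchants=MERCHANTS):
    """Raw vs. mix-adjusted rate, plus the per-segment rates, for every merchant."""
    mix = pooled_mix(merchants)
    return {name: {"raw": raw_rate(seg),
                   "standardized": standardized_rate(seg, mix),
                   "by_segment": segment_rates(seg)}
            for name, seg in merchants.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        detail = ", ".join(f"{k} {v:.2%}" for k, v in r["by_segment"].items())
        print(f"merchant {name}: raw {r['raw']:.2%}, mix-adjusted "
              f"{r['standardized']:.3%} ({detail})")
```

Merchant A has the lower bottom-line rate (0.48% vs 1.62%) only because almost all of its volume is low-risk tangible goods; segment by segment it is worse, and the standardized rate (1.46% vs 0.955%) says so. The same trap applies whenever you rank teams, countries or rule sets by post-control losses without holding the entry mix constant.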

When you come to understand what’s going on, business results are highly important. But letting them steer all of your team from looking at user behaviors will put you exactly where you don’t want to be – patching up holes in your system using a highly delayed hindsight mode. To be successful, combining data analysis and behavioral research is a must.

Tuesday, May 5, 2009

Differential diagnosis, people!

House - "Haven't done the MUGA."
Wilson - "Then how do you know she needs a heart transplant?"
House - "Got my aura read today. Said someone close to me had a broken heart."
(Season 1)

Yes, I admit it, I'm an avid "House, MD" fan. The fun part about this show is that a lot of people find meaning that's beyond the plain action to relate to - much different, I assume, than what the writers meant. Some watch it for plain medical aspect, like a good mystery story; some treat House as their fictitious mentor; some like the twists of the tale. I sometimes watch it like a tale of business intelligence and a general case of decision making with partial information.

Here's how it usually goes: in comes a case. It either looks suspicious upfront or bad indicators come up immediately at the beginning (by the way, did you notice that in most of the first half of season 1, it was seizures?). Then they go through "Differential diagnosis" and run various tests; additional symptoms are discovered, and usually the truth is discovered by connecting details that hid from the doctors (because "everybody lies") or simply because they didn't connect the dots.

Yeah, real life medicine isn't that simple, and sometimes even knowing what happened is too complicated to be nailed down case by case. Obviously catharsis doesn't come, like clockwork, every 35 minutes - just in time for the drama. But it's pretty similar, isn't it? In comes buyer A, and presents the details of person B. Not much to say about buyer A - their IP connection (anonymized?), their email (opened yesterday?), purchase details, maybe shipping address. Nothing much on person B either - name, address, credit card number. Would you let the purchase go through? Differential diagnosis, people! What test can we run to verify this person, or establish fraudulent behavior? What does it mean if they can verify the email, answer a call to their mobile phone, tell you that the issuing bank is Citi? What additional indicators are we missing? Because that's what the "game" is - in comes a case - what do you do? No one is dying, but your balance sheet is going to look pretty bad.

The trick about decision making in this case is understanding what the next step is. Our goal, whether asking the customer for additional details or looking for an additional data source (what's next - family history review? MRI? CT scan?), is to reach a conclusion in as few steps as possible, meaning that we need to be able to choose the steps that carry as much information as possible. BI experts sometimes tend to get as much data as possible, sometimes at enormous cost (these external vendors don't come cheap). House's department costs the hospital millions of dollars a year, but that's human lives. We need to be cost effective.

One major way to work with this is automated decision making systems - expert systems - which help experts reach decisions by handling the quantity of data with statistical models for classification. Advanced systems, when correctly fed with symptoms (or fraud indicators), can even suggest tests to rule out corner cases. Constructing such a system is the end station of the long road that starts with the single source of truth - in House's case, the doctor. In fact, expert systems in the field of medicine usually outscore doctors in identifying illnesses based on differential diagnosis - it only makes sense, when you hear House's staff shooting off diagnoses based on remarkable memory and years of experience. Which brings up the question - why doesn't House use one? It would immensely scale his ability to save lives.

But then again, how much fun will that be?
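As an added illustration of the "choose the step that carries the most information" idea in the post above (not the author's method, and not a real expert system), here is a small Python routine that picks the next verification test by expected information gain and Bayes-updates the fraud probability after each outcome. The test names, their pass rates for legitimate buyers and for fraudsters, and their costs are hypothetical assumptions; in practice they come from your own labelled history.

```python
import math
from typing import Dict, List, Tuple

# Hypothetical assumptions, not measured rates. For each candidate step:
# (P(pass | legitimate buyer), P(pass | fraudster), cost in arbitrary units
# such as analyst minutes or vendor fee).
TESTS: Dict[str, Tuple[float, float, float]] = {
    "email_verification": (0.95, 0.80, 0.10),  # fraudsters usually control the mailbox they gave
    "mobile_callback":    (0.85, 0.30, 0.50),  # harder to fake; some good buyers miss the call
    "issuing_bank_quiz":  (0.90, 0.55, 0.40),  # "which bank issued your card?"
    "external_vendor":    (0.97, 0.05, 2.00),  # strong signal, expensive per lookup
}


def entropy(p: float) -> float:
    """Binary entropy, in bits, of a fraud probability p."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def posterior(prior: float, passed: bool, p_pass_legit: float, p_pass_fraud: float) -> float:
    """Bayes update of P(fraud) after observing one test outcome."""
    l_fraud = p_pass_fraud if passed else 1 - p_pass_fraud
    l_legit = p_pass_legit if passed else 1 - p_pass_legit
    return prior * l_fraud / (prior * l_fraud + (1 - prior) * l_legit)


def expected_gain(prior: float, p_pass_legit: float, p_pass_fraud: float) -> float:
    """Expected reduction in entropy (bits) from running this test once."""
    p_pass = prior * p_pass_fraud + (1 - prior) * p_pass_legit
    h_after = (p_pass * entropy(posterior(prior, True, p_pass_legit, p_pass_fraud))
               + (1 - p_pass) * entropy(posterior(prior, False, p_pass_legit, p_pass_fraud)))
    return entropy(prior) - h_after


def rank_tests(prior: float, tests=TESTS, per_cost: bool = True) -> List[Tuple[str, float, float]]:
    """Order candidate tests by expected bits gained, or by bits per unit cost."""
    rows = []
    for name, (pl, pf, cost) in tests.items():
        gain = expected_gain(prior, pl, pf)
        rows.append((name, gain, gain / cost))
    rows.sort(key=lambda r: r[2] if per_cost else r[1], reverse=True)
    return rows


def next_test(prior: float, tests=TESTS, per_cost: bool = True) -> str:
    """The single step to run next under the chosen criterion."""
    return rank_tests(prior, tests, per_cost)[0][0]


if __name__ == "__main__":
    prior = 0.30  # P(fraud) after looking at the order itself (assumption)
    for name, gain, eff in rank_tests(prior):
        print(f"{name:<20} gain={gain:.3f} bits  per unit cost={eff:.3f}")
    chosen = next_test(prior)
    pl, pf, _ = TESTS[chosen]
    print(f"if {chosen} fails, P(fraud) = {posterior(prior, False, pl, pf):.3f}")
```

At a 30% prior the external vendor check has by far the largest expected gain, but the mobile callback wins once cost is taken into account; that is the budget trade-off the post describes. Chaining updates across several tests treats their outcomes as conditionally independent given fraud/legit, which is an assumption to check against your own data before relying on it.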

Monday, April 27, 2009

Who are these guys?

The investigators were baffled. After 3 hours of investigation, they still hadn't made any progress in understanding whom they should be looking for as the prime suspect in the assault case. The problem? No, not a mismatching DNA sample. Not a picture that's not on the immediate suspects list. Not even a scarcity of able people willing to create a drawing based on the description from the victim. The problem, surprisingly, was that the victim would not let out any revealing detail about their assailant: gender? Against the sexual harassment act. Skin color? Dude, we're against any type of discrimination. Religion? Get out of here. Lucky for the investigators, the guy (oops) was of average height. At least that went through.

Imaginary? Indeed. Possible? Of course. I once spent 15 minutes listening to a friend of a friend describing a very similar case, until I was able to understand what the person's profile was. Because in social interactions, political correctness (PC) sometimes deters us from using specific observations. Makes sense. In the world of Risk management, however, such a starting point can be the death blow to your ability to understand what exactly is attacking your system, and stop it.

Profiling is the name of the game, and some of us are not playing it, and are wrong in doing so. Because fraudsters lie every time they need to. They lie about their identity, they hide their connection, they use other people's details and they will come back to demand the service you are not giving them, and might end up convincing you. But what's their motivation? Is a WFH (work-from-home) scammer the same as a 419 fraudster or a WoW gold trader, or for that matter - a customer who maliciously reports not receiving an item they have in fact received? Of course not. They have different starting points, different sets of tools and conceptions, they might even be from completely different regions of the world (quick hint: they are). And that produces behavioral attributes that are simply not reflected in your analysis (because the fraudster's age and favorite social network do not show up in the account's time-on-file or in the time before a chargeback comes in).

When not profiling, you are bound to look at losses as they appear, and then reverse engineer them using business dimensions to try and understand what's going on. You might discover that your UK market for new intangible item transactions is high on chargeback rates. Is this a bad finding? Absolutely not, data driven analysis HAS to be the first step of any research - because segmenting the world is the first step toward prioritizing work and creating a sound, results-related risk policy. But when you don't ask yourself "why is this happening" and "who are these users causing losses" and even "what's their story?", you are missing out on three big things:
  1. the ability to further segment the world based on how bad user behaviors look in your system, and differentiate malicious intent from system errors (classification errors and others) and mistakes (the human factor - flakes, friendly fraud and others)
  • the ability to identify the good guys, and provide them with better treatment, even when they resemble bad guys in business segmentation
  3. the chance of foresight - understanding where the bad guys might go next

Behavior based analytics isn't the sole answer to all BI problems. On the contrary - without proper data driven segmentation, experts' intuition is both unvalidated (and though it is usually useful, it is risky when it's the only thing you're using for long term planning) and takes a lot more time to form (since prioritizing where to look first is the proper use of your Oracles). But it is the single most important frame of thought your risk management team is probably not using - and whether this is happening because of PC, lack of domain expertise or just disinterest, you cannot let it pass you by.

Monday, April 20, 2009

Stop! Are you a fraudster?

A few days ago, Slashdot reported on this blog post, which neatly explains why CAPTCHAs are doomed. The post is very interesting; first, because the analysis hits some good points, such as why developing an explicit, single-factor screening mechanism in a global economy just doesn't make sense (and why a good ESP game is much cheaper than the next generation of OCR). Second, because it raises (maybe unknowingly) the most important point - that screening mechanisms and risk controls often turn away a lot more good business than they stop bad guys. But third, and most importantly, it falls into the same pit by suggesting a few alternatives that are just as bad.

Let's admit it - we're not dealing just with a bunch of script kiddies with a knack for defacing popular sites. We're dealing with serious "bad guys" with a lucrative opportunity to use our systems, with a big shiny dollar sign at the end. And we want to stop them from doing so. Our only problem is that when we do so, we tend to make the legit buyers' lives much harder, because fraudsters are always more prepared and have more incentive to complete a purchase than the average buyer.

If you go back to square one, you'll discover that when designing a payment system one has to choose between an open and a closed door approach. This might seem simple, but closed (only allow buyers you trust to make a purchase) vs. open (allow all to buy, then detect the bad ones while they buy) approaches not only define your risk aversion in general but also dictate your risk management strategy. True, the long term goal in each is to get to a nearly-perfect system and hedge the risk (more on hedging - thank you Tal - in a future post), but how do you get there?


All in all, we're looking to prevent scalable negative actions; reach a point where every fraudster can only hit you once and you're in a completely new ballpark. For most merchants, the problem is that fraudsters return to known exploits, and for most fraudsters the problem is finding and reusing them without bouncing off rules and limitations. CAPTCHAs and CAPTCHA-like mechanisms reduce the ability to quickly open many accounts ("horizontal scalability"), while soft limits and caps limit the ability to create large losses through a single account ("vertical scalability"). By combining the two, one would expect, we make the fraudsters' lives harder, raise the "cost of fraud" and reduce risk. Somewhat right, somewhat wrong.

In themselves risk controls are not bad ideas, but to make good use of them they need to be utilized properly. Here's a common approach: "Heck, the last fraudster did one hundred $5 digital goods transactions, let's stop anyone from doing that. Then that other one opened 5 accounts that are linked, let's not let any linked accounts into our system". Synchronous, always-on controls, especially explicit ones, raise the incentive to reverse engineer them. Use too many quotas and limits and you reach an unmanageable system with thousands of rules you forgot exist, and whose effect on future (legitimate) buyers you cannot predict. This is why, among all recommendations, I would support heuristic profiling. It's a big word, true, and we'll need to shed some light on this subject before we move on; but only proper profiling and segmentation of your legitimate and fraudulent users can allow proper use of risk controls and authentication mechanisms - one that doesn't strain legits with something fraudsters are trained at overcoming, and doesn't create an overgrown operations center (that doesn't justify itself) to manage.

Tuesday, April 14, 2009

That one small detail

"When the Chinese government instituted the policy in 1979, it touched off a wave of sex-selective abortions as pregnant couples decided that if they could have only one child they would benefit most from having a boy. That helped leave modern China with the largest gender imbalance in the world. Today, there are 37 million more men than women in China, and many of the boys are growing up unable to find a job or start a family.

So what are these “surplus” boys doing to fill their time?"

This isn't just a story about risk management - it's a story of pure business intelligence - it is a story of freakonomics. The German police spent years chasing down someone who turned out to be a phantom: a woman who wasn't really a feared killer present at many different, distant crime scenes, but merely a lab worker whose DNA "slipped" onto the cotton swabs German CSI people used to collect evidence (on another note, wouldn't it be just morbidly funny if that person turned out to be a real-life German "Dexter" copycat?).

So what does an unsanitized cotton swab have to do with abortions in China, and with risk management?

When one approaches modeling of complex situations (either to explain what just happened, or to improve decision making in the future), often the "sense" made in the process is undermined by the fact that not all the data is revealed. This is why when Freakonomics author Steven D. Levitt says something along the lines of "if we had enough data, we could unravel the mysteries of the universe", many of us nod (though, I must say, we are not always right); we are in constant search of the added detail that, when added to the equation, will help the story make sense. It's not only as extreme as claiming that a rise in abortions is correlated with a drop in crime rates - retailers are always looking for the additional factor that will verify a bank account, provide details for a phone number or do this automated, super sophisticated AVS check. But the fact is that most of the added data doesn't do the trick, since looking for that additional detail requires a system.

Yes, having a single source of truth helps lay a foundation, but even the brightest have a hard time without a system - and the right one at that - for collecting, validating and understanding data. I've seen this in organizations here and there, and the German CSI story demonstrates it well. The CSI department has a system for examining a crime scene and extracting evidence, and they came up with a concrete linking theory between cases. It didn't shed light on the actual identity of the mysterious killer, but it gave an interesting spin to a bunch of unsolved crimes, until it didn't make sense anymore.

What the CSI department lacked was a key component of creating robust linking stories - identifying common resources. That common BIN in last week's transactions might be the result of a data breach at the processor level, but might also be the result of a marketing campaign for a new eCard; and that repeated IP creating new accounts may be a script attacking your system, but may also be a whole trend-struck fraternity house shopping through the same computer for that special item only you are offering at a great price. Noticing the trend, understanding it and making the right call on how to handle it are key decisions we face every day, and not only in eCommerce. Common resources are one simple example where correct classification, using an external resource, makes the difference between turning away good business and letting the fraudsters in; between chasing a phantom killer and tracking down a less-than-perfect lab worker. Using the right constructs for doing this is key in our ever-changing profession.
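As an added example (not from the original post), here is how the common-resource check might look in code: profile sign-up events per shared IP and per BIN, then classify each cluster with the help of an "external resource" lookup, so that a scripted burst from a hosting range is told apart from a fraternity house, and a promotional BIN from a suspected compromise. The events, the lookup tables standing in for an IP-intelligence feed and a BIN table, and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import median
from typing import Any, Dict, List


def ev(ts: int, ip: str, account: str, bin_: str, card: str) -> Dict[str, Any]:
    """One constructed sign-up event: time (s), client IP, new account, card BIN, PAN token."""
    return {"ts": ts, "ip": ip, "account": account, "bin": bin_, "card": card}


# Constructed sample traffic (hypothetical, not real data).
EVENTS: List[Dict[str, Any]] = [
    # Six sign-ups from one hosting-range address, a fresh card each time, 4 s apart.
    ev(1000, "203.0.113.7", "a01", "411111", "c01"),
    ev(1004, "203.0.113.7", "a02", "510510", "c02"),
    ev(1008, "203.0.113.7", "a03", "411111", "c03"),
    ev(1012, "203.0.113.7", "a04", "455555", "c04"),
    ev(1016, "203.0.113.7", "a05", "510510", "c05"),
    ev(1020, "203.0.113.7", "a06", "411111", "c06"),
    # Five sign-ups from one university address over an evening, one card per person.
    ev(5000, "198.51.100.9", "b01", "520000", "d01"),
    ev(5180, "198.51.100.9", "b02", "520000", "d02"),
    ev(5600, "198.51.100.9", "b03", "411111", "d03"),
    ev(6500, "198.51.100.9", "b04", "520000", "d04"),
    ev(7300, "198.51.100.9", "b05", "411111", "d05"),
    # Ordinary scattered traffic.
    ev(9000, "192.0.2.44", "z01", "411111", "e01"),
    ev(9100, "192.0.2.45", "z02", "411111", "e02"),
]

# Constructed stand-ins for the external resources: address type from an IP feed,
# product description from a BIN table, and the BINs marketing says are in a promotion.
IP_TYPE = {"203.0.113.7": "hosting", "198.51.100.9": "university",
           "192.0.2.44": "residential", "192.0.2.45": "residential"}
BIN_INFO = {"411111": "consumer credit", "510510": "consumer credit",
            "455555": "consumer credit", "520000": "prepaid gift card"}
CAMPAIGN_BINS = {"520000"}

CLUSTER_MIN = 3     # events before a shared resource is worth profiling (assumption)
MACHINE_GAP_S = 30  # median inter-arrival below this looks scripted (assumption)


def profile(events: List[Dict[str, Any]], key: str) -> Dict[str, Dict[str, Any]]:
    """Per resource (key = "ip" or "bin"): event count, card/account diversity, timing."""
    groups: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    out = {}
    for res, evs in groups.items():
        ts = sorted(e["ts"] for e in evs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        out[res] = {
            "count": len(evs),
            "distinct_cards": len({e["card"] for e in evs}),
            "distinct_accounts": len({e["account"] for e in evs}),
            "span_s": ts[-1] - ts[0],
            "median_gap_s": median(gaps) if gaps else None,
        }
    return out


def classify_ip(ip: str, p: Dict[str, Any]) -> str:
    """Same cluster shape, different verdict depending on what the IP feed says."""
    if p["count"] < CLUSTER_MIN:
        return "normal"
    kind = IP_TYPE.get(ip, "unknown")
    scripted = p["median_gap_s"] is not None and p["median_gap_s"] < MACHINE_GAP_S
    if kind == "hosting" and p["distinct_cards"] >= CLUSTER_MIN and scripted:
        return "automated_signups"        # block or challenge
    if kind in ("university", "residential") and not scripted \
            and p["distinct_cards"] == p["count"]:
        return "shared_network"           # one computer, many real people
    return "review"


def classify_bin(bin_: str, p: Dict[str, Any]) -> str:
    """A BIN cluster is a campaign if marketing can explain it, otherwise a breach question."""
    if p["count"] < CLUSTER_MIN:
        return "normal"
    if bin_ in CAMPAIGN_BINS:
        return "campaign"
    return "review"  # many new accounts on one BIN, no known cause: check for upstream compromise


def classify_all(events: List[Dict[str, Any]] = EVENTS) -> Dict[str, Dict[str, str]]:
    ips = {ip: classify_ip(ip, p) for ip, p in profile(events, "ip").items()}
    bins = {b: classify_bin(b, p) for b, p in profile(events, "bin").items()}
    return {"ip": ips, "bin": bins}


if __name__ == "__main__":
    for kind, verdicts in classify_all().items():
        for res, verdict in sorted(verdicts.items()):
            print(f"{kind:>3} {res:<14} {verdict}")
```

The verdicts only route each cluster into the right queue: the shared network gets a lighter touch, the hosting burst gets blocked or challenged, and the unexplained BIN cluster gets a human to check for an upstream breach. Without the IP-type and BIN lookups the two bursts look alike in count and card diversity, which is the phantom-killer mistake in miniature.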

Tuesday, April 7, 2009

The single source of truth

"Great Oracle, sleeping through the centuries,
Awaken now at last
And tell us how to save us from ourselves
and how to survive our own rulers
who would make a plutocracy of our democracy
in the Great Divide
between the rich and the poor
in whom Walt Whitman heard America singing"


(Lawrence Ferlinghetti, "To the Oracle at Delphi")

Ok, no politics. Here's the first rule of proper engagement with complex decisions: know the truth. It's so simple, yet one of the hardest tasks ever in a large organization, especially one that deals with transactions every day. Because the Knowledge Boom hits hardest where you actually need to make sense of it. This isn't just going through your Google Reader and finding the 5 interesting posts to read among the dozens you got last night from TechCrunch and Slashdot. It is (first and foremost) about finding those pieces that really matter, and using them to make money, or to prevent losing it; it is about finding the most important piece of data you aren't logging or don't have, and getting it; and finally, it is about making it all connect. Because without all of these, you're left with a blur called your payment system, and your best chance is third party vendors and chargeback representment, and you know my opinion - it's not the best place to be in.

So, you say, what's the problem? I'll hire someone who understands Risk and I'm good.

Not quite. Here's an interesting dynamic: since many merchants either file risk management under customer support (CS) or demand a clear ROI for any headcount they're hiring, the risk or fraud management department often ends up as an underdeveloped group with CS responsibilities. Yes, this means that they'll start calling a lot of people. On the other hand, when the organization grows, in come the industry veterans with their zest for business intelligence, segmentations and graphs. So you end up with a group of "factory" workers on one hand - who feel the "field" but do not know what to do with this knowledge (let alone generalize from it), and on the other hand you have the top squad, segmenting the world but never actually meeting the real fraud cases on a non-aggregate level. When the second group needs to find out what exactly is happening, they cannot rely on the first group, and they end up reverse-engineering the answer to "what really happened?" by digging deeper into your already-huge data warehouse, always reaching something that is just that much better than a random variable, but never the actual answer. I know this is industry standard, I know it works well to a certain extent, I also know it loses flexibility and degrades after a while. In addition, I can tell you that this is the reason not only that fraudsters are having a ball, but also (and much worse!) that legitimate people are not making it through the grid of filters. So my advice to you is: get an oracle.

Who or what is an oracle? You can think of this position as, at the very least, the missing link between your field agents and the BI experts. The "oracle" knows what's a good transaction and what's a bad one; they can rationalize the case and, furthermore, they can generalize. Because proper use of rationalization and generalization is key to an efficient decision making process: they lay the foundations for understanding why bad things happen, how you spot them in time (and not in a retrospective analysis of business performance, or when the processor is already knocking on your door with chargeback fines), and what you should check. They have the ability to dive into the material and resurface with additional insight, and the ability to test your systems while you develop them. This is much more than a field agent becoming the newest member of the BI team - the oracle is not only a person with a specific talent, but also has the right system to enable their way of thinking, one that has nothing to do with Customer Support - as important as CS might be in your organization.

What's the talent profile, and what's the right system? Allow me to call this my little trade secret. But you have an important tip now - find an oracle. Find two. Have your own source of truth, that isn't just your most experienced field agent, and make sure they are all in sync (which is a challenge in its own). Then, finally, you'll be able to start planning automated systems that actually do the work your way.

Tuesday, March 31, 2009

Here comes the scary part

It is a dark night in Tel Aviv, the kind in which bad things lurk in dark corners. Sitting in a small cafe with the security expert, I hear the wind blowing between the trees. The waitress looks worried as well. A dark night indeed. I look across the table to my partner, a serious person with thick eye glasses that add to his already grim demeanor. Then, to accent his last sentence, he leans towards me - his glasses almost opaque in the dim light - and barely whispers: "but you know, man, you know what the real problem is, right? the real problem is BOTS!".

Oh, is it really?

I didn't go to the MRC conference this year. Somehow, boogeyman stories from interested third parties (over an early morning session, in Vegas!) sounded less appealing to someone who needed to fly 18 hours for the experience. I did, however, read excerpts and ideas. Boy, I have to admit that the setup was a lot more successful than a Tel-Aviv cafe. Because here's the thing with 3rd party vendors - they are looking to sell, and if you're looking for the real gap in your system (rather than the perceived one), you probably shouldn't be looking in that direction. Let's see what's hot this year: it appears that malware and botnets are attacking everyone, and that machine ID and phone verification might be the only way of stopping them.

Now's probably the right moment to wonder what my case is. True. Here's my case: buying flashy new technologies when you haven't exploited the old ones is pricey, redundant, and sometimes plain dumb. Most of the merchants that will purchase anti-malware and machine ID solutions do not, I bet, have a decent user-location system in place, and are instead declining multiple good buyers who live in a set of black-listed locations; most of the merchants that will purchase phone verification products will double their fraud operation costs before they realize that calling a large percentage of the transaction volume only slows them down instead of turning that solution into loss mitigation. My case is - proper analysis of what you're dealing with, rather than going with the nifty, trendy new fraud filter, will bring you much higher ROI and a method for solving your own problem. It does, however, require some extra effort that cannot be bought off the shelf: training the right kind of people to do the right kind of work. More on that in future posts.