As I'm going on vacation, the blog will be inactive for a few weeks now.
See you on the other side of India!
Sunday, August 30, 2009
Monday, August 24, 2009
There's a kind of hush
Yes, it's gaining momentum. TechCrunch posted today about an acquisition in the field of micropayments for gaming. We're on the verge of an explosion - the mass proliferation of startups and technology companies trying to get a share of this growing industry. They're going to face a lot of challenges (beyond fraud - even managing a payments or dispute resolution operation is costly), but I'm personally interested, obviously, in the rise of marketplaces.
Yes, buying virtual credit using a stolen credit card gets you... virtual credit. That you can later find a way to sell, that's true, but marketplaces are such an evergreen environment for fraudsters to operate in, since they let you exit funds so much more easily. And these guys, no doubt, are going to be a lot more creative and tech-savvy - in a non-tangible, rapid environment.
Why is this a problem? Because most risk controls today rely on the item being shipped (to a real address, that matches the billing address of the card, and also matches at the bank). They also rely on the ability to delay shipment when you suspect something. Don't buy tales about sophisticated "dynamic risk scores", I tell you, it's all AVS and some additional blacklists. And at this point exactly, in these quick, electronic transactions with no account history, statistical models and standard risk controls are failing. Let the arms race begin.
Labels:
micro payments,
risk controls,
social gaming,
techcrunch
Thursday, August 20, 2009
Heartland my love
So the security-related part of the web is stirring over the Heartland breach going to court, and having fun mocking Heartland for falling for the oldest trick in the SQL-injections book. Since Israel's IDF's chief of staff was also a victim of his credit card being stolen, newspapers in Israel feasted over this "hot news" item, to the extent that one blog even names Albert Gonzalez (the "brain" behind the attack; I wonder who Pinky is) "The Al Capone of Cyber Thieves".
Geez.
A flurry of blog posts and articles followed, telling us that checking your credit report is important (really?) and pulling some chargeback stories from the attic. One even went as far as interviewing the manager of operations for one of Israel's issuers. Don't get me wrong, while I'm against trying to scare people, public education makes sense (though many times it is useless, as I have claimed in the past [Hebrew]). But the part I'm much more interested in is not the fact that a breach happened; those happen all the time, although some retailers just hide their negligence. What I’m interested in is the publication of such an indictment, and its effect on the psychological aspect of committing internet fraud.
You see, analysts profile people. We know who the average fraudster is: a young, tech-savvy male with a knack for gadgets and digital goods, who thinks he could get away with it pretty easily. The “getting away with it” part is the important one; be that the average fraudster or a desperate housewife looking to earn a few dollars defrauding buyers on eBay, the mental state needed to commit a felony on the web is much less delinquent in nature. Because the web is not “the real world”. Because doing it over the computer pushes it away from me. It’s not me; actually, it’s my avatar. And pressing charges in the real world against people who wronged in the virtual world makes it as real as it gets. This, in turn, makes people a lot more aware of what they’re doing when they’re stealing – and the heuristics of a self-aware fraudster are different from those of one that isn’t. A fraudster who isn’t afraid of getting caught looks a lot more like your average Joe, and this is something we want to prevent. This is not only because risk analytics become easier (and legit people’s lives become better, since we need fewer “tricky” controls), but because indicting fraudsters is the right thing to do. Security and trust are, I believe, the key foundations of a thriving online community, and I’d like to help keep it as such.
Labels:
fraud,
heartland breach,
heuristics,
profiling,
tips for risk management
Saturday, August 15, 2009
O Master, where art thou?
As an Israeli, discovering Corporate America was a shock. Not that I never heard of the term; still, for someone who just joined "the industry" (as the hi-tech sector is usually referred to in Israel) a few years back, discovering that this kind of thing exists (and has many types of interesting positions, some of them far from the usual computer-science-only cult of Israeli hi-tech) was mind-boggling. I'm not sure how eBay strikes locals in California, but in Israeli terms it's a pretty big international corporation - and now I'm relocating straight to HQ, to live in the belly of the beast with my wife and dog. What an adventure.
Labels:
martial arts,
relocation,
silicon valley
Tuesday, August 11, 2009
Fraud Fighting 2.0
“Wow, I've been a victim of fraud for 10 days and didn't even know it until now. Holy crap.” (A random Twitter user reporting)
During FraudSciences’ fraud operations days I was never keen on letting analysts and agents call people who were defrauded. Old school credit card users, who have had their details stolen, were never too happy hearing about it from someone they didn’t know, calling from another country and sounding like the fraudster himself - with a thick accent and all of their personal data at hand. It didn’t help that the company was called FraudSciences either, but that’s a completely different story. As time went on it became clear that most users we encountered preferred that fraud be dealt with out of their sight. They didn’t want to know about, or be involved in, any process regarding their identity being stolen. Sure, we’ve had the occasional angry customer calling back to understand whether we know the person’s name, who they were and their whereabouts to get even (and even had one person explaining that she always suspected her next-cube neighbor at the office), but generally speaking – no involvement. And we were completely fine continuing to work, undisturbed.
Labels:
facebook,
fraud fighting,
twitter,
visa,
web 2.0
Tuesday, August 4, 2009
PayPal Israel is looking for Analysts!
Disclaimer: This blog is not initiated nor endorsed by Paypal.com. I am writing it not as an employee of the company and my opinions are strictly my own. I am, however, posting a publicly available job opening since I find it to be a very interesting position, to be our single source of truth.
Read more about the domain and the type of people.
PayPal Israel is looking for Risk Analysts
Responsibilities:
Analysts in PayPal are highly motivated team players, working within the Live Analytics group, specializing in understanding, creating and applying advanced proprietary fraud prevention models. The group members work in a variety of fraud related fields while using state of the art tools and methods (profiling, forensics, network analysis, machine learning and more). The ideal candidates have a passion for solving fraud "riddles" and strong analytic skills allowing them to analyze various kinds of data and information and come up with new understandings. The role encompasses acquisition and application of vast knowledge areas over a short period of time and requires a strong sense of personal responsibility. The position is shift based, in a hectic live environment, held in regular working hours. Role development includes increasing contact with cross-organization research groups, project and product management roles and various other positions inside the greater global risk organization inside PayPal.
Requirements:
- BA graduate or a final year student
- Full time position
- 1-2 years work experience
- Proven analytical skills - scoring more than 700 in the psychometric test or an equivalent is a must
- Quick-thinker, fast learner, wide general knowledge
- Team worker, responsible and trustworthy
- Strong deliverability within strict time frames
- Computer skills: experience with programming /scripting language, Excel, SQL - a plus
- General familiarity with Internet technologies and protocols - a plus
- Excellent English. Other languages - a plus