Tuesday, December 14, 2010

PayPal Digital Goods Risk Management Talk is Live

I gave a risk management talk with a few other risk experts at PayPal's Innovate convention last October. The video is now live and can be found here.

There is also a risk best practices guide I put together with Mike Liberty from PayPal's risk management team, which can be found here [Careful - PDF!]. Mike is, among other things, in charge of risk management for digital goods and is doing an impressive job.

Saturday, October 30, 2010

Merchant fraud: a Nasty Little Secret

Over the years we’ve been accustomed to talking about risk from buyers. The paradigm was simple: established and new businesses go to ecommerce to go global, expand reach and sell more conveniently to multiple buyers. Since this is a card-not-present transaction, the retailers are liable for risks of chargebacks and other types of complaints, and they need to protect themselves from fraudulent buyers, flakes and defaults. The barrier to becoming a merchant was pretty high almost everywhere – getting a merchant account required interaction with a bank and documents that at least looked real. The strain in this process meant that becoming a merchant was not a scalable operation for fraudsters who were looking to make a quick gain; buying multiple stolen credit cards and running them through retail websites was much easier. Sure, there were fraudulent sellers on eBay but that was a rather contained phenomenon. This is not the case anymore.

With the appearance – or should I say reappearance – of marketplace models, merchant/vendor fraud is quickly becoming a very profitable operating model for fraudsters. Companies that enable commerce around tangible goods (Etsy, PayPal, Square), services (AirBnB) or digital goods (Apple and many others) attract many new businesses that wouldn’t have existed otherwise since they wouldn’t have crossed the barrier to getting a merchant account, for various reasons. While mostly the reason is prohibitive cost (if you’re an iPhone app developer, it’s not cost effective to start a company and build your own capability to acquire payments), to some extent it is also because they sit at, and sometimes well below, the lower bound of credit score and history needed to establish a merchant account. And while these marketplaces and ISOs are doing an amazing job on enabling new commerce activity, they are also very exposed: being an intermediary, they are exposed to disputes and chargebacks, and must support a dispute process that can be very costly – not to mention brand problems if their merchants are not sporting good business practices. This, and not consumer fraud and risk, is the growing issue of current ecommerce.

So how do you control the risk from merchants and vendors? Here are three initial thoughts to get you started:

1. Identity: you don’t want to push potential merchants away, but basic identity verification and authentication should be imposed before they can get through the door. Don’t wait until it’s too late – real merchants should be proud of their brand identity and be able to prove it exists, as well as show themselves as individuals. This doesn’t necessarily mean doing a credit pull; it does mean making sure that their address exists, that their name is real, that their credit card works and that their domain hosts a website that looks like more than a template.
2. Velocity: one of the most concerning aspects of the ability to easily establish a merchant/vendor relationship with marketplaces is that returning fraudsters have a ball. Opening an account, making a few sales, not delivering, then repeating the whole thing in a new account is very common. Identifying significant links between accounts and acting on them to prevent a group of fraudsters from scaling is thus one of the most important aspects of merchant fraud prevention.
3. Holds and graduation: while I’m not a big supporter of the escrow/delayed disbursement model, because of the limitation it places on legitimate businesses’ cash flow, it’s obvious that in many cases (especially in cases of delayed fulfillment) you need to be protected. The best advice in this case is to avoid using holds and delayed disbursements as a blanket policy for all new merchants. Limitations should be correlated with risk level – based on transaction velocity, history, authentication level, industry and more. Tying limitations to a defined “graduation” process that in turn provides added benefit for the merchant is my personal favorite since it brings added value that compensates for the burden of coping with the limitation.
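To make the "significant links between accounts" idea in item 2 concrete, here is an added example (not code from the original post or from any company named in it). The accounts, attribute names, link weights and threshold are all constructed assumptions; the point is that weak links (a shared IP) should not merge accounts, while strong or combined links should, including transitively.

```python
from collections import defaultdict
from itertools import combinations

# Assumed weights: how strongly a shared value suggests common control.
# A shared IP is weak evidence (NAT, offices, cafes); a shared payout account is strong.
LINK_WEIGHTS = {"bank_account": 1.0, "device_id": 0.6, "phone": 0.6, "ip": 0.2}
LINK_THRESHOLD = 0.8  # assumed cut-off for a "significant" link
MAX_GROUP = 50        # skip values shared by very large groups (e.g. a carrier IP)

# Constructed sample merchant accounts; "closed_fraud" marks a confirmed bad account.
ACCOUNTS = [
    {"id": "m1", "bank_account": "BA-111", "device_id": "D-1",
     "phone": "555-0101", "ip": "198.51.100.7", "status": "closed_fraud"},
    {"id": "m2", "bank_account": "BA-222", "device_id": "D-1",
     "phone": "555-0101", "ip": "198.51.100.7", "status": "new"},
    {"id": "m3", "bank_account": "BA-222", "device_id": "D-9",
     "phone": "555-0133", "ip": "203.0.113.5", "status": "new"},
    {"id": "m4", "bank_account": "BA-444", "device_id": "D-4",
     "phone": "555-0144", "ip": "198.51.100.7", "status": "new"},
    {"id": "m5", "bank_account": "BA-555", "device_id": "D-5",
     "phone": "555-0155", "ip": "192.0.2.10", "status": "active"},
]


def link_scores(accounts):
    """Sum link weights for every pair of accounts sharing an attribute value."""
    index = defaultdict(set)  # (attribute, value) -> account ids using it
    for acct in accounts:
        for attr in LINK_WEIGHTS:
            value = acct.get(attr)
            if value:
                index[(attr, value)].add(acct["id"])
    scores = defaultdict(float)
    for (attr, _value), ids in index.items():
        if 1 < len(ids) <= MAX_GROUP:
            for pair in combinations(sorted(ids), 2):
                scores[pair] += LINK_WEIGHTS[attr]
    return dict(scores)


def clusters(accounts):
    """Union accounts whose combined link score reaches the threshold."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for (a, b), score in link_scores(accounts).items():
        if score >= LINK_THRESHOLD:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for acct_id in parent:
        groups[find(acct_id)].add(acct_id)
    return [frozenset(g) for g in groups.values()]


def accounts_linked_to_fraud(accounts):
    """Return open accounts that sit in a cluster with a confirmed-fraud account."""
    status = {a["id"]: a["status"] for a in accounts}
    flagged = set()
    for group in clusters(accounts):
        if any(status[i] == "closed_fraud" for i in group):
            flagged |= {i for i in group if status[i] != "closed_fraud"}
    return flagged


if __name__ == "__main__":
    print(sorted(accounts_linked_to_fraud(ACCOUNTS)))
```

Account m3 shares nothing directly with the closed account m1 and is caught only through m2, while m4, which shares just an IP address, is left alone.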

Merchant fraud is a complex issue but a few simple steps can go a long way for managing it correctly. The most important thing is thinking these things out before you start course-correcting in the midst of a fraud breakout case – that’s when the worst decisions are being made and your legitimate merchant population will suffer greatly.


Wednesday, October 20, 2010

Smart risk management: why the "factory" approach could bring you down

If you deal with payments in any shape or form, you know you’re going to end up with a “risk management” team. A lot of times it creeps up on you: volume picks up and so you know you need someone to look at orders. If you’re running a small shop it’s most probably going to be you, but a lot of companies just hire one or two folks. These people use whatever tool you have to look at transactions – most times a customer service tool – and make up their technique as they go. With time, and sometimes with chargebacks coming in, you realize that your few analysts can’t review all transactions, so you turn to set up a few rules to make queue and transaction hold decisions. Since your analysts are not technology people you resort to hard coding some logic based on a product manager’s refinement of the analysts’ thoughts, again based on a few (or many) cases they’ve already seen. Not a long while passes, and you realize that the analysts are caught in a cat and mouse game where they try to create a rule to stop the latest attack that found its way to the chargeback report, and put a lot of strain on the engineers who maintain the rule-set. Even after coding some simple rule writing interface the situation isn’t better since the abundance of rules creates unpredictable results, especially if you allowed the rules to actually make automated decisions and place restrictions on transactions and accounts.

It’s at this point that you realize you need a statistician to run regressions, so you bring someone in. Hopefully, you have enough of a data set for them to create a decent regression model, and you can just get anyone off the proverbial street since regression is a very common tool. The statistician comes on board and creates a model that has industry standard false positives, let’s say 80%. Your review volume grows with transaction volume and you have to hire even more analysts and customer service folks to deal with complaints by legitimate customers – makes sense, since placing restrictions with 80% false positives will get you a lot of incoming calls. Then you discover that the regression model’s effectiveness degrades pretty quickly since it’s trying to predict which transaction will get a chargeback, but there are multiple reasons for getting a chargeback, making it harder to predict correctly. You then also discover that to create an updated regression model you need to wait for most of the chargebacks to come in so you’d have a good enough set of problematic transactions, meaning that you have at least 3 months’ lead time before a new process can be kicked off. That’s, of course, given that you have engineers on board to code the model.

Next thing you do is buy fraud prevention tools to add to your modeling power; you start creating black lists of IPs and Emails to mark problematic transactions. This improves things a bit but leads to additional false positives since people share resources. You consider buying a platform to manage rule and model deployment but decide that cost is prohibitive and generally, it looks like risk management is taking over your dev resources. So you decide to hire more analysts to do manual reviews, and a product manager to decide on the rule and model roadmap, and a risk operations manager for the growing group of analysts, and a head of risk. The rules and models you already have in place are blocking so many transactions you start to wonder if they’re not slowing down your growth instead of helping you protect your business. It looks like risk is managing you.

There’s something wrong with this model. Sure, some of what I’m describing makes sense for a company that’s just starting out, but getting caught in the factory approach to risk management is a huge burden in later stages, one that can be prevented by realizing that risk management is just one of a series of classification and inference questions a company needs to deal with, and that those require a different way of upfront investment in building a team.

I had two very interesting conversations about this very subject last week with two very inspiring people, but there’s one thing I remember a colleague telling me a few months back when they took a new job. The person insisted on being responsible not only for the new company’s risk management efforts, but also generally for their data and business intelligence. That was based on the same understanding: with the abundance of data created by organizations’ activity, all attempts to organize that data and make sense of it should be bound together. It doesn’t matter whether you’re qualifying leads, improving conversion or reducing fraud – you’re dealing with users and their actions, and how automated decisions impact them. It is the practice of making sense of data, and it transcends using data to control the experience of bad users. Once you realize that, you start demanding more of your analysts: that they be technical, know how to generalize on trends beyond targeted rules, become sources of truth. You understand that off-the-shelf regression cannot be just carried between domains without adjustment. You build a system that can correct itself. And with that, you create a team that can win risk, and do much more than that:  develop data sources, identify trends in huge data sets, and reach actionable insights that transform the way you work with your users, both fraudulent and legitimate.

What’s missing? I think there first needs to be a critical mass of people dealing with data in a way that sees beyond “intuition” but doesn’t get lost with over complicating inference using huge data sets. It takes time for these people to develop skill and want to continue solving difficult problems; my analysis group had less than 20 people in it and a good part of them have had enough of payments risk and classification for the rest of their career. I’m not even mentioning starting a company. But when you start a risk or data team, make sure you seed it well, or you’ll find that the bad start costs you a lot more money and effort than you have planned. 

Wednesday, September 29, 2010

Data Myths: The Misconception of Intuitive Decisions

A lot of the discussions I hear about data and analytics revolve around what and how to measure, and many interesting startups deal with creating new data sources. We deal with clicks, interactions, graphs, heat maps and surveys. We look at networks, assess nodes and links, and analyze service providers and browser information. We create masses of (often useful) information – but what do we do to organize and make sense out of it? While measuring and tracking is important, excess data can drive people to either give up on using it completely, or turn to use complex, sometimes very unfriendly analysis tools that require a lot of effort and ramp up time.

The most common claim by those who give up on using data is that talent or experience replaces data with “intuition”, and the rest of us should succumb to the wisdom of those who have good intuition. Indeed, it is mind boggling to work with highly talented people that seem like they can make correct decisions in a split second, without really being able to articulate their decision (“I just know!”). But what is this intuition? Actually, it is far from something supernatural. As discussed in research, intuition is a result of micro-learning that one might not be able to articulate, since it differs from standard and identifiable learning setups (read more in Matthew Lieberman’s paper here. Careful, PDF for download!). We learn from example but often unconsciously, and those result in intuition that seems to transcend logic.

Furthermore, since intuitive decisions are usually taken under stress, they often have a positive effect in preventing decision biases that arise when you rationalize or over-analyze your decision. I really like the Cook County Hospital example from Blink since it’s a great case of how a succinct procedure, applied by experts, removes the potential bad effects of excess data and over-thinking. And lastly, like in everything else, there are people who are better at this learning than others; they “see the matrix”, so to speak, and understand patterns better than the rest of us. But intuition is hard to quantify, and finding people who can both understand patterns and articulate them in a way that makes sense is very, very hard even for experienced modelers. Getting the “I just know” mantra is much more prevalent than finding an expert you can use, and the result is that such real intuition is often either lost or applied only by a few that are well capable, if they are lucky enough to get into influential roles.

How do you find the right people to approach data “intuitively”, but at the same time be able to articulate what they understand? I suggest you start with your customer service reps. Generally speaking, if you want to learn about customer behavior you talk to the people who talk to them on a daily basis (and make sure that all of your people do) – obviously – but day to day interaction with users causes reps to develop keen insight, intuition, as to what this customer will do next. Granted, not all of them get it and certainly not all of them can translate that into actionable patterns – but some do. And those that do are your key to making sense of data quicker and in an actionable way. Translating this knowledge into automated, actionable insights, however, is a completely different issue.

Tuesday, September 21, 2010

Why don’t you become a payments provider – Part 2 – Niches and Networks

Previously on “Why don’t you become” (here): people put their money in wallets (be those banks, or just stashes). Methods then pierce a hole in these wallets and create a widespread network that allows money to be transferred easily (cash in the stash case but we also have credit, electronic checks, credit cards and mobile phones. I don’t mean carrier billing – but rather those that replace the card using a chip and NFC or similar technology). Networks then put buyers and sellers together and manage the relationship with and between them; engagement drivers build on top of methods and add an improved interface for better conversion.

Of course there’s mobility between types and it’s also clear that people who are doing X are sometimes actually trying to get to Y; Zong is my usual favorite example with their attempt at moving from being an engagement driver (mobile payments for games at a very high rate due to carrier fees) to Zong+, a direct relationship with the customer and their funding instrument of choice. But why haven’t more companies gone that route? Some companies might be waiting for a certain stage (Boku might be waiting for wider acceptance, as I learned from P.), but most don’t because it’s really that hard to create an actual, viable payments business.

Risk management is a huge issue that can make or break a company, but for the benefit of this post I won’t delve into it – there’s enough about Risk in other posts. The two other things I stated in this post are simplicity and new volume. You identify an unmet need and you answer it with an innovative, easy to use solution – you find a sustainable niche that is your core strength while you expand your business. It’s clear why payments for games, offers and carrier-billing-based payments are having trouble becoming more than engagement drivers (I like offers, but do not see these companies evolving into the next PayPal): their existence is a function of a niche that’s shrinking as the industry that defined it matures, and their business models, unless changed, are only sustainable within that niche. When limited like that, your ability to actually own a relationship with a user base is greatly diminished because your business model is only relevant in that niche. As an example, a 30% take rate in exchange for full fraud protection will only fly when your customers have a 95% margin; and as user acquisition and retention costs rise and people in games learn how to do analytics, the math stops working. So you can end up being bought in Google’s shopping spree, which is NOT a mere feat but will not make you the next PayPal; and performing the way customers in other segments expect you to is difficult. This is, obviously, why I’m so excited about Square now that I’ve learned more about it: a new underserved market segment that adopts an easy way to conduct business is a great user base to build on further.

But there are two other issues that PayPal had to deal with when it grew, that could fail other companies: compliance – the reason that PayPal (and not only PayPal) has to be a bank in Europe and something I won’t discuss in this post – is one; the other is the lack of networks to expand on.

A sustainable niche to start with and a business model that can expand are important, but having the infrastructure for expanding payment services is crucial. Early in its time PayPal realized that in order to maintain growing margins it needed to get people to add and use their bank accounts. The struggle to get that to happen is described in the otherwise difficult to read “The PayPal Wars” and doesn’t even cover 10% of it. So PayPal ends up with a highly useful way of using the stone-aged batch ACH processes to drive bank payments – but that’s not a network nor is it intended to be one – it is a unique capability that PayPal built for itself. Actually, the only two available network infrastructures are cash and credit card. Sure, they are controlled by a centralized entity and require killer fees, but they are commoditized, widely acceptable and easy to use. So if you want to pierce another hole in the wallet you have to do it yourself instead of working with a network; the one company that was close to creating a lower-cost credit network (Bill Me Later) was rightfully snagged by PayPal, and there’s no general solution for mobile payments – mobile payment companies are integrating with operators one by one. So to make worthwhile margins you either need to wait for a method (see why I like the idea so much?) or build something yourself. And that’s a whole new pain.

So – a viable niche to start from and real expansion capabilities is what you need to have to really play it big. That’s part of why I think the Klarna story is interesting; but that’s a topic for another post.

Monday, September 13, 2010

The Snowflake Complex: behavioral modeling and you

“You are not special. You are not a beautiful or unique snowflake. You're the same decaying organic matter as everything else.”

 Fight Club, 1999

Whenever a highly improbable event occurs, I’m immediately inclined to find that one missing detail that may explain it as part of a pattern; maybe a rare permutation of indicators and events but a pattern still. It’s not due to a firm belief in determinism, but rather a fascination with the observation that human experience is diverse while at the same time we all go through the same (culture- and geography-dictated) crossroads in life; these crossroads also provide us with the common grounds on which communities are formed. Examples of such patterns are manifold but let’s just call out two: Joseph Campbell’s The Hero’s Journey is the canonical textbook of myths, while Malcolm Gladwell’s Outliers is a recent, nicely written example.

Recently I had this conversation all over again while describing my new project to a few folks. Every time I talk about modeling human behavior, I get asked how I can generalize on human beings – we’re such unique creatures, and the spectrum of our reactions is immensely broad. True and untrue; while we’re all unique individuals (well, you are. I’m not), we’re limited by two degrees of constraints that make it easier to understand who we are and why we do what we do.

One is our immediate and general social environment forcing us into behavioral patterns – forget the fact that people end up succumbing to the way they were brought up, let’s talk about the present – the only difficulty here is deciding on the right frame to compare to when trying to make a prediction. Sure, you’re very smart, and you dropped out of college to join a startup. Quite a unique move in your small town, maybe, but can’t say you’d stand out in a crowd in San Francisco. Being part of a startup that was successfully sold, then relocating to the US is something that happens to – I’d say – 1 in every 10,000 people in specific areas; put otherwise, there are thousands of people with a similar experience running around.

The other constraint is much more mundane – when you try to model behavior on the web, people are just limited by the interface. Trying to create complex interaction models or make arbitrary decisions usually fails because there’s no button for that (if you ever played Sierra quests, you know what “I can’t do that” means). Even when examining seemingly more complex MMOs like World of Warcraft, you see how simple the actual interaction model is.

We want to be a unique snowflake. I hope we are. But those who want to track and understand human behavior shouldn’t let the snowflake complex hinder their efforts. Ask the guys at Hunch.

Wednesday, September 1, 2010

Why don't you become a payment provider? A disambiguation.

Every once in a while there comes a question about why doesn't company X become a payment provider, or what would it take for them to become one. Lately, I have seen this come up in Quora regarding Skype. Parts of what I want to say about this matter were brought in this Quora question but there are a few other issues and a couple other basic assumptions to sort out.

I'm a big proponent for competition in payments; rates are too high, systems are archaic and self-imposed limitations by incumbents are just crazy sometimes. Even Paypal can use the competition to shake up some of its ways of doing business as the 8000 pound gorilla. But before you dive right in, you have to sort for yourself where in the food chain are you going to compete. I covered this a little bit in my previous posts about mobile payments, but I see 4 links in the payments chain you need to mind: engagement drivers, networks, methods, and wallets. Of course you can play in all of them, and many companies do so in more than one, but it's important to understand them since they have different implications to your product. Once we understand those, we can really look at why providing value in payments is not as easy as it sounds; we can also understand where most people choose to compete and where other opportunities might be waiting.

"Engagement drivers" is the model for many companies in the gaming market. You're competing in driving engagement when all you do from the payments perspective is resell someone else's ability to provide a method of payments (and therefore, build on top of the second group's systems). Note - not some other company's ability to acquire payments, as the companies whose services you'll use are not banks or V and MC. As I noted in my post, I see the mobile payment providers of the world in this category, and to a large extent offer wall providers as well. Players in this category don't own the customer service liability with the customer but at the same time don't own the relationship either; their product is a promise for improved conversion and hassle free UX, and at times they act as "aggregators", presenting end users with multiple payment methods. Quite a few companies have been pushed to this part of the chain or chose to go here because Methods incumbents are too strong and the barriers to playing there are high, while the gaming industry was and still is very supportive of pricey added services as long as you can drive engagement.

Networks is where most of the big players are playing or intend on playing; this is where Paypal, Facebook credits, Google checkout, mobile operators, the future Apple product etc are in the food chain. Players in this area have a direct relationship with the buyer and the seller, and discover the joy of customer service for payments. They emerge because they identified a new merchant and customer relation that was needed and not catered for (examples: Paypal rules in online payments and P2P/U2U, Facebook is solving virtual currency fatigue and small WePay is looking at group payments). At this level customers already have stored value accounts that are sensitive to fraud, and they may also default on some type of credit you've given them. This is the true battlefield of payments to many people - and many people, in my honest opinion, are missing the point - but when question askers think about payments this is what they have in mind. And for a good reason - owning this type of a relationship, as well as identity details, is important value add that can and should be leveraged by current payment companies.

Payment Methods and Wallet is where I find things to be extremely interesting - try to draw a graph of Visa, Mastercard, Amex and banking through the world and you can realize why - how small and fragmented is the online payments world compared to this opportunity, and what opportunity lurks there. But first I must make a point about differentiating methods and wallets, since some companies might claim to be both. Here's a simple test: when your customers get their paycheck, where do they put their money? If it's in your system you're the wallet. If it's not, you're not.

I am very interested in Methods since they are the rails that enable payments, while getting a piece of the pie in a (relatively) lower risk environment. Methods connect wallets with networks and they do this, ideally, in a seamless integration. Yes, they're in the back unless they have great brand strategy, and that's a challenge for any player to solve, but the reward is huge. It's a high-volume-low-margin market, but a profitable one, and is one that is ready for competition, as long as you can bring more value than just another credit card. I can say I know at least two companies that are working in this area and will provide what I perceive as immense value, and I'm following them closely.

Lastly, Wallets are where you put your money when you get it. For regulatory and other reasons mostly this place is a bank, that then uses various other services to allow you to spend your money. While quite a few companies developed as means for helping you spend or creatively save your money (Mint would be one example), not many are trying to provide an actual wallet. While there are many barriers here as well, this is a unique type of relationship with a customer, one that has much more upside once established but a rough way until it is established.

If you're thinking about payments, you're probably thinking about one of the first two in terms of fighting for market share in a crowded space while disregarding the third. Now that we have them defined, we can look at the perils of trying to establish yourself as any.

In a future post: what are the challenges of becoming an engagement driver and a network 

Monday, June 7, 2010

How not to sell your product, or: is there really a "Silver Bullet" for Mobile Payments security?

Engineers tend to frown at marketing and BD, but creating leads or closing a deal is never easy. No matter where you are you want to be able to clearly articulate what is the customer’s pain point that you are solving. And you want your solution to be as straight forward as possible, too. If you resort to detailed tables and text you’re bound to lose most of your potential customers along the way. One thing I like about mobile payment companies’ pitch is that it’s pretty straight forward; both Boku and Zong articulate very clearly that yes, they have higher fees, but overall their much higher conversion rates increase revenue. Simple and straightforward; I like that. Other mobile payments vendors follow suit with similar pitches.

Why some Mobile Payments vendors are missing the point

Some of these vendors are veteran companies rebranding for the digital goods space and as such talk the “new” mobile payments talk but do not walk the walk. You can’t, for example, claim you’re providing a seamless experience when you require a three page signup process on first payment; your product must support your value proposition. Still, I have encountered companies that claim exactly that – and fail to understand why a cumbersome sign up process is an issue. I can imagine how some of these products evolved: starting in technologically limiting environments, with little to no data sources available and nothing but premium SMS billing. Faced with these difficulties, the ability to create any sign up flow or get an integration agreement with an operator looked like a huge achievement. And it was. But as depressing as it is to see your market changing, empowering payments in a card-not-present environment is today almost a commodity and operator integration is a limited, narrowing edge. He who wants to survive adjusts, or continues to try to sell payments triggered via, let’s say, IVR call to a landline. I’m sure there’s a need for first-generation payments somewhere on the globe; in most developed markets these look displaced.

Commodities and risk management 

I find this obvious since commoditization also creates pitch and product distortions in my own back yard, risk and fraud management. How did that happen? 5 years ago it was harder to compete with internal risk departments. With the eCommerce boom, however, came the proliferation of fraud as fraudsters (and the average Joes of the world) realized how easy it was. With this came a demand for risk management tools and methods. Many companies emerged in response, and each had to evolve quickly to gain market share and capitalize on an almost vacant market. Since the business was so nascent (and, I would argue, still is far from full potential), little technology innovation was required to reach stellar improvements at any point in the funnel; and since all of these companies provided indicators to help support the retailer’s decision (rather than the decision itself), the sales tactic was geared toward convincing the customer to add your score to the variety of scores they were already using. And it worked: merchants are using on average between 4 and 5 different decision supporting tools and indicators. But the cost was commoditization and an ever degrading technological edge. This has already started to come into effect and change the way risk and fraud are discussed.

Scaring them used to work

Sometimes finding a pain point is complicated since the customer is either unaware of a problem or aware of it but does not think it merits attention. When we pitched FraudSciences’ product, even though we offered an insured decision to merchants to expand their business to new markets, often times the initial response was negative. Getting merchants to understand “why now” is always a challenge, and with the growth we see in Digital and Virtual Goods publishers sometimes don’t even have the time to consider (as I noted in the past, zero cost of goods produced is both a blessing and a curse). But it seemed as though for some of the companies the approach changed into forcing customers to realize they have a problem, even when they don’t necessarily have one. This is the “scare pitch”; I recently spent some time with a content publisher that told me about a similar conversation with another payments provider. A good part of the talk was aimed at explaining why fraud is so dangerous while the fact of the matter is that currently, content providers aren’t immediate targets (since content is not as easily monetized as other goods). Why try to scare customers into buying your service when they have no actual need? Because most tools and services provide negligible incremental value and this is the only way to get customers to add another one to the pile – like any premium-hungry insurance company, scare them with hell and make sure they sign the policy. The alternative is, of course, enabling an experience that unlocks more revenue rather than catches all the “bad guys”. And that’s exactly where the product is lacking.

Is there really a new silver bullet?

Since the pioneers of risk management in eCommerce were mostly web-security geeks, a fraudulent transaction was (and still is) viewed as a transaction made from a “bad machine” (rather than “by a bad user”, a very important distinction). If we could only map all the bad boxes in the world, says this logic, we can stop fraud. This is what “machine fingerprinting” is about. Most leading companies hence focused on black-list type systems geared at collecting as much anonymous information as possible to be able to identify machines without necessarily identifying their owners. The story repeated itself with IPs, cookies, browser profile and now the latest addition – mobile device ID. As with its predecessors in the role of silver bullet or even better than some of them, mobile device ID is not easily spoof-able, is relatively easy to retrieve and is (supposedly) unique. Problem solved, right? Not so. With so many phones manufactured, stolen and exchanged in a year, it’s easy to see that simply keeping a list of “bad devices” won’t cut it – same as with other devices and boxes, if you base your classification on a “device bad history”, you fail every time you see a new device; and you fail every time good and bad users share a device since one bad user “contaminates” the device for all others. A hacked phone is, like a hacked machine with a proxy set up in it, simply a relay. The real “badness” of a device should always be viewed as probabilistic, in the current context of the actions made on it, and compared to other details we may have on the user allegedly using it. That is why a system without Personal Identifier Information is nothing more than a mildly sophisticated black-list.

This is not a subtle point but it might be lost if all we're looking to gain is that small edge. In dealing with mobile devices I find that creating a pattern to recognize still encounters major issues: geolocation reliability, network topology and new patterns of user usage are just three considerations that make mobile payments more than just an extension of desktop purchases. Focusing on adding device IDs to a device fingerprint, without creating a viable solution to initial encounters or devices being transferred between users is similar to looking at a problem space through a keyhole. It just won't cut it. 
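To make the contrast concrete, here is an added sketch (not code from any product mentioned in this post) that sets a device black-list beside a probabilistic score built from device history, the context of the current action and details of the claimed user. The base rate, weights, threshold, device names and the `ZZ` country code are all constructed assumptions, not calibrated values.

```python
import math
from dataclasses import dataclass

BASE_FRAUD_RATE = 0.02   # constructed prior, not a measured rate
REVIEW_THRESHOLD = 0.25  # constructed cut-off for manual review


@dataclass
class Payment:
    device_id: str
    user_id: str
    billing_country: str
    ip_country: str
    account_age_days: int
    amount: float


def blacklist_decision(history, p):
    """Classic device black-list: one bad event condemns the device."""
    bad = any(fraud for _, fraud in history.get(p.device_id, []))
    return "block" if bad else "allow"


def fraud_probability(history, p):
    """Combine device history with the current context in log-odds space."""
    score = math.log(BASE_FRAUD_RATE / (1 - BASE_FRAUD_RATE))
    events = history.get(p.device_id, [])  # empty on a first encounter
    own = [fraud for user, fraud in events if user == p.user_id]
    others = [fraud for user, fraud in events if user != p.user_id]
    # The user's own record on this device is strong evidence either way.
    score += 2.0 * sum(own)
    score -= min(2.0, 0.5 * own.count(False))
    # Fraud by someone else on a shared device is only weak evidence.
    score += 0.4 * sum(others)
    # Context of this action and what is known about the claimed user.
    if p.ip_country != p.billing_country:
        score += 1.5
    if p.account_age_days < 1:
        score += 1.0
    elif p.account_age_days > 365:
        score -= 1.0
    if p.amount > 500:
        score += 0.8
    return 1 / (1 + math.exp(-score))


def score_decision(history, p):
    """Send a payment to review when its fraud probability is high."""
    risky = fraud_probability(history, p) >= REVIEW_THRESHOLD
    return "review" if risky else "allow"


# Constructed sample data: (user, was_fraud) events per device.
HISTORY = {"tablet-1": [("alice", False)] * 6 + [("mallory", True)]}
NEW_DEVICE = Payment("phone-9", "newuser", "US", "ZZ", 0, 900.0)
SHARED_GOOD = Payment("tablet-1", "alice", "US", "US", 800, 30.0)
SHARED_BAD = Payment("tablet-1", "mallory", "US", "ZZ", 2, 120.0)

if __name__ == "__main__":
    for p in (NEW_DEVICE, SHARED_GOOD, SHARED_BAD):
        print(p.user_id, blacklist_decision(HISTORY, p),
              score_decision(HISTORY, p),
              round(fraud_probability(HISTORY, p), 3))
```

The black-list waves the never-seen device through and blocks the long-standing user of the shared tablet; the score does the opposite in both cases.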

Why this is important

Turning eCommerce into virtual commerce and the mobile phone into a wallet will require a high level of trust between participants, since virtual communities and f2f proximity payments are new ideas and new experiences. Enabling that exchange is one of the best outcomes of effective risk management and user identity and intent assertions, but the current trend isn’t necessarily heading in that direction. I believe it should, but that would require a profound change in pitch, product and point of view.

Tuesday, May 18, 2010

Facebook showing Traces of Crowd Sourcing in Risk Management (?)

Picture by Matthew Filed/Creative Commons

If you're following the blog, you know I'm a big advocate of using the "wisdom of the masses" (well... at least their accumulated computational ability) to crowd-source complex tasks that cannot be easily automated. The way I see it, it's not that users merely "don't mind", they actually expect that to happen. This is the reason I'm pro offer walls (well, at least some of them) and like the concept of “jobs” or “tasks” incorporated into these walls. There's a lot to be done in the area of engaging users around various complex decisions, risk management being one of them (see other ideas on gwap). Now, I don't think that we cracked the code of making financials and risk interesting – whether it’s because financials are less “sexy” or because of more elusive reasons - but I do enjoy seeing interesting attempts.

That's why I liked the feature I discovered in a TC post

Yeah, I know, you’re wondering what I am so excited about. Well, for me it goes back to the dynamics that help establish and nurture communities. Online communities are here to stay, from Habbo hotel to SL to social networks. Communities like Facebook are growing by mere network effect; every day, people are pouring into the platform to interact, share, play. And at the same time, you can’t help but hear the murmur: Facebook did this, Facebook did that, I don’t like the new layout, I hate the privacy policy. This might mean that we have (potentially) passed the docile stage of throwing sheep at other users, to the involvement period. What’s that? Basically, creating a real, lasting online community requires more than a news feed and a constant unedited stream of brain farts (dad, I actually like yours. Really). It requires users’ engagement, their involvement in regulating their environment, in setting its rules and in actively helping to make it better. It requires some kind of ownership, a sense of responsibility. This is what creates a healthy community that can be actually leveraged as more than a collection of unrelated, though somewhat connected, individuals. And that’s the reason why I like the potential of this nascent form of crowd-sourcing risk management: from my point of view, it’s a fair attempt at starting to enable users to assume that kind of responsibility. It’s a call to action where Facebook’s Risk team, effectively the police in a network that’s around 1.5X the size of US population, is asking you to join the neighborhood guard. If it’s really your neighborhood, won’t you act to keep it peaceful?

That’s why I like it. Or, at least, that’s the potential I’m loading on one poor notification feature… The other reason is, of course, the poetic justice of using the same type of resources fraudsters are using to overcome standard risk controls to actually deter fraud. Gotta love that.

What is your take on crowd sourcing risk-related process in your system?

In case you’ve never seen it, catch this remarkable piece of the performing arts.
Lyrics are here.

Saturday, April 24, 2010

Blizzard, secondary markets and the gaming industry

Phew... after two months of work, I can take a step back and go back to blogging.

Who won the "Pirate bay" trial?

The simplistic answer is obvious: though currently in appeal (scheduled to open in September of this year) the site's operators were convicted on April 17th, 2009 of being accessories to crime against copyright law, and were sentenced to a year in jail and over $3.5M in fines and other damages. I would call this a pretty decisive decision.

So the publishers win, right? I don't think so.

The trial itself is a cornerstone in the fight against piracy, but focusing on that misses the point. Don't get me wrong, I'm not pro any illegal activity, however some illegal activities stem from a need that's not met by what the industry has to offer; something people are willing to pay for. It's not that people didn't want to pay for music and movies - they just didn't want to pay for them in the way they were bundled by the publishers. And from this perspective, the publishers lost. They lost their old business model to the vast end-user-driven movement that spun piracy: iTunes (paying for single songs), Netflix (subscription based streaming), Spotify (free music discovery) and Hulu (ad based streaming) are examples of models that evolved since publishers had to change. Who won the pirate bay trial? Irrelevant in the long term. The important thing is that users get more of what they want.

The same rule applies to secondary markets in online games.

I spoke to a few publishers over the last few months, and especially at GDC. I asked a simple question - why don't you support p2p trade and secondary markets? The answers varied, but most of them responded just like a music publisher in the pre-iTunes era: it just doesn't fit their business model.

Most games provide their players with progression - along skill levels, story lines, levels, goods. When stripping them of fancy mechanics, in essence Farmville and WoW are similar in the sense that you have "stuff" you accumulate (be those points, ranks or cows) and you have a series of actions you can do to get them. In some of the cases, you also go through an internal narrative that adds another layer of "stuff" to achieve, this time story progression. Players get rewarded by the game, and invest in challenges that the game provides them with - and so gameplay, long hours of engagement and investment of time and money against game-initiated calls for action are what drive profitability. Secondary markets undermine this dynamic - players are supposed to buy content, currency and items from the publisher only, and buying them from other players ruins gameplay and works against the game's planning.

Sounds familiar, doesn't it?

The way I see it secondary markets represent something the player community needs and wants, and a necessary change to the way games are played. Allowing players to create value themselves and trade it with other players will only increase engagement with the game, not decrease it - provided that there is really an option for open ended play. Of course it creates additional challenges - farming, scams, fraud in p2p trade - but most of those are current issues for most online games and worlds, and instead of seeing its value churned by piracy and chasing down pirates, the gaming industry needs to make a decision to take this activity into the games. With the digitization of commerce, there's no reason why actual entrepreneurs cannot work in the virtual space as much as they would in the real world, and virtual worlds can be direct beneficiaries from sophisticated ecosystems. You only need to look at the numbers from Blizzard's latest launch of the "pets" on WoW to understand that reselling, and later turning these now-commodities into high value collectibles, is just around the corner - and gaming companies cannot allow themselves to not participate in one way or another.

It does seem, however, that gaming companies have identified this need and are working to accommodate it in future publications. Going back to the opening of this post, this is another place where "piracy" showed the industry where it needs to go; choosing to fight such a clear message from users doesn't really make sense. I, for one, am looking forward to in-game, open marketplaces booming.

Monday, March 8, 2010

Looking for candidates: Paypal New Ventures Risk

Over the past months I’ve been telling you about my take on risk management, automated decisions, digital goods and various other areas. I am now starting to look for candidates for my team to deal with these exact areas within Paypal – so if you’re one or think you know one, please let me know. Find the formal JD in the eBay site with req number 38550BR. (But read on before that - the description in this post is much more important.)

The team is Paypal's New Ventures Risk team, in charge of risk management for Paypal's newest, most innovative ventures, leading Paypal's growth in new markets and with new technologies. The role is for a leader of the seller risk aspect of new ventures, dealing with sellers and developers using our most innovative products. Note: though the position is titled "manager", this is not a people management position.

What I’m looking for is results driven, quick thinking do-it-alls who want to be involved with new products, markets and risk challenges within Paypal. You should have the passion for consuming a lot of data and information, be able to learn quickly and identify and define trends in concise terms. You should be analytical and with a quantitative approach but not a data cruncher without any understanding of the big picture – we are playing at all fronts. Know or be able to learn how to drive processes through other people and organizations; working in ambiguous situations and coping with change is a must, as well as an ever changing operating rhythm. This is not your classic 9 to 5 and I’m not your classic 9 to 5 manager.

Experience is not a must (=graduates are also encouraged to apply), definitely not previous experience in risk management. However, please be an avid internet user, preferably a gamer in your past or present. Some security experience or tech savvy is a big plus – don’t get intimidated by developers, architects and tech talk. Impress me by having interesting hobbies out of work that you maintain although you are an aggressive achiever, and by having vast general knowledge (as in: you shout answers at “who wants to be a millionaire” while watching it on TV).

Read the blog. Process. Understand. Talk to me.

Monday, March 1, 2010

Dealing with International Fraud - a Few Basics

When we started looking for customers in the first payments startup I worked for, low hanging fruit were obvious. All you had to do to find them was look for a merchant's international shipping policy - or lack thereof - and continue from there. The value proposition we offered, where we would make final accept/decline decisions and insure them, was just good enough to be true and be worth a lot of money for those who wanted to expand internationally. Still, it wasn't easy to convince these guys to expand, I'll tell you that - for every one who was willing to check us out, at least ten were pretty happy selling internally in the US. Who thought of the international market at that time? Looking back at it, this was around the dawn of managed fraud and risk services, and though we spearheaded the offering for the more dangerous segments we most definitely weren't the only ones.

Now, however, of all the questions I am asked, the ones I hear the most - and with the most urgency in them - are the ones regarding international purchases. Unlike a few years ago, when merchants let themselves brutally limit international buyers and focused on domestic markets, it's clear today that global expansion is a key for sustained success. Every beginning publisher wants to talk localization. And they should: this is way more general than digital goods and content. While US eCommerce is forecasted to grow to 8% of all retail purchases in 2012, according to Gartner, European b2c sales are forecasted to outgrow US sales, and grow 20% in 2010, according to eMarketer. This is an amazing opportunity – and it means that a lot of real goods need to be shipped around the world. However, when you get to actually approving these transactions, often you find that you just don't get the tools you're used to outside of the biggest eCommerce markets and some don't even exist outside of the US.

So how do you deal with those tricky international purchases?

• Remember what international fraudsters aren’t – they’re not the people they are stealing from. Sounds very basic, but it will serve you well – most fraudsters are young, computer savvy males from 3rd world countries trying to use Western world cards and bank accounts. Note obvious mismatches in details: if details given for the customer (phone number, card bin country, address) just don’t match, come from distant parts of a country or look invented, beware.

• Purchasing history from other merchants, through a 3rd party vendor, serves you mostly when you delay shipment (either because it’s standard practice or you’re suspicious). For all other cases, you need to have velocity checks and an ability to identify returning fraudsters alternating details. There are some good machine-ID companies out there, but you also have to complement with rules that identify purchasing behavior that is different than what you are used to in your industry and shop.

• Contacting users makes sense – but only when you understand what contacting them tells you. Calling a VoIP phone does no good, same as emailing someone whose email domain ranges from the ridiculous @legit.com to the less obvious @army.com; some seemingly fine domains host sites that are nothing but a blank page, so checking occasionally makes sense.

• IP intelligence can teach you a lot – you wouldn’t be surprised to hear that there are more fraudsters and more exploited, Trojan infested computers in big cities with high speed internet. It’s always good to know more about your user’s connection, especially if they are risky – if someone is initiating a payment to your site from within Microsoft’s Azure cloud, you may be up for some trouble.

• Find alternative data sources. No other country has such extensive public data sources of its citizens as the US, but free and paid databases exist outside of the US too. A good address and name resource like 192.com helps you know more about your customer, and social networks span worldwide. Too bad fraudsters can use this too…

• And, last but not least – know that there are legitimate people out there acting very ordinarily, but in a way that might strike you initially as dangerous. Where people relocate between states in the US, in the EU they do so between countries. Belgium and France share a language, and exactly as an Austrian might have a German bank account, so can someone from the Turkish minority. Time to polish your skills in geography, and read some Wikipedia pages!
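Two of the checks in this list, the detail mismatch and the velocity check that catches a returning buyer alternating details, are sketched below as an added example (not code from any vendor or system named in this post). The orders, field names, thresholds and the list of ordinary cross-border pairs are constructed assumptions, and `ZZ` is a placeholder country code.

```python
from collections import defaultdict

# Constructed list of cross-border pairs that are ordinary (last bullet).
PLAUSIBLE_PAIRS = {frozenset(p) for p in [("AT", "DE"), ("BE", "FR")]}
LINK_FIELDS = ("email", "card", "device", "ip")
COUNTRY_FIELDS = ("bin_country", "phone_country", "ship_country", "ip_country")


def detail_mismatches(order):
    """Return the pairs of country fields that disagree implausibly."""
    found = []
    for i, a in enumerate(COUNTRY_FIELDS):
        for b in COUNTRY_FIELDS[i + 1:]:
            pair = frozenset((order[a], order[b]))
            if len(pair) == 2 and pair not in PLAUSIBLE_PAIRS:
                found.append((a, b))
    return found


def link_clusters(orders, window_minutes=60):
    """Group orders that share any identifier within the time window."""
    parent = {o["id"]: o["id"] for o in orders}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    last_seen = {}  # (field, value) -> (ts, id) of the most recent order
    for o in sorted(orders, key=lambda o: o["ts"]):
        for field in LINK_FIELDS:
            key = (field, o[field])
            seen = last_seen.get(key)
            if seen and o["ts"] - seen[0] <= window_minutes:
                parent[find(o["id"])] = find(seen[1])
            last_seen[key] = (o["ts"], o["id"])
    clusters = defaultdict(list)
    for o in orders:
        clusters[find(o["id"])].append(o)
    return list(clusters.values())


def velocity_alerts(orders, window_minutes=60, min_orders=3):
    """Flag clusters where one actor keeps ordering while swapping details."""
    alerts = []
    for cluster in link_clusters(orders, window_minutes):
        if len(cluster) < min_orders:
            continue
        rotated = sorted(f for f in LINK_FIELDS
                         if len({o[f] for o in cluster}) > 1)
        if rotated:
            alerts.append({"orders": sorted(o["id"] for o in cluster),
                           "rotated": rotated})
    return alerts


def _order(oid, ts, email, card, device, ip, countries):
    order = {"id": oid, "ts": ts, "email": email, "card": card,
             "device": device, "ip": ip}
    order.update(zip(COUNTRY_FIELDS, countries))
    return order


# Constructed sample orders; ts is minutes since the first order.
SAMPLE_ORDERS = [
    _order("o1", 0, "a@example.com", "card-1", "dev-1", "198.51.100.7",
           ("US", "US", "US", "ZZ")),
    _order("o2", 12, "b@example.com", "card-2", "dev-1", "198.51.100.7",
           ("US", "US", "US", "ZZ")),
    _order("o3", 25, "b@example.com", "card-3", "dev-2", "203.0.113.9",
           ("US", "US", "US", "ZZ")),
    _order("o4", 30, "carol@example.org", "card-9", "dev-7", "192.0.2.44",
           ("DE", "AT", "AT", "AT")),  # Austrian buyer, German bank
    _order("o5", 500, "a@example.com", "card-1", "dev-1", "198.51.100.7",
           ("US", "US", "US", "ZZ")),  # same details, outside the window
]

if __name__ == "__main__":
    print(velocity_alerts(SAMPLE_ORDERS))
    for o in SAMPLE_ORDERS:
        print(o["id"], detail_mismatches(o))
```

No single identifier appears on all three linked orders, so a per-card or per-email counter would miss them; the Austrian buyer with a German card raises no mismatch.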

Applying the above should take you a few additional steps on your way to open up your site to international commerce. And one additional thing to remember: deploying a great set of filters in place is close to useless without having a team reiterate on it and improve it as user behavior changes - the alternative is reactive risk management, slowly closing itself down using black lists and limitations until you resort back to the good ol’ US domestic shipping. Don’t let that happen to you, the international opportunity is too big to miss out on.

Monday, February 22, 2010

New York under zero: some thoughts on the Engage! Expo

"If there are any Mattel engineers in the audience, the astronaut Barbie's space suit is not crash proof" (loose paraphrasing on Will Wright's keynote)

Yep, the keynote was entertaining and Engage brought a lot of vendors to snowy New York's Javits center. The two day event, though a bit low on developers, had a few interesting sessions and some interesting chances to share opinions. So what did I pick up from these two full days?

Payments and mobile

This Engage was heavy on payments companies, and by payments I mean mostly - if not exclusively - mobile payments focusing on SMS billing through carriers (obviously Paypal was there - a few of my colleagues and me - and additional sponsors). While the value of mobile payments for a streamlined, high conversion purchasing experience is clear (on the verge of overstated), the abundance of these companies over such a small space only served to emphasize how not-that-different these companies are from one another. Better coverage, low fraud and a promise for lower fees in 2011 were the value propositions.

Now, while I think mobile payments are clearly an avenue the industry must pursue, it was clear to me that until operators make a big leap of faith to embrace mobile payments, this field will not move much unless the companies themselves move to a Zong+ like, account based system that allows users to add a financial instrument and for the mobile payments company to charge it directly. And, as you are soon to find out, account based systems are a whole new world of pain - while with direct billing you charge a prepaid or underwritten balance an operator is liable for, accounts are a much more complicated structure. Plainly put, you start writing big fat checks directly to fraudsters' pockets. Looking at chargebacks in hindsight, as at least two of the participants suggested, just doesn't cut it. So mobile payments are looking for the next big breakthrough, and if fees don't drop soon (and they probably won't), I'm expecting some M&A work as competition heats up.

Offers and tasks

I'm a long time advocate of offers. Yes, offers have their "dark side", when misused, however they have a huge potential for creating incremental volume - something I personally love. When at the conference I heard that Offerpal are integrating tasks from Amazon's Mechanical Turk, and have been hearing assertions that competitors are going to follow suit (also heard it on stage from IMVU.com's CEO). Why is this good? I think that using social gaming to crowdsource simple but human intensive tasks is good for user education - do something good instead of just signing up for Netflix (nothing bad about Netflix, though); plus, it's good for the potential work providers - ideally, research institutes, advanced OCR services and others. In short, tasks are the new "green". Two caveats in this optimistic view, though: the first is that there is a serious chance of shortage of tasks, at least until this market picks up; the second is that abusing this model is still doable, maybe even easier than standard offers - if I were a fraudster, I'd immediately outsource my CAPTCHA operation to Amazon. Oops! Better read previous posts and do some risk analytics, guys, or you'll find you're breeding an ecosystem of thieves.

Zero cost of goods

I had this feeling in the past, but the conference reassured me: the "zero cost of goods produced" concept is both a blessing and a curse. Why a blessing? Because developers, bathing in the sensational bliss of high margins, were keen on trying new things - new business models, new payment options (30% take for mobile payments? come on) and various experiments in user interaction (offers, vanity items and many other really cool things). Why a curse? Because the notion has outgrown its proper boundaries, actually harming some of the developers. Assuming that if you just auto-refund your zero-cost virtual good, the problem of chargebacks goes away is a mistake, and not checking operational costs related to this "zero cost" work will make your bottom line look pretty bad eventually. Additionally, zero cost of goods got many developers focused on solely growing their user base and ARPU - both important but, as a few speakers noted, shifted attention from a few other very important things. Like fraud, like going international, but also like pricing - when the third pretty senior person suggested to developers that going all-in on a freemium model just isn't a good idea, I started to understand that the problem transcends risk management and controls; it's starting to detach companies from sound business judgment. So this is probably time to reconsider - it's all a part of growing up as an industry.

P.S. One last thing

I was delighted to meet a few young and talented entrepreneurs working exactly on the things I find exciting - namely p2p trade and new, great ways to engage users. It's fun to see how ideas evolve, and I'm looking forward to hearing more about them and others like them. Well done, guys!

Sunday, February 14, 2010

Fraud detection and User Interaction: why are Millennials slower?

A scientist was conducting an experiment with a fly. He pulled off one of its legs and set it down to see if it could fly. Conclusion: a fly without one leg can still fly. He pared off a second leg and set it down, saying "Fly!" Conclusion: a fly without two legs can still fly. He removed all the legs and set the fly on the palm of his hand, shouting "Fly!" Conclusion: a fly without legs can still fly, briefly, before crashing to the floor. He pulled off all the fly's wings and set the fly on the palm of his hand, yelling "Fly!" Nothing. "Fly!" Nothing. Conclusion: a fly without wings is deaf.

This was an old, lousy and a bit vicious joke even when I was a kid. It does, however, effectively demonstrate a long lasting truth: it is not the collected data, but rather how we interpret it, that renders its effectiveness in decision making. Errors range from confusing cause and effect (is it that customers who experienced fraud are more active, on average, or that active customers are, on average, more prone to experience fraud?) to gross segmentation causing severe false positives; a lot of these cases are triggered by analysts sticking to high level, big numbers rather than complementing their analysis with case-by-case review and customer engagement. Business intelligence is a very important practice, and we must use our tools wisely to reach the best possible conclusions to guide our decisions.

One interesting case of interpretation I found was regarding Javelin's 2010 Identity Fraud Survey Report. Here's an excerpt from the link:

"18 to 24 Year Olds are Slowest to Detect Fraud – Millennials (consumers aged 18 to 24 years old) take nearly twice as many days to detect fraud, compared to other age groups, and thus are fraud victims for longer periods of time. Millennials were found to be the less likely to monitor accounts regularly and the least likely group to take advantage of monitoring programs offered by financial institutions. However, Millennials were the most likely group to take action such as switching primary banks or switching forms of payment."

Why is that? Well, looking for interesting opinions I came across this blog post. It suggests that Millennials are optimistic about the economy and feel invincible, being young, not imagining that fraud could happen to them. Interesting, but I don't buy into this kind of explanation, for two reasons: one, is that it's over simplistic in its description of Millennials' psyche, but the second is that it puts a cap on our ability to engage with a group of users about their financials. It's just too important to let go: being able to engage with your user community to deter fraud will be a growing need for payment services in 2010 and beyond, and I claim that they expect this to happen. It just doesn't resonate with me that social networks and games can get you engaged but your bank or eWallet, the place where all your money is, can't. It's just a question of the right engagement model. What is the difference between those that work and those that fail? As a user myself, I don't feel like I have compelling interfaces that help me monitor my financials - and I log in to my online banking interface on a daily basis. There's just too much information, too many buttons and graphs to make sense. To add insult to injury, many monitoring programs (such as the lately advertised Chase debit card program) require users and parents to set their own monitoring rules. This reminds me of another area, online predator monitoring, which poses the same challenge to parents - you set the rules to monitor suspicious words in your child's IM. Seriously? We force the laymen to do our job for us? Can we really not provide a compelling, interactive, machine learning interface that provides an appealing user experience? I think we can. Especially if the alternative is accusing Millennials of being too optimistic.

Looping back to the beginning of the post, I'm just hypothesizing (or pulling the fly's leg, if you'd like). It's now a question of actually engaging with users and examining behavior to validate basic assumptions; something that we must do to make sure we understand the data we are getting. But this is my own hunch on Javelin's results. What do you think?

Sunday, February 7, 2010

The Next Big Thing (and what it takes to be that thing)

When something happens for the first time - it's avantgarde.
If you see it twice - it's original.
On the third time - it's plagiarism.
On the fourth - it's pastiche.
But when it happens for the fifth time - it's a genre...

In the never ending discussion on innovation vs. execution (see Sara Lacy's great post here) I tend to be an avid supporter of the execution point of view; I've yet to see a great idea execute on itself, but I have seen pretty dull ideas becoming hits because of laser focused hard work. And, of course, it is my personal tendency for building and running strong organizations rather than engaging only in ideation. The reality of the business, as well, shows us companies that succeeded with strong execution on the ideas of earlier, less successful and agile companies (see the article for some examples). This is why I really like the dynamics of a new genre of products and services - if you follow closely you can track the evangelists, the copiers, the big and small players all mixed together, fighting for their place.

The dynamic is pretty straight forward - after a need is established by the avantgarde, in come the strong execution oriented players; proliferation kicks in, and many companies rise to offer similar services and products, each with its own twist. This stage ends with convergence - first with aggregation services, and then with the big winners emerging from the crowd of competing companies. Finally, when these winners become too big or fail to innovate, new avantgarde kicks in, discovering new niche segments that the giants were overlooking.

Social networks are, generally speaking, beyond the genre stage. Facebook and LinkedIn emerged as winners, and though there are aggregation solutions out there I personally don't see any need to mix my personal and professional business networks. In fact, Twitter has signaled a new niche (together with Yammer, its LinkedIn-like twin), taking the Facebook status line to the extreme - but the Cambrian explosion of networks has passed. It might be best reflected in the coverage and attention Ning - the DIY social network platform - is getting (or not getting) these days compared to 2008.

Online games are in an earlier stage; although there are a few major players in every part of the ecosystem (hardware, portals, platforms, publishers etc.), the barriers are still low and any garage geek can develop the next game. Until now, major game publishers have overcome this by cloning, executing quickly and gaining more and more traction; but as the market becomes more sophisticated and gamers' expectations rise, we will see changes. Acquisition of smaller studios by larger ones to get hold of new IP, traditional game companies entering the space and introduction of known franchises (I vote for Star Trek!) will all come into play, signaling that the battle for control is far from over. But there's another interesting story here - and that's payments in the virtual space.

New ways to pay and be paid have caught the eye of entrepreneurs and VCs alike. Investment money is running like crazy, funding the next-next innovative, zero-click-super-social payment service. Kwedit gets $3 million for letting people pay if they feel like it, Square is making news by enabling coffee shop sales via iPhone. We have hit the spot where there are just too many payment options, and platforms try to answer the need for convergence. Now, I have the utmost respect for new inventions, but as I started this post, you also need to know how to execute on them (Square is going to discover that, with Verifone's generous help). Remember the three pointers for a successful payments service? Easy, Enabling, Trustworthy. Getting those nailed doesn't take mere ideation, but good old fashioned execution on boring stuff like compliance, reconciliation and relationship management with card associations. And merchants are not early adopters like most gamers - getting them to expand to yet another payment service, in a highly fragmented market, is hard. Merchants are looking for a broad and established user base. Succeeding in this is much harder, and therefore constitutes a bigger barrier, than in other industries.

I can give only two general pieces of advice: one is do not underestimate compliance and regulation; they will limit your market (SMBs don't usually work with non-compliant payment services) and you may be facing huge fines even before you start profiting. And two - do everything possible to establish yourself as reliable - it's a merchant's biggest nightmare to have their payment service vanish one day, or to see their customers' data accessed by fraudsters. Guard your system, adopt your best grown-up face, and think about availability because being cool is great, but will only last so long. For success, you need to understand the basics of executing on a successful payment experience, to complement the big technological and business ideas.

Watching the payments industry over the coming two years is going to be extremely interesting, and much more volatile than we were used to. Hopefully, some of these incredible minds will adjust to the demanding type of execution the industry requires, and will make it to the other side of the convergence.

Two quick ones: due to a new role I'll be taking on in PayPal, the content and nature of my posts may shift a little. I apologize in advance to those who expected the deep dive on mobile payments threat analysis. On a similar thread, I will be at the Engage! expo next week - buzz me if you'd like to chat.

Sunday, January 24, 2010

Drawing internal buy in for improved Risk management

After my latest posts about risk management (identity management basics and getting the best out of your data) I was asked a great question I think about every day: it's great to have a methodology and a strategy, but how do you get other people in the organization (whether inside or outside of the risk management group) to agree and work with you?

Well, trying to both shape and implement a new terminology is as hard as any other change management, and is very similar to any type of internal marketing: the right catch phrases, proper branding and the right timing and location will do wonders. None of those will work if what you're "selling" is a bad product - an inconsistent, over-complicated or over-simplified method that people cannot use will never be as easy to implement as will a coherent system that makes sense and can be fairly easily comprehended - and used.

Nevertheless, even given a good system this is no mean feat. What are the keys to success? In my experience, there are three:
  1. Ownership: what this means is that you take responsibility over the area you are looking to improve. Too many times I have seen a person or a team trying to change a process or a notion while assuming the consultant position; in most cases, they will fail, because the key for making a change is rolling up your sleeves and making something happen. "If you build it, they will come", and "They" here are the aggressive achievers in your organization, the ones that recognize something that works and are not afraid to try and learn it. Stop saying "I told you so" and start doing!
  2. Transparency: no siloed organization makes a change outside of its own boundaries. Only inclusion of other teams, clear communication and eternal repetition of your messages, coupled with deliverables, can make any type of substantial difference. Don't take the traditional risk management approach - don't scare people with the horrors that might happen if they invest in a project; instead, say: "this is what might happen, this is why, and this is how I intend to solve it. Want to help?".
  3. Gradual Enablement: think of new ways to say "yes". If your system is truly innovative it will allow you to take risks others can't because you can understand and manage them better. Still - don't rush into it, because small successes are key for maintaining momentum; use pilots and rapid prototyping to prove that something can be done, and expand responsibly. This way you can prove you can stop more fraud while not hurting users - and get the charter to expand.
Is this the magic bullet? No, but these keys will put you on the road to success, because they earn you the trust of partners while delivering the results you need to fuel your system. And, if we all adopt this point of view, risk will start being a driver of innovation of payment companies - definitely a time I would love to see coming.

Tuesday, January 19, 2010

No more secrets: managing risk when access control breaks

This post is the first in a series I will be exchanging with Allison Miller, one of my esteemed colleagues in PayPal's Risk organization, in her reinstated blog.

“Man may be defined as the animal that can say "I," that can be aware of himself as a separate entity”. (Erich Fromm)

“Identity” is a widely debated term in various areas; philosophy, psychology and social sciences discuss various aspects of the individual’s and a society’s identity and its representation in media, art and academic thought – from the Buddhist extremity of no-self to the capitalist self-definition based on what you buy, the variety of ancient and modern thought around definitions and applications of identity is vast. Loyal to the spirit of individualism in the Western world, the development of the New Age movement over the last decade led to a call for each of us to find our own “true identity” through introspection; supported by modern psychology, the journey of identity constantly drives for defining, consolidating and presenting our personalities through titles that illuminate various aspects of our day to day behavior as part of a healthy, consistent and coherent identity that is who we are.