<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-650296454261939404</id><updated>2012-02-09T23:35:58.138-08:00</updated><category term='international sales'/><category term='quota'/><category term='zong+'/><category term='mobile payments'/><category term='identity management'/><category term='c2b'/><category term='driving change'/><category term='risk management'/><category term='malware'/><category term='silicon valley'/><category term='industry standard'/><category term='scamville'/><category term='analytics'/><category term='boku'/><category term='new ventures'/><category term='classification'/><category term='risk analysts'/><category term='truth'/><category term='successful payment services'/><category term='flight security'/><category term='heuristics'/><category term='risk controls'/><category term='web 2.0'/><category term='wireless payments'/><category term='micro payments'/><category term='secondary markets'/><category term='differential diagnosis'/><category term='user interaction'/><category term='credit cards'/><category term='supersonicads'/><category term='fraud fighting'/><category term='zynga'/><category term='visa'/><category term='fraud'/><category term='house md'/><category term='indicators'/><category term='facebook'/><category term='mastercard'/><category term='risk innovation'/><category term='terror'/><category term='authentication'/><category term='fraud c2b online ecommerce nigeria cell mobile payments'/><category term='nigeria'/><category term='kwedit'/><category term='squareup'/><category term='techcrunch'/><category term='india'/><category term='blizzard'/><category term='virtual currency'/><category 
term='crowd source'/><category term='behavioral analytics'/><category term='hiring'/><category term='online'/><category term='resumes'/><category term='obopay'/><category term='regulation'/><category term='social networks'/><category term='relocation'/><category term='world of warcraft'/><category term='market evolution'/><category term='verifone'/><category term='researches'/><category term='super rewards'/><category term='ad networks'/><category term='Javelin'/><category term='offer walls'/><category term='evangelism'/><category term='zero cost of goods'/><category term='tips for risk management'/><category term='fees'/><category term='digital goods'/><category term='disambiguation'/><category term='trust'/><category term='risk analysis'/><category term='social games'/><category term='job description paypal'/><category term='job description'/><category term='advertising'/><category term='business intelligence'/><category term='anu shukla'/><category term='payphrase'/><category term='seller risk'/><category term='risk analytics'/><category term='data sources'/><category term='engage expo'/><category term='data breach'/><category term='amazon'/><category term='ecommerce'/><category term='virtual goods'/><category term='privacy theatre'/><category term='social gaming'/><category term='new york'/><category term='attack defense'/><category term='square'/><category term='offerpal'/><category term='mobile risk management'/><category term='platforms'/><category term='team building'/><category term='zong'/><category term='mobile risk'/><category term='politically correct'/><category term='paypal mobile'/><category term='soft limits'/><category term='online ecommerce'/><category term='martial arts'/><category term='mobile operators'/><category term='backpacking trip'/><category term='call for resumes'/><category term='cell'/><category term='botnet'/><category term='mobile banking'/><category term='seller fraud'/><category term='MRC'/><category term='device 
fingerprinting'/><category term='captcha'/><category term='paypal'/><category term='risk tools'/><category term='open closed door'/><category term='payments'/><category term='twitter'/><category term='POS'/><category term='esp games'/><category term='fraud analytics'/><category term='paypal analysts'/><category term='u2u trade'/><category term='heartland breach'/><category term='profiling'/><category term='proactive actions'/><title type='text'>As risky as it gets - Ohad Samet's weblog</title><subtitle type='html'>Thoughts and insights about risk analytics, risk management, business intelligence and automated decisions</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>71</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3623602277313111981</id><published>2011-12-21T22:43:00.000-08:00</published><updated>2011-12-22T11:16:19.831-08:00</updated><title type='text'>A quick point about buyer psychology</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br /&gt;There are multiple things I need to worry about beyond just fire 
fighting, but the thing I keep getting back to is users' mindset and how we are impacted by it. It fascinates me to what extent and how much deeper we need to go in understanding customer psychology. I &lt;a href="http://fraudbackstage.blogspot.com/2009/08/heartland-my-love.html"&gt;wrote in the past &lt;/a&gt;about how much easier it is for people to steal online because of anonymity and distance from actual face to face human contact; one of the folks here at Klarna equates this to an open cookie jar in an empty room. Would you take one?&lt;br /&gt;&lt;br /&gt;Most people would. That's the amazing, oh-so-human day to day situation we need to work with. The difference from your usual eCommerce payments risk situation stems from the fact that instead of trading tokens of trust issued by other financial institutions (issuing banks in the case of credit cards, for example) we basically establish and sell trust between buyers and sellers on our own, based on our data and inference (more on how this impacts the multiple facets in a payments business - maybe in a future post). That's a very different ball game when not only is the customer's identity not a given, but their mere ability or willingness to pay could be in doubt.&lt;br /&gt;&lt;br /&gt;So instead of focusing on identity verification given a credit card (with a sprinkle of repeat offenders and hackers on top) we must look at a broader spectrum of credit and abuse issues. And the question about the customer's current and future mental state (future being upon receiving the request to pay) determines our ability to approve a purchase no less than the question whether this is a real person or not. The levers we need to pull, then, expand beyond identifying bad guys. Can I instill financial responsibility in a first time buyer&amp;nbsp; through a well designed buying experience? 
Will the busy businesswoman forget about our payment request in her busy schedule?&lt;br /&gt;&lt;br /&gt;The other interesting thing is that since Klarna owns the stack (we issue credit, acquire merchants, manage reminders to pay) I have many more touch points with the customer. That calls for more negotiation and, actually, relationship building that both sides are interested in (buyers keep coming back to Klarna-powered checkouts). That's a plus in many ways since I can control the buyer's experience and correct earlier mistakes, be they false positives or false negatives. But the question remains - and it's a complicated one - how do you impact the buyer's mental state within a very short sequence of clicks and without hurting conversion? &lt;br /&gt;&lt;br /&gt;Have I mentioned that I love my job? &lt;br /&gt;&lt;br /&gt;(BTW, we're hiring) &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3623602277313111981?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3623602277313111981/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3623602277313111981' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3623602277313111981'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3623602277313111981'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/12/buyers-psychology-and-risk-in-klarna.html' title='A quick point about buyer psychology'/><author><name>Ohad 
Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-7164937826069813466</id><published>2011-11-08T20:57:00.000-08:00</published><updated>2011-11-08T20:57:39.285-08:00</updated><title type='text'>What I Hoped Would Be Announced At Innovate2011</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Late post, I know. Hyper-growth life (yes, that was a #humblebrag).&lt;br /&gt;&lt;br /&gt;I went to x.commerce (ex-PayPalX-Innovate) to check on industry trends, meet friends and exchange ideas. I didn't have huge expectations but I did hope to see a couple of things emerge from the whole x.commerce effort that will extend both the Marketplaces and PayPal divisions beyond where they are today. This has yet to come in full, but some early signs are still visible and look promising.&lt;br /&gt;&lt;br /&gt;eBay has made some very interesting acquisitions which have an obvious synergistic quality to them, and it seems that it's managing these integrations well - as in, not forcing them to immediately assimilate but rather trying to make their products available within the greater eBay portfolio context. Now the question is whether all of these acquisitions can be actually leveraged together into a coherent, complete set of products and services. This leads me to what I was hoping to see.&lt;br /&gt;&lt;br /&gt;The two things I had hoped to see coming from eBay were (1) An integrated social commerce suite that allows commerce to go anywhere - basically showing that if sellers don't come to marketplaces, marketplaces will come to them. 
Preferably, this would be integrated with FB's open graph and allow real personalization based on social data. (2) A real transactional identity strategy and toolbox that allows PayPal's data and identity assessment to be extended by commerce sites to tie past purchasing behavior and enhance user experience. I was hoping for these two things since in my POV, both would have shown that the Marketplaces and PayPal divisions understand the limitations of their business model (mainly, the need to own the experience on eBay.com and the consumer relationship for PayPal) and that they are willing to partner and really provide access to some of their assets for others to expand on them. x.commerce, in general, was the right evolutionary move from PayPalX, since payments alone are not enough to build a really big and vibrant developer community - the problems a more flexible payments API is solving are not big enough (vs a new payment rail, but that's not what PayPal was offering).&lt;br /&gt;&lt;br /&gt;While both were sort-of touched upon and generally speaking the direction is impressive, both the x.commerce vision in general and the PayPal Access product specifically seem, still, a bit limited. In the x.commerce case, demanding that all capabilities communicate through the "fabric", as well as the way APIs expose information about the buyer (categorical answers such as "engaged", "casual" etc) demonstrate how eBay is trying to keep as much business logic as possible behind the APIs rather than provide raw data based on varying permission levels (at the consumer's discretion). PayPal Access is very similar in that sense - as one participant noted, currently looking a bit like a re-branded Express Checkout with a nifty sign-in module. I (hope to) see both of those concepts evolving more in the coming year as eBay incorporates more feedback from users, and becoming more open with its data and services. 
There's really a lot to be done in social commerce if eBay wants to continue being relevant, and I think it recognizes that. Time to take the big, platform agnostic, open-web-style leap. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-7164937826069813466?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/7164937826069813466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=7164937826069813466' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7164937826069813466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7164937826069813466'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/11/what-i-hoped-would-be-announced-at.html' title='What I Hoped Would Be Announced At Innovate2011'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5735128459385125568</id><published>2011-11-07T22:40:00.000-08:00</published><updated>2011-11-07T22:40:59.464-08:00</updated><title type='text'>Identity Theft - Whose Problem is it?</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;With Fraud Awareness Week happening this week, one of the main things I hear about (apart from, obviously 
ZEUSZEUSHACKEDMACHINESFRAUDZEUS) is identity theft and ways to deal with it. I &lt;a href="http://fraudbackstage.blogspot.com/2010/01/no-more-secrets-managing-risk-when.html"&gt;wrote in the past&lt;/a&gt; about issuing additional secrets; basically, I don't believe in it - and the more I hear about two factor auth, the more worried I become. The problem is that because traditional methods fail, identity theft stops being the individual's problem and becomes society's problem.&lt;br /&gt;&lt;br /&gt;Why?&lt;br /&gt;&lt;br /&gt;When large entities (read: governments) realize that issuing secrets doesn't work (even digital passports and IDs get stolen and forged), they start thinking about solving that in the most obvious way (if you're a gov official): storing something-you-are type authentication factors. This is how biometric repositories are created (and then hacked. But that's a different story). If only everybody would be more laid back about &lt;a href="http://fraudbackstage.blogspot.com/2009/04/who-are-these-guys.html"&gt;behavioral&lt;/a&gt; &lt;a href="http://fraudbackstage.blogspot.com/2009/12/man-on-plane.html"&gt;profiling&lt;/a&gt; based on available online identities... but then again, this isn't a product nicely packaged with a nice RFP that gov and banks can understand.&lt;br /&gt;&lt;br /&gt;Oh well. 
Don't come asking for my fingerprints.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5735128459385125568?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5735128459385125568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5735128459385125568' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5735128459385125568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5735128459385125568'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/11/identity-theft-whose-problem-is-it.html' title='Identity Theft - Whose Problem is it?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-4653736523808207238</id><published>2011-09-11T18:04:00.000-07:00</published><updated>2011-09-11T18:13:00.122-07:00</updated><title type='text'>Klarna is looking for a Manager of Risk Forecasting and Analytics</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br /&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;Trying to purchase something online is still far from a perfect experience. 
Not only are you taken through a tedious sign-up process, you’re also expected to trust the merchant and pay them before you even get to look at the merchandise. No wonder that only 9% of total commerce is done online: it’s just not easy enough. Klarna is looking to solve all that.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;Klarna was founded 6 years ago by three Swedish entrepreneurs and has been growing rapidly ever since, thanks to its offering. It lets customers pay only after getting their product, while guarding merchants from risk – making purchases simpler and safer for everyone while growing sales for merchants. This also drew one of the best VCs in the world – Sequoia – to invest in the company.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;We&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt; are Klarna’s Risk Management and Decision team; we deploy state of the art methodologies and tools (forensics, pattern recognition, network analysis, advanced statistics and even Theory of Constraints) to deliver the decisions that make Klarna’s business model possible. We’re looking for an experienced Risk Analytics and Forecasting Manager to join the team.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;This is where you come in.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;The Manager of Analytics and Forecasting will oversee Risk’s activities in loss forecasting and provisioning, loss trend analysis and reporting, and risk controls and compliance. 
They will be required to maintain and further develop our risk reporting system including originations, portfolio quality, fraud etc. You should be well versed in and able to understand loss line development, its relation to the company’s P&amp;amp;L and how to best present and explain it to internal stakeholders as well as external partners, banks and regulators.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The ideal candidate will be an impressive domain expert in the development and improvement of our provisioning and forecasting methodologies and tools as well as deep dives into trends and their drivers; all this while guiding and directing the teams that report to you in day to day tasks. While reporting and analyzing our performance and serving as a source of knowledge for loss reporting, they should also recognize that Klarna is a growing and accelerating company, and know how – even prefer – to successfully deal with the challenges of life in a company at the hyper-growth stage.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Some formal requirements: &lt;/div&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;This is a full time position in Stockholm, Sweden. 
You should be local or ready to relocate.&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Excellent communication skills in English (written and spoken); Swedish is a plus.&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;5+ years of experience in a similar role, preferably in an eCommerce/Payments company, is a strong plus. Candidates with less than 5 years also encouraged to apply.&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;Good knowledge of the IFRS standard; knowledge of USGAAP is a plus.&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;2+ years of experience managing more than 4 people.&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;Advanced degree in a relevant area (accounting, statistics) is a plus.&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Symbol;"&gt;&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;/span&gt;&lt;/span&gt;A combination of startup and corporate experience is a plus.&lt;/li&gt;&lt;li&gt;Previous experience working with regulators is a big plus.&lt;/li&gt;&lt;/ul&gt;For more information, email me directly: ohad.samet@klarna.com&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-4653736523808207238?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/4653736523808207238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=4653736523808207238' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4653736523808207238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4653736523808207238'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/09/klarna-is-looking-for-manager-of-risk.html' title='Klarna is looking for a Manager of Risk Forecasting and Analytics'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6592339444863430830</id><published>2011-09-08T22:57:00.000-07:00</published><updated>2011-09-08T22:57:34.269-07:00</updated><title type='text'>Why is the blog unattended?</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;It's because I'm head down with the team at &lt;a href="https://klarna.com/en/personal?overlay=true"&gt;Klarna&lt;/a&gt;, working to build a really awesome user experience and payments product. I have a few posts cooking, but this one's going to be a rather slow roast... 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6592339444863430830?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6592339444863430830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6592339444863430830' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6592339444863430830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6592339444863430830'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/09/why-is-blog-unattended.html' title='Why is the blog unattended?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5571920791226403482</id><published>2011-07-20T11:06:00.000-07:00</published><updated>2011-07-20T16:00:20.662-07:00</updated><title type='text'>Beyond NFC and coupons: is there real value in payments?</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;If there's anything I can honestly say about the latest talks about payments, offers and connectivity technology (read: NFC) is that I am underwhelmed. 
I have &lt;a href="https://twitter.com/#!/ohadsamet/status/89492752655589376"&gt;voiced my opinion&lt;/a&gt; about NFC before, but the extent to which payments related discussions are focusing on what I find to be irrelevant is just mind boggling.&lt;br /&gt;&lt;br /&gt;The issue most&amp;nbsp;participants&amp;nbsp;are missing is the intrinsic value in the payments business itself. When discussing NFC and offers, payments are often treated as a necessary evil - an almost commoditized way to move money between two accounts, based on existing rails (mostly credit card), where you optimize on cost (fees and losses). All that, to get to the real prize - users' personal data, to be leveraged for alternative revenue streams. This is the embodiment of the &lt;a href="http://fraudbackstage.blogspot.com/2010/10/smart-risk-management-why-factory.html"&gt;factory approach&lt;/a&gt;, and it is self&amp;nbsp;perpetuating since inefficient user behavior management creates bad cost structures, and drives payments into becoming a loss leader.&amp;nbsp;Is that what payments are about?&lt;br /&gt;&lt;br /&gt;No. Consider PayPal: the company hit profitability, among&amp;nbsp;other&amp;nbsp;reasons, by offering instant bank payments even though the existing infrastructure (to this day) only clears after 3-5 days. Data was not used to further segment the population for better delivery of&amp;nbsp;advertising&amp;nbsp;content; it was data used to deliver quality decisions and decision supporting tools, and enabling capabilities that users would not have otherwise.&lt;br /&gt;&lt;br /&gt;What are the added benefits of a payment option? The ability to move money quickly and for a reasonable price; the ability to drive commerce; responsible access to debt. Any solution that doesn't create more or cheaper commerce activity is not a change in payments - it's a new advertising platform. 
Extracting that value, however, requires deeper technology and more data science/decision design capability than is usually invested in payments, which is probably (together with lack of domain knowledge) why only a handful of companies ever succeeded in bringing real benefits - and they grew into gorillas. Effective risk management and automated decisions can make the difference between making a payment and earning a paying customer, and rejecting it; they also make the difference between approving a good&amp;nbsp;customer&amp;nbsp;and a fraudster or a kid using their parents' account. They also constitute the difference between your struggling gateway business and a PayPal or a Visa. Companies that invest the time and research get rewarded by a substantial revenue stream just from moving money around; companies that don't are forced to treat payments as customer acquisition cost.&lt;br /&gt;&lt;br /&gt;The above is the reason why NFC-enabled, offers-driven "wallets" don't strike me as innovation in payments: they are not. Improved underwriting, new payment rails or enabling commerce in a new setting are, but those aren't included in the debate. 
This is how a huge chunk of business opportunity is being missed.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5571920791226403482?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5571920791226403482/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5571920791226403482' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5571920791226403482'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5571920791226403482'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/07/beyond-nfc-and-coupons-is-there-real.html' title='Beyond NFC and coupons: is there real value in payments?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6092512041634023601</id><published>2011-06-22T21:29:00.000-07:00</published><updated>2011-06-22T21:29:59.909-07:00</updated><title type='text'>My Favorite Two Tips for New Risk Teams</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Every now and then I get to talk to companies either going into payments or having to deal with the effects of risk and fraud in payments. 
Usually that's a good sign - you need to be big enough to care, and that mostly means that you have a good trajectory - but having to deal with risk and user behavior in payments without a manual (none exists) is difficult. To make matters worse, there aren't a lot of folks with this specific experience who are ready to hop on to a company looking to start a team from scratch.&lt;br /&gt;&lt;br /&gt;Naturally every company is slightly different in the way its product utilizes payments. A marketplace for tangible items having to manage both merchant and consumer risk is different from a gaming platform with immediate delivery and high refund rates; business models also impact loss tolerance and use of various payment options. And so, giving one piece of general advice constantly fails - well, other than "take it slow and iterate quickly", but you already knew that. There is, however, some&amp;nbsp;advice&amp;nbsp;I keep repeating at these very early stages.&lt;br /&gt;&lt;br /&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;&lt;b&gt;Hire the right person. &lt;/b&gt;As I describe in &lt;a href="http://fraudbackstage.blogspot.com/2010/10/smart-risk-management-why-factory.html"&gt;The Factory Approach&lt;/a&gt;, your first hires are crucial for the way your risk and decision team will grow. I've written &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;multiple times&lt;/a&gt; in the past about the importance of &lt;a href="http://fraudbackstage.blogspot.com/2009/11/a-team-building-best-risk-management.html"&gt;hiring people&lt;/a&gt; who can &lt;a href="http://fraudbackstage.blogspot.com/2010/09/data-myths-misconception-of-intuitive.html"&gt;articulate complex patterns&lt;/a&gt;. Find someone who has a knack for patterns and data and can understand technology, yet is able to deliver results in an operational environment. 
You may be looking for two different people (although my experience shows that these people exist - only outside of standard engineering practices)... Hire the right person, and you will be spared a huge number of the childhood&amp;nbsp;illnesses&amp;nbsp;of your department (over-reacting to losses, solving problems with low-quality manpower). Oh, and if you read this and feel like you're the right person for the job, &lt;a href="http://fraudbackstage.blogspot.com/2011/06/come-reinvent-payments-with-us-klarna.html"&gt;I'm hiring&lt;/a&gt;!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Instrument, instrument, instrument&lt;/b&gt;. No one has ever looked back at the first two years of his company running and said "I shouldn't have kept all that data". From the payments and risk perspective, this means a few things: decide on an entity-focused data structure and stick to it. When you add functionality, properly abstract rather than add flags and columns that are called "is_transaction_refunded_yes_no". &lt;i&gt;Never&lt;/i&gt;&amp;nbsp;delete rejected, refunded or cancelled orders. Properly document state changes. Instrument internal decisions and manual decision clicks. Finally, never build a complex ETL process to provide Risk folks with data; risk isn't business analytics - it is engineering with a sprinkle of manual review. Trust me, this will be one of your most precious assets even a few months down the road.&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;Are these enough for building a successful risk management team? No. 
But they are a good start and two things to keep in mind while you think about this complex task.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As always, I'm available for questions at &lt;a href="https://twitter.com/#!/ohadsamet"&gt;@ohadsamet&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6092512041634023601?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6092512041634023601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6092512041634023601' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6092512041634023601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6092512041634023601'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/06/my-favorite-two-tips-for-new-risk-teams.html' title='My Favorite Two Tips for New Risk Teams'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-7482019169618231325</id><published>2011-06-07T06:52:00.000-07:00</published><updated>2011-06-07T06:52:23.147-07:00</updated><title type='text'>Come Reinvent Payments with Us – Klarna is looking for Decision Analysts</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br 
/&gt;&lt;div class="MsoNormal"&gt;Trying to purchase something is still far from a perfect experience, especially online. Not only are you taken through a tedious sign-up process, you’re also expected to trust the merchant and pay them before you even get to look at the merchandise. No wonder that only 9% of total commerce is done online: it’s just not easy enough. Klarna is looking to solve all that. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Klarna was founded 6 years ago by three Swedish entrepreneurs and has been growing rapidly ever since, thanks to its offering. It lets customers pay only after getting their product, while guarding merchants from risk – making purchases simpler and safer for everyone while growing sales for merchants. This also drew one of the best (maybe THE best) VCs in the world – Sequoia – to invest in the company. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;We&lt;/b&gt; are Klarna’s Risk Management and Decision team; we deploy state of the art methodologies and tools (forensics, pattern recognition, network analysis, advanced statistics and even Theory of Constraints) to deliver the decisions that make Klarna’s business model possible. We’re looking for analysts to join the team. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This is where you come in.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Decision analysts in Klarna are motivated, strong achievers who specialize in using our methodology and tools to prevent payments fraud, predict credit worthiness and stop abusive customers. 
They work individually and in a group to identify patterns in user behavior data and turn these patterns into accept and reject decisions, delivered both manually and automatically. This is an &lt;i&gt;entry level&lt;/i&gt; position with excellent prospects for getting into data analysis, risk management and automated decisions. If these areas sound interesting, you need to apply.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;If you are our dream candidate, you probably:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin-left: 38.4pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Play to win. You know what we mean. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 38.4pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Can absorb vast quantities of information in short periods of time.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 38.4pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Have some proven ability to make quality decisions based on partial data and under time pressure. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 38.4pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Know or at least have a tendency to look at masses of data and identify patterns in it. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 38.4pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Are constantly encouraged by your friends to go on game shows because you always know the answers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 38.4pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Lead an active life with multiple activities – because 
you can always rest later.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Some formalities:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;This is a &lt;i&gt;full time&lt;/i&gt; position in either Sweden (Stockholm) or Israel (Tel Aviv), with preference for Stockholm. Be local, or dazzle us completely and be ready to relocate ASAP. That said, if you feel like this is your dream job and you’re in the US, do drop me a line.&lt;/li&gt;&lt;li&gt;Fluent English is a must. Additional languages are a plus (in Israel, Hebrew is highly desired).&lt;/li&gt;&lt;li&gt;No relevant experience required. We prefer diverse backgrounds (I hold a B.Sc. in Biology and Philosophy). That said, if you’re experienced and looking for cool new challenges – we have multiple advanced challenges.&lt;/li&gt;&lt;li&gt;Bachelors’ graduates preferable, but all (= high school students to PhDs) may apply.&lt;/li&gt;&lt;li&gt;Some proof of excellence and analytic skills is highly desired (GMAT or Psychometric exam over 700, SAT &amp;gt; 1400, top programs, top schools)&lt;/li&gt;&lt;li&gt;Some technical skills or background (again,&amp;nbsp;doesn't&amp;nbsp;have to be formal) will push you to the front of the line. Please don’t refer to proficiency with Office as “technical skills”.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo2; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Interested? 
Contact me @ &lt;a href="mailto:ohad.samet@klarna.com"&gt;ohad.samet@klarna.com&lt;/a&gt; / @ohadsamet&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-7482019169618231325?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/7482019169618231325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=7482019169618231325' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7482019169618231325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7482019169618231325'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/06/come-reinvent-payments-with-us-klarna.html' title='Come Reinvent Payments with Us – Klarna is looking for Decision Analysts'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-1416285869059495084</id><published>2011-05-26T21:25:00.000-07:00</published><updated>2011-05-26T21:25:14.062-07:00</updated><title type='text'>The Google-PayPal showdown</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;phew&gt;&lt;/phew&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;In late January of this year Osama Bedier, PayPal’s VP of New Ventures has &lt;a 
href="http://gigaom.com/2011/01/26/paypals-mobile-honcho-osama-bedier-jumps-to-google/"&gt;moved to Google&lt;/a&gt;, where he now serves as VP of Payments. Today Google &lt;a href="http://mashable.com/2011/05/26/google-mobile-payment-system-liveblog/"&gt;announced the Google Wallet&lt;/a&gt;, an initiative to bind credit cards and offers to an NFC-enabled mobile phone. Soon after, we learned that PayPal &lt;a href="https://www.thepaypalblog.com/2011/05/paypal-files-lawsuit-to-protect-trade-secrets-a-reason-worth-fighting-for/"&gt;filed a lawsuit&lt;/a&gt; against Google, Bedier and Stephanie Tilenius, accusing them of misappropriation of trade secrets, breach of obligations and interference with contractual relations &lt;phew&gt;. Just as we thought that the week was going to wind down, we get some prime time PayPal and Google action. &lt;o:p&gt;&lt;/o:p&gt;&lt;/phew&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;First, let’s look at the Google announcement. Apart from repeating “innovation” a bit too much, what did we see? Google is partnering with a bank and a card company (MC is definitely going the partnership route, as opposed to Visa) to provide users with an account they can attach a credit card to, and pay with using a tap. For phones without NFC capabilities Google will offer &lt;a href="http://techcrunch.com/2011/05/26/special-stickers-will-bring-google-wallet-to-android-phones-that-lack-nfc/"&gt;an NFC sticker&lt;/a&gt; that you can connect a credit card to and put on your phone to create a wallet-like experience.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Sounds familiar? 
If it doesn’t, it’s probably because you don’t live in Palo Alto and &lt;a href="http://www.intomobile.com/2010/08/25/bling-nation-turns-your-phone-into-an-nfc-credit-card/"&gt;this BlingNation experiment&lt;/a&gt; – powered by PayPal – failed before it reached you. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So what’s really new in the Google Wallet? The way I see it, nothing. Apart from a strong statement from Google that it is betting on NFC, there is not much new here. Google is going the PayPal route of sign-up-and-attach-a-card, which I find &lt;a href="http://techcrunch.com/2011/03/06/payments-apple-google/"&gt;challenging and to some extent futile&lt;/a&gt;, and tying in offers to enable the online-offline connection that is expected to give eCommerce a boost. Are these real problems, unsolved by others, that warrant a major investment in this market? I don’t think so: attaching a credit card to an app is basic functionality, and NFC is admittedly far from prevalent. Still, if you’re Google, creating an offers and payment scheme to drive adoption and use of Android phones while gaining some access to end-customer payments is not necessarily a bad idea; but it’s not “innovation in payments”. If you’re looking for signs either way, check out the pricing scheme that the wallet will offer merchants and conversion metrics: a really innovative solution will either solve the onboarding or payment economics issues, which will be reflected in one of the above. Based on the partnerships Google has come up with, I’m guessing none of these issues has been solved (side note: one of the reasons Square is innovative is because it has a unique signup incentive: catering to a previously underserved industry segment and solving a real pain).&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Should PayPal feel threatened? Absolutely. Although it has a tremendously strong brand and network, &lt;a href="http://fraudbackstage.blogspot.com/2011/04/paypals-weaknesses-and-who-can-exploit.html"&gt;PayPal has its own issues&lt;/a&gt;. 
Losing a products executive like Osama Bedier to a competitor, at such a sensitive time, and when this executive allegedly takes with him actual trade secrets – that’s a potentially big blow. The company is investing a lot of effort in becoming a serious, bank-like financial services company while eyeing retail; since it doesn’t own any hardware platform or direct relationships with a large community of developers, its product roadmap and strategic partnerships are its main assets. Those are the two matters that Bedier has been heavily involved with. The lawsuit acknowledges that and provides a peek into how PayPal approached the mobile payments market (and to what extent it is aware of what’s happening in its employees’ laptops). &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;What does the future hold for mobile payments? Obviously some more vicious fights inside and outside the courtroom. However, the lawsuit exposes how the big players are thinking about payments: a simple product driven by strategic partnerships and very basic economics. I beg to differ, and with me quite a few interesting small to medium startups (&lt;a href="https://klarna.com/en/personal?overlay=true"&gt;Klarna&lt;/a&gt;, where I serve as chief risk officer, is only one of them). I’ll take a look at a few of those in the next few months.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;PS&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Dear clearXchange: really? Three banks partnering to allow the use of an email address or phone number is “an innovative game-changer in electronic payments”? The year 2000 NEVER occurred to you while writing this press release? 
I wonder.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-1416285869059495084?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/1416285869059495084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=1416285869059495084' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1416285869059495084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1416285869059495084'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/05/google-paypal-showdown.html' title='The Google-PayPal showdown'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-1840032641980110935</id><published>2011-05-18T18:26:00.000-07:00</published><updated>2011-05-18T18:26:00.714-07:00</updated><title type='text'>Risk Management for Risky Times - a Deck</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;I'm embedding the slides from a&amp;nbsp;presentation&amp;nbsp;I gave at Amazon lately. 
A great group of professional risk folks!&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="width:425px" id="__ss_8019478"&gt;&lt;strong style="display:block;margin:12px 0 4px"&gt;&lt;a href="http://www.slideshare.net/ohadsamet/risk-management-for-risky-times-8019478" title="Risk management for risky times"&gt;Risk management for risky times&lt;/a&gt;&lt;/strong&gt;&lt;object id="__sse8019478" width="425" height="355"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=riskmanagementforriskytimes-110518202110-phpapp01&amp;stripped_title=risk-management-for-risky-times-8019478&amp;userName=ohadsamet" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed name="__sse8019478" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=riskmanagementforriskytimes-110518202110-phpapp01&amp;stripped_title=risk-management-for-risky-times-8019478&amp;userName=ohadsamet" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="padding:5px 0 12px"&gt;View more &lt;a href="http://www.slideshare.net/"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/ohadsamet"&gt;Ohad Samet&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-1840032641980110935?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/1840032641980110935/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=1840032641980110935' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/650296454261939404/posts/default/1840032641980110935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1840032641980110935'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/05/risk-management-for-risky-times-deck.html' title='Risk Management for Risky Times - a Deck'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2861134108133919269</id><published>2011-05-04T22:03:00.000-07:00</published><updated>2011-05-04T22:03:25.102-07:00</updated><title type='text'>Klarna acquires Analyzd</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Today we've announced that Klarna has acquired Analyzd, our payment risk consulting firm. 
This is an exciting step for me, as I will be assuming the chief risk officer position for a company that I view as a contender for a substantial piece of the international payments market.&lt;br /&gt;&lt;br /&gt;Short term credit is, &lt;a href="http://techcrunch.com/2011/03/06/payments-apple-google/"&gt;from my perspective&lt;/a&gt;, one of the two most interesting approaches to disrupt payments in the next few years and I look forward to developing new ways to grant credit responsibly and accurately and create an unprecedented payment experience for customers, and a super effective checkout for merchants.&lt;br /&gt;&lt;br /&gt;Find the TC post &lt;a href="http://eu.techcrunch.com/2011/05/04/klarna-acquires-analyzd-to-tie-social-to-finance-and-payments/"&gt;here&lt;/a&gt;.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2861134108133919269?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2861134108133919269/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2861134108133919269' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2861134108133919269'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2861134108133919269'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/05/klarna-acquires-analyzd.html' title='Klarna acquires Analyzd'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2756495424143696695</id><published>2011-04-12T21:14:00.000-07:00</published><updated>2011-04-13T18:01:38.530-07:00</updated><title type='text'>PayPal's Weaknesses, and Who Can Exploit Them</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;I'm reposting my TC post. I'd rather have a less controversial title as I think the post itself is pretty balanced.&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="color: #272727; font-style: normal; line-height: 19px;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;2011 is going to be a big year for payments, with more startups and mature companies getting funded in the space than almost ever before. It’s important to make the distinction between the headline chasers, the slow moving giants struggling for a piece of the pie and the companies that have a chance at real disruption. 
For my money Facebook and&amp;nbsp;&lt;a href="https://squareup.com/" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;Square&lt;/a&gt;&amp;nbsp;are both very interesting companies to follow in this space.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;In&amp;nbsp;&lt;a href="http://techcrunch.com/2011/03/06/payments-apple-google/" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;my last post&lt;/a&gt;&amp;nbsp;on TechCrunch I discussed Google and Apple and their efforts around payments, and explained why I don’t yet think they are serious players for the whole payments pie. The post ended with some ideas around what serious contenders could look like, and who are other potential large companies that could step into user-to-user payments. I’d like to expand on that, looking at how the companies above might take advantage of chinks in Paypal’s armor (disclosure: my consulting company,&amp;nbsp;&lt;a href="http://www.analyzd.com/" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;Analyzd&lt;/a&gt;, has done a project with Square in the past).&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;strong style="color: black;"&gt;Paypal’s Weaknesses&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Paypal (eBay’s growth engine) is&amp;nbsp;&lt;a href="http://www.ebayinc.com/press_releases#20110210007076" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;demonstrating strong growth&lt;/a&gt;&amp;nbsp;and evidently still enjoys 
network effects—in many territories its service sells itself to small and medium merchants. Moreover, much like with banks and other financial services companies, people like to complain (&lt;a href="http://www.auctionbytes.com/cab/cab/abu/y211/m03/abu0282/s06" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;about fees, user experience and customer service&lt;/a&gt;) but will not easily migrate to another company just by virtue of marginal improvements. But Paypal is far from untouchable; it has a few flaws that make room for some fierce competition. What are they?&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;First and foremost, Paypal’s service has matured over the last ten years. Product and policy decisions that made a lot of sense in the era of&amp;nbsp;&lt;a href="http://www.amazon.com/PayPal-Wars-Battles-Media-Planet/dp/0974670103" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;“The Paypal Wars”&lt;/a&gt;&amp;nbsp;became structural issues, accompanied by limitations gathered in an attempt to improve profitability and revenue. 
Concepts such as a full redirection to Paypal’s website to make a payment which is still widely required in its most popular small merchant products and the limitations it places on businesses it deems risky (such as&amp;nbsp;&lt;a href="http://www.businessweek.com/smallbiz/running_small_business/archives/2009/08/paypals_reserve_policy_can_disrupt_cash-flow.html" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;rolling reserves&lt;/a&gt;, 10-20% of your volume being held for up to 120 days) create whole segments that are underserved and can be tempted by a new service.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Second, the company is heavily reliant on the existing card association and banking infrastructure. Despite having acquired&amp;nbsp;&lt;a href="https://www.billmelater.com/about/index.xhtml?" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;Bill Me Later&lt;/a&gt;&amp;nbsp;(offering credit on the spot to approved buyers), its payment volume is still noticeably a mix of card and direct bank payments (here’s an old yet still&amp;nbsp;&lt;a href="http://seekingalpha.com/article/80101-paypal-offers-cash-back-to-shift-users-from-credit-cards" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;relevant explanation&lt;/a&gt;). This creates a boundary both on the level of fraud and credit losses it can sustain and (more importantly) on its pricing. Paypal is left struggling with getting more people to pay with a bank account (and, given Bill Me Later, more and more using credit products) or it’s forced to skim a few basis points on top of card fees. 
This is one main reason why small merchants start with Paypal, but then graduate out of the system and move to a full merchant account where they can work directly with card products and other,&amp;nbsp;&lt;a href="http://feefighters.com/paypal-calculator" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;lower fee&lt;/a&gt;&amp;nbsp;payment options.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Third, Paypal is very much U.S.-centered in both infrastructure and process. It has definitely gone global, with good presence in Europe and Asia, but its hold of the market is much less obvious in these territories. Other countries have significantly different regulatory challenges and sometimes completely different payment processes and preferences (Germany&amp;nbsp;&lt;a href="http://www.donnellyspire.com/research/credit-card-usage-in-germany/index.php" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;is a good example&lt;/a&gt;); a few ongoing issues (most recently&amp;nbsp;&lt;a href="https://www.paypal-apac.com/india/" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;in India&lt;/a&gt;) have demonstrated that being based in the U.S. is not always an advantage. Becoming a truly international organization, with a distributed work force adapting or (in some cases) rebuilding the product creatively to match the local market is a daunting challenge for many companies.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Finally, with size comes the innovator’s dilemma which hinders Paypal’s ability to bet on small and evolving markets, resulting in the company being late to the game. 
We need to take this one with a grain of salt, though—Paypal is&amp;nbsp;&lt;a href="https://www.thepaypalblog.com/2011/03/paypal-honored-as-fast-company%E2%80%99s-top-innovator-in-finance/" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;investing in user experience and technology&lt;/a&gt;, and through sheer size can reclaim market share even when it is a late entry. However, a wide consumer base is not as large an advantage as it once was when new consumer (web or mobile) products gain immense amounts of traction within weeks and months and other innovative consumer companies with a shorter history are eyeing the space.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;And so, competition for Paypal’s lead position can come from two types of players: the first and obvious one is a consumer brand that has a trusted relationship with a massive user base; the second is a company rooted in an underserved segment of the market, preferably out of the U.S., and does not build on the usual card-and-bank infrastructure (or worse, on carrier billing or some other secondary derivative).&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;strong style="color: black;"&gt;Facebook’s Social Advantage&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Facebook is a good example of the first type of player. Why them and not Google or Apple, which I’ve discussed in my previous post? 
All three have a wide user base, have experience with some sort of payments, and are faced by the same challenges. Why is Facebook different? First, Facebook signaled it wants to play, at least to some extent, with its&amp;nbsp;&lt;a href="http://www.quora.com/Will-Facebook-acquire-a-payments-gateway-in-2011-and-if-so-which-companies-are-on-its-Top-3-list-and-why" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;new Facebook payments subsidiary&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Second, of all the large companies it not only has the largest, most diverse and global user base, it also has a rather clear identity strategy that extends beyond their website and is based on real information. This is a critical element in payments today. The ability to control identity isn’t the be-all and end-all of payments (spam, abuse and fake accounts on Facebook prove that) but if enforced properly it will provide a good enough basis for seller and consumer risk management.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Third, while Google and Apple have built their ecosystems and added payments to them to facilitate the type of commerce they required, nothing is a more natural extension of social interaction than adding payments to the mix. Payments and commerce are by their very nature social transactions. 
&amp;nbsp;From the user perspective, Facebook moving into payments is an easy to comprehend progression, and the social graph can easily add relevant reputation to boost the feeling of trust.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Where is Facebook aiming to be and where can it fit? While currently it is clear that the company is aiming at social games—a high margin industry it understands and could use as a classroom to learn about payments—it can go way beyond that. As I noted above, Paypal has a merchant graduation issue that is clear from its fee structure; when you grow beyond a certain point, a merchant account is better than a Paypal account if only for the costs, even given the need to manage risk management yourself.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;While Facebook may not be able to solve the cost problem that’s limiting Paypal, it can provide large merchants with a different incentive—a huge, diverse, captured audience—which translates into conversion heaven. With its growing experience in ad targeting and more users moving to Facebook messages, Facebook can create unique marketing opportunities for merchants that integrate Connect. &amp;nbsp;Payments are the next logical step—all through one simple integration. Getting those merchants on board and using Facebook Credits as a universal form of payment will drive enough users to attach cards and bank accounts to their Facebook account. 
&amp;nbsp;That could pose a huge threat to Paypal, and strongly limit its opportunity.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;strong style="color: black;"&gt;Square: Going For The Mobile Wallet&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Square comes to mind as a good example of the second type of player, however its case requires some explaining. Square seems to be a consumer-mobile-focused payment system for offline payments using cards, kind of a well-designed poor man’s POS (point of sale system). But look deeper: what I find super interesting is not the payments small sellers and retailers are receiving through credit cards. This is a necessary evil. What’s interesting to me is what these users then do with this money they have in Square’s system—currently deposited to their bank accounts, but which can potentially stay with Square and be used as a low cost funding source.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;It’s a little farfetched, but Square may be onto a very creative way to tap into payrolls—effectively becoming the one real mobile wallet—by meeting the money spent by consumers at the point of sale and providing better ways to spend it directly from your Square account. 
The result will be an ecosystem which you enter with a credit card payment, but then never use that card again.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;If everyone has a mobile phone with a Square app, wide payment acceptance is just one tap (or bump) away, and with fees more befitting cash than cards. This direction can also explain why&amp;nbsp;&lt;a href="http://techcrunch.com/2011/02/22/mobile-payments-startup-square-ups-the-ante-drops-transaction-fee-for-businesses/" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;removing the fixed portion&lt;/a&gt;&amp;nbsp;from their card fees makes sense—a loss leader used to pump huge amounts of cash from small retailers into their Square balances. This is the power of going after payroll. From the financial perspective, if Square keeps its current fee structure, it remains competitive with merchant accounts for anything under $15-20 (see Feefighters’ handy calculator&amp;nbsp;&lt;a href="http://feefighters.com/square-calculator" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;here&lt;/a&gt;) and with Paypal on even larger average transaction sizes (anything under $35, even for Paypal’s&amp;nbsp;&lt;a href="https://www.paypal.com/cgi-bin/webscr?cmd=_display-receiving-fees-outside" style="color: #009f00; font-weight: bold; text-decoration: none;"&gt;most competitive fees&lt;/a&gt;).&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 19px; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 1em;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;While Square needs to drive down costs further to become more interesting for the larger retailers, it’s definitely compelling for exactly the population that might then spend money directly from its Square balance and build its wide user base, 
namely the small retailers and occasional sellers. To those people, Square is also offering a quick way to accept credit payments that may not have been paid otherwise and a superior user experience, both strong drivers for adoption that can be more important than fees in the short term.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2756495424143696695?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2756495424143696695/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2756495424143696695' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2756495424143696695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2756495424143696695'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/04/paypals-weaknesses-and-who-can-exploit.html' title='PayPal&apos;s Weaknesses, and Who Can Exploit Them'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-928622264268192982</id><published>2011-04-07T14:51:00.000-07:00</published><updated>2011-04-07T16:37:48.432-07:00</updated><title type='text'>Why PayPal should buy WePay</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span 
class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span style="color: black; font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;Last week a big discussion broke out on HN about&lt;span class="apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="http://news.ycombinator.com/item?id=2396722"&gt;WePay's last prank&lt;/a&gt;. This isn't their first - they pulled one on PayPal in the latter's X conference last year, winning them&lt;span class="apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="http://techcrunch.com/2010/10/26/wepay-ice-paypal/"&gt;TechCrunch fame&lt;/a&gt;&lt;span class="apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;and some resumes of disgruntled PayPal workers.&amp;nbsp;This last prank, however, started a discussion about who WePay was, what their credibility is, and should we trust "these guys" with "our money". I don't think that's the question at all, since most of the participants in the discussion haven't and will not use WePay; WePay is not targeting them. What I think is the question is - when will PayPal step up and acquire WePay in a talent acquisition.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span style="color: black; font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;It's not a secret that PayPal is having a hard time to hold on to middle-level technical talent. 
Over the years, there have been multiple exoduses - most notable (in my time) to LinkedIn in 2008 and to FaceBook's Risk and Payments teams in 2009 (&lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;cd=2&amp;amp;ved=0CCAQFjAB&amp;amp;url=http%3A%2F%2Fgigaom.com%2F2011%2F01%2F26%2Fpaypals-mobile-honcho-osama-bedier-jumps-to-google%2F&amp;amp;ei=xDCeTfS6Hof5sgaBhIXrAQ&amp;amp;usg=AFQjCNFVxqiVGyvqlmz7BtZdD4vSSo4uZA&amp;amp;sig2=VxglwKNe6b9jLZ-W_kmZWg"&gt;not to mention Google this year&lt;/a&gt;). I'm not talking about poaching - simply people changing companies since senior managers they believed in moved. Looking at open positions at PayPal it seems like some of them take many months to fill up, and some of them never meet the original requirements; and since hiring out of college to key positions is out of the question, PayPal is left in a growing problem.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span style="color: black; font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;WePay has taken on itself to build an ACH-based payment product that can compete with PayPal, but building a network of dedicated payers is a hard business. It's growing, but not exploding, and without a viral product or a strong distribution channel it's hard to see it growing exponentially to a point where it can really compete. 
You can say it's a product market fit thing but from my point of view, it just seems like WePay has entered a field where I think others (&lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;cd=1&amp;amp;ved=0CB0QFjAA&amp;amp;url=http%3A%2F%2Ftechcrunch.com%2F2011%2F03%2F06%2Fpayments-apple-google%2F&amp;amp;ei=5TCeTbumIJDIswaY7dWLAg&amp;amp;usg=AFQjCNFgX-itJYmmRWkdicHGAyw54bu49Q&amp;amp;sig2=VrjGwI-nsfRGL0yTSyjUjw"&gt;like Apple and Google&lt;/a&gt;) will have a hard time competing in, and without the heavy guns. But they have built a payment product from the ground up and created an experience that is at least at par with some of the better payment experiences that are out there. This is something they need to be recognized for.&amp;nbsp;In addition, the acquirer gets a closely knit team that is connected with the younger crowd in the valley, has been around in hackathons and meetups, and can help invigorate a product organization. Plus, if that's PayPal, they get Aleksey Sanin (ex Lead Architect) back in the team.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span style="color: black; font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;So on one side we have a team that delivered on a complex product within a decent number of years and could be a player in the market if it wasn't so heavily dominated by stronger consumer brands. On the other hand we have a juggernaut that's struggling to get young talent in its hallways to rethink some of the more innovative parts of its product. 
A match made in heaven!&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0cm;"&gt;&lt;i&gt;&lt;span style="color: black; font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;(Although I have briefly worked with Aleksey and met Bill in a meetup or two, I am not affiliated with either company in any way. This is my free advice and two cents ;) )&lt;/span&gt;&lt;/i&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-928622264268192982?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/928622264268192982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=928622264268192982' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/928622264268192982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/928622264268192982'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/04/why-paypal-should-buy-wepay.html' title='Why PayPal should buy WePay'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3048905256626532851</id><published>2011-03-28T14:54:00.000-07:00</published><updated>2011-03-29T05:11:46.402-07:00</updated><title type='text'>The payment market is in replay mode</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;I sometimes stand dumbfounded at how history tends to repeat itself. Seems like no-one in the leading banks and card companies and their peers has had the time to read and process archives about the emergence of Paypal, and what happened to its competitors.&lt;br /&gt;&lt;br /&gt;I am not a blind Paypal fan - the service has flaws and the payments market is ripe for disruption - but the recent announcement from&amp;nbsp;&lt;a href="http://venturebeat.com/2011/03/28/american-express-launches-digital-payments-platform/"&gt;AmEx&lt;/a&gt; just goes against reason (for some more material about other companies going after payments, see &lt;a href="http://techcrunch.com/2011/03/06/payments-apple-google/"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Let's look at the case in hand: there's a gorilla in online payments, called Paypal. It has 90 million active users it acquired with hard work, hundreds of millions of dollars and riding eBay's success in the days when "viral marketing" was still called "email campaigns". To get its initial traction Paypal had to offer $10 per user referral, &amp;nbsp;a brilliant and costly move, and to get users to add their low cost bank accounts to their Paypal accounts it needed, and still needs, to force all kinds of limitations and verification schemes on its users. 
Still, Paypal struggles with high card payments volume and, to this day, has not had a single mass-traction product which encouraged users to actually keep money in their accounts.&lt;br /&gt;&lt;br /&gt;In come the above. They look at the online payments market, look at Paypal, see what it takes to grow a customer base and get them to attach a financial instrument to an account, and what do they do? They create an online account, which takes 3 pages to sign up to, and which then asks you to attach a card or bank account - and without any built-in virality. I am completely in awe of the reasoning that has gotten serve.com up and running other than "let's copy Paypal and wish for the best". If someone sees something here that I am missing then please, enlighten me.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3048905256626532851?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3048905256626532851/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3048905256626532851' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3048905256626532851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3048905256626532851'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/03/payment-market-is-in-replay-mode.html' title='The payment market is in replay mode'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3461798187290398672</id><published>2011-03-14T07:30:00.000-07:00</published><updated>2011-03-14T07:30:00.868-07:00</updated><title type='text'>Knowing where you're going: roles in payments and how your company fits in</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Several months back I wrote about &lt;a href="http://fraudbackstage.blogspot.com/2010/09/why-dont-you-become-payment-provider.html"&gt;archetypes of players&lt;/a&gt; in the payments ecosystem. The post got some replies that objected to its proposed division of the ecosystem for various reasons; the most common one of all were those that cited regulatory and legal definitions as ones that determine who you are and what role you play. However diving into these details takes attention away from the most important parts, in my opinion - my post was aimed at categorizing business model and market approaches. Those, and not your PCI/DSS or money transmitter status, define your product needs, the brand you build and ultimately your market.&lt;br /&gt;&lt;br /&gt;The confusion is apparent when talking to payments-related startups. As I like to say, moving money out of one's hands is a commodity and building a bi-directional network of sellers and buyers is a huge undertaking. And still, many startups that develop incremental improvements for the current process insist that they are going to compete with PayPal. 
If that's your way of showing commitment to a goal, maybe it's a reasonable tactic; but trying to "compete with PayPal" as a default in payments creates a distraction that may prevent you from realizing the real benefits of your business.&lt;br /&gt;&lt;br /&gt;For example, do you think you can create the ultimate payment experience for a type of product (most popular are mobile and micro payments)? Realize that by virtue of simplifying the flow and integration you are not creating the foundations of a network - you are creating an engagement driver. Trying to sign sellers and buyers on to demonstrate superior conversion and ease of use, then being sold to a larger company (think &lt;a href="http://www.jambool.com/"&gt;Jambool&lt;/a&gt;) is a viable strategy - and a completely different one than creating your own payment network. Bling Nation is demonstrating how hard, frustrating and capital-intensive such an attempt is, and I am not sure they are winning it.&lt;br /&gt;&lt;br /&gt;Another one: do you have a new technology that allows an easy addition of NFC capabilities to existing POS systems? That's a neat solution to an adoption issue that many companies will be interested in; however, again, building a payment experience to try and capture a piece of the pie would be the wrong way to package your solution. You do not have to turn into a technology vendor, but deciding to build your own network is a diversion that will cost you your focus and a lot of money.&lt;br /&gt;&lt;br /&gt;All of the above does not mean to say that starting a payment network is not something to be done, nor does it imply that you cannot use some other company's infrastructure if you want to be successful in payments. What you need to do is understand what role you can, want and should play in payments and use it to direct your product strategy. 
Diving head on into the business of building networks is an unnecessarily automated decision that can turn a potential money making machine into a very effective capital incineration one.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3461798187290398672?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3461798187290398672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3461798187290398672' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3461798187290398672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3461798187290398672'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/03/knowing-where-youre-going-roles-in.html' title='Knowing where you&apos;re going: roles in payments and how your company fits in'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5827791675764843568</id><published>2011-03-09T13:52:00.000-08:00</published><updated>2011-03-09T13:52:23.273-08:00</updated><title type='text'>While trying to go after Square, VeriFone shows its lack of mojo</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;i&gt;"&lt;/i&gt;&lt;span class="Apple-style-span" style="color: 
#444444; font-family: Arial, 'Helvetica Neue', sans-serif; font-size: 15px; line-height: 19px;"&gt;&lt;i&gt;THIS JUST IN: YOUR SERVER AT A RESTAURANT CAN STEAL YOUR CC#, CCV and EXP!!!!!" @ethank&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif; font-size: 15px; line-height: 19px;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;Public blows to competitors' brands are acceptable, especially if you're a long time contender who sees its lunch being taken away by a 2-year-old hyped newcomer. But the only thing VeriFone managed &lt;a href="http://techcrunch.com/2011/03/09/verifone-takes-the-gloves-off-accuses-square-of-serious-security-hole/"&gt;to do today&lt;/a&gt; is hurt its own brand; its focus on obscure security issues exemplifies how unversed it is in building a proper payments brand, the application it built raises ethical issues that their shareholders should be worried about and - last but not least - it managed to do it all without style.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;And style, anyone at Square will tell you, is key for building a brand in payments.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span 
class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;The only thing VeriFone might be able to do is raise some concerns with card associations. However, since Visa has &lt;a href="http://blog.visa.com/2011/02/14/emerging-payment-types-new-opportunities/"&gt;openly endorsed&lt;/a&gt; the Square model, this too seems like a dead end. It's not that Square cannot face trust issues, and I &lt;a href="http://fraudbackstage.blogspot.com/2009/12/payments-start-from-square-one.html"&gt;have covered that&lt;/a&gt; in the past - but nothing is really incremental to existing setups.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;I suggest VeriFone focuses its efforts on building a truly compelling payment solution and compete for the attention of customers. 
That, and getting some &lt;i&gt;tigerblood&lt;/i&gt; won't hurt either.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 19px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5827791675764843568?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5827791675764843568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5827791675764843568' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5827791675764843568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5827791675764843568'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/03/while-trying-to-go-after-square.html' title='While trying to go after Square, VeriFone shows its lack of mojo'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-940063651978600933</id><published>2011-03-07T08:30:00.001-08:00</published><updated>2011-03-07T08:30:54.055-08:00</updated><title type='text'>Apple, Google and the future of the payments market</title><content type='html'>&lt;div 
dir="ltr" style="text-align: left;" trbidi="on"&gt;A post I wrote about domination of the payments market and the largest players in it is live on TechCrunch (&lt;a href="http://techcrunch.com/2011/03/06/payments-apple-google/"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Happy reading!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-940063651978600933?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/940063651978600933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=940063651978600933' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/940063651978600933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/940063651978600933'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/03/apple-google-and-future-of-payments.html' title='Apple, Google and the future of the payments market'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-9193571218897784051</id><published>2011-02-07T11:54:00.000-08:00</published><updated>2011-02-07T11:54:53.247-08:00</updated><title type='text'>Fraud prevention for small merchants - an interview</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span 
class="Apple-style-span" style="color: #333333; font-family: Arial, Helvetica, 'Nimbus Sans L', sans-serif; font-size: 13px; line-height: 15px;"&gt;Last week I gave an interview at&amp;nbsp;&lt;a href="http://www.ecommerceangles.com/"&gt;http://www.ecommerceangles.com&lt;/a&gt;, a blog dedicated to small merchants. I really like this market and I also think Mike is doing an amazing job maintaining this blog and creating quality content (and since his readership is growing fast, I believe this potential is not overlooked by merchants!).&lt;br /&gt;&lt;br /&gt;Will be happy to hear your opinions about my answers to Mike's questions, &lt;a href="http://ecommerceangles.com/fraud-prevention-for-small-merchants-an-interview-with-ohad-samet-vp-analytics-at-analyzd-industry-expert-in-fraud-and-risk-management/"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-9193571218897784051?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/9193571218897784051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=9193571218897784051' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/9193571218897784051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/9193571218897784051'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2011/02/fraud-prevention-for-small-merchants.html' title='Fraud prevention for small merchants - an interview'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-1366070182384442540</id><published>2010-12-14T11:20:00.000-08:00</published><updated>2010-12-19T22:40:07.789-08:00</updated><title type='text'>PayPal Digital Goods Risk Management Talk is Live</title><content type='html'>I gave a risk&amp;nbsp;management talk with a few other risk experts in PayPal's Innovate convention last October. The video is now live and can be found &lt;a href="http://www.youtube.com/watch?v=FgjSiTg5UTM"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There is also a risk best practices guide I put together with Mike Liberty from PayPal's risk management team, and can be found &lt;a href="https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_digital_goods_fraud_prevention.pdf"&gt;here &lt;/a&gt;[Careful - PDF!]. 
Mike is, among other things, in charge of risk management for digital goods and is doing an impressive job.&lt;br /&gt;&lt;br /&gt;&lt;object height="385" width="480"&gt;&lt;param name="movie" value="http://www.youtube.com/v/FgjSiTg5UTM?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/FgjSiTg5UTM?fs=1&amp;amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-1366070182384442540?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/1366070182384442540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=1366070182384442540' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1366070182384442540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1366070182384442540'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/12/paypal-digital-goods-risk-management.html' title='PayPal Digital Goods Risk Management Talk is Live'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2614674211259106887</id><published>2010-10-30T15:54:00.001-07:00</published><updated>2010-10-30T15:54:56.075-07:00</updated><title type='text'>Merchant fraud: a Nasty Little Secret</title><content type='html'>&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Over the years we’ve been accustomed to talking about risk from buyers. The paradigm was simple: established and new businesses go to ecommerce to go global, expand reach and sell more conveniently to multiple buyers. Since this is a card-not-present transaction, the retailers are liable for risks of chargebacks and other types of complaints, and they need to protect themselves from fraudulent buyers, flakes and defaults. The barrier to becoming a merchant was pretty high almost everywhere – getting a merchant account required interaction with a bank and documents that at least looked real. The strain in this process meant that becoming a merchant was not a scalable operation for fraudsters who were looking to make a quick gain; buying multiple stolen credit cards and running them through retail websites was much easier. Sure, there were fraudulent sellers on eBay but that was a rather contained phenomenon. This is not the case anymore.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;With the appearance – or should I say reappearance – of marketplace models, merchant/vendor fraud is quickly becoming a very profitable operating model for fraudsters. 
Companies that enable commerce around tangible goods (Etsy, PayPal, Square), services (AirBnB) or digital goods (Apple and many others) attract many new businesses that wouldn’t have existed otherwise since they wouldn’t have crossed the barrier to getting a merchant account, for various reasons. While mostly the reason is prohibitive cost (if you’re an iPhone app developer, it’s not cost effective to start a company and build your own capability to acquire payments), to some extent it is also because they sit at, and sometimes much below, the lower bound of credit score and history needed to establish a merchant account. And while these marketplaces and ISOs are doing an amazing job of enabling new commerce activity, they are also very exposed: being an intermediary, they are exposed to disputes and chargebacks, and must support a dispute process that can be very costly – not to mention brand problems if their merchants are not sporting good business practices. This, and not consumer fraud and risk, is the issue of current ecommerce – and it’s a growing one. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;So how do you control the risk from merchants and vendors? 
Here are three initial thoughts to get you started:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="direction: ltr; margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: left; text-indent: -.25in; unicode-bidi: embed;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;1.&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Identity: you don’t want to push potential merchants away, but basic identity verification and authentication should be imposed so that they can get through the door. Don’t wait until it’s too late – real merchants should be proud of their brand identity and be able to prove it exists, as well as show themselves as individuals. 
This doesn’t necessarily mean doing a credit pull; it does mean making sure that their address exists, that their name is real, that their credit card works and that their domain hosts a website that looks like more than a template.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="direction: ltr; margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: left; text-indent: -.25in; unicode-bidi: embed;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;2.&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Velocity: one of the most concerning aspects of the ability to easily establish a merchant/vendor relationship with marketplaces is that returning fraudsters have a ball. Opening an account, making a few sales, then not delivering, then repeating this in a new account is very common. 
Identifying significant links between accounts and acting on them to prevent a group of fraudsters from scaling is thus one of the most important aspects of merchant fraud prevention.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="direction: ltr; margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-align: left; text-indent: -.25in; unicode-bidi: embed;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;3.&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span dir="LTR"&gt;&lt;/span&gt;Holds and graduation: while I’m not a big supporter of the escrow/delayed disbursement model, because of the limitation it places on legitimate businesses’ cash flow, it’s obvious that in many cases (especially in cases of delayed fulfillment) you need to be protected. The best advice in this case is to avoid using holds and delayed disbursements as a blanket policy for all new merchants. Limitations should be correlated with risk level – based on transaction velocity, history, authentication level, industry and more. Tying limitations to a defined “graduation” process that in turn provides added benefit for the merchant is my personal favorite since it brings added value that compensates for the burden of coping with the limitation.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Merchant fraud is a complex issue but a few simple steps can go a long way for managing it correctly. 
The most important thing is thinking these things out before you start course-correcting in the midst of a fraud breakout case – that’s when the worst decisions are being made and your legitimate merchant population will suffer greatly.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Interested in merchant fraud? Looking to get more help in thought and implementation? Schedule an assessment with us through &lt;a href="http://www.analyzd.com/assessment/"&gt;this page&lt;/a&gt; today!&lt;/span&gt;&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2614674211259106887?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2614674211259106887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2614674211259106887' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2614674211259106887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2614674211259106887'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/10/merchant-fraud-nasty-little-secret.html' title='Merchant fraud: a Nasty Little Secret'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-4901959046883775112</id><published>2010-10-20T00:23:00.000-07:00</published><updated>2010-10-20T00:23:58.992-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud c2b online ecommerce nigeria cell mobile payments'/><title type='text'>Smart risk management: why the "factory" approach could bring you down</title><content type='html'>&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;If you deal with payments in any shape or form, you know you’re going to end up with a “risk management” team. A lot of times it creeps up on you: volume picks up and so you know you need someone to look at orders. If you’re running a small shop it’s most probably going to be you, but a lot of companies just hire one or two folks. These people use whatever tool you have to look at transactions – most times a customer service tool – and make up their technique as they go. With time, and sometimes with chargebacks coming in, you realize that your few analysts can’t review all transactions, so you turn to set up a few rules to make queue and transaction hold decisions. Since your analysts are not technology people you resort to hard coding some logic based on a product manager’s refinement of the analysts’ thoughts, again based on a few (or many) cases they’ve already seen. Not a long while passes, and you realize that the analysts are caught in a cat and mouse game where they try to create a rule to stop the latest attack that found its way to the chargeback report, and put a lot of strain on the engineers who maintain the rule-set. 
Even after coding some simple rule writing interface the situation isn’t better since the abundance of rules creates unpredictable results, especially if you allowed the rules to actually make automated decisions and place restrictions on transactions and accounts. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;It’s at this point that you realize you need a statistician to run regressions, so you bring someone in. Hopefully, you have enough of a data set for them to create a decent regression model, and you can just get anyone off the proverbial street since regression is a very common tool. The statistician comes on board and creates a model that has industry standard false positives, let’s say 80%. Your review volume grows with transaction volume and you have to hire even more analysts and customer service folks to deal with complaints by legitimate customers – makes sense, since placing restrictions with 80% false positives will get you a lot of incoming calls. Then you discover that the regression model’s effectiveness degrades pretty quickly since they’re trying to predict what transaction will get a chargeback, but there are multiple reasons for getting a chargeback, making it harder to predict correctly. You then also discover that to create an updated regression model you need to wait for most of the chargebacks to come in so you’d have a good enough set of problematic transactions, meaning that you have at least 3 months’ lead time before a new process can be kicked off. That’s, of course, given that you have engineers on board to code the model. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Next thing you do is buy fraud prevention tools to add to your modeling power; you start creating black lists of IPs and Emails to mark problematic transactions. This improves things a bit but leads to additional false positives since people share resources. You consider buying a platform to manage rule and model deployment but decide that cost is prohibitive and generally, it looks like risk management is taking over your dev resources. So you decide to hire more analysts to do manual reviews, and a product manager to decide on the rule and model roadmap, and a risk operations manager for the growing group of analysts, and a head of risk. The rules and models you already have in place are blocking so many transactions you start to wonder if they’re not slowing down your growth instead of helping you protect your business. It looks like risk is managing you.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;There’s something wrong with this model. 
Sure, some of what I’m describing makes sense for a company that’s just starting out, but getting caught in the factory approach to risk management is a huge burden in later stages, one that can be prevented by realizing that risk management is just one of a series of classification and inference questions a company needs to deal with, and that those require a different way of upfront investment in building a team.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;I had two very interesting conversations about this very subject last week with two very inspiring people, but there’s one thing I remember a colleague telling me a few months back when they took a new job. The person insisted on being responsible not only for the new company’s risk management efforts, but also generally for their data and business intelligence. That was based on the same understanding: with the abundance of data created by organizations’ activity, all attempts to organize that data and make sense of it should be bound together. It doesn’t matter whether you’re qualifying leads, improving conversion or reducing fraud – you’re dealing with users and their actions, and how automated decisions impact them. It is the practice of making sense of data, and it transcends using data to control the experience of bad users. 
Once you realize that, you start demanding more of your analysts: that they be technical, know how to generalize on trends beyond targeted rules, become &lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;sources of truth&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;. You understand that off-the-shelf regression cannot be just carried between domains without adjustment. You build a system that can correct itself. And with that, you &lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/11/a-team-building-best-risk-management.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;create a team&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt; that can win risk, and do much more than that: &amp;nbsp;develop &lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/04/that-one-small-detail.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;data sources&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;, identify trends in &lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2010/01/too-much-information-you-may-just-have.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;huge data sets&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;, and reach actionable insights that transform the way you work with your users, both fraudulent and legitimate. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;What’s missing? I think there first needs to be a critical mass of people dealing with data in a way that sees beyond “&lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2010/09/data-myths-misconception-of-intuitive.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;intuition&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;” but doesn’t get lost with over complicating inference using huge data sets. It takes time for these people to develop skill and want to continue solving difficult problems; my analysis group had less than 20 people in it and a good part of them have had enough of payments risk and classification for the rest of their career. I’m not even mentioning starting a company. 
But when you start a risk or data team, make sure you seed it well, or you’ll find that the bad start costs you a lot more money and effort than you have planned.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-4901959046883775112?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/4901959046883775112/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=4901959046883775112' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4901959046883775112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4901959046883775112'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/10/smart-risk-management-why-factory.html' title='Smart risk management: why the &quot;factory&quot; approach could bring you down'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5659981253699565738</id><published>2010-09-29T22:03:00.000-07:00</published><updated>2010-09-29T22:03:51.869-07:00</updated><title type='text'>Data Myths: The Misconception of Intuitive Decisions</title><content type='html'>&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: 
Arial, Helvetica, sans-serif;"&gt;A lot of the discussions I hear about data and analytics revolve around what and how to measure, and many interesting startups deal with creating new data sources. We deal with clicks, interactions, graphs, heat maps and surveys. We look at networks, assess nodes and links, and analyze service providers and browser information. We create masses of (often useful) information – but what do we do to organize and make sense out of it? While measuring and tracking is important, excess data can drive people to either give up on using it completely, or turn to use complex, sometimes very unfriendly analysis tools that require a lot of effort and ramp up time. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;The most common claim by those who give up on using data is that talent or experience replaces data with “intuition”, and the rest of us should succumb to the wisdom of those who have good intuition. Indeed, it is mind boggling to work with highly talented people that seem like they can make correct decisions in a split second, without really being able to articulate their decision (“I just know!”). But what is this intuition? Actually, it is far from something supernatural. 
As discussed in research, intuition is a result of micro-learning that one might not be able to articulate, since it differs from standard and identifiable learning setups (read more in Matthew Lieberman’s paper &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.google.com/url?q=http://citeseerx.ist.psu.edu/viewdoc/download%3Fdoi%3D10.1.1.118.72%26rep%3Drep1%26type%3Dpdf&amp;amp;ei=HcSNTOjGN5PCsAO3rYGvBA&amp;amp;sa=X&amp;amp;oi=unauthorizedredirect&amp;amp;ct=targetlink&amp;amp;ust=1284360997911848&amp;amp;usg=AFQjCNHRRSuyUMRJzaXenLcWSs1EGtdMEw"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;. Careful, PDF for download!). We learn from examples, often unconsciously, and the result is intuition that seems to transcend logic.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Furthermore, since intuitive decisions are usually taken under stress, they often have a positive effect in preventing decision biases that arise when you rationalize or over-analyze your decision. I really like the Cook County Hospital example from &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.gladwell.com/blink/index.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Blink&lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt; since it’s a great case of how a succinct procedure, applied by experts, removes the potential bad effects of excess data and over-thinking. 
And lastly, like in everything else, there are people who are better at this learning than others; they “see the matrix”, so to speak, and understand patterns better than the rest of us. But intuition is hard to quantify, and finding people who can both understand patterns and articulate them in a way that makes sense is very, very hard even for experienced modelers. Getting the “I just know” mantra is much more prevalent than finding an expert you can use, and the result is that such real intuition is often either lost or applied only by a few that are well capable, if they are lucky enough to get into influential roles.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;How do you find the right people to approach data “intuitively”, but at the same time be able to articulate what they understand? I suggest you start with your customer service reps. Generally speaking, if you want to learn about customer behavior you talk to the people who talk to them on a daily basis (and make sure that &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.quora.com/Which-companies-invest-in-new-employee-training-and-on-boarding?q=training+employees"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;all of your people do&lt;/span&gt;&lt;/a&gt;&lt;span style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;) – obviously – but day to day interaction with users causes reps to develop keen insight, intuition, as to what this customer will do next. Granted, not all of them get it and certainly not all of them can translate that into actionable patterns – but some do. And those that do are your key to making sense of data quicker and in an actionable way. 
Translating this knowledge into automated, actionable insights, however, is a completely different issue.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5659981253699565738?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5659981253699565738/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5659981253699565738' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5659981253699565738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5659981253699565738'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/09/data-myths-misconception-of-intuitive.html' title='Data Myths: The Misconception of Intuitive Decisions'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-4847057462078474218</id><published>2010-09-21T13:19:00.001-07:00</published><updated>2010-09-29T21:49:54.439-07:00</updated><title type='text'>Why don’t you become a payments provide – Part 2 – Niches and Networks</title><content type='html'>&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;Previously 
on “Why don’t you become”&lt;/span&gt;&lt;/i&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt; (&lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2010/09/why-dont-you-become-payment-provider.html"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;here&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;): people put their money in &lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;wallets&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt; (be those banks, or just stashes)&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;.&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&amp;nbsp;&lt;b&gt;Methods&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;then pierce a hole in these wallets and create a widespread network that allows money to be transferred easily (cash in the stash case but we also have credit, electronic checks, credit cards and mobile phones. I don’t mean carrier billing – but rather those that replace the card using a chip and NFC or similar technology). 
&lt;b&gt;Networks&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;then put buyers and sellers together and manage the relationship with and between them; &lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;engagement drivers&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt; build on top of methods and add an improved interface for better conversion.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;Of course there’s mobility between types and it’s also clear that people who are doing X are sometimes actually trying to get to Y; Zong is my usual favorite example with their attempt at moving from being an engagement driver (mobile payments for games at a very high rate due to carrier fees) to Zong+, a direct relationship with the customer and their funding instrument of choice. But why haven’t more companies gone that route? 
Some companies might be waiting for a certain stage (Boku might be waiting for wider acceptance, as I learned from P.), but most don’t because it’s really that hard to create an actual, viable payments business.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;Risk management is a huge issue that can make or break a company, but for the benefit of this post I won’t delve into it – there’s enough about Risk in other posts. The two other things I stated &lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/12/payments-start-from-square-one.html"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;in this post&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt; are simplicity and new volume. You identify an unmet need and you answer it with an innovative, easy to use solution – you find a sustainable niche that is your core strength while you expand your business. It’s clear why payments for games, offers and carrier-billing-based payments are having troubles becoming more than engagement drivers (I like offers, but do not see these companies evolving into the next PayPal): their existence is a function of a niche that’s shrinking as the industry that defined it matures, and their business models, unless changed, are only sustainable within that niche. When limited like that, your ability to actually own a relationship with a user base is greatly diminished because your business model is only relevant in that niche. 
As an example, a 30% take rate in exchange for full fraud protection will only fly when your customers have a 95% margin; and as user acquisition and retention costs rise and people in games learn how to do analytics, the math stops working. So you can end up being bought in Google’s shopping spree, which is NOT a mere feat but will not make you the next PayPal; and performing the way customers in other segments expect you to is difficult. This is, obviously, why I’m so excited about Square now that I’ve learned more about it: a new underserved market segment that adopts an easy way to conduct business is a great user base to build on further. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;But there are two other issues that PayPal had to deal with when it grew, that could fail other companies: compliance – the reason that PayPal (and not only PayPal) has to be a bank in Europe and something I won’t discuss in this post – is one; the other is the lack of networks to expand on.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;A sustainable niche to start with and a business model that can expand are important, but having the infrastructure for expanding payment 
services is crucial. Early in its time PayPal realized that in order to maintain growing margins it needs to get people to add and use their bank accounts. The struggle to get that to happen is described in the otherwise difficult to read “The PayPal Wars” and doesn’t even cover 10% of it. So PayPal ends up with a highly useful way of using the stone-aged batch ACH processes to drive bank payments – but that’s not a network nor is it intended to be one – it is a unique capability that PayPal built for itself. Actually, the only two available network infrastructures are cash and credit card. Sure, controlled by a centralized entity and require killer fees, but commoditized, widely acceptable and easy to use. So if you want to pierce another hole in the wallet you have to do it yourself instead of working with a network; the one company that was close to creating a lower-cost credit network (Bill Me Later) was rightfully snagged by PayPal, and there’s no general solution for mobile payments – mobile payment companies are integrating with operators one by one. So to make worthwhile margins you either need to wait for a &lt;b&gt;method&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;(see why I like the idea so much?) or build something yourself. And that’s a whole new pain. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;So – a viable niche to start from and real expansion capabilities is what you need to have to really play it big. 
That’s part of why I think the &lt;/span&gt;&lt;a href="http://www.youtube.com/watch?v=C9DFVSsKJig"&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;Klarna&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt; story is interesting; but that’s a topic for another post.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-4847057462078474218?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/4847057462078474218/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=4847057462078474218' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4847057462078474218'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4847057462078474218'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/09/why-dont-you-become-payments-provide.html' title='Why don’t you become a payments provide – Part 2 – Niches and Networks'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-594794339571434070</id><published>2010-09-13T11:43:00.000-07:00</published><updated>2010-09-13T13:47:12.033-07:00</updated><title type='text'>The Snowflake 
Complex: behavioral modeling and you</title><content type='html'>&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;i&gt;“You are not special. You are not a beautiful or unique snowflake. You're the same decaying organic matter as everything else.” &lt;o:p&gt;&lt;/o:p&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;i&gt;&amp;nbsp;Fight Club, 1999&lt;o:p&gt;&lt;/o:p&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Whenever a highly improbable event occurs, I’m immediately inclined to find &lt;/span&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/04/that-one-small-detail.html"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;that one missing detail&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt; that may explain it as part of a pattern; maybe a rare permutation of indicators and events but a pattern still. It’s not due to a firm belief in determinism, but rather a fascination with the observation that human experience is diverse while at the same time we all go through the same (culture- and geography-dictated) crossroads in life; these crossroads also provide us with the common grounds on which communities are formed. 
Examples to such patterns are manifold but let’s just call out two: Joseph Campbell’s &lt;/span&gt;&lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;cd=1&amp;amp;ved=0CBwQFjAA&amp;amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FMonomyth&amp;amp;ei=BXCOTPbuFIG-sAPs9emmBA&amp;amp;usg=AFQjCNEcKmcoo50f6PL3f99MOk1RiXk7kg&amp;amp;sig2=Z3NJeN-bukX7dutz8fYYBA"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;The Hero’s Journey&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt; is the canonical textbook of myths, while Malcolm Gladwell’s &lt;/span&gt;&lt;a href="http://www.amazon.com/Outliers-Story-Success-Malcolm-Gladwell/dp/0316017922"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Outliers&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt; is a recent, nicely written example. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Recently I had this conversation all over again while describing my new project to a few folks. Every time I talk about modeling human behavior, I get asked how I can generalize on human beings – we’re such unique creatures, and the spectrum of our reactions is immensely broad. True and untrue; while we’re all unique individuals (well, you are. 
&lt;/span&gt;&lt;a href="http://www.youtube.com/watch?v=LQqq3e03EBQ"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;I’m not&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;), we’re limited by two degrees of constraints that make it easier to understand who we are and why we do what we do. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;One is our immediate and general social environment forcing us into behavioral patterns – forget the fact that people end up succumbing to the way they were brought up, let’s talk about the present – the only difficulty here is deciding on the right frame to compare to when trying to make a prediction. Sure, you’re very smart, and you dropped out of college to join a startup. Quite a unique move in your small town, maybe, but can’t say you’d stand out in a crowd in San Francisco. 
Being part of a startup that was successfully sold, then relocating to the US is something that happens to – I’d say – 1 in every 10,000 people in specific areas; put otherwise, there are thousands of people with a similar experience running around.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;The other constraint is much more mundane – when you try to model behavior on the web, people are just limited by the interface. Trying to create complex interaction models or make arbitrary decisions usually fails because there’s no button for that (if you ever played Sierra quests, you know what “I can’t do that” means). Even when examining seemingly more complex MMOs like World of Warcraft, you see how simple the actual interaction model is. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;We want to be a unique snowflake. I hope we are. But those who want to track and understand human behavior shouldn’t let the snowflake complex hinder their efforts. 
Ask the guys at &lt;/span&gt;&lt;a href="http://hunch.com/"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Hunch&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-594794339571434070?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/594794339571434070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=594794339571434070' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/594794339571434070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/594794339571434070'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/09/snowflake-complex-behavioral-modeling.html' title='The Snowflake Complex: behavioral modeling and you'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-7480733683186696442</id><published>2010-09-01T00:28:00.000-07:00</published><updated>2010-09-29T21:48:41.260-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='visa'/><category scheme='http://www.blogger.com/atom/ns#' term='mastercard'/><category scheme='http://www.blogger.com/atom/ns#' 
term='credit cards'/><category scheme='http://www.blogger.com/atom/ns#' term='disambiguation'/><category scheme='http://www.blogger.com/atom/ns#' term='payments'/><title type='text'>Why don't you become a payment provider? A disambiguation.</title><content type='html'>Every once in a while there comes a question about why doesn't company X become a payment provider, or what would it take for them to become one. Lately, I have seen this come up in &lt;a href="http://www.quora.com/Skype/What-would-it-take-for-Skype-to-become-a-payments-service"&gt;Quora regarding Skype&lt;/a&gt;. Parts of what I want to say about this matter were brought in &lt;a href="http://www.quora.com/Why-has-no-payment-startup-emerged-as-a-meaningful-challenger-to-PayPal"&gt;this Quora question&lt;/a&gt;&amp;nbsp;but there are a few other issues and a couple other basic assumptions to sort out.&lt;br /&gt;&lt;br /&gt;I'm a big proponent for competition in payments; rates are too high, systems are&amp;nbsp;archaic and self-imposed limitations by incumbents are just crazy sometimes. Even Paypal can use the competition to shake up some of its ways of doing business as the 8000 pound gorilla. But before you dive right in, you have to sort for yourself where in the food chain are you going to compete. I covered this a little bit in my previous posts about &lt;a href="http://fraudbackstage.blogspot.com/2009/11/mobile-payments-part-2-tale-of-princes.html"&gt;mobile payments&lt;/a&gt;, but I see 4 links in the payments chain you need to mind: engagement drivers, networks, methods, and wallets. Of course you can play in all of them, and many companies do so in more than one, but it's important to understand them since they have different implications to your product. 
Once we understand those, we can really look at why providing value in payments is not as easy as it sounds; we can also understand where most people choose to compete and where other opportunities might be waiting.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;"Engagement drivers"&amp;nbsp;&lt;/b&gt;is the model for many companies in the gaming market. You're competing in driving engagement when all you do from the payments perspective is resell someone else's ability to provide a method of payments (and therefore, build on top of the second group's systems). Note - not some other company's ability to acquire payments, as the companies whose services you'll use are not banks or V and MC. As I noted in my post, I see the mobile payment providers of the world in this category, and to a large extent offer wall providers as well. Players in this category don't own the customer service liability with the&amp;nbsp;customer&amp;nbsp;but at the same time don't own the relationship either; their product is a promise for improved conversion and hassle free UX, and at times they act as "aggregators", presenting end users with multiple payment methods. Quite a few companies have been pushed to this part of the chain or chose to go here because &lt;b&gt;Methods&lt;/b&gt;&amp;nbsp;incumbents are too strong and the barriers to playing there are high, while the gaming industry was and still is very supportive of pricey added services as long as you can drive engagement.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Networks&lt;/b&gt;&amp;nbsp;is where most of the big players are playing or intend on playing; this is where Paypal, Facebook credits, Google checkout, mobile operators, the future Apple product etc are in the food chain. Players in this area have a direct relationship with the buyer and the seller, and discover the joy of customer service for payments. 
They emerge because they identified a new merchant and customer relation that was needed and not catered for (examples: Paypal rules in online payments and P2P/U2U, Facebook is solving virtual currency fatigue and small WePay is looking at group payments). At this level customers already have stored value accounts that are sensitive to fraud, and they may default on some type of credit you've given them. This is the true battlefield of payments to many people - and many people, in my honest opinion, are missing the point - but when question askers think about payments this is what they have in mind. And for a good reason - owning this type of a relationship, as well as identity details, is an important value add that can and should be leveraged by current payment companies.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Payment Methods&lt;/b&gt;&amp;nbsp;and &lt;b&gt;Wallet&lt;/b&gt;&amp;nbsp;is where I find things to be &lt;i&gt;extremely&lt;/i&gt;&amp;nbsp;interesting - try to draw a graph of Visa, Mastercard, Amex and banking through the world and you can realize why - how small and fragmented is the online payments world compared to this opportunity, and what opportunity lurks there. But first I must make a point about differentiating methods and wallets, since some companies might claim to be both. Here's a simple test: when your customers get their paycheck, where do they put their money? If it's in your system you're the wallet. If it's not, you're not.&lt;br /&gt;&lt;br /&gt;I am very interested in &lt;b&gt;Methods&lt;/b&gt;&amp;nbsp;since they are the rails that enable payments, while getting a piece of the pie in a (relatively) lower risk environment. Methods connect wallets with networks and they do this, ideally, in a seamless integration. Yes, they're in the back unless they have great brand strategy, and that's a challenge for any player to solve, but the reward is huge. 
It's a high-volume-low-margin market, but a profitable one, and is one that is ready for competition, as long as you can bring more value than just another credit card. I can say I know at least two companies that are working in this area and will provide what I&amp;nbsp;perceive&amp;nbsp;as immense value, and I'm following them&amp;nbsp;closely.&lt;br /&gt;&lt;br /&gt;Lastly,&lt;b&gt;&amp;nbsp;Wallets&lt;/b&gt;&amp;nbsp;are where you put your money when you get it. For regulatory and other reasons mostly this place is a bank, that then uses various other services to allow you to spend your money. While quite a few companies developed as means for helping you spend or creatively save your money (Mint would be one example), not many are trying to provide an actual wallet. While there are many barriers here as well, this is a unique type of relationship with a customer, one that has much more upside once established but a rough way until it is established.&lt;br /&gt;&lt;br /&gt;If you're thinking about payments, you're probably thinking about one of the first two in terms of fighting for market share in a crowded space while disregarding the third. 
Now that we have them defined, we can look at the perils of trying to establish yourself as any.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;In a future post: what are the challenges of becoming an &lt;b&gt;engagement driver&lt;/b&gt;&amp;nbsp;and a &lt;b&gt;network&amp;nbsp;&lt;/b&gt;&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-7480733683186696442?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/7480733683186696442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=7480733683186696442' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7480733683186696442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7480733683186696442'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/09/why-dont-you-become-payment-provider.html' title='Why don&apos;t you become a payment provider? 
A disambiguation.'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6625284909287371837</id><published>2010-06-07T03:49:00.000-07:00</published><updated>2010-06-07T03:49:12.242-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='zong'/><category scheme='http://www.blogger.com/atom/ns#' term='device fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='boku'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile payments'/><title type='text'>How not to sell your product, or: is there really a "Silver Bullet" for Mobile Payments security?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_IPoYRlD18cw/TAzLK9rKcOI/AAAAAAAAADs/di5IHaiuzM0/s1600/abullet.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_IPoYRlD18cw/TAzLK9rKcOI/AAAAAAAAADs/di5IHaiuzM0/s320/abullet.jpeg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;Engineers tend to frown at marketing and BD, but creating leads or closing a deal is never easy. No matter where you are you want to be able to clearly articulate what is the customer’s pain point that you are solving. And you want your solution to be as straight forward as possible, too. If you resort to detailed tables and text you’re bound to lose most of your potential customers along the way. 
One thing I like about mobile payment companies’ pitch is that it’s pretty straight forward; both &lt;a href="http://www.boku.com/publishers/opportunity/"&gt;Boku&lt;/a&gt; and &lt;a href="http://www.zong.com/merchants/increase-revenues"&gt;Zong&lt;/a&gt; articulate very clearly that yes, they have higher fees, but overall their much higher conversion rates increase revenue. Simple and straightforward; I like that. Other mobile payments vendors follow suit with similar pitches. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Why some Mobile Payments vendors are missing the point&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Some of these vendors are veteran companies rebranding for the digital goods space and as such talk the “new” mobile payments talk but do not walk the walk. You can’t, for example, claim you’re providing a seamless experience when you require a three page signup process on first payment; your product must support your value proposition. Still, I have encountered companies that claim exactly that – and fail to understand why a cumbersome sign up process is an issue. I can imagine how some of these products evolved: starting in technologically limiting environments, with little to no data sources available and nothing but premium SMS billing. Faced with these difficulties, the ability to create &lt;i&gt;any&lt;/i&gt; sign up flow or get an integration agreement with an operator looked like a huge achievement. And it was. But as depressing as it is to see your market changing, empowering payments in a card-not-present environment is today almost a commodity and operator integration is a limited, narrowing edge. He who wants to survive adjusts, or continues to try to sell payments triggered via, let’s say, IVR call to a landline. 
I’m sure there’s a need for first-generation payments somewhere on the globe; in most developed markets these look displaced.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Commodities and risk management&amp;nbsp;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I find this obvious since commoditization also creates pitch and product distortions in my own back yard, risk and fraud management. How did &lt;i&gt;that&lt;/i&gt; happen? 5 years ago it was harder to compete with internal risk departments. With the eCommerce boom, however, came the proliferation of fraud as fraudsters (and the average Joes of the world) realized how easy it was. With this came a demand for risk management tools and methods. Many companies emerged in response, and each had to evolve quickly to gain market share and capitalize on an almost vacant market. Since the business was so nascent (and, I would argue, still is far from full potential), little technology innovation was required to reach stellar improvements in any point in the funnel; and since all of these companies provided indicators to help support the retailer’s decision (&lt;a href="http://fraudbackstage.blogspot.com/2009/03/here-comes-scary-part.html"&gt;rather than the decision itself&lt;/a&gt;), the sales tactic was geared toward convincing the customer to add your score to the variety of scores they were already using. And it worked: merchants are using on average between 4 to 5 different decision supporting tools and indicators. But the cost was commoditization and an ever degrading technological edge. 
This has already started to come into effect and change the way risk and fraud are discussed.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Scaring them used to work&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Sometimes finding a pain point is complicated since the customer is either unaware of a problem or aware of it but does not think it merits attention. When we pitched FraudSciences’ product, even though we offered an insured decision to merchants to expand their business to new markets, oftentimes the initial response was negative. Getting merchants to understand “why now” is always a challenge, and with the growth we see in Digital and Virtual Goods, publishers sometimes don’t even have the time to consider (as I noted in the past, zero cost of goods produced is both a blessing and a curse). But it seemed as though for some of the companies the approach changed into forcing customers to realize they have a problem, even when they don’t necessarily have one. This is the “scare pitch”; I recently spent some time with a content publisher that told me about a similar conversation with another payments provider. A good part of the talk was aimed at explaining why fraud is so dangerous, while the fact of the matter is that currently, content providers aren’t immediate targets (since content is not as easily monetized as other goods). Why try to scare customers into buying your service when they have no actual need? Because most tools and services provide negligible incremental value and this is the only way to get customers to add another one to the pile – like any premium-hungry insurance company, scare them with hell and make sure they sign the policy. The alternative is, of course, enabling an experience that unlocks more revenue rather than catches all the “bad guys”. 
And that’s exactly where the product is lacking.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Is there really a new silver bullet?&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Since the pioneers of risk management in eCommerce were mostly web-security geeks, a fraudulent transaction was (and still is) viewed as a transaction made from a “bad machine” (rather than “by a bad user”, a very important distinction). If we could only map all the bad boxes in the world, says this logic, we could stop fraud. This is what “machine fingerprinting” is about. Most leading companies hence focused on black-list type systems geared at collecting as much anonymous information as possible to be able to identify machines without necessarily identifying their owners. The story repeated itself with IPs, cookies, browser profile and now the latest addition – mobile device ID. As with its predecessors in the role of silver bullet or even better than some of them, mobile device ID is not easily spoof-able, is relatively easy to retrieve and is (supposedly) unique. Problem solved, right? Not so. With so many phones manufactured, stolen and exchanged in a year, it’s easy to see that simply keeping a list of “bad devices” won’t cut it – same as with other devices and boxes, if you base your classification on a “device bad history”, you fail every time you see a new device; and you fail every time good and bad users share a device since one bad user “contaminates” the device for all others. A hacked phone is, like a hacked machine with a proxy set up in it, simply a relay. The real “badness” of a device should always be viewed as probabilistic, in the current context of the actions made on it, and compared to other details we may have on the user allegedly using it. 
That is why a system without Personal Identifier Information is nothing more than a mildly sophisticated black-list.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This is not a subtle point but it might be lost if all we're looking to gain is that small edge. In dealing with mobile devices I find that creating a pattern to recognize still encounters major issues: geolocation reliability, network topology and new patterns of user usage are just three considerations that make mobile payments more than just an&amp;nbsp;extension&amp;nbsp;of desktop purchases. Focusing on adding device IDs to a device fingerprint, without creating a viable solution to initial encounters or devices being transferred between users, is similar to looking at a problem space through a keyhole. It just won't cut it.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Why this is important&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Turning eCommerce into virtual commerce and the mobile phone into a wallet will require a high level of trust between participants, since virtual communities and f2f proximity payments are new ideas and new experiences. Enabling that exchange is one of the best outcomes of effective risk management and user identity and intent assertions, but the current trend isn’t necessarily heading in that direction. 
I believe it should, but that would require profound pitch, product and point of view change.&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6625284909287371837?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6625284909287371837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6625284909287371837' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6625284909287371837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6625284909287371837'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/06/how-not-to-sell-your-product-or-is.html' title='How not to sell your product, or: is there really a &quot;Silver Bullet&quot; for Mobile Payments security?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IPoYRlD18cw/TAzLK9rKcOI/AAAAAAAAADs/di5IHaiuzM0/s72-c/abullet.jpeg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3287513863819554384</id><published>2010-05-18T23:42:00.000-07:00</published><updated>2010-05-18T23:43:18.827-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk analysts'/><category 
scheme='http://www.blogger.com/atom/ns#' term='risk analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='crowd source'/><title type='text'>Facebook showing Traces of Crowd Sourcing in Risk Management (?)</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px;"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_IPoYRlD18cw/S_I9b_xUEPI/AAAAAAAAADk/omkNEGqVBfI/s1600/2306001896_7e0ce6e0f5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_IPoYRlD18cw/S_I9b_xUEPI/AAAAAAAAADk/omkNEGqVBfI/s320/2306001896_7e0ce6e0f5.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;"&gt;&lt;i&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;"&gt;&lt;i&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;Picture by Matthew Filed/Creative Commons&lt;/span&gt;&lt;/i&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; 
margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;If you're following the blog, you know I'm a big advocate of using the "wisdom of the masses" (well... at least their accumulated computational ability) to crowd-source complex tasks that cannot be easily automated. The way I see it, it's not that users merely "&lt;a href="http://fraudbackstage.blogspot.com/2009/10/jacob-doesnt-mind.html"&gt;don't mind&lt;/a&gt;", they actually expect that to happen. This is the reason I'm&lt;/span&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/12/in-defense-of-offers.html"&gt;pro offer walls&lt;/a&gt;&amp;nbsp;(well, at least some of them) and like the concept of “jobs” or “tasks” incorporated into these walls. There's a lot to be done in the area of engaging users around various complex decisions, risk management being one of them (see other ideas on &lt;a href="http://www.gwap.com/gwap/"&gt;gwap&lt;/a&gt;). 
Now, I don't think that we&lt;/span&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;a href="http://fraudbackstage.blogspot.com/2010/02/fraud-detection-and-user-interaction.html"&gt;cracked the code&lt;/a&gt;&lt;/span&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;of making financials and risk interesting – whether it’s because financials are less “sexy” or because of more elusive reasons - but I do enjoy seeing interesting attempts.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;That's why I liked the feature I discovered &lt;a href="http://techcrunch.com/2010/05/13/facebook-login-security/"&gt;in a TC post&lt;/a&gt;:&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_IPoYRlD18cw/S_I69hUc0tI/AAAAAAAAADc/y7zx__Rkd-U/s1600/cs.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="168" src="http://3.bp.blogspot.com/_IPoYRlD18cw/S_I69hUc0tI/AAAAAAAAADc/y7zx__Rkd-U/s640/cs.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;Yeah, I know, you’re wondering what I am so excited about. Well, for me it goes back to the dynamics that help establish and nurture communities. Online communities are here to stay, from Habbo hotel to SL to social networks. Communities like Facebook are growing by mere network effect; every day, people are pouring into the platform to interact, share, play. And at the same time, you can’t help but hear the murmur: Facebook did this, Facebook did that, I don’t like the new layout, I hate the privacy policy. This might mean that we have (potentially) passed the docile stage of throwing sheep at other users, to the involvement period. What’s that? 
Basically, creating a real, lasting online community requires more than a news feed and a constant unedited stream of brain farts (dad, I actually like yours. Really). It requires users’ engagement, their involvement in regulating their environment, in setting its rules and in actively helping to make it better. It requires some kind of ownership, a sense of responsibility. This is what creates a healthy community that can be actually leveraged as more than a collection of unrelated, though somewhat connected, individuals. And that’s the reason why I like the potential of this nascent form of crowd-sourcing risk management: from my point of view, it’s a fair attempt at starting to enable users to assume that kind of responsibility. It’s a call to action where Facebook’s Risk team, effectively the police in a network that’s around 1.5X the size of US population, is asking you to join the neighborhood guard. If it’s really your neighborhood, won’t you act to keep it peaceful?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;That’s why I like it. Or, at least, that’s the potential I’m loading on one poor notification feature… The other reason is, of course, the poetic justice of using the same type of resources &lt;a href="http://fraudbackstage.blogspot.com/2009/04/stop-are-you-fraudster.html"&gt;fraudsters are using to overcome standard risk controls&lt;/a&gt; to actually deter fraud. 
Gotta love that.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;o:p&gt;What is your take on crowd sourcing risk-related process in your system?&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;o:p&gt;&lt;br /&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt;"&gt;&lt;b&gt;PS&lt;/b&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;In case you’ve never seen it, catch this remarkable &lt;u&gt;piece &lt;a href="http://www.youtube.com/watch?v=f1nKR3gYRY8"&gt;&lt;span style="color: black;"&gt;of the performing arts&lt;/span&gt;&lt;/a&gt;&lt;/u&gt;. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;u&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;&lt;a href="http://www.lindqvist.com/i-go-chop-your-dollars/"&gt;&lt;span style="color: black;"&gt;Lyrics&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/u&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt; are here.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: black; font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;And, of course: &lt;u&gt;&lt;a href="http://www.theregister.co.uk/2007/07/02/419_singer_caught/"&gt;&lt;span style="color: black;"&gt;what goes around comes around&lt;/span&gt;&lt;/a&gt;&lt;/u&gt;&lt;/span&gt;.&amp;nbsp;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3287513863819554384?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3287513863819554384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3287513863819554384' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3287513863819554384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3287513863819554384'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/05/facebook-showing-traces-of-crowd.html' title='Facebook showing Traces of Crowd Sourcing in Risk Management (?)'/><author><name>Ohad 
Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IPoYRlD18cw/S_I9b_xUEPI/AAAAAAAAADk/omkNEGqVBfI/s72-c/2306001896_7e0ce6e0f5.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-8261568088201670109</id><published>2010-04-24T12:09:00.000-07:00</published><updated>2010-11-28T17:52:21.075-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secondary markets'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual goods'/><category scheme='http://www.blogger.com/atom/ns#' term='world of warcraft'/><category scheme='http://www.blogger.com/atom/ns#' term='blizzard'/><title type='text'>Blizzard, secondary markets and the gaming industry</title><content type='html'>&lt;em&gt;Phew... 
after two months of work, I can take a step back and go back to blogging.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_IPoYRlD18cw/S9NBMedZLSI/AAAAAAAAADU/YieewMI1vqw/s1600/744px-pirate_flag_of_rack_rackhamsvg.png" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_IPoYRlD18cw/S9NBMedZLSI/AAAAAAAAADU/YieewMI1vqw/s320/744px-pirate_flag_of_rack_rackhamsvg.png" tt="true" /&gt;&lt;/a&gt;&lt;/div&gt;Who won the "Pirate bay" trial?&lt;br /&gt;&lt;br /&gt;The simplistic answer is obvious: though currently in appeal (scheduled to open September of this year) the site's operators were convicted on April 17th, 2009 of accessory to crime against copyright law, and were sentenced to a year in jail and over $3.5M in fines and other damages. I would call this a pretty decisive decision.&lt;br /&gt;&lt;br /&gt;So the publishers win, right? I don't think so.&lt;br /&gt;&lt;br /&gt;The trial itself is a cornerstone in the fight against piracy, but focusing on that misses the point. Don't get me wrong, I'm not pro any illegal activity; however, some illegal activities stem from a need that's not met by what the industry has to offer; something people are willing to pay for. It's not that people didn't want to pay for music and movies - they just didn't want to pay for them in the way they were bundled by the publishers. And from this perspective, the publishers lost. They lost their old business model to the vast end-user-driven movement that spun piracy: iTunes (paying for single songs), Netflix (subscription based streaming), Spotify (free music discovery) and Hulu (ad based streaming) are examples of models that evolved since publishers had to change. Who won the pirate bay trial? Irrelevant in the long term. 
The important thing is that users get more of what they want.&lt;br /&gt;&lt;br /&gt;The same rule applies to secondary markets in online games.&lt;br /&gt;&lt;br /&gt;I spoke to a few publishers over the last few months, and especially at GDC. I asked a simple question - why don't you support p2p trade and secondary markets? The answers varied, but most of them responded just like a music publisher in the pre-iTunes era: it just doesn't fit their business model.&lt;br /&gt;&lt;br /&gt;Most games provide their players with progression - along skill levels, story lines, levels, goods. When stripping them of&amp;nbsp;fancy mechanics, in essence Farmville and WoW&amp;nbsp;are similar in the sense that you have "stuff" you accumulate (be those points, ranks or cows) and you have a series of actions you can do to get them. In some of the cases, you also go through an internal narrative that adds another layer of "stuff" to achieve, this time story progression. Players get rewarded by the game, and invest in challenges that the game provides them with - and so gameplay, long hours of engagement and investment of time and money against game-initiated calls for action are what drive profitability. Secondary markets undermine this dynamic - players are supposed to buy content, currency and items from the publisher only, and buying them from other players ruins gameplay and works against the game's planning.&lt;br /&gt;&lt;br /&gt;Sounds familiar, doesn't it?&lt;br /&gt;&lt;br /&gt;The way I see it secondary markets represent something the player community needs and wants, and a necessary change to the way games are played. Allowing players to create value themselves and trade it with other players will only increase engagement with the game, not decrease it - provided that there is really an option for open ended play. 
Of course it creates additional challenges - farming, scams, fraud in p2p trade&amp;nbsp;- but most of those are current issues for most online games and worlds, and instead of seeing its value churned by piracy and chasing down pirates, the gaming industry needs to make a decision to take this activity into the games. With the digitization of commerce, there's no reason why actual entrepreneurs cannot work in the virtual space as much as they would in the real world, and virtual worlds can be direct beneficiaries of sophisticated ecosystems. You only need to look at the numbers from &lt;a href="http://www.gamasutra.com/view/news/28129/Over_140000_Users_Queue_For_WoWs_Virtual_Items.php"&gt;Blizzard's latest launch of the "pets" on WoW&lt;/a&gt; to understand that reselling, and later turning these now-commodities into high value collectibles, is just around the corner - and gaming companies cannot afford not to participate in one way or another.&lt;br /&gt;&lt;br /&gt;It does seem, however, that gaming companies have identified this need and are working to accommodate it in future publications. Going back to the opening of this post, this is another place where "piracy" showed the industry where it needs to go; choosing to fight such a clear message from users doesn't really make sense. 
I, for one, am&amp;nbsp;looking forward to in-game, open&amp;nbsp;marketplaces booming.</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/8261568088201670109/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=8261568088201670109' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8261568088201670109'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8261568088201670109'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/04/blizzard-secondary-markets-and-gaming.html' title='Blizzard, secondary markets and the gaming industry'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IPoYRlD18cw/S9NBMedZLSI/AAAAAAAAADU/YieewMI1vqw/s72-c/744px-pirate_flag_of_rack_rackhamsvg.png' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3285991275719703451</id><published>2010-03-08T23:50:00.000-08:00</published><updated>2010-05-07T08:58:10.946-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='job description'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analysis'/><category 
scheme='http://www.blogger.com/atom/ns#' term='job description paypal'/><category scheme='http://www.blogger.com/atom/ns#' term='analytics'/><title type='text'>Looking for candidates: Paypal New Ventures Risk</title><content type='html'>Over the past months I’ve been telling you about my take on risk management, automated decisions, digital goods and various other areas. I am now starting to look for candidates for my team to deal with these exact areas within Paypal – so if you’re one or think you know one, please let me know. Find the formal JD on the eBay site with req number 38550BR (but&amp;nbsp;read on before that -&amp;nbsp;the description in this post is much more important). &lt;br /&gt;&lt;br /&gt;The team is Paypal's New Ventures Risk team, in charge of risk management for Paypal's newest, most innovative ventures, leading Paypal's growth in new markets and with new technologies. The role is for a leader of the seller risk aspect of new ventures, dealing with sellers and developers using our most innovative products. Note: though the position is titled "manager", this is not a people management position.&lt;br /&gt;&lt;br /&gt;What I’m looking for is results driven, quick thinking do-it-alls who want to be involved with new products, markets and risk challenges within Paypal. You should have the passion for consuming a lot of data and information, be able to learn quickly and identify and define trends in concise terms. You should be analytical, with a quantitative approach, but not a data cruncher without any understanding of the big picture – we are playing on all fronts. Know or be able to learn how to drive processes through other people and organizations; working in ambiguous situations and coping with change is a must, as well as an ever changing operating rhythm. This is not your classic 9 to 5 and I’m not your classic 9 to 5 manager. 
&lt;br /&gt;&lt;br /&gt;Experience is not a must (=graduates are also encouraged to apply), definitely not previous experience in risk management. However, please be an avid internet user, preferably a gamer in your past or present. Some security experience or tech savvy is a big plus – don’t get intimidated by developers, architects and tech talk. Impress me by having interesting hobbies out of work that you maintain although you are an aggressive achiever, and by having vast general knowledge (as in: you shout answers at “who wants to be a millionaire” while watching it on TV). &lt;br /&gt;&lt;br /&gt;&lt;a href="http://fraudbackstage.blogspot.com/"&gt;Read the blog&lt;/a&gt;. Process. Understand. Talk to me.</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3285991275719703451/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3285991275719703451' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3285991275719703451'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3285991275719703451'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/03/looking-for-candidates-paypal-new.html' title='Looking for candidates: Paypal New Ventures Risk'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-400708514639650932</id><published>2010-03-01T22:39:00.000-08:00</published><updated>2010-03-02T07:21:01.994-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='international sales'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='data sources'/><title type='text'>Dealing with International Fraud - a Few Basics</title><content type='html'>When we started looking for customers in the first payments startup I worked for, low hanging fruit were obvious. All you had to do to find them was look for a merchant's international shipping policy - or lack thereof - and continue from there. The value proposition we offered, where we would make final accept/decline decisions and insure them, was just good enough to be true and be worth a lot of money for those who wanted to expand internationally. Still, it wasn't easy to convince these guys to expand, I'll tell you that - for every one who was willing to check us out, at least ten were pretty happy selling internally in the US. Who thought of the international market at that time? Looking back at it, this was around the dawn of managed fraud and risk services, and though we spearheaded the offering for the more dangerous segments we most definitely weren't the only ones.&lt;br /&gt;&lt;br /&gt;Now, however, of all the questions I am asked, the ones I hear the most - and with the most urgency in them - are the ones regarding international purchases. Unlike a few years ago, when merchants let themselves brutally limit international buyers and focused on domestic markets, it's clear today that global expansion is a key for sustained success. 
Every beginning publisher wants to talk localization. And they should: this is way more general than digital goods and content. While US eCommerce is forecasted to grow to 8% of all retail purchases in 2012, according to Gartner, European b2c sales are forecasted to outgrow US sales, and grow 20% in 2010, according to eMarketer. This is an amazing opportunity – and it means that a lot of real goods need to be shipped around the world. However, when you get to actually approving these transactions, often you find that you just don't get the tools you're used to outside of the biggest eCommerce markets and some don't even exist outside of the US. &lt;br /&gt;&lt;br /&gt;So how do you deal with those tricky international purchases?&lt;br /&gt;&lt;br /&gt;• Remember what international fraudsters aren’t – they’re not the people they are stealing from. Sounds very basic, but it will serve you well – most fraudsters are young, computer savvy males from 3rd world countries trying to use Western world cards and bank accounts. &lt;strong&gt;Note obvious mismatches in details&lt;/strong&gt;: if details given for the customer (phone number, card bin country, address) just don’t match, come from distant parts of a country or look invented, beware. &lt;br /&gt;&lt;br /&gt;• Purchasing history from other merchants, through a 3rd party vendor, serves you mostly when you delay shipment (either because it’s standard practice or you’re suspicious). For all other cases, you need to have &lt;strong&gt;velocity checks and an ability to identify returning fraudsters alternating details&lt;/strong&gt;. There are some good machine-ID companies out there, but you also have to complement with rules that identify purchasing behavior that is different than what you are used to in your industry and shop.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Contacting users&lt;/strong&gt; makes sense – but only when you understand what contacting them tells you. 
Calling a VoIP phone does no good, and the same goes for emailing someone whose email domain ranges from the ridiculous @legit.com to the less obvious @army.com; some seemingly fine domains host sites that are nothing but a blank page, so checking occasionally makes sense.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;IP intelligence&lt;/strong&gt; can teach you a lot – you wouldn’t be surprised to hear that there are more fraudsters and more exploited, Trojan infested computers in big cities with high speed internet. It’s always good to know more about your user’s connection, especially if they are risky – if someone is initiating a payment to your site from within Microsoft’s Azure cloud, you may be in for some trouble.&lt;br /&gt;&lt;br /&gt;• Find &lt;strong&gt;alternative data sources&lt;/strong&gt;. No other country has such extensive public data sources on its citizens as the US, but free and paid databases exist outside of the US too. A good address and name resource like 192.com helps you know more about your customer, and social networks span the whole world. Too bad fraudsters can use this too…&lt;br /&gt;&lt;br /&gt;• And, last but not least – &lt;strong&gt;know that there are legitimate people out there acting very ordinarily&lt;/strong&gt;, but in a way that might strike you initially as dangerous. Where people relocate between states in the US, in the EU they do so between countries. Belgium and France share a language, and exactly as an Austrian might have a German bank account, so can someone from the Turkish minority. Time to polish your skills in geography, and read some Wikipedia pages!&lt;br /&gt;&lt;br /&gt;Applying the above should take you a few additional steps on your way to opening up your site to international commerce. 
And one additional thing to remember: putting a great set of filters in place is close to useless without having a team iterate on it and improve it as user behavior changes - the alternative is reactive risk management, slowly closing itself down using black lists and limitations until you resort back to the good ol’ US domestic shipping. Don’t let that happen to you, the international opportunity is too big to miss out on.</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/400708514639650932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=400708514639650932' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/400708514639650932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/400708514639650932'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/03/dealing-with-international-fraud-few.html' title='Dealing with International Fraud - a Few Basics'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-1566559093833142560</id><published>2010-02-22T23:27:00.000-08:00</published><updated>2010-02-23T07:54:26.576-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='zong'/><category scheme='http://www.blogger.com/atom/ns#' term='offerpal'/><category scheme='http://www.blogger.com/atom/ns#' term='super rewards'/><category scheme='http://www.blogger.com/atom/ns#' term='new ventures'/><category scheme='http://www.blogger.com/atom/ns#' term='supersonicads'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual currency'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='boku'/><category scheme='http://www.blogger.com/atom/ns#' term='zero cost of goods'/><category scheme='http://www.blogger.com/atom/ns#' term='engage expo'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual goods'/><category scheme='http://www.blogger.com/atom/ns#' term='new york'/><title type='text'>New York under zero: some thoughts on the Engage! Expo</title><content type='html'>&lt;em&gt;"If there are any Mattel engineers in the audience, the astronaut Barbie's space suit is not crash proof" (loose paraphrasing of &lt;a href="http://en.wikipedia.org/wiki/Will_Wright_(game_designer)"&gt;Will Wright's&lt;/a&gt; keynote)&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Yep, the keynote was entertaining and &lt;a href="http://www.engageexpo.com/"&gt;Engage&lt;/a&gt; brought a lot of vendors to snowy New York's Javits Center. The two day event, though a bit low on developers, had a few interesting sessions and some interesting chances to share opinions. So what did I pick up from these two full days?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Payments and mobile&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This Engage was heavy on payments companies, and by payments I mean mostly - if not exclusively - mobile payments focusing on SMS billing through carriers (obviously Paypal was there - a few of my colleagues and me - and additional sponsors). 
While the value of mobile payments for a streamlined, high conversion purchasing experience is clear (on the verge of overstated), the abundance of these companies over such a small space only served to emphasize how not-that-different these companies are from one another. Better coverage, low fraud and a promise for lower fees in 2011 were the value propositions. &lt;br /&gt;&lt;br /&gt;Now, while I think mobile payments are &lt;a href="http://fraudbackstage.blogspot.com/2009/11/mobile-payments-part-2-tale-of-princes.html"&gt;clearly an avenue the industry must pursue&lt;/a&gt;, it was clear to me that until operators make a big leap of faith to embrace mobile payments, this field will not move much unless the companies themselves move to a Zong+ like, account based system that allows users to add a financial instrument and for the mobile payments company to charge it directly. And, as you are soon to find out, account based systems are a whole new world of pain - while with direct billing you charge a prepaid or underwritten balance an operator is liable for, accounts are a much more complicated structure. Plainly put, you start writing big fat checks&amp;nbsp;directly to&amp;nbsp;fraudsters' pockets. Looking at chargebacks in hindsight, as at least two of the participants suggested, just doesn't cut it. So mobile payments are looking for the next big breakthrough, and if fees don't drop soon (and they probably won't), I'm expecting some M&amp;amp;A work as competition heats up.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Offers and tasks&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I'm a &lt;a href="http://fraudbackstage.blogspot.com/2009/12/in-defense-of-offers.html"&gt;long time&lt;/a&gt; &lt;a href="http://fraudbackstage.blogspot.com/2009/11/offer-walls-and-marketplaces-real.html"&gt;advocate of offers&lt;/a&gt;. Yes, offers have their "dark side", when misused, however they have a huge potential for creating incremental volume - something I personally love. 
While at the conference I heard that Offerpal are integrating&amp;nbsp;tasks from Amazon's&amp;nbsp;Mechanical Turk, and I have been hearing assertions that competitors are going to follow suit (I also heard it on stage from IMVU.com's CEO). Why is this good? I think that using social gaming&amp;nbsp;to crowdsource&amp;nbsp;simple but human intensive tasks&amp;nbsp;is good for user education - do something good instead of just signing up for Netflix (nothing bad about Netflix, though); plus, it's good for the potential work providers - ideally, research institutes, advanced OCR services and others. In short, tasks are the new "green". Two caveats in this optimistic view, though: the first is that there is a serious chance of a shortage of tasks, at least until this market picks up; the second is that abusing this model is still doable, maybe even easier than standard offers - if I were a fraudster, I'd immediately outsource &lt;a href="http://fraudbackstage.blogspot.com/2009/04/stop-are-you-fraudster.html"&gt;my CAPTCHA operation&lt;/a&gt; to Amazon. Oops! Better read &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;previous posts&lt;/a&gt; and do some risk analytics, guys, or you'll find you're breeding an ecosystem of thieves.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Zero cost of goods&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I had this feeling in the past, but the conference reassured me: the "zero cost of goods produced" concept is both a blessing and a curse. Why a blessing? Because developers, bathing in the sensational bliss of high margins, were keen on trying new things - new business models, new payment options (30% take for mobile payments? come on) and various experiments in user interaction (offers, vanity items and a lot of other really cool stuff). Why a curse? Because the notion has outgrown its proper boundaries, actually harming some of the developers. 
Assuming that the problem of chargebacks goes away if you just auto-refund your zero-cost virtual good is a mistake, and not checking operational costs related to this "zero cost" work will make your bottom line look pretty bad eventually. Additionally, zero cost of goods got many developers focused solely on growing their user base and ARPU - both important but, as a few speakers noted, this shifted attention from a few other very important things. Like fraud, like going international, but also like pricing - when the third pretty senior person suggested to developers that going all-in on a freemium model just isn't a good idea, I started to understand that the problem transcends risk management and controls; it's starting to detach companies from sound business judgment. So&amp;nbsp;this is&amp;nbsp;probably the time to reconsider - it's all a part of growing up as an industry.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;P.S. One last thing&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I was delighted to meet a few young and talented entrepreneurs working exactly on the things I find exciting - namely p2p trade and new, great ways to engage users. It's fun to see how ideas evolve, and I'm looking forward to hearing more about them and others like them. 
Well done, guys!</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/1566559093833142560/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=1566559093833142560' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1566559093833142560'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1566559093833142560'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/02/new-york-under-zero-some-thoughts-on.html' title='New York under zero: some thoughts on the Engage! 
Expo'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6943698749922289224</id><published>2010-02-14T15:01:00.000-08:00</published><updated>2010-02-14T15:01:50.371-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='user interaction'/><category scheme='http://www.blogger.com/atom/ns#' term='micro payments'/><category scheme='http://www.blogger.com/atom/ns#' term='Javelin'/><category scheme='http://www.blogger.com/atom/ns#' term='business intelligence'/><category scheme='http://www.blogger.com/atom/ns#' term='researches'/><title type='text'>Fraud detection and User Interaction: why are Millennials slower?</title><content type='html'>&lt;em&gt;A scientist&amp;nbsp;was conducting an experiment with a fly. He pulled off one of its legs and set it down to see if it could fly. Conclusion: a fly without one leg can still fly. He pared off a second leg and set it down, saying "Fly!" Conclusion: a fly without two legs can still fly. He removed all the legs and set the fly on the palm of his hand, shouting "Fly!" Conclusion: a fly without legs can still fly, briefly, before crashing to the floor. He pulled off all the fly's wings and set the fly on the palm of his hand, yelling "Fly!" Nothing. "Fly!" Nothing. Conclusion: a fly without wings is deaf.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This was an old, lousy and a bit vicious joke even when I was a kid. It does, however, effectively demonstrate a long lasting truth: it is not the collected data, but rather how we interpret it, that renders its effectiveness in decision making. 
Errors range from confusing cause and effect (is it that customers who experienced fraud are more active, on average, or that active customers are, on average,&amp;nbsp;more prone to experience fraud?) to gross segmentation causing severe false positives; a lot of these cases are triggered by analysts sticking to high level, big numbers rather than complementing their analysis with case-by-case review and customer engagement. Business intelligence is a very important practice, and we must use our tools wisely to reach the best possible conclusions to guide our decisions.&lt;br /&gt;&lt;br /&gt;One interesting case of interpretation I found was regarding Javelin's &lt;a href="http://www.prnewswire.com/news-releases/javelin-study-finds-identity-fraud-reached-new-high-in-2009-but-consumers-are-fighting-back-83987287.html"&gt;2010 Identity Fraud Survey Report&lt;/a&gt;. Here's an excerpt from the link:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;blockquote&gt;&lt;em&gt;"18 to 24 Year Olds are Slowest to Detect Fraud – Millennials (consumers aged 18 to 24 years old) take nearly twice as many days to detect fraud, compared to other age groups, and thus are fraud victims for longer periods of time. Millennials were found to be the less likely to monitor accounts regularly and the least likely group to take advantage of monitoring programs offered by financial institutions. However, Millennials were the most likely group to take action such as switching primary banks or switching forms of payment."&lt;/em&gt;&lt;/blockquote&gt;&lt;/em&gt;&lt;br /&gt;Why is that? Well, looking for interesting opinions I came across &lt;a href="http://itacidentityblog.com/fridays-food-for-thought-18-to-24-year-olds-are-slowest-to-detect-fraud-why-is-that"&gt;this blog post&lt;/a&gt;. It suggests that Millennials are optimistic about the economy and feel invincible, being young, not imagining that fraud could happen to them. 
Interesting, but I don't buy into this kind of explanation, for two reasons: one is that it's oversimplistic in its description of Millennials' psyche, and the second is that it puts a cap on our ability to engage with a group of users about their financials. It's just too important to let go: being able to engage with your user community to deter fraud will be a growing need for payment services in 2010 and beyond, and I claim that &lt;a href="http://fraudbackstage.blogspot.com/2009/10/jacob-doesnt-mind.html"&gt;they expect this to happen&lt;/a&gt;. It just doesn't resonate with me that social networks and games can get you engaged but your bank or eWallet, the place where all your money is,&amp;nbsp;can't. It's just a question of the right engagement model. What is the difference between those that work and those that fail? As a user myself, I don't feel like I have compelling interfaces that help me monitor my financials - and I log in to my online banking interface on a daily basis. There's just too much information, too many buttons and graphs to make sense. To add insult to injury, many monitoring programs (such as the lately advertised &lt;a href="https://www.chase.com/index.jsp?pg_name=ccpmapp/smallbusiness/business_banking/page/bb_check_card_security"&gt;Chase debit card program&lt;/a&gt;)&amp;nbsp;require users and parents to &lt;em&gt;set their own monitoring rules&lt;/em&gt;. This reminds me of another area, online predator monitoring, which poses the same challenge to parents - you set the rules to monitor suspicious words in your child's IM. Seriously? We force the laymen to do our job for us? Can we really not provide a compelling, interactive, machine learning interface that provides an appealing user experience? I think we can. Especially if the alternative is accusing Millennials of being too optimistic.&lt;br /&gt;&lt;br /&gt;Looping back to the beginning of the post, I'm just hypothesizing (or pulling the fly's leg, if you'd like). 
It's now a question of actually engaging with users and examining behavior to validate basic assumptions; something that we must do to make sure we understand the data we are getting. But this is my own hunch on Javelin's results. What do you think?&lt;br /&gt;&lt;br /&gt;&lt;em&gt;If you liked this post, please subscribe to my blog!&lt;/em&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6943698749922289224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6943698749922289224' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6943698749922289224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6943698749922289224'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/02/fraud-detection-and-user-interaction.html' title='Fraud detection and User Interaction: why are Millennials slower?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3530725438121456374</id><published>2010-02-07T14:40:00.000-08:00</published><updated>2010-02-07T15:10:53.189-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='square'/><category 
scheme='http://www.blogger.com/atom/ns#' term='verifone'/><category scheme='http://www.blogger.com/atom/ns#' term='market evolution'/><category scheme='http://www.blogger.com/atom/ns#' term='kwedit'/><category scheme='http://www.blogger.com/atom/ns#' term='zynga'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><category scheme='http://www.blogger.com/atom/ns#' term='social games'/><category scheme='http://www.blogger.com/atom/ns#' term='payments'/><title type='text'>The Next Big Thing (and what is it takes to be that thing)</title><content type='html'>&lt;em&gt;When&amp;nbsp;something happens for the first time&amp;nbsp;- it's avantgarde.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;If you see it twice - it's original.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;On&amp;nbsp;the third time&amp;nbsp;- it's plagiarism.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;On the fourth&amp;nbsp;- it's pastiche.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;But when it happens for the fifth time - it's a genre...&lt;/em&gt;&lt;br /&gt;&lt;em&gt;(Anonymous)&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;In the never ending discussion on innovation vs. execution (see Sara Lacy's great post &lt;a href="http://www.techcrunch.com/2009/06/26/is-execution-more-important-than-vision/"&gt;here&lt;/a&gt;) I tend to be an avid supporter of the&amp;nbsp;execution point of view; I've yet to see a great idea execute on itself, but I have seen pretty dull ideas becoming hits because of laser focused hard work. And, of course, it is my personal tendency&amp;nbsp;for building&amp;nbsp;and running strong organizations rather than engaging only in ideation.&amp;nbsp;The reality of the business, as well, shows us&amp;nbsp;companies that succeeded with strong execution on the ideas of earlier, less successful and agile&amp;nbsp;companies (see the article for some examples). 
This is why I really like the dynamics of a new&amp;nbsp;genre of products and services&amp;nbsp;- if you follow closely you can track the evangelists, the copiers, the big and small players all mixed together, fighting for their place.&lt;br /&gt;&lt;br /&gt;The dynamic is pretty straight forward - after a need is established by the avantgarde, in come the strong execution oriented players; proliferation kicks in, and many companies rise to offer similar services and products, each with its own twist. This stage ends with convergence - first with aggregation services, and then with the big winners emerging from the crowd of competing companies. Finally, when these winners become too big or fail to innovate, new avantgarde kicks in, discovering new niche segments that the giants were overlooking.&lt;br /&gt;&lt;br /&gt;Social networks are, generally speaking, beyond the genre stage. Facebook and Linkedin emerged as winners, and though there are aggregation solutions out there I personally don't see any need to mix my personal and professional business networks. In fact, Twitter has signaled a new niche (together with Yammer, its LinkedIn-like twin), taking the Facebook status line to the extreme - but the &lt;a href="http://en.wikipedia.org/wiki/Cambrian_explosion"&gt;cambrian explosion &lt;/a&gt;of networks has passed. It might be best reflected in the coverage and attention Ning - the DIY social network platform - is getting (or not getting) these days compared to 2008.&lt;br /&gt;&lt;br /&gt;Online games are in an earlier stage; although there are a few major players in every part of the ecosystem (hardware, portals, platforms, publishers etc.), the barriers are still low and any garage geek can develop the next game. Until now, major game publishers have overcome this by cloning, executing quickly and gaining more and more traction; but as the market becomes more sophisticated and gamers' expectations rise, we will see changes. 
Acquisition of smaller studios by larger ones to get hold of new IP, traditional game companies entering the space and introduction of known franchises (I vote for &lt;a href="http://www.startrekonline.com/splash?redir=frontpage"&gt;Star Trek&lt;/a&gt;!) will all come into play, signaling that the battle for control is far from over. But there's another interesting story here - and that's payments in the virtual space.&lt;br /&gt;&lt;br /&gt;New ways to pay and be paid have caught the eye of entrepreneurs and VCs alike. Investment money is&amp;nbsp;running like crazy, funding the next-next innovative, zero-click-super-social payment service. Kwedit gets $3 million for letting people pay if they feel like it, Square is making news by enabling coffee shop sales via iPhone. We have hit the spot where there are just too many payment options, and platforms try to answer the need for convergence. Now, I have the utmost respect for new inventions, but as I said at the start of this post, you also need to know how to execute on them (Square is going to discover that, with &lt;a href="http://www.paywaremobile.com/"&gt;Verifone's&lt;/a&gt; generous help). Remember the three pointers for a successful payments service? &lt;a href="http://fraudbackstage.blogspot.com/2009/12/payments-start-from-square-one.html"&gt;Easy, Enabling, Trustworthy&lt;/a&gt;. Getting those nailed doesn't take mere ideation, but good old fashioned execution on boring stuff like compliance, reconciliation and relationship management with card associations. And merchants are not early adopters like most gamers - getting them to expand to yet another payment service, in a highly fragmented market, is hard. Merchants are looking for a broad and established user base. Succeeding in this is much harder, and therefore constitutes a bigger barrier, than in other industries. 
&lt;br /&gt;&lt;br /&gt;I can give only two pieces of general advice: one, do not underestimate compliance and regulation; they will limit your market (SMBs don't usually work with non-compliant payment services), and you may be facing huge fines even before you start profiting. And two - do everything possible to establish yourself as reliable - it's a merchant's biggest nightmare to have their payment service vanish one day, or to see their customers' data accessed by fraudsters. Guard your system, adopt your best grown-up face, and think about availability, because being cool is great but will only last so long. For success, you need to understand the basics of executing on a successful payment experience, to complement the big technological and business ideas.&lt;br /&gt;&lt;br /&gt;Watching the payments industry over the coming two years is going to be extremely interesting, much more volatile than we were used to. Hopefully, some of these incredible minds will adjust to the demanding type of execution the industry requires, and will make it to the other side of the convergence.&lt;br /&gt;&lt;br /&gt;PS&lt;br /&gt;Two quick ones: due to a new role I'll be taking on in Paypal, the content and nature of my posts may shift a little. I apologize in advance to those who expected the deep dive on mobile payments threat analysis. On a similar thread, I will be at the Engage! 
expo next week - buzz me if you'd like to chat.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3530725438121456374?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3530725438121456374/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3530725438121456374' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3530725438121456374'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3530725438121456374'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/02/next-big-thing-and-what-is-it-takes-to.html' title='The Next Big Thing (and what is it takes to be that thing)'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6464466419376001607</id><published>2010-01-24T21:21:00.000-08:00</published><updated>2010-01-24T22:01:29.164-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='driving change'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='evangelism'/><category scheme='http://www.blogger.com/atom/ns#' term='risk innovation'/><title type='text'>Drawing internal buy in for improved Risk management</title><content type='html'>After my latest 
posts about risk management (&lt;a href="http://fraudbackstage.blogspot.com/2010/01/no-more-secrets-managing-risk-when.html"&gt;identity management basics &lt;/a&gt;and &lt;a href="http://fraudbackstage.blogspot.com/2010/01/too-much-information-you-may-just-have.html"&gt;getting the best out of your data&lt;/a&gt;) I was asked a great question I think about every day: it's great to have a methodology and a strategy, but how do you get other people in the organization (whether inside or outside of the risk management group) to agree and work with you?&lt;br /&gt;&lt;br /&gt;Well, trying to both shape and implement a new terminology is as hard as any other change management, and is very similar to any type of internal marketing: the right catch phrases, proper branding and the right timing and location will do wonders. None of those will work if what you're "selling" is a bad product - an inconsistent, over-complicated or over-simplified method that people cannot use will never be as easy to implement as a coherent system that makes sense and can be fairly easily comprehended - and used. &lt;br /&gt;&lt;br /&gt;Nevertheless, even given a good system this is no mean feat. What are the keys to success? In my experience, there are three:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Ownership:&lt;/strong&gt; what this means is that you take responsibility for the area you are looking to improve. Too many times I have seen a person or a team trying to change a process or a notion while assuming the consultant position; in most cases, they will fail, because the key to making a change is rolling up your sleeves and making something happen. "If you build it, &lt;em&gt;they&lt;/em&gt; will come", and "They" here are the aggressive achievers in your organization, the ones that recognize something that works and are not afraid to try and learn it. 
Stop saying "I told you so" and start doing!&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Transparency: &lt;/strong&gt;no siloed organization makes a change outside of its own boundaries. Only inclusion of other teams, clear communication and eternal repetition of your messages, coupled with deliverables, can make any type of substantial difference. Don't take the traditional risk management approach - don't scare people with the horrors that might happen if they invest in a project; instead, say: "this is what might happen, this is why, and this is how I intend to solve it. Want to help?". &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Gradual Enablement:&lt;/strong&gt; think of new ways to say "yes". If your system is truly innovative it will allow you to take risks others can't because you can understand and manage them better. Still - don't rush into it, because small successes are key to maintaining momentum; use pilots and rapid prototyping to prove that something can be done, and expand responsibly. This way you can prove you can stop more fraud while not hurting users - and get the charter to expand.&lt;/li&gt;&lt;/ol&gt;Is this the magic bullet? No, but these keys will put you on the road to success, because they earn you the trust of partners while delivering the results you need to fuel your system. 
And, if we all adopt this point of view, risk will start being a driver of innovation of payment companies - definitely a time I would love to see coming.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6464466419376001607?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6464466419376001607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6464466419376001607' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6464466419376001607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6464466419376001607'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/01/drawing-internal-buy-in-for-improved.html' title='Drawing internal buy in for improved Risk management'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3662115077759185063</id><published>2010-01-19T06:40:00.000-08:00</published><updated>2010-01-19T06:40:00.380-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy theatre'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk 
management'/><title type='text'>No more secrets: managing risk when access control breaks</title><content type='html'>This post is a first in a series I will be exchanging with &lt;a href="http://www.linkedin.com/in/allisonmiller"&gt;Allison Miller&lt;/a&gt;,&amp;nbsp;one of my esteemed colleagues in Paypal's Risk organization, in her&amp;nbsp;&lt;a href="http://www.allymiller.info/blog/"&gt;reinstated blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;“Man may be defined as the animal that can say "I," that can be aware of himself as a separate entity”. (Erich Fromm)&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_IPoYRlD18cw/S06VMkSeaYI/AAAAAAAAAC4/DzX9-n6X3ps/s1600-h/masks.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" ps="true" src="http://1.bp.blogspot.com/_IPoYRlD18cw/S06VMkSeaYI/AAAAAAAAAC4/DzX9-n6X3ps/s400/masks.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;“Identity” is a widely debated term, in various areas; Philosophy, psychology and social sciences discuss various aspects of the individual’s and a society’s identity and its representation in media, art and academic thought – from the Buddhist extremity of no-self to the capitalist self-definition based on what you buy, the variety of ancient and modern thought around definitions and applications of identity is vast. 
Loyal to the spirit of individualism in the Western world, the development of the &lt;a href="http://en.wikipedia.org/wiki/New_Age"&gt;New Age&lt;/a&gt; movement over the last decade led to the calling to each of us to find our own “true identity” through introspection; supported by modern psychology, the journey of identity constantly drives for defining, consolidating and presenting our personalities through titles that illuminate various aspects of our day to day behavior as part of a healthy, consistent and coherent identity that is who we are.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The Web is no different. With the rising popularity of social networks, real time communications, blogging and free emails, our daily communication and personal information can now be found on the web. The path to definition, presentation and consolidation of identities was short: Google lets you create your own &lt;a href="http://www.google.com/profiles"&gt;Google profile &lt;/a&gt;and &lt;a href="http://www.reputationdefender.com/"&gt;ReputationDefender&lt;/a&gt; helps you defend it; social network aggregators like &lt;a href="http://www.8hands.com/"&gt;8hands &lt;/a&gt;help you consolidate all your social activities and &lt;a href="http://openid.net/"&gt;openID &lt;/a&gt;helps you consolidate your authentication; and a plethora of “web 2.0” marketing firms will help you brand yourself in a way suitable for GenY, GenZ or whatever Gen is running around out there at the time. Not only that – as advanced technology and identity representation on the web have evolved, online services push us to become more “public” – share more information with “Everyone”, tweet our thoughts to a massive crowd of followers and broadcast our preferences, beliefs and orientation whenever we see fit. 
Obviously this drive has an apparent financial value: the more information we share, the easier it is to segment who we are, what we want, our behavior in purchasing and other activities – most of them if not all of them conducted online. Knowing one’s identity, enough to put them in a specific category, grew to become highly valuable not only in marketing but also in risk management and other areas using business intelligence to make informed decisions; the more relevant data you have, the more you are able to predict the behaviors you want to encourage or discourage, depending on your line of business and preferences.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Identities, applied&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;The practice of Identity management&amp;nbsp;is a vital part of Risk management: not only does it provide the essential trust in payment systems, when the users (both buyer and seller) are properly “known”, vetted and engaged, but it is also key for being able to expand your business without losing your assets to fraud or default. Identity management, as Allison will probably discuss in her post, is what happens in Risk management beyond and after&amp;nbsp;access control. It is not enough to determine infosec best practices for password strength; we need to be able to deal with bad, invented, stolen or just compromised identities and accounts. Developing the ability to manage identities requires working through three big challenges: authentication (proving that a user is really who he claims to be), fuzzy identities (the challenge of probabilistic consolidation of identity pieces) and the initial encounter (when you don’t know anything about the user). The last two deserve a post of their own; today I’ll focus on the first. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_IPoYRlD18cw/S06WSxhcgzI/AAAAAAAAADA/3FjegLL1OmU/s1600-h/underworld1.jpg" imageanchor="1" style="clear: right; cssfloat: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" ps="true" src="http://4.bp.blogspot.com/_IPoYRlD18cw/S06WSxhcgzI/AAAAAAAAADA/3FjegLL1OmU/s320/underworld1.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;And so, people provide information out of good will, even connecting the dots of their online identities for you using aggregation services or unified credentials like openID. You get all the information you need, and even get educated users who really want to invite their friends to your service and provide you with more information about who they and their friends are. Perfect! Or is it? Reading Dr. Rohit Khosla’s great article about the “&lt;a href="http://www.techcrunch.com/2009/12/27/privacy-theater/"&gt;privacy theatre&lt;/a&gt;” makes it pretty obvious that it is not. The “privacy theatre”, the way I read it, is describing the fact that social networks and services are providing privacy controls for users, creating the false notion that user information is protected per their own privacy definitions - where in reality, not only does the network itself seek to reopen its APIs and expose more and more user information, but it is also careless in simply not protecting that information from hacking. The bottom line is mass compromise of credentials - &lt;a href="http://digital.venturebeat.com/2009/12/15/rockyou-hacked-32-million-account-passwords/"&gt;RockYou’s &lt;/a&gt;example is just one of them; the &lt;a href="http://fraudbackstage.blogspot.com/2009/08/heartland-my-love.html"&gt;Heartland breach indictment&lt;/a&gt; earlier this year is another; through 2009 the &lt;a href="http://www.idtheftcenter.org/"&gt;ITRC&lt;/a&gt; reported 492 cases of data breaches, from hospitals to government offices. 
But it is more than just breaches that chip away at the value of credentials: user information theft and compromise is now a lot easier. The abundance of information broadcast out there, the use of emails as usernames (Paypal is also a part of this misdoing) and users’ tendency to share credentials with pretty much anyone (resulting from our education effort) serve those ill-willed as much as they served the needs of legitimate social networks. It’s clear that credentials cannot serve as your “identity” anymore, to the extent that they may be useless in most cases.&lt;br /&gt;&lt;br /&gt;Hence, the question of authentication doesn’t revolve around the &lt;em&gt;amount &lt;/em&gt;of data you have; rather, it revolves around the question – can you use the data to authenticate that the user currently accessing your site is who he claims to be? If credentials are broadly compromised, and personal information that is usually used for KBA (knowledge based authentication) can be screen scraped from your profile page, authentication becomes a much harder task. In some real world brick and mortar cases, this question is pretty straightforward – it’s considered very unlikely for a fraudster to have the same face as their fraud victim (given that the data source itself, i.e. the ID, is not forged). On the web we are dealing with electronic entities claiming ownership over actual financial instruments - a whole new ball park. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;When there are almost no secrets left&lt;/strong&gt;&lt;br /&gt;How do you deal with such a grim scenario? How do you differentiate between compromised and non-compromised credentials when the user provides them to you? You just don’t. You treat all credentials as compromised and carry on. 
Risk management is different in essence from other types of business practices because you are dealing with a team that is set to undermine your every move (assuming that there is an “international organization of fraudsters” is always good practice) – we know that because every time the industry demands a new “secret” from legitimate users, fraudsters start phishing for it: be it CVV2, Mother Maiden Name, SSN or others. Why would ANY old or new secret we give the user be any different? Credentials and most KBA cannot reliably serve as “something that the user knows” for N-factor authentication (also see &lt;a href="http://www.schneier.com/blog/archives/2005/03/the_failure_of.html"&gt;Bruce Schneier’s 2005 article&lt;/a&gt;). So what DO we do? We do four things: &lt;br /&gt;&lt;br /&gt;a. Riskiness estimations based on ownership factors (something the user &lt;em&gt;has&lt;/em&gt;): developing the ability to evaluate the riskiness of logins and sessions based on our knowledge of the user’s machine or behavior, rather than issuing a token (security key or protected device) or cross referencing with cross merchant bad lists. Identity should not be what is asserted, but what is detected. This will also allow a different, data-driven definition of fraudsters – one that can actually be tracked through your system.&lt;br /&gt;&lt;br /&gt;b. Consistency estimations based on inherence factors (something the user &lt;em&gt;is&lt;/em&gt;): developing the ability to evaluate the riskiness of actions and behaviors based on our knowledge of the user’s previous actions and preferences. This is when behavioral analytics shift gear – and when properly applied, allow modeling of user behaviors and comparison between users that is then used to detect deviations.&lt;br /&gt;&lt;br /&gt;c. Specially designed authentication challenges. Wait – didn’t I just say that there are no more secrets? 
Well, some secrets are better kept than others – specifically, those that fraudsters really have a hard time getting or cannot anticipate the system will ask for. Selecting the right bit of information (or the right secret) to properly divide the population between fraudsters and legitimate users (one that only legitimate users can provide) is a huge part of the analytic work. Choosing the one that works in context and won’t drop the completion rate is even more challenging.&lt;br /&gt;&lt;br /&gt;d. Actively engaging users in maintaining and monitoring their own identities in your system raises awareness but also crowdsources some of your risk management exactly when it is needed – and might even counteract some of the worse education users are getting online.&lt;br /&gt;&lt;br /&gt;Being able to properly use ownership and inherence while challenging the right secrets is the best practice when all credentials are compromised – NOT issuing more and more secrets. Choosing the right secrets and evaluating properly are the core competencies of domain experts in our field, and cannot be replaced by discussing the importance of CVV2 and complying with PCI (though, while regulation demands it, those are also important). 
In a world without secrets (well, almost without secrets), we cannot allow ourselves to stay behind the curve by sticking to old school authentication practices.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3662115077759185063?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3662115077759185063/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3662115077759185063' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3662115077759185063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3662115077759185063'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/01/no-more-secrets-managing-risk-when.html' title='No more secrets: managing risk when access control breaks'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_IPoYRlD18cw/S06VMkSeaYI/AAAAAAAAAC4/DzX9-n6X3ps/s72-c/masks.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-7994591341004032485</id><published>2010-01-13T09:32:00.000-08:00</published><updated>2010-01-16T20:40:20.086-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='resumes'/><category scheme='http://www.blogger.com/atom/ns#' 
term='new ventures'/><category scheme='http://www.blogger.com/atom/ns#' term='job description paypal'/><category scheme='http://www.blogger.com/atom/ns#' term='call for resumes'/><title type='text'>A call for resumes (in the bay area)</title><content type='html'>Over the past months I’ve been telling you about my take on risk management, automated decisions, digital goods and various other areas. I am now starting to look for candidates for my team to deal with these exact areas within Paypal – so if you’re one or think you know one, please let me know. This is &lt;u&gt;not a formal job description&lt;/u&gt;, just a call for resumes so that I know you’re out there once I can hire you.&lt;br /&gt;&lt;br /&gt;What I’m looking for is results driven, quick thinking do-it-alls who want to be involved with new products, markets and risk challenges within Paypal. You should have the passion for consuming a lot of data and information, be able to learn quickly and identify and define trends in concise terms. You should be analytical but not a data cruncher without any understanding of the big picture – we are playing at all fronts. Know or be able to learn how to drive processes through other people and organizations; working in ambiguous situations and coping with change is a must, as well as an ever changing operating rhythm. This is &lt;strong&gt;not&lt;/strong&gt; your classic 9 to 5 and I’m &lt;strong&gt;not&lt;/strong&gt; your classic 9 to 5 manager. &lt;br /&gt;&lt;br /&gt;Experience is not a must (=graduates are also encouraged to apply), definitely not previous experience in risk management. However, please be an avid internet user, preferably a gamer in your past or present. Some security experience or tech savvy is a big plus – don’t get intimidated by developers, architects and tech talk. 
Impress me by having interesting hobbies out of work that you maintain although you are an aggressive achiever, and by having vast general knowledge (as in: you shout answers at “who wants to be a millionaire” while watching it on TV). &lt;br /&gt;&lt;br /&gt;&lt;a href="http://fraudbackstage.blogspot.com/"&gt;Read the blog&lt;/a&gt;. Process. Understand. Talk to me.&lt;br /&gt;&lt;br /&gt;Email me at &lt;a href="mailto:osamet67@gmail.com"&gt;osamet67@gmail.com&lt;/a&gt; for more details and a nice chat :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-7994591341004032485?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/7994591341004032485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=7994591341004032485' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7994591341004032485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7994591341004032485'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/01/call-for-resumes-in-bay-area.html' title='A call for resumes (in the bay area)'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-4065298986818674310</id><published>2010-01-07T21:49:00.000-08:00</published><updated>2010-01-07T21:54:08.033-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='indicators'/><category scheme='http://www.blogger.com/atom/ns#' term='risk tools'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='data sources'/><title type='text'>Too much information: you may just have all the data you need</title><content type='html'>&lt;em&gt;"This was not a failure to collect intelligence, it was a failure to integrate and understand the intelligence that we already had." NYTimes quoting President Obama after his meeting with national security advisers about a terror plot to bring down a commercial jetliner on Christmas Day. (Jan 6th 2010)&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Going to the movies with friends from the intelligence community is never a cheerful experience. Spending two hours in a conspiracy movie with people who sometimes while seeing a (seemingly) absurdly powerful data collection device say “ah, I know this system”, will make you a firm believer in conspiracy theories or at least a more paranoid individual. But even the most tech savvy and well informed of those people talk like Pres. Obama in that quote above – it’s not lack of data, it’s our inability to process it that limits us. Maybe project ECHELON really stores all of our communication – but what super computer and what sophisticated algorithms can process and identify all of the world’s pictures, plethora of dialects in written natural languages and voice calls? You know what? If you know the answer, I’m not sure I want to know. 
&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_IPoYRlD18cw/S0bITlL-FdI/AAAAAAAAACw/kLEd8A0hV4M/s1600-h/toomuch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" ps="true" src="http://1.bp.blogspot.com/_IPoYRlD18cw/S0bITlL-FdI/AAAAAAAAACw/kLEd8A0hV4M/s320/toomuch.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Estimations of intelligence units’ capabilities aside, your average merchant or payment service is much more limited (and, to be fair, faced with a less complicated, or should I say critical, problem). Between your transactions, industry black lists, account history, mailing lists with bad actor data and various tools offered in the open market, there’s a good chance of losing the ability to reconcile without a dedicated, expert team of analysts and developers that understand automation. But being able to automate isn’t the only challenge with data. Trying to know “everything”, you’re bound to trip over some problems.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Common pitfalls in data source acquisition&lt;/strong&gt;&lt;br /&gt;First, you have to get the data. Many raw data sources out there on the web are pretty hard to acquire; some are not priced correctly for scale, some require data sharing as a prerequisite (growing their database, but giving away your customers’ data), and some just won’t pass legal because they were obtained in shady ways. Many times, because of the above, it becomes extremely difficult to justify the purchase of a new data source. It takes very complex analysis to show how a data source can move your revenue dial and that its ROI is worth the risk. 
All in all, data source bizdev is a potential nightmare unless you are airtight on what you need, when you need it and what it’s worth to you.&lt;br /&gt;&lt;br /&gt;After you get the data, you need to store it somewhere, and storage space and security are yet another challenge. There’s a limit to the volume of data you can save on your servers, and scaling such a system is no simple or cheap business. “So what”, you say, “I’ll put it all in &lt;em&gt;the cloud&lt;/em&gt;” (very hip these days to put stuff in the cloud). Wait – isn’t that exactly the type of reckless use of Personally Identifiable Information (PII) that gets you data breaches? To deal with sensitive data in the payments space we have compliance and information security standards. Are you going to be PCI compliant, for example? A good question that must be answered. Right now the answer is no: clouds are public, shared systems that are hard to secure properly against fraudsters and hackers; if you want your cloud-based system to be compliant, you need to give up your PII by receiving payments through a cloud-based payments system – which basically means &lt;em&gt;losing &lt;/em&gt;data (having someone else collect your customers’ payment info), not gaining it. Once the field settles, in a couple of years, cloud computing for vast payment data volumes will start to be a possible route.&lt;br /&gt;&lt;br /&gt;Finally, once you’ve acquired and stored or can access your data, you have to use it. The challenges here range from database architecture to modeling methodology; if you don’t build the correct architecture and have a proper DS and modeling methodology, new data integration will be a nightmare. Almost no single data source has 100% coverage across all countries, has homogeneous data quality, is 100% available (given that you don’t store it on your system) and adheres to a tight SLA, all at the same time. 
So on top of what we noted you also need to have models that can cope with partial, sometimes corrupt data and still make the right decision – far from easy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;So what do I do?&lt;/strong&gt;&lt;br /&gt;I know what you’re thinking. “I don’t need all of this”, you say, “I bought risk scores and tools from various vendors with a proven track record in risk management. I’m all set”. Let me tell you why I’m not fond of this as a general approach: giving scores as a result instead of raw data obfuscates vital components, and severely reduces your ability to understand &lt;em&gt;why &lt;/em&gt;a decision was made or &lt;em&gt;why &lt;/em&gt;a specific score was given. When you don’t know the underlying reason, your ability to effectively combine scores or simulate any changes made to them and their effect on your system and bottom line is zero. You’re left with a few business rules and a false feeling of control that may result in serious losses or simply lost business.&lt;br /&gt;&lt;br /&gt;So what should you do? If you’re a small business without a risk management function, you’re stranded. I suggest that you settle for the few scores and tools that take on at least part of the liability – professionals should be able to put their money where their mouth is (and there are quite a few professionals out there). But being in this situation is not what I’d advise for anyone looking to really grow their business – you need to keep your eye on the ball in risk and fraud. Develop the capability to understand &lt;a href="http://fraudbackstage.blogspot.com/2009/05/too-much-data-too-little-information.html"&gt;what’s happening in your system&lt;/a&gt;, what caused losses and why (easier said than done). 
If you at least have that, even by mere intuition of being in the business and seeing a lot of fraud, you can start putting a price tag on new scores you’re being offered (I, of course, support hiring and training of &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;domain experts&lt;/a&gt;). But what you’re really looking for is creating a data source acquisition methodology.&lt;br /&gt;&lt;br /&gt;You need to understand what a new data source does for you. Do not get confused by terminology and flashy names; a common confusion, for example, is between products that verify a person’s identity (i.e. make sure that the name, address etc. belong to a real person in the real world) and authenticate it (i.e. prove that the current user is indeed who they claim to be) – those are not the same. Another common mistake is signing pricy SaaS contracts (say – for phone number type) when similar capabilities can be found and acquired by a bit of Google research. Don’t be tempted by big promises – always make sure you properly simulate the performance on your own system, and fully understand the impact you’d expect to get.&lt;br /&gt;&lt;br /&gt;Making sense out of all of this requires expertise, but is definitely worth the price. This is not to say, by the way, that there are no effective tools, scores and services out there. On the contrary – there are sometimes too many, and it’s the job of the risk manager in the organization (a lot of times the owners themselves) to make sure they are using the best ones for their needs. It’s no simple task.&lt;br /&gt;&lt;br /&gt;How do you engage in data source acquisition? Do you think that there’s no such thing as too much data? 
Comment away!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-4065298986818674310?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/4065298986818674310/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=4065298986818674310' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4065298986818674310'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4065298986818674310'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2010/01/too-much-information-you-may-just-have.html' title='Too much information: you may just have all the data you need'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_IPoYRlD18cw/S0bITlL-FdI/AAAAAAAAACw/kLEd8A0hV4M/s72-c/toomuch.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-8242679664027856320</id><published>2009-12-27T21:39:00.000-08:00</published><updated>2009-12-27T21:39:24.974-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='terror'/><category scheme='http://www.blogger.com/atom/ns#' term='risk controls'/><category scheme='http://www.blogger.com/atom/ns#' term='flight security'/><category 
scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analytics'/><title type='text'>A man on a plane</title><content type='html'>Following the latest news of the attempt to blow up a Delta flight, and the reintroduction of debates about terror and security worldwide, I want to share some random thoughts this incident brought about. &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_IPoYRlD18cw/SzhEgFBno5I/AAAAAAAAACo/5VHQiSx2Jbw/s1600-h/alg_delta_plane.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" ps="true" src="http://2.bp.blogspot.com/_IPoYRlD18cw/SzhEgFBno5I/AAAAAAAAACo/5VHQiSx2Jbw/s320/alg_delta_plane.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The weakest link&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;A reliable source is one that provides you data and information you can use with little to no validation; a source you can trust as part of the group of sources you use to evaluate the riskiness of a specific situation. Be it a credit report from Experian, a Whitepages entry from Whitepages.com or a customer calling in to report, you need to know the possibility of your source being compromised and the information you receive being mistaken or, much worse, maliciously injected by fraudsters. This is the basic malfunction that drives &lt;a href="http://xkcd.com/327/"&gt;SQL injection attacks&lt;/a&gt;: if you don't sanitize DB entries, you're most probably in for a big bad surprise. The weakest link – in this case, it seems to be Nigerian aviation security controls – has failed the whole chain. It may be improper screening, low-budget security tools or just procedures not permeating through the system, but it let someone with malicious intent on board and only luck failed him. 
The fact that Netherlands security just passed the baton on and let all passengers continue shows that the hand-over between security personnel in different airports might need some additional reinforcement, because terror is constantly looking for ways to inject itself in. There should be additional focus around determining the reliability of various airports as a source of validated passengers and acting accordingly.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Lists don’t work&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;So his name was on a list. So what? Here’s what lists do: they make legitimate people’s lives harder (ever tried boarding a domestic US flight with an Arab name or with a Middle Eastern passport? Enjoy the ride…) but much worse than that, they transform risk measures into binary checks (on the list? Stop. Not on the list? Carry on), a classic case of “searching under the streetlight”. So he WAS on the list, not under “really bad” but only under “naughty”? Come on. I have preached against black lists&amp;nbsp;in the past (Hebrew only) and this is another case where, clearly, some old-fashioned flight track analysis crossed with previous alerts could have done the trick. The data was there – it’s all a matter of interpretation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Hindsight’s 20:20&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I take off my shoes in remembrance of the shoe bomber; I don’t carry liquids in remembrance of the 2006 bomb-as-a-soft-drink plot; and I get sniffed by an automated sniffer every once in a while in a random US terminal. As far as I’m concerned, I should probably stop flying soon and leave air travel to terrorists and security, in an everlasting cat and mouse game. The most important thing about attacks that materialize (even if they fail) is learning from them. If all we get is another restriction, we are missing the point here. 
Every false positive and false negative (in any automated or manual decision making process) needs to serve as feedback to the system to improve on – in its ability to make better decisions, not in the restrictions it applies on the general population. Hopefully, the conclusions will not end up only bringing another top-dollar cutting-edge new machine to sniff people at airports, but will aid in making flying safer and easier for legitimate travelers while shutting it down for terror.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-8242679664027856320?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/8242679664027856320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=8242679664027856320' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8242679664027856320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8242679664027856320'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/12/man-on-plane.html' title='A man on a plane'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_IPoYRlD18cw/SzhEgFBno5I/AAAAAAAAACo/5VHQiSx2Jbw/s72-c/alg_delta_plane.jpg' height='72' 
width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3592089898423369991</id><published>2009-12-14T19:03:00.000-08:00</published><updated>2009-12-14T19:57:08.002-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trust'/><category scheme='http://www.blogger.com/atom/ns#' term='secondary markets'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><title type='text'>42% of users have a good reason to fear</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_IPoYRlD18cw/Syb7SpV17zI/AAAAAAAAACY/bImShsgoTzE/s1600-h/ConfessTerrSpeak-Big.gif" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" rs="true" src="http://4.bp.blogspot.com/_IPoYRlD18cw/Syb7SpV17zI/AAAAAAAAACY/bImShsgoTzE/s320/ConfessTerrSpeak-Big.gif" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;Working in the risk management business, I often get these layman questions about ePayment security. They are close relatives of questions IT people are being asked about hardware purchasing; when people finally find that item they wanted to find or a bargain they can’t resist, they want to make sure they don’t get scammed. Who’s better for that than your friendly neighborhood risk management specialist? I’ve given my part to eCommerce, you should know, and if retailers felt a $3000 shift in their revenues this year – this one’s on me, guys. No need for commission this time. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Seriously, though – why are thousands and maybe hundreds of thousands of interactions related to purchasing on the web really important? 
As I mentioned in &lt;a href="http://fraudbackstage.blogspot.com/2009/12/payments-start-from-square-one.html"&gt;my previous post&lt;/a&gt; about Square’s trust issue, good payment services instill trust (among other things); and for an industry based on users exposing themselves and their financials, trust – created, in my case, by getting a recommendation from an authority – is one of the main challenges for emerging companies. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Whether you’re a game developer concerned mostly about MAU and retention, a software vendor managing distribution channels, a jewelry retailer or a virtual world – you are managing people’s trust, because eventually you want them to reach out to their pockets and actually buy something. That’s a big step, and as the &lt;a href="http://www.virtualgoodsnews.com/2009/12/playspan-issues-complete-vgmarket-digital-goods-study.html"&gt;latest research published&lt;/a&gt; this week by Playspan suggests, the gaming industry isn’t doing a good job at that – 42% of the people who would otherwise, I would assume, have bought some type of virtual goods – did not do so, because of trust issues.&lt;br /&gt;&lt;br /&gt;How do you create and manage trust? Unlike what some developers might think, you don’t just outsource that to your payments company. Why? Because building trust is beyond having an easy user interface and seamless billing. When examining the platform they are operating on or paying through, users are looking to see that their data is secured and that their account is not going to vanish overnight, locking away their unused credit; when looking at the ecosystem they are a part of, users are looking for certainty that they are safe – from account take-over, from being scammed by other users and from simply being abused. The key for that lies beyond traditional “risk management” – it lies in identity and reputation management. 
&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_IPoYRlD18cw/Syb70S3PDAI/AAAAAAAAACg/t6FbjQk00J0/s1600-h/Identity_opener.jpg" imageanchor="1" style="clear: right; cssfloat: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" rs="true" src="http://1.bp.blogspot.com/_IPoYRlD18cw/Syb70S3PDAI/AAAAAAAAACg/t6FbjQk00J0/s320/Identity_opener.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;“&lt;a href="http://bits.blogs.nytimes.com/2009/06/19/why-paypal-wants-to-know-where-everybody-lives/?pagemode=print"&gt;Good people leave footprints&lt;/a&gt;” is one of the first catchphrases I ever heard about risk management. Being able to collect and manage relevant identity data, understand how it relates to real people, then use it to build their “reputation” inside your system is an ability you must have – and the footprints good people leave (a Facebook page is an obvious example) help you do that. If you’re doing a good job at marketing you’ve probably started doing it already, unless you have already outsourced your distribution, offer wall and risk management. You cannot afford to not have identity data at the user level, because without it you know nothing about your users. Is that purchasing behavior new to this account, pointing at possible account takeover? Is this new user, trying to resell game credits, legitimate or bad? Is the new surge of users from the Middle East legitimate, or is an ad network cross-promoting links to another network’s affiliates (don’t tell me you don’t know what that means…)? Sorry, can’t tell? Let me tell you how – in a few (complicated) steps.&lt;br /&gt;&lt;br /&gt;- Segmentation: Start learning how users are split on your site. Where do they come from? How do they interact with the system? Are they paying or not? Are they engaged? 
This part is so basic that I’d be surprised if there’s even one publisher not segmenting users.&lt;br /&gt;&lt;br /&gt;- Identity building: identify people in your system. Note: people can be spread across more than one player account or you can have two or more people using one account. That’s the beauty of identity management – you start seeing all the irregular uses of your system. Are you going to let users use more than one account in your system? This is how collusive behavior starts. Are you going to let more than one user use a single account? This is how account takeover is propagated. On the other hand, limit them too much and you’ll kill your business… so watch out. &lt;br /&gt;&lt;br /&gt;- External sources: reach out wisely to web “authorities” that control user data. Use what they give you to learn about the users’ past and present, because determining their credibility before they enter your system is key for reducing your surprise when they start behaving exactly like they always do – whether they’re legitimate or fraudulent. &lt;br /&gt;&lt;br /&gt;If you follow the three simple steps above, you’re on the right track to building a network of trust in your system, one that will solve some of the users’ dilemma over whether to spend money in your game. Showing your users that you know them not only increases user engagement but also fights the anonymity that drives a good chunk of the initial motivation to scam; when their reputation is on the line, users tend to commit less obvious fraud. It may sound simple or simplistic, yet it’s not – properly building and maintaining identity profiles is tedious, hard-to-automate work. 
But it’s worth every bit of trust you can give your users, because once you’ve acquired them, trust is one of the main issues.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3592089898423369991?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3592089898423369991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3592089898423369991' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3592089898423369991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3592089898423369991'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/12/42-of-users-have-good-reason-to-fear.html' title='42% of users have a good reason to fear'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IPoYRlD18cw/Syb7SpV17zI/AAAAAAAAACY/bImShsgoTzE/s72-c/ConfessTerrSpeak-Big.gif' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-610634681256743287</id><published>2009-12-06T13:09:00.000-08:00</published><updated>2010-01-10T20:12:39.976-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='square'/><category scheme='http://www.blogger.com/atom/ns#' 
term='squareup'/><category scheme='http://www.blogger.com/atom/ns#' term='seller fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='wireless payments'/><category scheme='http://www.blogger.com/atom/ns#' term='seller risk'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile risk'/><category scheme='http://www.blogger.com/atom/ns#' term='successful payment services'/><category scheme='http://www.blogger.com/atom/ns#' term='POS'/><title type='text'>Payments start from Square one</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_IPoYRlD18cw/SxxMlbGiuEI/AAAAAAAAACM/W23tn9NMH8s/s1600-h/HalfBakedPoster-300.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" er="true" src="http://2.bp.blogspot.com/_IPoYRlD18cw/SxxMlbGiuEI/AAAAAAAAACM/W23tn9NMH8s/s320/HalfBakedPoster-300.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;In the 1998 movie “&lt;a href="http://www.imdb.com/title/tt0120693/"&gt;Half Baked&lt;/a&gt;”, the main characters sell weed to various buyers to get their friend out of jail. Not the most sophisticated movie, if I may say so, but decently funny. While they’re selling, you hear a voice-over by the main character Thurgood Jenkins (Dave Chappelle) describing the types of people you meet. One of them is the “enhancement smoker”, the one that thinks every deed is better done “on weed”. It boils down to quotes like:&amp;nbsp;&amp;nbsp; &lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Enhancement Smoker:&lt;/strong&gt; &lt;em&gt;"Did you ever see Scent of a Woman?" &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Scarface: &lt;/strong&gt;&lt;em&gt;"Yup." &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Enhancement Smoker:&lt;/strong&gt; &lt;em&gt;"You ever seen Scent of a Woman... on weed? 
That's the way to see it. It's just wacked." &lt;/em&gt;(yeah, I know)&lt;/li&gt;&lt;/ul&gt;Let me tell you something: people in the Valley are enhancement “smokers” too. Only they’re not using weed (or they might. I’m not judging). They’re hooked on the iPhone (and the “app economy”). Hey man, did you ever play console games? Ever done that… &lt;em&gt;on the iPhone&lt;/em&gt;? Ever acquire a payment from a credit card? Ever done that… &lt;em&gt;on the iPhone&lt;/em&gt;? Seriously, guys, smartphones are cool, but international market adoption is still slower than one would imagine looking at the hype around the iPhone. Not that it won’t succeed – it will, but it will definitely take more time, and personally, if I had to bet on apps vs. mobile web, I would bet on the latter (late addition: see &lt;a href="http://giffconstable.com/2009/12/apple-clueless/"&gt;Giff Constable's post&lt;/a&gt; about the app store, especially the first few paragraphs). See my (future) mobile #3 post on technology and risk for more thoughts.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_IPoYRlD18cw/SxwbEFN29-I/AAAAAAAAAB8/WWNK8L4Uqn8/s1600-h/square-signature-screen.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" er="true" src="http://1.bp.blogspot.com/_IPoYRlD18cw/SxwbEFN29-I/AAAAAAAAAB8/WWNK8L4Uqn8/s320/square-signature-screen.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;What Square is, and what it isn’t&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Don’t get me wrong: the new &lt;a href="http://squareup.com/"&gt;Square&lt;/a&gt; gadget on the iPhone is cool. How cool? Way cool, not only because it’s a smart idea but also because they managed to pull it off in such a short time. Kudos. 
It’s going to allow people who always planned to charge cards to start doing so – seemingly very comfortably and quickly; in developed countries, where credit card and smart phone penetration is high, Square has the potential to become a smashing hit. But among all the crazy positive coverage and superlatives it is getting, I’d like to keep a few things in proportion. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;The whole iPhone issue is first. I find it hard to be too enthusiastic about something that gets traction by being bound to a specific hardware platform, with all due respect to the number of the founder’s friends who own it. As &lt;a href="http://gigaom.com/2009/12/01/jack-dorsey-on-square-why-it-is-disruptive/"&gt;Om Malik&lt;/a&gt; rightly points out, and I’ve noted in &lt;a href="http://fraudbackstage.blogspot.com/2009/11/mobile-payments-part-2-tale-of-princes.html"&gt;a previous post about mobile&lt;/a&gt;, porting isn’t an easy task. So breaking out of the look-I’m-cool-with-the-iPhone pattern and becoming widely compatible is one thing Square is going to need to respond to quickly – a doable task, that I think they are now looking into. But there’s more.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Why do payment services disrupt and succeed? Three reasons, in my humble opinion. &lt;strong&gt;One: &lt;/strong&gt;they have a compellingly easier mechanism for doing something that was previously hard. Big check on that for Square (just solve that porting issue). &lt;strong&gt;Two: &lt;/strong&gt;they create payment volume that wouldn’t have happened otherwise. &lt;strong&gt;Three: &lt;/strong&gt;they instill trust between buyer and seller. 
New payment volume has a big question mark on it, and trust seems to be severely lacking, at least as of now; let’s look at both and understand the two main issues Square needs to address to be really successful.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;strong&gt;The question of new volume and value&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Judging by its own press coverage and tweets, Square is looking at the small business and occasional seller population. Here, you can create new volume in two ways: either convince occasional sellers (someone having a yard sale, for example) who use cash to move to cards, or let new sellers who wouldn’t get a standard merchant account acquire credit cards through your service. &lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.wirelesspos.org/themes/default/img/credit-card-machine.jpg" imageanchor="1" style="clear: right; cssfloat: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" er="true" height="286" src="http://www.wirelesspos.org/themes/default/img/credit-card-machine.jpg" width="320" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;Are they already acquiring payments from cards?&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;For the group that already has a merchant account and the acquiring relationship, Square is in competition with other POS terminal providers. A nice attempt that might actually work because iPhones are cheaper, but not new volume per se. Now, the “no fees no contracts” notion hints that Square doesn’t provide a merchant account or aggregation services, but I don’t know what "attaching your Square device to a bank account" means. If they don’t, plainly put, their business is limited. If they do, then great, we’re actually looking at a chance to create new volume. 
&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;There is, naturally, a &lt;strong&gt;big &lt;/strong&gt;inherent risk here for Square when they accept new merchants – letting someone use your system to acquire credit cards while you are held liable (because the acquiring relationship is in your name) is much more difficult and risky than you can imagine. In fact, it is easier to steal when you're a seller than when you're a buyer, by just defaulting on your obligation – not sending products or not delivering services. I guess this is why their current on-boarding process takes a few days. &lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;Will the ones with no merchant account start using Square?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;So there are two groups to look at. The first includes sellers that want to add cards to their payment options, need a merchant account to sell but aren’t able to get one, and aren’t using an existing online service (like PayPal or others). Is this group big enough, and does it represent enough transaction volume? It might be. The second group is comprised of real occasional sellers. Are they ready to move to cards? Do they have an incentive to do so? Forget the IRS issues; aren’t you actually complicating their lives? And, is there enough business there? Hopefully for Square, there is, in both groups – and they can get them on board. Their value proposition for the first group is obvious (again, given that they provide the acquiring channel); for the second, it is much more vague. If there isn’t enough business there, what’s coming from them is merely a new, low-cost terminal – one that I wouldn’t title “disruptive”, because it won’t create any previously non-existing payment volume, just have a substitution effect on payments that could have happened on an (arguably) more expensive platform. 
&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_IPoYRlD18cw/SxwdD3WFL5I/AAAAAAAAACE/ayXjy7oNWVE/s1600-h/AB00534.jpg" imageanchor="1" style="clear: right; cssfloat: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" er="true" src="http://3.bp.blogspot.com/_IPoYRlD18cw/SxwdD3WFL5I/AAAAAAAAACE/ayXjy7oNWVE/s320/AB00534.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;What’s the issue with trust?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;One of the main benefits of both offline and online marketplace settings is that both sellers and buyers feel they can trust each other, because of the mediating presence of an organizing body. The same, in a sense, happens in a brick-and-mortar setting – the existence of a store implies that the owner has invested and is here to stay. This also relates to the risk of getting new merchants on board – part of the trust issue is that buyers need to believe that sellers will deliver: send the product, sell them tomatoes they won’t get food poisoning from, etc. Using a portable card reader on a mobile phone does neither – it actually creates a setting that inherently feels unsafe, both for the seller and for the buyer. As a few people noted, even having to actually pass the terminal (=iPhone) between buyer and seller feels unsafe. &lt;br /&gt;&lt;br /&gt;&lt;div&gt;The above holds even before mentioning common risks: the ability to skim cards using a hacked iPhone and the unsecured cellular medium which allows your details to be captured rather easily. And don’t even get me started about the ability to associate a picture with your credit card number. What kind of risk management is done on that option? 
I hope it’s sufficient, or else anyone can pretend to be any card owner, breaking the basic ability to verify face-to-card in card present settings (sure, sellers can still ask for an ID, but the whole idea is that they won’t). So basically, the way I see it, right now Square doesn’t give you that warm fuzzy feeling of trust you get when you buy at an established seller, the feeling that’s imperative for getting more transactions happening (again, more on wireless/mobile technology and risk in my next post on mobile payments). This might be a matter of market education, but I don’t see anyone who’s not a really early adopter using Square right now and feeling comfortable about it.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;Bottom line – there’s a potential here, go get it!&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Bottom line, I think it’s a great attempt, and if successful, will introduce a whole new level of cool to payment processing (we welcome all the cool we can get. We have none). I’ll definitely try this on my Blackberry whenever possible. But a disruptive new payment method? The PayPal of the physical world? Not just yet. There are trust and technology issues to be solved, and new real value to be created, and a few key issues to be ironed out and communicated about (all, as I have discussed above, potentially solvable and doable). People’s money is not to be taken lightly. Once these are dealt with, we should see a real new market thanks to Square (and obviously, the option to disrupt the POS and wireless POS market is always there). 
Until then, it will remain on a very limited playing ground.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-610634681256743287?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/610634681256743287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=610634681256743287' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/610634681256743287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/610634681256743287'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/12/payments-start-from-square-one.html' title='Payments start from Square one'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_IPoYRlD18cw/SxxMlbGiuEI/AAAAAAAAACM/W23tn9NMH8s/s72-c/HalfBakedPoster-300.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3741521909515206362</id><published>2009-12-04T09:47:00.000-08:00</published><updated>2009-12-07T15:25:56.450-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='offerpal'/><category scheme='http://www.blogger.com/atom/ns#' term='esp games'/><category scheme='http://www.blogger.com/atom/ns#' 
term='virtual currency'/><category scheme='http://www.blogger.com/atom/ns#' term='offer walls'/><category scheme='http://www.blogger.com/atom/ns#' term='researches'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>In defense of offers</title><content type='html'>Question: Who’s the bad guy in the house? (All together) OFFER WALLS! (Once again) OFFER WALLS! (Didn’t hear ya) OFFER WALLS!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.hennessy.id.au/quentingeorge/archives/satan.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" er="true" height="240" src="http://www.hennessy.id.au/quentingeorge/archives/satan.jpg" width="320" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;Ok, ok, enough with the chanting. Bashing offers is so popular these days it’s almost a new sport. Can’t blame most of the commentators, it’s tempting, and the whole “&lt;a href="http://fraudbackstage.blogspot.com/2009/11/offer-walls-and-marketplaces-real.html"&gt;scamville&lt;/a&gt;” charade just made it even more fun. And why not? Offers can be easily portrayed as devil’s spawn, the portal to mischievous premium billing without your consent, money laundering, call it what you may. It’s so easy to terrify non-technical people that you’re almost inclined to join; and if one can benefit a bit from it (no paid service to rid your computer of scam offers yet? Don’t worry, it’s just around the corner), then why not. So looks like we’re covered. Or are we?&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;I’d like to argue in defense of offers. Not the ones that add unauthorized charges and not the ones that don’t bring any value either. What I’m talking about is the actual mechanism of offers in casual games and MMOs. The best thing about offers, in my opinion, is the creation of a new type of an incentive. 
Right, it’s not that sophisticated or innovative in essence – just a new type of “thing” users want. But the economics are different: first, the ability to create new items at nearly zero cost keeps demand high; second, game dynamics and the concept of leveling up cause users to be less sensitive to inflation (since I leveled up, it only makes sense that my +1 sword is worth less – now I can pursue the +5 sword!); and third, dual currency systems allow control over the flow of new assets into the system (you can’t necessarily buy your way into everything, unless the developer lets you). Above all, and I am repeating myself here, virtual goods have no inherent moral value: they are not bad by themselves. Only uses of them are.&lt;br /&gt;&lt;br /&gt;Why is this distinction important? It’s important because it helps us remember that offers can be used to create goodness (or, in a less idealistic phrasing, value). The demand for offer-based rewards can be steered towards participation in ESP games (tapping into the wisdom of the masses), research for the greater good, even towards raising participation in organ donor organizations (by raising awareness, not by tricking people into signing). Too much? Maybe. I think that the whole idea of mini-tasks is amazing, and veers far from tricking users into paying additional money. In the meantime, we’ll settle for your standard capitalist value creation: &lt;a href="http://venturebeat.com/2009/12/02/offerpal-media-launches-new-reward-system-for-gamers/"&gt;Offerpal’s latest teaming up&lt;/a&gt; with retailers is a good sign of mainstream retailers adopting the new type of rewards. 
In defense of offers, this is one more step toward making this mechanism a highly legitimate and efficient one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3741521909515206362?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3741521909515206362/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3741521909515206362' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3741521909515206362'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3741521909515206362'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/12/in-defense-of-offers.html' title='In defense of offers'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2737722895159358645</id><published>2009-11-30T13:26:00.000-08:00</published><updated>2010-01-10T20:13:06.827-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='zong'/><category scheme='http://www.blogger.com/atom/ns#' term='fees'/><category scheme='http://www.blogger.com/atom/ns#' term='regulation'/><category scheme='http://www.blogger.com/atom/ns#' term='paypal'/><category scheme='http://www.blogger.com/atom/ns#' term='obopay'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile 
operators'/><category scheme='http://www.blogger.com/atom/ns#' term='boku'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile payments'/><title type='text'>Mobile payments part 2 - a tale of princes, laws and treasures</title><content type='html'>&lt;em&gt;In the &lt;a href="http://fraudbackstage.blogspot.com/2009/11/why-you-should-love-and-fear-mobile.html"&gt;previous post&lt;/a&gt; we've looked at mobile payments in a glance, why there's a huge chance today and what are the biggest challenges. In this post I will start diving deeper into them, and suggest a few ideas.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.gomonews.com/wp-content/uploads/2009/08/mobile-operators.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://www.gomonews.com/wp-content/uploads/2009/08/mobile-operators.jpg" yr="true" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;There's a group of very talented guys I know, who used to work at this IT Company in Israel that was a part of the mobile industry. They basically made some peripherals, a few applications and other mobile related products. One of these products was a relay to transfer contacts from one cell phone to another, in case the owner wanted to upgrade or downgrade (yes, there are people who do not have smart phones and Outlook sync). When, at some point, they started their own company to manufacture and sell a similar relay, they found a very interesting (well, in a sense) thing: a huge chunk of their dev and QA time was not spent on improving the product; instead, it was spent on porting - making sure that the software matched all cell phones out there.&lt;br /&gt;&lt;br /&gt;This is the time when industry experts read and think: "what else is new?" 
(And also: “we don’t have this problem now with the iPhone!” Yes, you do. But that’s for the next post).&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;This is not at all new; what I’m trying to relay is that the world of mobile is a heterogeneous, fragmented, diversified world. And even if one day 3-4 smart phones rule the world (not anytime soon), the market will still be fragmented between operators. Currently, for any mobile service provider, the operators are one of the main concerns. They are the landlords and princes of the mobile world, they set the rules and regulations and they charge killer fees. How do payment companies circumvent that? How should they?&lt;br /&gt;&lt;br /&gt;If you want to bill users through their mobile device, with the existing implementations, you have no way around operators. All major companies that I know of have operator relations, and they expand either by signing directly with operators in new countries or with local partners that already have signed agreements. Mobile payments companies pride themselves on their reach - numbers of countries, and percentage of coverage in each country. Right now, it seems that Boku is gaining more momentum with new carrier relations; it’s a good question, however, where this battle will be won. The EU has low credit card and high mobile phone penetration, making it ideal for mobile payments; it is also starting to have better and better technical implementations for payment services. On the other hand, it is a highly regulated continent with harsh rules and regulations that make the mobile service provider’s life quite difficult. Asia is a great opportunity, with a crowd very accustomed to buying virtual goods and using mobile phones; however, it is dominantly a prepaid segment, where user identity control is very difficult, and again – very challenging regulation. 
Finally, the US is a market where mobile service companies cannot decide for themselves whether they’ll focus on creating an iPhone app or settle for using the rather underdeveloped SMS billing capabilities the networks can currently offer. But to even get in the game, you need to be able to have signed agreements with the operators, the landlords: a challenge in itself. &lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://kcinvestmentproperty.files.wordpress.com/2008/03/landlord.jpg" imageanchor="1" style="clear: right; cssfloat: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="226" src="http://kcinvestmentproperty.files.wordpress.com/2008/03/landlord.jpg" width="320" yr="true" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Let’s look at regulation for a minute. Zong, a company with years of experience in mobile integrations, rightfully prides itself on a highly skilled regulatory team that “complies with all operator regulations”. Why is that? Reading the &lt;a href="http://mmaglobal.com/policies/"&gt;MMA's policies&lt;/a&gt; reveals an intricate, sometimes vague definition of what's right and what's wrong in mobile offerings (and yes, &lt;a href="http://fraudbackstage.blogspot.com/2009/11/offer-walls-and-marketplaces-real.html"&gt;offer walls have gone under this radar for very long&lt;/a&gt;). Same goes for Phone Pay Plus's regulations in the EU; providing apparent, easy and frequent opt-out options, demanding explicit user consent for every new offer and additional rules and regulations makes sense - they force all offers with no real value off the system - but also create a huge challenge for legitimate services to keep user stickiness and not get shut down. Regulation doesn’t stop there: in India, for example, one of the most common claims I heard is that the ever-changing regulatory definitions are the main barrier keeping the mobile banking industry from exploding. 
While you play on the landlord’s ground, though, you have to abide by their rules.&lt;br /&gt;&lt;br /&gt;Lastly, the fees (the real treasure). Operators eat up to 50% off mobile payments, and there's NO beating this either - until good enough alternatives start emerging in various markets, operators will have no incentive to lower their share of the cake. True, mobile payments probably have better conversion, but seeing your margin cut so brutally by fees will drive publishers and merchants off the payment platforms unless they have very lucrative offers, or manage to renegotiate fees.&lt;br /&gt;&lt;br /&gt;So – if you’re a mobile payments company, how do you solve this predicament? Basically – you don’t. You work around it. How? &lt;br /&gt;&lt;br /&gt;First – you stop referring to mobile payments as a product, and start treating it as a feature. Instead of selling the ability to bill the user’s mobile phone bill (basically turning the mobile payments companies into resellers of the operator’s services), sell the ability to pay using a mobile phone, regardless of where the actual money is. This way, mobile payments are a user acquisition channel rather than a complex product – and you get to keep the best parts of it. &lt;br /&gt;&lt;br /&gt;Second, make your service lucrative by offering merchants a customer base that’s used to using their mobile phone for everything. As I’ve noted in the previous post, the customers in the digital goods/social gaming segments are perfect for getting traction for alternative, fast payment methods. In addition, because of the effective offers system, user acquisition dynamics might even be a bit easier than average. This is also where high conversion beats high fees, at least long enough to reach a critical mass of game publishers – the ones with high margins and a desperate need for high ARPU. 
But this paragraph is old news for mobile payments companies – they all power social games and virtual worlds.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://image.dieselpowermag.com/f/9916416+w750+st0/0802dp_01_z+detroit_diesel_dd15_diesel_engine+detroit_dd15_engine.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://image.dieselpowermag.com/f/9916416+w750+st0/0802dp_01_z+detroit_diesel_dd15_diesel_engine+detroit_dd15_engine.jpg" width="320" yr="true" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;The third part is the most complicated one. If, after the first two conditions, mobile payment companies connect digital goods publishers with a tech savvy customer base, the question left is how you power the system – how do you make payments happen? Powering via operators is old news. We’ve looked at it – it doesn’t work well. Left at that, companies can basically choose between two business models; in the first, their forte is user acquisition and experience – and their payment can be powered by a 3rd party. PayPal’s X platform, for example, is basically tailor made for this type of business model – and with a lower take rate than operators (like it? I like it. I call this the “wake up and smell the front office” option). In the second, though, companies need to become a real payment service – an enabler of tricky payments through technology and risk management. In the next and final post we’ll look at some technological and risk management issues that underlie this kind of decision (or, in other words, why it’s plain hard).&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Again, I would like to thank &lt;a href="http://il.linkedin.com/in/yuvalsamet"&gt;Yuval Samet&lt;/a&gt; for aiding with this post.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;P.S. 
Why aren't you mentioning Paypal?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Well, can't ignore the 500 pound gorilla (and my esteemed employer). It’s obvious that if and when PayPal decides to take on mobile, all it will need is a pleasing mobile user experience – everything else is already there. That’s why it’s pretty interesting to actually look at what the new players need to overcome.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2737722895159358645?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2737722895159358645/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2737722895159358645' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2737722895159358645'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2737722895159358645'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/11/mobile-payments-part-2-tale-of-princes.html' title='Mobile payments part 2 - a tale of princes, laws and treasures'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-837815603504447405</id><published>2009-11-21T06:28:00.000-08:00</published><updated>2009-11-21T13:51:27.946-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='zong'/><category scheme='http://www.blogger.com/atom/ns#' term='zong+'/><category scheme='http://www.blogger.com/atom/ns#' term='obopay'/><category scheme='http://www.blogger.com/atom/ns#' term='paypal mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='boku'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile payments'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual goods'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile banking'/><title type='text'>Why you should love (and fear) mobile payments [part 1]</title><content type='html'>&lt;em&gt;A month and a half ago I discussed the &lt;/em&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/09/what-i-learned-about-india-part-1.html"&gt;&lt;em&gt;mobile payments opportunity in India&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, a country where the mobile phone is often the consumer's sole financial entity (no banks, credit cards or anything else but cash). &lt;a href="http://venturebeat.com/2009/11/19/boku-gains-momentum-with-mobile-payments-for-social-games/"&gt;Boku's press release&lt;/a&gt; is a good opportunity to take a closer look at the US mobile payments market (see &lt;a href="http://fraudbackstage.blogspot.com/2009/06/so-your-mobile-phone-is-your-new-wallet.html"&gt;a previous post&lt;/a&gt;), and tell you why I think that it has great potential, but should also look out for a few obvious challenges.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_IPoYRlD18cw/Swa1SHsYw8I/AAAAAAAAAB0/vjeTfsbOYmg/s1600/mob.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_IPoYRlD18cw/Swa1SHsYw8I/AAAAAAAAAB0/vjeTfsbOYmg/s320/mob.gif" yr="true" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;You're all busy people, so I'll save you the time reading through my first paragraph and give you the bottom 
line: mobile payments are here, are growing, and have the potential to kill all other payment services. BUT it won't happen the way you'd imagine, and there are many pitfalls along the way, yet there are many chances for success.&lt;br /&gt;&lt;br /&gt;Phew! Now that I got this off my chest, I can start explaining.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Now is a better time than ever for mobile payments&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Mobile payments are a huge opportunity. No, they're not going to replace your wallet anytime soon, but they can just as well pose a threat to any payment service that's out there. Why? Well, up until now mobile payments were a niche - mostly because there was no fertile ground for users to move from credit card to mobile. Standard eCommerce payments are the norm, most users are used to either punching in a card number and buying or using their Paypal account, and there was no crowd that would adopt an alternate method; that's before the challenging technical aspects in device security (more on that later). &lt;br /&gt;&lt;br /&gt;So, what changed? In comes social gaming and virtual goods. Why? Because this crowd is more tech savvy, more appreciative of a streamlined in-game purchasing experience, more engaged, more used to their mobile devices and above all - &lt;u&gt;big enough&lt;/u&gt; to reach a tipping point. What's the outlook for mobile payments, then? With a delightful user experience and a broad enough user base, they are in the right position to start letting users sign up and add a financial instrument (right now - a credit card) to their account (ring a bell? It's called &lt;a href="http://www.zong.com/zong/plus"&gt;Zong+&lt;/a&gt;); they also have the perfect incentive system in the form of in-game virtual goods. Will that make them the payment option of the future? Is that so easy? Not necessarily. 
But I'm a bit ahead of myself.&lt;br /&gt;&lt;br /&gt;What are the challenges for mobile payments?&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Operators: integration, regulation and fees&lt;/li&gt;&lt;li&gt;Devices: technology and security&lt;/li&gt;&lt;li&gt;Payments: interchange fees and fraud&lt;/li&gt;&lt;/ul&gt;Each of these is a challenge not to be underestimated. Over the following few posts, we'll take a closer look at them and see why there's a potential to overcome all of them and become a major player in mobile payments, both for startups and for Paypal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-837815603504447405?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/837815603504447405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=837815603504447405' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/837815603504447405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/837815603504447405'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/11/why-you-should-love-and-fear-mobile.html' title='Why you should love (and fear) mobile payments [part 1]'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_IPoYRlD18cw/Swa1SHsYw8I/AAAAAAAAAB0/vjeTfsbOYmg/s72-c/mob.gif' height='72' width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6159712770747634748</id><published>2009-11-14T09:00:00.000-08:00</published><updated>2009-11-18T03:14:58.158-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hiring'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analysts'/><category scheme='http://www.blogger.com/atom/ns#' term='job description'/><category scheme='http://www.blogger.com/atom/ns#' term='team building'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><title type='text'>The A-Team: building the best risk management teams</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_IPoYRlD18cw/Sv1b2V2yyNI/AAAAAAAAABs/XVw6Pj375tk/s1600-h/now_hiring.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" sr="true" src="http://3.bp.blogspot.com/_IPoYRlD18cw/Sv1b2V2yyNI/AAAAAAAAABs/XVw6Pj375tk/s320/now_hiring.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;WWII basically ended unemployment in the US. Increased wartime production and the drafting of millions of men had created so many new opportunities, that the effect of the great depression was finally countered. It was a time when millions of women would join the work force. They filled traditionally "female" jobs but also opened up many previously "male" jobs, from operating heavy machinery to traveling sales people. 
In&amp;nbsp;a sense, it was a revolution stemming from necessity, which is often the case even&amp;nbsp;when the necessity doesn't arise because of a world war; someone's next promotion might&amp;nbsp;occur with the same dynamic.&lt;br /&gt;&lt;br /&gt;It was in this atmosphere that Katharine Cook Briggs and her daughter, Isabel Briggs Myers, started working on&amp;nbsp;a personality type test that would help new female workers find the right job for them, where they could be more effective. More than 60 years later, MBTI is a commonly used test to assess personality types and help people of various preferences understand each other's perspective of ideas, data, decision making and planning, among others. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;Types in Risk Management, and the ultimate team&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Risk and business analytics are data intensive processes, which means that you would most likely find or recruit Risk people who have huge respect for data, facts and detailed analysis. Your usual risk person will analyze, dissect and understand the nitty gritty details of every problem they are faced with, and will probably be very talented at explaining these aspects when coming to a conclusion. And they will probably also stick to it once they reach it, because when you have such great respect for data, you also respect whatever result you got to while employing formal logic and deduction. I have the utmost respect for that, and the utmost respect for the practice that brings forth many highly talented analysts and executives in the industry, namely advanced degrees in statistics and math. &lt;br /&gt;&lt;br /&gt;When facing the ever changing world of fraud and risk and faced with building strong successful teams, I'd like to suggest a few thoughts on what's the best mix. 
A risk management organization should definitely include the data driven, highly analytical people.&amp;nbsp;The perils of real world risks, and their ever changing nature, call for additional abilities: diverse hypotheses on fraudster behavior, creative thought on new methods and tools, a strong ability to adjust and finally, being able to roll all of this into a long lasting strategy that makes sense. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Smart hiring, smart management&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Creating diversity in a team of professionals is hard. Too many of the desired analytical types will get you groupthink, sometimes lethal to your business. In &lt;a href="http://fraudbackstage.blogspot.com/2009/07/who-do-i-get-on-board-skill-vs.html"&gt;a past post&lt;/a&gt; I suggested a new way of looking at skill vs. experience, which can get you the diversity you need as long as you can support hiring with a good training plan to provide everyone with the basic language of the business. Hire wisely, but be ready for the tension this will bring to the team. Remember that a science major and a humanities major will often have different views of relationships, motivations and actions. This is what you're looking for, but you have to create a frame of thought that is flexible enough to accommodate this tension. &lt;br /&gt;&lt;br /&gt;If your risk management process is a close-ended execution-driven development cycle, you might lose a lot of the innovation that can stem from people who are open ended and can sometimes steer off course. This means that, embedded in your method, there must be a system to discuss and solve risk issues that has room for both facts and concepts. When done the right way, this type of interaction starts from pure academic interest, the passion for creating a new language to describe phenomena, and only then goes back to discussing metrics. 
The process is somewhat similar to the principles of &lt;a href="http://en.wikipedia.org/wiki/Grounded_theory"&gt;grounded theory&lt;/a&gt;, a methodology one of my esteemed colleagues brought to my attention.&lt;br /&gt;&lt;br /&gt;What I described above also means that your solution development process needs to be a lot more iterative than seen in many conventional risk departments. If you get to a stage when immediate feedback changes your "scoring" and flows on a weekly basis, you can probably outrun most big payments services. One of the biggest problems I've discussed in the past is being able to know what happened in your system, but feeding it back to a group that's ready to understand and act upon these new findings is an operational rhythm essentially different than your basic waterfall. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Leading this means more than traditional experience&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now, the big question is - what is the type of person to put all of this together? It must be someone who can take all these bits and pieces and be able to relate to them individually, and as part of a process. Maybe someone who finds fascination both in big ideas and in minute details. But the most important aspect in this person's talent is the ability to roll everything into a concrete long term plan. It is so easy for a group of risk professionals to get lost in the details; everyday a new attack, a new change, a new implementation. When taken too far, you lose the ability to look beyond the day to day challenge. Having a top-down view means that projects are done not only to get to this quarter's results but also in the context of a grand scheme of things, one that leads to noticeable improvement in 2-3 years. It means the ability to build an organization that build with or ahead of the curve, not only makes reactive decisions. 
&lt;br /&gt;&lt;br /&gt;Promoting someone from within the current organization has the risk of putting a highly detail oriented person in a place where detail orientation might fail you; nominating a pure visionary has a good chance of failing by overlooking the minute details that make up risk management. As the payments and risk management industry grows larger, as the need for top talent in risk management grows bigger, it's important to find the right combination of top-down and bottom-up in a leader that can create a successful organization, that can really help make sure that your bottom line is not eaten up by chargebacks and returns.&lt;br /&gt;&lt;br /&gt;What are your thoughts on the right mix? How do you hire people to your teams?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6159712770747634748?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6159712770747634748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6159712770747634748' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6159712770747634748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6159712770747634748'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/11/a-team-building-best-risk-management.html' title='The A-Team: building the best risk management teams'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_IPoYRlD18cw/Sv1b2V2yyNI/AAAAAAAAABs/XVw6Pj375tk/s72-c/now_hiring.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-1521051345479071955</id><published>2009-11-09T09:26:00.000-08:00</published><updated>2009-11-18T03:15:12.091-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='u2u trade'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual currency'/><category scheme='http://www.blogger.com/atom/ns#' term='offer walls'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='zynga'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual goods'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analytics'/><title type='text'>Where is my mind? Way out, in the water</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_IPoYRlD18cw/SvhAIJm9LiI/AAAAAAAAABk/UEm0rvKb3Nk/s1600-h/panic-attack.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" sr="true" src="http://4.bp.blogspot.com/_IPoYRlD18cw/SvhAIJm9LiI/AAAAAAAAABk/UEm0rvKb3Nk/s320/panic-attack.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;em&gt;(As I'm writing this, EA has announced it has bought PlayFish. All the more reason for a call to the industry to stop panicking and start taking responsibility for its own fate with big fish coming to play. 
But read on...)&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;One of the many highly useful skills I learned in Officers' course was artillery aiming. There was a lot more fun stuff I could imagine doing in any given afternoon, but there's definitely nothing like it. And when you just don't have an option (and believe me, in officers' course you don't have an option), you just give it your best shot. Pun intended.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So there I was, trying to get a 155 mm cannon to hit a barrel. I don't know if you know how these things go, but artillery aiming is some simple arithmetic and a lot of art. You aim the cannon one way, then course correct the other, then again - in shrinking intervals, until you hit the target (or 50m away from it, which is considered good enough). It must have taken me 5 or 6 attempts to hit the goddamn thing - the gun crew was not a group of happy campers, nor was I. But all in all, it was a good drill, and I passed the test, and got my rank of deputy lieutenant, and mom was happy.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;What the heck has this got to do with risk management and digital goods, you ask? Let me tell you exactly.&lt;br /&gt;&lt;br /&gt;For quite some time now social games developers have been shooting way, way long. Like one esteemed group participant noted, their business model was "we'll get a lot of users, and revenue will come eventually". Can't blame them, who knew how to monetize at first? No one. They all started from in-game advertising just like big FaceBook, or by working with freemium. When offer based monetization came along, together with real currency purchase options, developers were thrilled. ARPU rocketed, revenue started flowing, and having a user base really started to mean something. You could say that if money came through the door, no one cared how that happened. 
So the ads were shady; so there was some uninformed opting in of users to premium services; so every now and then you would lose a month's revenue because of chargebacks and churn. It was so early on that people just wanted to make any money. Some, by the way, still want to do exactly that.&lt;br /&gt;&lt;br /&gt;Suddenly, driven by a provocative blogger and a not-so-media-savvy CEO, the pendulum started to swing. An artillery-aiming fest began for risk management and regulation in social media. BOOM! MySpace refreshes the TOS. BANG! FaceBook closes down FishVille. WHAM! Zynga shuts down offers. I'm all for calming things down, and maybe closing down offers does that. At least for a while. But shooting too short also has a risk of hitting yourself with a missed shell, and we don't want that, do we? So, after being asked a few times for my take, here are my two ideas on what's the "barrel" to be hit in this round of artillery aiming:&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Take responsibility&lt;/strong&gt;. The one part I liked in Zynga's statement is "&lt;em&gt;we are removing all CPA offers across zynga games until we can control their inclusion and presentation ourselves&lt;/em&gt;." This is a powerful statement about taking responsibility over your system. If the leader starts doing it, everyone will. Now, taking responsibility over what's displayed in your page is a lot more difficult than you'd imagine - there are ad placement, user segmentation, conversion optimization and, of course, risk management considerations to be made. As I've noted in the past, controlling fraud in ads is doable, but requires expertise that's way beyond black lists and blunt instruments. For that matter, here's a tip: when I read this excerpt from DoubleDing's president, I cringe: "&lt;em&gt;There was NO IP BLOCKING of any sort, beyond the normal country and fraud blocking&lt;/em&gt;." Come on, guys! Bad IPs are like the tooth fairy, we're way beyond that. 
There are no bad IPs, just bad users and bad uses. Any company that relies on IP-based blacklists and block-lists is not technically and methodologically prepared to take responsibility for its offers.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Create new value through U2U trade&lt;/strong&gt;. As I noted before, offer walls are different than ads because they truly have a chance of introducing new value for users. The interaction encapsulates an incentive, virtual currency, that was not there beforehand. And this value will stay there even after scams are driven off the system, and it will increase user engagement and conversion. But when offers are under attack, there’s no better time to explore the (seemingly) risky world of U2U. Let your users price their efforts, and be their liaison. Game economies will last, since these are way more controlled than real world economies, and because players are less sensitive to value loss. Trade will not only thrive in game but also cross-game - people collecting all Paris Hilton Chihuahuas. Stuck currency, lost forever in abandoned accounts, will be released as they are resold to new players. All of that at the cost of proper risk management? Give me a break. Game environment is one of the most controlled environments ever, allowing real time tracking of user behavior. Why aren't you going after U2U trade? No good reason but the fear of trying. And, if you don’t, you know what will happen next – illegal farmers will do this for you, earning millions in the black market (ask Blizzard. They’ve had to deal with this for a while now). And it’s, like, ding dong, this is Michael Arrington for TC, why do you have scammers ruining gameplay and reselling your stuff? And it’s back to witch hunting once again. 
It’s all about taking hold of your ground once again, this time proactively.&lt;br /&gt;&lt;br /&gt;So there are two ways out of this mess, both pass through managing user behavior and interaction properly, and good old-fashioned analytics with some understanding of cutting edge risk methodology. Piece of cake, don't you think?&lt;br /&gt;&lt;br /&gt;Well, maybe not a piece of cake. But copy this, and I promise you, you have the next bonanza.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;Past posts on this topic:&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Deconstructing Zynga: &lt;a href="http://fraudbackstage.blogspot.com/2009/09/deconstructing-zynga-whats-up-in-social.html"&gt;In-game fraud and what can we do with it&lt;/a&gt;&lt;br /&gt;Jacob doesn't mind: &lt;a href="http://fraudbackstage.blogspot.com/2009/10/jacob-doesnt-mind.html"&gt;Why users expect you to engage&lt;/a&gt;&lt;br /&gt;Reconstructing Zynga: &lt;a href="http://fraudbackstage.blogspot.com/2009/10/reconstructing-zynga-industrys-opinion.html"&gt;Answers to the Industry's thoughts&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-1521051345479071955?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/1521051345479071955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=1521051345479071955' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1521051345479071955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1521051345479071955'/><link rel='alternate' type='text/html' 
href='http://fraudbackstage.blogspot.com/2009/11/where-is-my-mind-way-out-in-water.html' title='Where is my mind? Way out, in the water'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_IPoYRlD18cw/SvhAIJm9LiI/AAAAAAAAABk/UEm0rvKb3Nk/s72-c/panic-attack.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5536032862615184089</id><published>2009-11-06T06:11:00.000-08:00</published><updated>2009-11-18T03:15:46.905-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='offerpal'/><category scheme='http://www.blogger.com/atom/ns#' term='advertising'/><category scheme='http://www.blogger.com/atom/ns#' term='ad networks'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual currency'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='anu shukla'/><category scheme='http://www.blogger.com/atom/ns#' term='zynga'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual goods'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='scamville'/><title type='text'>Offer walls and marketplaces: the real alternative to "scamville"</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/_IPoYRlD18cw/SvQu9Lwy-uI/AAAAAAAAABc/rbEVfWyw19A/s1600-h/money+back.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" sr="true" src="http://1.bp.blogspot.com/_IPoYRlD18cw/SvQu9Lwy-uI/AAAAAAAAABc/rbEVfWyw19A/s320/money+back.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;Let me just say one thing up front: well done, Mr. Arrington! From the first clash with Offerpal (&lt;a href="http://www.offerpal.com/george-garrick.php"&gt;former, it seems&lt;/a&gt;) CEO Anu Shukla, through &lt;a href="http://www.techcrunch.com/2009/10/31/scamville-the-social-gaming-ecosystem-of-hell/"&gt;this post and others&lt;/a&gt;, there's been quite a stir around offer walls and the big question of the legitimacy of their offers (some news sites in Israel literally copied the post's words. But that's another type of scam). Beyond the provocation, there are a few actual issues here, that I think are left out since "scamville" and CEOs being replaced are much more sexy. &lt;br /&gt;&lt;br /&gt;Here's the thing: if the social gaming industry is a viable industry (which I think it is) it should, at one point, start to mature as one. Maturing doesn't mean moving slower or becoming less appealing to users, on the contrary, there's still huge potential and a momentum so strong can't just be stopped by a few posts. But what it does mean is that you start getting attention for your mishaps and you need to start addressing this attention in a tone that is way, WAY milder and more responsible than just saying "this is sh*t and bullshi*t" (&lt;a href="http://fraudbackstage.blogspot.com/2009/10/reconstructing-zynga-industrys-opinion.html"&gt;look here for some current thoughts of industry leaders and how I'd respond to them&lt;/a&gt;).&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Now, monetization has always been an issue. 
Money draws attention from both fraudsters and regulation, and new monetization mechanisms will draw more attention. Offer based monetization brings in some of the old, battle-scarred players of the online market, namely ad networks and affiliate networks – but in a slightly new disguise. To anyone working in the industry long enough this is far from a surprise: for a long time, maybe right at inception, offers were based not on value to the customer but on the ability to &lt;a href="http://www.cbc.ca/technology/story/2009/10/30/consumer-texting-scam.html"&gt;move them to premium services without prior notification&lt;/a&gt;. This is not a viable business model, and it causes interesting effects like territory hopping (ad networks exploiting a territory until regulation kicks in, then moving to another) and cross-leading (affiliate networks using each other’s affiliates to create false leads for clients and boost the networks’ alleged lead generation abilities). &lt;br /&gt;&lt;br /&gt;How do you fight these off? I don’t think that’s the main issue, and that’s what Arrington did well to uncover. First of all, if you adhere to regulation (the Mobile Marketing Association’s, for example) you’ll end up almost without this type of scam (and without a business model, but we’ll get there). I also think that knowing who the bad players in the ads market are, then not working with them, is easier than expected. If you’re a developer, go through your offers wall periodically, and contact your offers wall provider about ads you don’t want to see on your wall. If you’re Offerpal, SuperRewards or SupersonicAds and figure that you have an issue with scams, monitor more than just your incoming customer support tickets (the whole issue is about what’s NOT reported because people don’t notice it) – vet your advertisers up front (and I dare say – double vet your ad networks and affiliate networks) and control the velocity and conversion of your users comparatively between offers. 
I’d think that one indication of scam offers will be a low effort-high reward model since they presuppose higher revenue per user than an average offer; I’d also think that cross-leading is evident by looking at velocity of lead creation by segments (new vs. existing users, certain geographies). Use &lt;a href="http://fraudbackstage.blogspot.com/2009/04/who-are-these-guys.html"&gt;profiling&lt;/a&gt; and find &lt;a href="http://fraudbackstage.blogspot.com/2009/04/that-one-small-detail.html"&gt;the right data source&lt;/a&gt; – both practices discussed on this blog in the past. These can be done automatically, but require a first phase of manual review to understand what users actually do and build a group of &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;domain experts&lt;/a&gt; that will enable proper planning of such a system in a way that's not as restrictive as you might think - killing legitimate traffic is really easy. If you don’t do that, it’s a race to kill your business – either regulation will limit your actions or you’ll lose all your money to churn and chargebacks, something that even developers are feeling today since almost no one will protect their virtual currency payments. &lt;br /&gt;&lt;br /&gt;Are we done yet? Not quite. As I noted, I think that the main issue here is not fighting off scams but rather what is the viable monetization solution. Advertising has a bad reputation, but it seems like most developers are at a stage where they simply value ANY monetization, no matter its reputation. These days will pass soon (and they would have, even without TechCrunch’s direct attack) – offer walls will be more regulated, and while offer based monetization does provide more conversion, it cannot be the main or only driver for growth. The main driver, as always, will be &lt;a href="http://fraudbackstage.blogspot.com/2009/10/reconstructing-zynga-industrys-opinion.html"&gt;user to user trade&lt;/a&gt;. 
Because this is where the free market reigns, and where prices can really soar not because you regulate them, but because there’s real demand. Controlling this kind of economy is a lot more complex, but not allowing it to happen will make “scamville” more and more of an issue. How do you allow user to user trade without drowning in fraud? That’s another, completely different issue. I’ll discuss it in a future post.&lt;br /&gt;&lt;br /&gt;What do you think? Is offer-based monetization a real, viable model – and what will it take to keep it going even after it’s highly regulated? Let me know!&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;I’d like to thank Yuval Samet for helping with the industry’s angle and live reporting for VGS!&lt;/strong&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5536032862615184089?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5536032862615184089/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5536032862615184089' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5536032862615184089'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5536032862615184089'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/11/offer-walls-and-marketplaces-real.html' title='Offer walls and marketplaces: the real alternative to &quot;scamville&quot;'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_IPoYRlD18cw/SvQu9Lwy-uI/AAAAAAAAABc/rbEVfWyw19A/s72-c/money+back.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-8936643889764603009</id><published>2009-10-30T04:25:00.000-07:00</published><updated>2009-11-18T03:15:59.931-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk analysts'/><category scheme='http://www.blogger.com/atom/ns#' term='paypal'/><category scheme='http://www.blogger.com/atom/ns#' term='payphrase'/><category scheme='http://www.blogger.com/atom/ns#' term='amazon'/><category scheme='http://www.blogger.com/atom/ns#' term='platforms'/><category scheme='http://www.blogger.com/atom/ns#' term='payments'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Amazon PayPhrase is a nice, risky step (plus some PayPal platform)</title><content type='html'>Today, TechCrunch &lt;a href="http://www.techcrunch.com/2009/10/29/amazon-launches-payphrase-%e2%80%94-will-it-be-easy-to-game/"&gt;posted about Amazon PayPhrase going live&lt;/a&gt;. It appears that Amazon customers were notified of this feature, allowing them to set a phrase they can later use on 3rd party sites to check out quickly - just type in your payphrase and PIN and you're out. The TC post mentions a similarity to PayPal's student accounts, I am not sure I agree, but that's not the case. The interesting question (one also raised in the post) is - what new risks does a new feature introduce into the system? &lt;br /&gt;&lt;br /&gt;There's a lot to be said about modeling the possible risks in a new payment feature, and I find it to be some science, some art. 
You have to weigh&amp;nbsp;not only what users and fraudsters are doing now, but also what opportunities they will have once you introduce a feature, and understand how to design controls that mitigate the major issues without hurting functionality. That's why there's some art in it.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The main point the TC post was hinting at was the ease of user credentials being compromised. True, users forget and give away credentials without a lot of thought, and any service relying on users, as a crowd, to not get phished, is going to fail. This is why payment companies invest a lot in customer education (which I like, yet do not really support because of its passive nature) and customer engagement (&lt;a href="http://fraudbackstage.blogspot.com/2009/10/jacob-doesnt-mind.html"&gt;which I really love&lt;/a&gt;) in risk management. It's been noted in the comments, and pretty straightforward in Amazon's page, that you cannot change anything in the account using payphrase, therefore cannot change a shipping address or change payment instruments, thus lowering the appeal of phishing payphrases. This is not going to reduce the number of account takeover cases, but it will not boost it, either. What's more interesting is the fact that the combination of ultra-quick checkout and opening up flexible payment APIs is about to introduce a family of risks into the system; in this case, I'm thinking about payment-click-fraud.&lt;br /&gt;&lt;br /&gt;I'm not sure how all payment companies that plan to open up to 3rd party developers prepare for the overwhelming new types of risks. I know there's a lot of thought put into that in PayPal, and am looking forward to the interesting discussions around risks in &lt;a href="https://www.paypal-communications.com/innovate2009/"&gt;the upcoming convention&lt;/a&gt;. No doubt, it's a whole new world out there. So what can go wrong? 
&lt;a href="http://en.wikipedia.org/wiki/Click_fraud"&gt;Click fraud&lt;/a&gt;&amp;nbsp;is a good example.&amp;nbsp;As you can see in the link, this is an offense carried out on a platform, but not against the platform but rather towards its users. When an advertiser posts an ad, an automated ad-clicking bot can be used to inflate their advertising bill tremendously, faking "real user" clicks without creating real value. Same goes for anyone who integrates payphrase or any other ultra-quick checkout: if a ring of fraudsters (or a shady competitor) decides to target you, they can just click away, have you ship multiple items and then deal with the chargebacks. They don't need the items; they just want you out of business. Without proper controls (monitoring, for example, user identity and velocity), new and small developers can find themselves scrambling to manage attacks even as soon as days after they integrate.&lt;br /&gt;&lt;br /&gt;Does this mean that quick checkouts and 3rd party integrations are bad ideas? No, on the contrary. They just need to be managed correctly. Since I view risk management as a business enabling function, I think it's our role to help make this bold attempt (first by PayPal, later probably by others as well) successful. 
I also think that developer awareness is super important, and believe that engagement by all parties is a&amp;nbsp;key component in making this new playground, where big payment companies will soon joust, a great success and a growth engine for eCommerce.&lt;br /&gt;&lt;br /&gt;What do you think are the risks of an open developer platform?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-8936643889764603009?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/8936643889764603009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=8936643889764603009' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8936643889764603009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8936643889764603009'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/10/amazon-payphrase-is-nice-risky-step.html' title='Amazon PayPhrase is a nice, risky step (plus some PayPal platform)'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3161946619246685879</id><published>2009-10-24T09:33:00.000-07:00</published><updated>2009-10-24T09:48:27.875-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk controls'/><category 
scheme='http://www.blogger.com/atom/ns#' term='international sales'/><category scheme='http://www.blogger.com/atom/ns#' term='ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='payments'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>The EU is less united than expected</title><content type='html'>This &lt;a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/1564&amp;amp;format=HTML&amp;amp;aged=0&amp;amp;language=EN&amp;amp;guiLanguage=en"&gt;mystery research&lt;/a&gt;, widely advertised today by the EU union's research department, puts cross border shopping declines inside Europe at &lt;strong&gt;60%&lt;/strong&gt;. I once wrote a post about &lt;a href="http://fraudbackstage.blogspot.com/2007/12/black-men-cant-shop.html"&gt;3rd world shoppers unable to shop&lt;/a&gt;, but this situation is a much graver one. 
Unfortunately, the pros' call to &lt;a href="http://fraudbackstage.blogspot.com/2009/03/here-comes-scary-part.html"&gt;invest in better&lt;/a&gt;, more intelligent risk management to open up to international purchases goes unnoticed, while merchants insist on &lt;a href="http://fraudbackstage.blogspot.com/2009/04/stop-are-you-fraudster.html"&gt;making lives harder for legitimate buyers&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Hopefully &lt;a href="http://www.europeanpaymentscouncil.eu/index.cfm"&gt;SEPA&lt;/a&gt; will help solve at least part of the issues dealt with here, at least giving a head start for merchants and buyers on their mutual trust issue.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3161946619246685879?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3161946619246685879/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3161946619246685879' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3161946619246685879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3161946619246685879'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/10/eu-is-less-united-than-expected.html' title='The EU is less united than expected'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6458400372320168725</id><published>2009-10-22T10:02:00.000-07:00</published><updated>2009-11-18T03:16:18.714-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secondary markets'/><category scheme='http://www.blogger.com/atom/ns#' term='user interaction'/><category scheme='http://www.blogger.com/atom/ns#' term='industry standard'/><category scheme='http://www.blogger.com/atom/ns#' term='social gaming'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual currency'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='zynga'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Reconstructing Zynga: the industry's opinion on fraud in social games</title><content type='html'>&lt;em&gt;My &lt;/em&gt;&lt;a href="http://fraudbackstage.blogspot.com/2009/09/deconstructing-zynga-whats-up-in-social.html"&gt;&lt;em&gt;previous post&lt;/em&gt;&lt;/a&gt;&lt;em&gt; about fraud in Social Games raised a few objections and spun a few sub-discussions. That's great, because it shows people are interested, and there's a LOT to be discussed in this field. I wanted to circle back to some of the main points that were raised in this discussion.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;There's nothing new about fraud. Really. Ever since people walked this planet, I would assume, there has been fraud - more and more as time advances and human kind introduces additional currencies that replace tangible goods. It's beyond the limited availability of tangible goods; being able to control supply and demand through a symbol (call it cash, checks, virtual currency or repackaged subprime mortgages) is the basis for modern economy. 
But is the fact that fraud isn't new merely a reason for underestimating it? Definitely not; if it were, then why is the &lt;a href="http://en.wikipedia.org/wiki/Spanish_Prisoner"&gt;Spanish Prisoner&lt;/a&gt; scam, better known&amp;nbsp;in its current days' reincarnation as the &lt;a href="http://en.wikipedia.org/wiki/Advance-fee_fraud"&gt;Nigerian Scam&lt;/a&gt;, still rampant on the web? &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;I'll tell you why: because where there's money there's fraud. And when only a handful are being &lt;a href="http://fraudbackstage.blogspot.com/2009/08/heartland-my-love.html"&gt;chased and prosecuted&lt;/a&gt; - hell, why not try it myself? Being an old story doesn't mean fraud isn't a problem, it only means it's here to stay, and engaging with it is a major obstacle on your way to scaling your ecosystem.&lt;br /&gt;&lt;br /&gt;So what have I heard in terms of concrete objections? Two main themes:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;There's not much fraud in social games nowadays, and not many fraud losses. If we start scanning and challenging our customers we'll scare the legitimate ones off, and it's just not worth the risk;&amp;nbsp;so we basically&amp;nbsp;prefer limiting risky actions in our games. &lt;/li&gt;&lt;li&gt;If we open up to secondary markets we will hurt the primary market - reduce the game's retention and incentivize users to leave the platform.&lt;/li&gt;&lt;/ol&gt;First, to the fraud point. Lately there has been an MRC Platinum session in San Jose, CA. One of the sessions there was called "the true cost of fraud", trying to give an overview of what it actually means to incur fraud, including fines, processing costs and others. But there's another cost for fraud, the hidden cost - the one where you &lt;a href="http://fraudbackstage.blogspot.com/2007/12/black-men-cant-shop.html"&gt;don't open up to business&lt;/a&gt; because you're too restrictive. 
If you don't experience fraud, you're probably too limiting in what you let your users do, because fraudsters exploit the most profitable avenues. If you keep two types of currencies (one internal, one purchased for money or by completing offerings), do not allow interchanging them and ban transfers between users, you block a good chunk of potential revenue. In another discussion one of the participants rightfully noted that the fraud budget you set aside should be part of your marketing budget - when you let users do more, you acquire more of them. When you let users pass currency &lt;strong&gt;between two of your games&lt;/strong&gt;, for example, you immediately create an incentive for an existing user to bootstrap their game in a completely different revenue channel. Not opening up because of fraud, then claiming there's low fraud on entry, is a blind spot in your strategy.&lt;br /&gt;&lt;br /&gt;Now, going gung-ho on user verification and interaction without proper planning will indeed drive everyone off your experience. But who said user interaction needs to be a 5-page nightmare? Users &lt;a href="http://fraudbackstage.blogspot.com/2009/10/jacob-doesnt-mind.html"&gt;expect to be engaged&lt;/a&gt; nowadays. Yes, you need to be an expert to allow a "one-click" experience and a highly intelligent layered friction mechanism to verify the dangerous part of your population - but hey, I'm not selling you the secret sauce, just telling you what kind of dishes it improves. All I can say is that I've seen it happen and I know it's possible.&lt;br /&gt;&lt;br /&gt;Second, as for secondary markets: SMs create additional revenue streams. Having SMs external to the developer's platform is indeed a cesspool but compliance, accepted user behavior policy and money laundering are true considerations of a maturing industry. For social gaming and virtual currency to really become "the thing", these need to be tackled sooner or later. 
Will it kill the in-game purchasing experience? I claim that it won't, because going to a secondary market will be like going to the flea market to find a good deal (or maybe some very special items only very talented players can find). It's not streamlined into the game, and this context shift alone will reduce the risk of players pausing their game to go off to a secondary market to get additional chips. Yes, it will require smarter pricing and better management of supply and demand, but I don't know any single game developer that just throws a game at their users and expects revenue to start streaming - these things are highly planned, why not plan for even higher revenue by supporting a secondary market?&lt;br /&gt;&lt;br /&gt;Opening up to more markets and users is very much possible. It requires careful planning and head on tackling of the industry's issues, but as always, it's highly beneficial for those who get it right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6458400372320168725?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6458400372320168725/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6458400372320168725' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6458400372320168725'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6458400372320168725'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/10/reconstructing-zynga-industrys-opinion.html' title='Reconstructing Zynga: the industry&apos;s opinion on fraud in social games'/><author><name>Ohad 
Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-4583454776785038201</id><published>2009-10-18T02:43:00.000-07:00</published><updated>2009-11-18T03:16:23.936-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hiring'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='job description paypal'/><category scheme='http://www.blogger.com/atom/ns#' term='analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>And now for something completely (?) different</title><content type='html'>&lt;em&gt;I'm diverting from Risk per se to deal with another decision-automation question I'm wondering about.&lt;/em&gt;&lt;br /&gt;High-tech fluctuates. It boomed on the verge of the new millennium, and did so (albeit differently) before the latest downturn. And when booming, help is required. High-tech companies don't usually post a "help wanted" sign on their office wall (though some in Israel did), and getting to a good position requires some work beyond coming from a good school. In the days of the "bubble", just knowing a few people would secure you a position somewhere in the space, but nowadays it takes a lot more than that - employers demand good grades, subject matter expertise and experience - all of which are no mean feat for new graduates.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Enough about job seekers, though. What about the poor hiring manager? 
I wrote a bit in the past about &lt;a href="http://fraudbackstage.blogspot.com/2009/08/paypal-israel-is-looking-for-analysts.html"&gt;what we're looking for &lt;/a&gt;and how we &lt;a href="http://fraudbackstage.blogspot.com/2009/07/who-do-i-get-on-board-skill-vs.html"&gt;balance experience with skills&lt;/a&gt;, but haven't discussed how HARD it is to find candidates. People, the right people, don't just come waltzing through your door when you need them. It requires some preparation, a lot of "scouting" and a good pipeline of interviewers ready to embark on a blitz. And since we don't just know everyone, it requires an HR agency. This is where things become even more interesting, and raise one big, interesting, repeated question.&lt;br /&gt;Why, in the year 2009, are HR agencies still highly human intensive operations?&lt;br /&gt;I see it everywhere. Dozens of companies, in a highly commoditized space, competing on three factors: price (what percentage of the candidate's salary will they receive upon hiring), speed and mass (of sent CVs) - two factors enforced on them since the only way to beat the competition is to get to the hiring company before them. This means literally hundreds of workers arriving to work as early as possible (before everyone else wakes up), scanning through hundreds of CVs (in Israel, all HR agencies even feed from the same source - runner.co.il), sending them in an almost unconscious process to every position with even a slight keyword match between the job description and the CV (god forbid any real professional scanning). &lt;br /&gt;Sounds familiar? Yeah, in some lingos this is called SPAM. And this is exactly how this feels. &lt;br /&gt;The other extreme, by the way, is specialized companies hanging their unique value proposition on the team's (usually the CEO's) ability to attract high talent candidates for high ranking positions. 
In these cases you don't get spam - you just pay ultra high retention fees to get someone from the CEO's close network of former and current executives. It's like a &lt;a href="http://en.wikipedia.org/wiki/Carousel"&gt;carousel&lt;/a&gt;, but one where everyone grabs &lt;a href="http://en.wikipedia.org/wiki/Brass_ring"&gt;the brass ring&lt;/a&gt;.&lt;br /&gt;So companies pay top dollar for something their staff could do themselves, but instead they outsource. But because of the incentive structure, they fail in outsourcing the mass waste of time, since someone inside the company still needs to sort through all the CVs that keep pouring in.&lt;br /&gt;Here's an alternative: hire a few real &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;resume experts, or train them &lt;/a&gt;- if you have the skill and experience needed. Learn how to &lt;a href="http://fraudbackstage.blogspot.com/2009/05/differential-diagnosis-people.html"&gt;classify and categorize &lt;/a&gt;(how do you know that this is the right person for the job at this company?). Automate - you'll get &lt;a href="http://fraudbackstage.blogspot.com/2009/07/aint-doing-it-right.html"&gt;your feedback &lt;/a&gt;from your clients, when they call on people for an interview. Then, when you start to gain credibility, package your new ability with a better incentive program. Change &lt;a href="http://fraudbackstage.blogspot.com/2009/05/too-much-data-too-little-information.html"&gt;the measurement &lt;/a&gt;- maybe higher 1st interviews per number of CVs? - and make a bundle agreement to give yourself exclusivity for some of these positions, and buy more time to get better at matching candidates to a company. Reiterate.&lt;br /&gt;Sounds simple, but it isn't. Forget the development of this operation; one of the main obstacles is, simply put, hiring risk. The chances of someone mis-reporting or just outright lying about what they did or why they left a company. 
I hear hiring agencies started to hire ex-law enforcement people to improve this aspect of their processes. Maybe we're about to see a new area of Risk Management. But my point is that this is doable, though not extremely easy, and I'm not sure why this wasn't ever done. Let me know what you think!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-4583454776785038201?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/4583454776785038201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=4583454776785038201' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4583454776785038201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4583454776785038201'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/10/and-now-for-something-completely.html' title='And now for something completely (?) 
different'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-8347456315181612503</id><published>2009-10-06T08:36:00.000-07:00</published><updated>2009-11-18T03:16:28.772-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='user interaction'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='proactive actions'/><title type='text'>Jacob doesn't mind</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_IPoYRlD18cw/SswnYfa3_cI/AAAAAAAAABU/-YKgiPTnFNA/s1600-h/geny1.jpg"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5389726155760205250" src="http://3.bp.blogspot.com/_IPoYRlD18cw/SswnYfa3_cI/AAAAAAAAABU/-YKgiPTnFNA/s320/geny1.jpg" style="cursor: hand; float: left; height: 220px; margin: 0px 10px 10px 0px; width: 320px;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;Let's say there's a guy named Jacob. This guy, he's 23 years old, has somewhat of a steady job, largely sales and maintenance for a nice apartment complex in southern California. He uses PayPal, a lot more than he would like. He also has a Facebook account and a MySpace page; he follows friends on Twitter (and sometimes updates his own status messages there). He has an iPhone 3G; he's on top of things. 
If he was ever hit by fraud, he would probably &lt;a href="http://fraudbackstage.blogspot.com/2009/08/fraud-fighting-20.html"&gt;tell his friends about it&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You know what? The industry is missing out on many of Jacob's friends. Not because they don't have credit cards or because they don't shop online - it's because we haven't changed with them. Why? Because Jacob doesn't mind - he doesn't mind his information being out there on the web (as long as it's kept with a privacy policy). He doesn't mind some interaction with risk controls because web 2.0 and post 9/11 safety education taught many users that it's ok to be asked questions by those with authority. And in the land of risk management online, we are the authority. And we are limiting our business. Jacob and his friends don’t mind working with us to make their lives better – we simply won’t let them.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Proper interaction upon signup and in preliminary stages, and requesting relevant information in a layered friction model (meaning that the riskier you are, we ask for more information and introduce more challenges) makes for the bulk of needed verification prior to a transaction. True, it's a good question whether you're asking for &lt;a href="http://fraudbackstage.blogspot.com/2009/04/that-one-small-detail.html"&gt;the right type of details&lt;/a&gt;; no one benefits from a 5-page signup process that says "this is the last page, we promise!" somewhere along the way. You have to have a decent interface. But making a religion out of not asking for details or challenging the user, then scrambling to pile controls and limitations in the background takes away users' control over their account, and this will drive people away - not to mention those that you would be able to verify and just won't accept. 
Having all this information on the web and becoming more and more technological sends us a clear message – “we want to be involved and take responsibility over our online identity”. To get to the next level, we have to take the challenge ourselves.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;How do you do that? A professional I know compares this to an airport's security system. Have you ever flown El-Al? Have you noticed the fact that there are a few "bands" of security people, each with a specific function planned to interact with the passenger, laid out in a pipeline that you can either pass or fail? If you have, then you have the first principle of proper interaction along the risk management pipeline. Note how face to face interaction is highly important - not only because it allows for more close up profiling, but also because it engages the passenger with the process. The 1st line interrogators actually debrief the person they are talking to: have you been asked to pass an item by someone you don't know? &lt;strong&gt;do you understand why I'm asking?&lt;/strong&gt; This goes way beyond passive checks like AVS, DOB and SSN - this is a call for proactive actions by the user. It's a highly intelligent approach, not fail safe on its own, but unprecedented in its ability to tap into the user's mind as an additional layer of risk management. And it's working.&lt;br /&gt;&lt;br /&gt;Bottom line, then: engage with your users. Let them know what you're worried about and how they can mend it, as early as possible. If you do it right, you'll earn highly engaged customers and open up to many more you've rejected or have been rejected by in the past. 
It's worth a try, as long as you do it right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-8347456315181612503?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/8347456315181612503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=8347456315181612503' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8347456315181612503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8347456315181612503'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/10/jacob-doesnt-mind.html' title='Jacob doesn&apos;t mind'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_IPoYRlD18cw/SswnYfa3_cI/AAAAAAAAABU/-YKgiPTnFNA/s72-c/geny1.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-262913366212324876</id><published>2009-09-27T03:00:00.000-07:00</published><updated>2009-11-18T03:16:35.732-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social gaming'/><category scheme='http://www.blogger.com/atom/ns#' term='digital goods'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' 
term='zynga'/><title type='text'>Deconstructing Zynga: what's up in Social Gaming fraud</title><content type='html'>&lt;a href="http://kinjeng.net/wp-content/uploads/texas-hold-300x298.jpg"&gt;&lt;img alt="" border="0" src="http://kinjeng.net/wp-content/uploads/texas-hold-300x298.jpg" style="cursor: hand; float: left; height: 298px; margin: 0px 10px 10px 0px; width: 300px;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;Talking to friends in a party I had to hold myself from becoming too smuggy-smug-smug. Yep, the lot of "I'm too good for Mafia Wars" geeks fell prey to the eggplant-growing rhythm of &lt;a href="http://www.facebook.com/search/?q=farmville&amp;amp;init=quick#/apps/application.php?id=102452128776&amp;amp;ref=search&amp;amp;sid=651832774.2672672765..1"&gt;Farmville&lt;/a&gt;. Eggplants. My friends. I don’t even like eggplants, but still felt responsible in a way, though they’re only a drop in Zynga’s estimated 15M+ daily users (the numbers keep growing...). But things were only getting better for me that day.&lt;br /&gt;&lt;br /&gt;“You know”, said one of the guys, “this social gaming stuff is really worth a lot of money. I know someone who made $100K off this thing”.&lt;br /&gt;&lt;br /&gt;KACHING!!! Immediately he had my full attention. You don’t just MAKE $100K playing social games by the book, even if you break a finger playing Texas Hold’em. I had to know.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;So, obviously, the guy was committing fraud. Using a bunch of scripts that worked on his command (also called a “&lt;a href="http://en.wikipedia.org/wiki/Botnet"&gt;bot net&lt;/a&gt;”), he opened numerous poker accounts on Facebook and collected the free chips you get when you do so (sometimes referred to as Chip farming, and something &lt;a href="http://fraudbackstage.blogspot.com/2009/07/challenge-of-digital-payments.html"&gt;I wrote about&lt;/a&gt; in the past). Then, he needed to aggregate all these chips to one account and sell them. 
The way he did it was amazingly simple: he played poker games where he was controlling both players, and intentionally lost all his chips to – basically – himself. Then, after finding a buyer for the chips and getting the money, he would pass the chips to that player using the same method.&lt;br /&gt;&lt;br /&gt;Ok then, what have we learned? First of all, where there’s money there’s fraud. It’s comforting for people in the business, maybe less so for people who’d want to believe in the goodness of mankind; but, then again, we’re not having an ethical discussion. The psychological angle is interesting, though – this normative (judging by my friend’s testimony) person is committing big scale fraud, uninterrupted &lt;a href="http://fraudbackstage.blogspot.com/2009/08/heartland-my-love.html"&gt;neither by conscience nor by law enforcement&lt;/a&gt;, and the only effect he sees is a slap on the hand in the shape of an occasional banned account, immediately replaced by another bot. It’s so simple, it’s genius. Not that I in any way support fraud, but you have to commend a good operation once you hear about one.&lt;br /&gt;&lt;br /&gt;The second highly interesting thing is the speed in which secondary markets evolve. I can’t imagine this guy advertising his stolen chips in his Facebook status message – he had to go somewhere where people knew chips trade was on. This isn’t such big news for long lasting games in the MMORPG arena like World of Warcraft - trade has been going on for years and the MMO Gold exchange was active even in our NPX days, back in 2005. On a side note, what I personally don’t understand is why gaming companies do not endorse secondary markets; definitely not for “game fairness”, since paying for items in the game is part of their own business model. If you have a solid argument, let me know.&lt;br /&gt;&lt;br /&gt;The most interesting issue for me, however, is the simplicity and ease of the actual fraud case. 
In trying to learn about Zynga’s risk management capabilities, I came across a short quote of Zynga’s CEO, saying that they had to &lt;a href="http://www.virtualgoodsnews.com/2009/04/100m-annual-revenues-reported-for-zynga.html"&gt;develop everything in-house&lt;/a&gt;. Looking at the market (even in PayPal, I have to admit) I understand why: when you get recommendations like “&lt;a href="http://myofferpal.wordpress.com/2009/07/16/setting-new-standards-in-security-and-fraud-prevention-for-the-social-gaming-industry/"&gt;Use SSL and remember you’re accountable&lt;/a&gt;”, it’s hard not to get depressed. But what is that “everything” they developed in house? Zynga has many fraud challenges, and chip farming is only one of them. Legitimate accounts taken over to drain their chips (a challenge they share with Facebook), stolen credit cards used to buy in game items and even click fraud (though the latter might be the least of their problems) are others. My uneducated guess is that Zynga is at the beginning of their risk management career, currently using a basic rules engine to limit risky purchase profiles, some IP black lists, a very basic velocity control system and a lot of manual review. Next step is industry standard statistical models, not such a bad idea compared to nothing but, &lt;a href="http://fraudbackstage.blogspot.com/2009/07/challenge-of-digital-payments.html"&gt;as I’ve noted&lt;/a&gt; on &lt;a href="http://fraudbackstage.blogspot.com/2009/04/stop-are-you-fraudster.html"&gt;quite a few blog posts&lt;/a&gt; in the past, far from ideal when dealing with low information instant delivery transactions. The ease of a fraud case as I’ve heard about it proves that there’s still a long way to go. Lucky for Zynga, they work on Facebook. 
Harnessing the power of user data available in this network allows top notch user verification; the only question is using the right practice.&lt;br /&gt;&lt;br /&gt;What are best practices for controlling fraud in Digital Goods commerce? I strongly suggest a closed door system requiring layered user verification, a signup page that doesn’t make a cult out of not requiring user info, and a thought out user interaction mechanism, all governed by &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;highly trained analysts&lt;/a&gt;. This won’t solve the problem, but will definitely lay the foundations for a risk management system that can evolve into something that really works. Based on the stories and some simple analysis, it’s clear that Zynga and other social gaming companies desperately need real life barriers that will not kill their business. It’s possible; you just have to do it right. &lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-262913366212324876?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/262913366212324876/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=262913366212324876' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/262913366212324876'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/262913366212324876'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/09/deconstructing-zynga-whats-up-in-social.html' title='Deconstructing Zynga: what&apos;s up in Social Gaming fraud'/><author><name>Ohad 
Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6539417344766437287</id><published>2009-09-24T03:59:00.001-07:00</published><updated>2009-10-20T14:35:52.503-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='backpacking trip'/><category scheme='http://www.blogger.com/atom/ns#' term='india'/><category scheme='http://www.blogger.com/atom/ns#' term='ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud c2b online ecommerce nigeria cell mobile payments'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile banking'/><title type='text'>What I learned about India [Part 1]</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/_IPoYRlD18cw/SrtRdaXyHsI/AAAAAAAAABM/G4afxMcsuMQ/s1600-h/poojah.jpg"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5384987345188691650" src="http://1.bp.blogspot.com/_IPoYRlD18cw/SrtRdaXyHsI/AAAAAAAAABM/G4afxMcsuMQ/s320/poojah.jpg" style="cursor: hand; float: left; height: 320px; margin: 0px 10px 10px 0px; width: 240px;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span xmlns=""&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span xmlns=""&gt;&lt;/span&gt;&lt;span xmlns=""&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="margin-left: 36pt;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #4f81bd;"&gt;&lt;strong&gt;Preparing for a ceremony in Rishikesh&lt;span style="font-family: Georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Georgia;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: 
Georgia;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family: Georgia;"&gt;"Did you see they have 'Hello to the King' here?" &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Georgia;"&gt;"What's 'Hello to the King'?" &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Georgia;"&gt;"It's basically a 'Hello to the Queen', only with a Bhagsu cake" &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Georgia;"&gt;"What's a Bhagsu cake?" &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Georgia;"&gt;"It's basically a Banoffie pie, only without the bananas" &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: Georgia;"&gt;"I give up" &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-family: Georgia;"&gt;(Two Israeli backpackers, Dharamsala)&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Georgia;"&gt;I'm not such a big traveler, but it seems to me that there is no single country you can capture in a blog post after less than a month of travel. That wouldn't be fair, but nonetheless, I have to say something other than "WOW". India is amazing, colorful, and extravagantly diverse; it is also noisy, dirty at times and completely frustrating when western perceptions of time and place collide with the Indian way of getting things done. But hey, you don't go on a backpacking trip to get five star treatments, do you?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Georgia;"&gt;&lt;/span&gt;&lt;span style="font-family: Georgia;"&gt;&lt;/span&gt;&lt;span style="font-family: Georgia;"&gt;India, at least the parts I visited, still seems very conservative. 
Sometimes it's obvious (you wouldn't believe how much of a standard Jason Biggs flick is censored in some Indian channels); sometimes it's subtle, though, like the highly sophisticated techie, sitting next to me in Barista coffee in Connaught Place, holding an E71 but reading the caste-sorted "groom wanted" ads in the Hindustan Times. It's there, and coming from a somewhat religious, symbolic country I appreciate the contradictions this creates. But the thing that amazed me the most is the fact that anything on the crust of this culture, ever so slow in its rituals and conventions, is by definition ever changing, at a lightning-fast pace. I'm not only talking about the highly western desserts those backpackers from my prelude discuss; what I'm actually thinking about is technology – and specifically, mobile phones.&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family: Georgia;"&gt;They're everywhere. And not only are they everywhere (I had a 3G signal in the hills of Parvati Valley! This actually beats some major US cities), it seems that they're actually used not as a luxury but indeed as THE major gadget. The taxi driver uses it instead of a radio; the young man on the bus to Kasol watches his favorite videos; and the old man, carrying a huge pack of firewood outside of Tosh, walks barefoot but talks on his mobile. And there's another part to it: I've &lt;a href="http://fraudbackstage.blogspot.com/2009/06/so-your-mobile-phone-is-your-new-wallet.html"&gt;explained in the past&lt;/a&gt; why using your mobile to pay isn't another step towards the "stash", since the operators bill to a credit card or a bank account rather than managing the user's money directly. But the case is different in India; many people do not have any financial entities in a financial institution, and a large chunk of the mobile market is prepaid. This means that other than cash, the mobile phone is the type of "currency" these people carry. 
Developing a mobile-phone-based, easy to use P2P payment solution is a must, the next step in payment evolution and something that will boost India's economy. This goes way beyond being able to send more ringtones and premium online content – this actually means gaining control over people's financial entities. If you can pay with a mobile phone, why not let it be your bank?&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Georgia;"&gt;So why doesn't this happen? For various reasons (that can be overcome, but are still obstacles). One of them is the fact that a prepaid model prevents proper identification. This limits the ability to manage identities from afar, without any details from the user. It can be overcome (from installing a client, through models of incremental identification requirements when initiating payments, to rigorous vetting processes), but creates a major challenge. Another major problem is the fact that old phones have little processing power, and cannot sustain any type of payments application; if you don't install any type of software, you have a highly insecure medium that can be easily breached and allow access to user credentials. These are the two major technical and risk related issues, and I'll discuss near-field communications and mobile authentication in future posts. The two other obstacles I learned about when I was in India are very interesting as well: one is consumer adoption, in a world of cash payments and little to no money; and the other, for which I would love to get comments from readers, is the fact that the Indian VC industry is smaller than needed, and geared towards American standards for business models and success. 
This is a very interesting reason I would like to investigate, and will share my findings as soon as possible.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: Georgia;"&gt;Bottom line, if you're looking for your next startup, maybe P2P mobile payments in India is your best guess. What's better than driving progress and technology into rural areas, while reaching amazing business success? And you get to taste "Hello to the King" as well. Next one's on me.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6539417344766437287?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6539417344766437287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6539417344766437287' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6539417344766437287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6539417344766437287'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/09/what-i-learned-about-india-part-1.html' title='What I learned about India [Part 1]'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_IPoYRlD18cw/SrtRdaXyHsI/AAAAAAAAABM/G4afxMcsuMQ/s72-c/poojah.jpg' height='72' 
width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-1228372378451888571</id><published>2009-08-30T07:32:00.000-07:00</published><updated>2009-08-30T07:32:00.267-07:00</updated><title type='text'>Taking some time off</title><content type='html'>As I'm going on vacation, the blog will be inactive for a few weeks now.&lt;br /&gt;&lt;br /&gt;See you on the other side of India!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-1228372378451888571?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/1228372378451888571/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=1228372378451888571' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1228372378451888571'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/1228372378451888571'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/08/taking-some-time-off.html' title='Taking some time off'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6911637532031050214</id><published>2009-08-24T07:40:00.000-07:00</published><updated>2009-10-20T14:35:56.455-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='techcrunch'/><category 
scheme='http://www.blogger.com/atom/ns#' term='risk controls'/><category scheme='http://www.blogger.com/atom/ns#' term='micro payments'/><category scheme='http://www.blogger.com/atom/ns#' term='social gaming'/><title type='text'>There's a kind of hush</title><content type='html'>Yes, it's gaining momentum. &lt;a href="http://www.techcrunch.com/2009/08/24/virtual-gaming-marketplace-live-gamer-acquires-twofish-to-boost-micropayments-platform/"&gt;TechCrunch&lt;/a&gt; posted today about an acquisition in the field of micropayments for gaming. We're on the verge of an explosion - the mass proliferation of startups and technology companies trying to get a share of this growing industry. They're going to face a lot of challenges (beyond fraud - even managing a payments or dispute resolution operation is costly), but I'm personally interested, obviously, in the rise of marketplaces.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Yes, buying virtual credit using a stolen credit card gets you... virtual credit. That you can later find a way to sell, that's true, but marketplaces are such an ever-green environment for fraudsters to operate in, since they let you exit funds so much more easily. And these guys, no doubt, are going to be a lot more creative and tech-savvy - in a non-tangible, rapid environment.&lt;br /&gt;&lt;br /&gt;Why is this a problem? Because most risk controls today rely on the item being shipped (to a real address, that matches the billing address of the card, and also matches at the bank). They also rely on the ability to delay shipment when you suspect something. Don't buy tales about sophisticated "dynamic risk scores", I tell you, it's all AVS and some additional blacklists. And at this point exactly, in these quick, electronic transactions with no account history, statistical models and standard risk controls are failing. 
Let the arms race begin.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6911637532031050214?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6911637532031050214/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6911637532031050214' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6911637532031050214'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6911637532031050214'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/08/theres-kind-of-hush.html' title='There&apos;s a kind of hush'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2641332592152683209</id><published>2009-08-20T03:07:00.000-07:00</published><updated>2009-10-20T14:35:59.961-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='heartland breach'/><category scheme='http://www.blogger.com/atom/ns#' term='heuristics'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='profiling'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Heartland my love</title><content type='html'>So the security-related part of the web is stirring over 
the Heartland breach going to court, and having fun mocking Heartland for falling for the oldest trick in the SQL-injections book. Since Israel's IDF's chief of staff was also a victim of his credit card being stolen, newspapers in Israel feasted over this "hot news" item, to the extent that one blog even names Albert Gonzalez (the &lt;a href="http://www.youtube.com/watch?v=iJPFSNu_QNs"&gt;"brain" behind the attack&lt;/a&gt;. I wonder who Pinky is) "The Al Capone of Cyber Thieves".&lt;br /&gt;&lt;br /&gt;Geez.&lt;br /&gt;&lt;br /&gt;A flurry of blog posts and articles followed, telling us that checking your credit report is important (really?) and pulling some chargeback stories from the attic. One even went as far as interviewing the manager of operations for one of Israel's issuers. Don't get me wrong, while I'm against trying to &lt;a href="http://fraudbackstage.blogspot.com/2009/03/here-comes-scary-part.html"&gt;scare people&lt;/a&gt;, public education makes sense (though many times it is useless, as I have claimed in the past [&lt;a href="http://cafe.themarker.com/view.php?t=539880"&gt;Hebrew&lt;/a&gt;]). But the part I'm much more interested in is not the fact that a breach happened; those happen all the time, although some retailers just hide their negligence. What I’m interested in is the publication of such an indictment, and its effect on the psychological aspect of committing internet fraud.&lt;br /&gt;&lt;br /&gt;You see, &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;analysts&lt;/a&gt; &lt;a href="http://fraudbackstage.blogspot.com/2009/04/who-are-these-guys.html"&gt;profile people&lt;/a&gt;. We know who the average fraudster is: a young, tech-savvy male with a knack for gadgets and &lt;a href="http://fraudbackstage.blogspot.com/2009/07/challenge-of-digital-payments.html"&gt;digital goods&lt;/a&gt;, who thinks he could get away with it pretty easily. 
The “getting away with it” part is the important one; be that the average fraudster or a desperate housewife looking to earn a few dollars defrauding buyers on eBay, the mental state needed to commit a felony on the web is much less delinquent in nature. Because the web is not “the real world”. Because doing it over the computer pushes it away from me. It’s not me; actually, it’s my avatar. And pressing charges in the real world against people who wronged in the virtual world makes it as real as it gets. This, in turn, makes people a lot more aware of what they’re doing when they’re stealing – and the heuristics of a self-aware fraudster are different from those of one who isn’t. A fraudster who isn’t afraid of getting caught looks a lot more like your average Joe, and this is something we want to prevent. This is not only because risk analytics become easier (and legit people’s lives become better, since we need &lt;a href="http://fraudbackstage.blogspot.com/2009/04/stop-are-you-fraudster.html"&gt;less “tricky” controls&lt;/a&gt;), but because indicting fraudsters is the right thing to do. 
Security and trust are, I believe, the key foundations of a thriving online community, and I’d like to help keep it as such.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2641332592152683209?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2641332592152683209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2641332592152683209' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2641332592152683209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2641332592152683209'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/08/heartland-my-love.html' title='Heartland my love'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5592978898416871316</id><published>2009-08-15T08:18:00.000-07:00</published><updated>2009-10-19T00:11:16.860-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='silicon valley'/><category scheme='http://www.blogger.com/atom/ns#' term='martial arts'/><category scheme='http://www.blogger.com/atom/ns#' term='relocation'/><title type='text'>O Master, where art thou?</title><content type='html'>As an Israeli, discovering Corporate America was a shock. 
Not that I never heard of the term; still, for someone who just joined "the industry" (as the hi-tech sector is usually referred to in Israel) a few years back, discovering that this kind of thing exists (and has many types of interesting positions, some far from the usual computer-science-only cult of Israeli hi-tech) was mind-boggling. I'm not sure how eBay strikes locals in California but in Israeli terms it's a pretty big international corporation - and now I'm relocating straight to HQ, to live in the belly of the beast with my wife and dog. What an adventure.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Everything else aside (EVERYTHING else - family left back home, lingual and environmental barriers, new work culture), my biggest worry is my martial arts training. Seriously. It took me years (literally - almost a decade) to settle in a place I felt comfortable with - with the right mix of sparring, technique, experience and plenty of other stuff - and finding another to land in is going to be pretty challenging. I've looked around, there are many interesting opportunities (it's America, right? Lots of flashy stuff), but who knows what it's going to be like.&lt;br /&gt;&lt;br /&gt;I know, it’s a cliché, but martial arts taught me a lot of what I use in business and life in general. From keeping my cool when I need to, through learning from the experience of people who were there before me (always look for mentors. They can teach you so much), to striking precisely and as hard as I can when I must. It also taught me that there’s politics everywhere, no matter if the take is a Director role or a seminar with 30 security guards in a small town. And I learned what it means to be passionate about something, long before deadlines and live-to-site dates even meant anything. 
And I learned what it means to overtrain, heal from injuries, get back on the mat, and continue training for years.&lt;br /&gt;&lt;br /&gt;So, if you know a place, or think that your friend knows a place, that’s around San Jose (or Palo Alto, or Mountain View, or the area) – and you feel like I should check it out – I’d really appreciate a tip. Especially if it’s a well-balanced, not too stuck up school where I can spar with people who can tell the difference between training and full-fledged wars. I’m gathering tips, and will be around in November.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5592978898416871316?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5592978898416871316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5592978898416871316' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5592978898416871316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5592978898416871316'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/08/o-master-where-art-thou.html' title='O Master, where art thou?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5577507123319319733</id><published>2009-08-11T05:33:00.000-07:00</published><updated>2009-10-19T00:11:22.388-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web 2.0'/><category scheme='http://www.blogger.com/atom/ns#' term='visa'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud fighting'/><title type='text'>Fraud Fighting 2.0</title><content type='html'>&lt;em&gt;“Wow, I've been a victim of fraud for 10 days and didn't even know it until now. Holy crap.” (A random Twitter user reporting)&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;During FraudSciences’ fraud operations days I was never keen on letting &lt;a href="http://fraudbackstage.blogspot.com/2009/08/paypal-israel-is-looking-for-analysts.html"&gt;analysts&lt;/a&gt; and agents call people who were defrauded. Old school credit card users, who have had their details stolen, were never too happy hearing about it from someone they didn’t know, calling from another country and sounding like the fraudster himself - with a thick accent and all of their personal data at hand. It didn’t help that the company was called &lt;strong&gt;Fraud&lt;/strong&gt;Sciences either, but that’s a completely different story. As time went on it became clear that most users we encountered preferred that fraud be dealt with out of their sight. They didn’t want to know about, or be involved in, any process regarding their identity being stolen. 
Sure, we’ve had the occasional angry customer calling back to understand whether we know the person’s name, &lt;a href="http://fraudbackstage.blogspot.com/2009/04/who-are-these-guys.html"&gt;who they were &lt;/a&gt;and their whereabouts to get even (and even had one person explaining that she always suspected her next-cube neighbor at the office), but generally speaking – no involvement. And we were completely fine continuing to work, undisturbed.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Then came the social explosion. It was there all along, but suddenly everyone, not only Silicon Valley early adopters, was involved in some “social” thingie. And communication flourished, and the abundance of status lines came, and now people are all over what’s happening to them, to their financials, to every aspect of their lives. And they want control, and they want to talk about it. They want to TWEET about it. They want to update their status in Facebook and get sympathy for their ID being stolen. And they need their information NOW.&lt;br /&gt;&lt;br /&gt;Great then, why not, let them get SMS updates about their account status. But it goes beyond that.&lt;br /&gt;&lt;br /&gt;It does so because financial institutions finally started grasping the value in having users connected to the system all the time. Much like &lt;a href="http://en.wikipedia.org/wiki/ESP_game"&gt;ESP games&lt;/a&gt;, which I have referred to in the past, why not use the masses’ computational powers for fraud alerts? For trend recognition? This goes way beyond installing VPN clients, using security keys or calling CS when someone used your card. When a company like Visa builds an &lt;a href="http://www.androidtapp.com/visa-mobile-for-android/"&gt;Android app&lt;/a&gt; that allows you to monitor your account, it creates a massive real time ability to fight fraudulent activity. 
With PayPal’s developer platform open for business, and with features rolled live all the time, developers have the knowledge of a good chunk of eCommerce at the tip of their keyboard. When this opens to two-way communications and enables connections to social networks (and I’m sure it will, soon enough), we will have the community brain helping the professionals in their war against internet crime and fraud. And as much as I value this domain, you can’t turn away this kind of ability for claims of secrecy and of ignorance being bliss for the masses; they want to know, they want to get involved, and they are here to stay.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5577507123319319733?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5577507123319319733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5577507123319319733' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5577507123319319733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5577507123319319733'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/08/fraud-fighting-20.html' title='Fraud Fighting 2.0'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-8252246408186424810</id><published>2009-08-04T04:09:00.001-07:00</published><updated>2009-09-28T01:17:02.635-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk analysts'/><category scheme='http://www.blogger.com/atom/ns#' term='paypal analysts'/><category scheme='http://www.blogger.com/atom/ns#' term='job description paypal'/><title type='text'>PayPal Israel is looking for Analysts!</title><content type='html'>&lt;em&gt;&lt;strong&gt;Disclaimer:&lt;/strong&gt; This blog is not initiated nor endorsed by Paypal.com. I am writing it not as an employee of the company and my opinions are strictly my own. I am, however, posting a publicly available job opening since I find it to be a very interesting position, to be our &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;single source of truth&lt;/a&gt;.&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;Read more about &lt;a href="http://fraudbackstage.blogspot.com/"&gt;the domain&lt;/a&gt; and the &lt;a href="http://fraudbackstage.blogspot.com/2009/07/who-do-i-get-on-board-skill-vs.html"&gt;type of people&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;u&gt;PayPal Israel is looking for Risk Analysts&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Responsibilities:&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Analysts in PayPal are highly motivated team players, working within the Live Analytics group, specializing in understanding, creating and applying advanced proprietary fraud prevention models. The group members work in a variety of fraud related fields while using state of the art tools and methods (profiling, forensics, network analysis, machine learning and more). 
The ideal candidates have a passion for solving fraud "riddles" and strong analytic skills allowing them to analyze various kinds of data and information and come up with new understandings. The role encompasses acquisition and application of vast knowledge areas over a short period of time and requires a strong sense of personal responsibility. The position is shift based, in a hectic live environment, held in regular working hours. Role development includes increasing contact with cross-organization research groups, project and product management roles and various other positions inside the greater global risk organization inside PayPal.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Requirements:&lt;br /&gt;&lt;/u&gt;&lt;br /&gt;- BA graduate or a final year student&lt;br /&gt;- Full time position&lt;br /&gt;- 1-2 years work experience&lt;br /&gt;- Proven analytical skills - &lt;strong&gt;scoring more than 700 in the psychometric test or an equivalent is a must&lt;/strong&gt;&lt;br /&gt;- Quick-thinker, fast learner, wide general knowledge&lt;br /&gt;- Team worker, responsible and trustworthy&lt;br /&gt;- Strong deliverability within strict time frames&lt;br /&gt;- Computer skills: experience with programming /scripting language, Excel, SQL - a plus&lt;br /&gt;- General familiarity with Internet technologies and protocols - a plus&lt;br /&gt;- Excellent English. 
Other languages - a plus&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-8252246408186424810?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/8252246408186424810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=8252246408186424810' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8252246408186424810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/8252246408186424810'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/08/paypal-israel-is-looking-for-analysts.html' title='PayPal Israel is looking for Analysts!'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5594094590793168666</id><published>2009-07-29T06:51:00.000-07:00</published><updated>2009-10-06T21:11:37.748-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social gaming'/><category scheme='http://www.blogger.com/atom/ns#' term='virtual currency'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='zynga'/><title type='text'>This summer is about digital goods</title><content type='html'>&lt;em&gt;"Bogdan Ghirda is paid £70 a month to do what most bosses would fire 
him for. From the moment he arrives at work he plays computer games on the internet."&lt;br /&gt;(From the 2005 Observer article, "&lt;a href="http://www.guardian.co.uk/technology/2005/mar/13/games.theobserver"&gt;Virtual sweatshop&lt;/a&gt;")&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Gold_farming"&gt;Gold farmers&lt;/a&gt; didn't invent digital goods, though they've been around for quite a long time. People are not only buying MMO money - the market has expanded. What started as a black secondary market for harvested goods soon became a profitable channel for gaming companies that make their money - surprise surprise - based on the interface of your all-favorite social networks. Yes, while Facebook is struggling for monetization, companies like &lt;a href="http://www.zynga.com/"&gt;Zynga&lt;/a&gt; make hundreds of millions of dollars by running social games that are multiplayer, asynchronous, and let you buy any type of addition, from "special powers" for your vampires to "new clothing" for your soccer team.&lt;br /&gt;&lt;br /&gt;You gotta love this culture. Honestly, it's amazing to see the thought, time and money invested in these games. There are &lt;a href="http://www.gamezebo.com/features/news/casual-connect-top-12-social-gaming-trends"&gt;numerous trends&lt;/a&gt; in this area, attracting more and more talented people who feel the buzz and want to take their share. And as they advance in creativity, these games move to mainstream social network users but continue to evolve in the complexity they provide and the story they allow you to tell.&lt;br /&gt;&lt;br /&gt;With them, obviously, come the fraudsters. 
In an industry so used to checking physical shipping destinations (via &lt;a href="http://en.wikipedia.org/wiki/Address_Verification_System"&gt;AVS&lt;/a&gt;) and managing proofs of shipment as a tool for dispute resolution between sellers and buyers, how do you deal with instantly delivered, non tangible goods where quality is sometimes purely in the eye of the beholder? In addition, fraudsters looking to steal digital goods are usually a mixture of sophisticated internet users and kids using their parents' money, sometimes referred to as "friendly fraud". So, if you're in the Risk business, mobile payments or into social networking in general, expect a pretty hot summer in everything digital, with fierce behind-the-scenes competition and major losses to fraud. I am looking forward to seeing which will be the winner in this field - is Paypal stirring something up with &lt;a href="https://www.x.com/blog/"&gt;the new API&lt;/a&gt;, are small players like &lt;a href="http://fraudbackstage.blogspot.com/2009/06/so-your-mobile-phone-is-your-new-wallet.html"&gt;Boku.com &lt;/a&gt;going to lead or is Facebook going to make its debut in payments supporting the tidal wave of social gaming on its site? 
The coming months will tell...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5594094590793168666?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5594094590793168666/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5594094590793168666' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5594094590793168666'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5594094590793168666'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/07/challenge-of-digital-payments.html' title='This summer is about digital goods'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-9072891069732975453</id><published>2009-07-25T03:50:00.000-07:00</published><updated>2009-07-25T03:50:00.198-07:00</updated><title type='text'>Who do I get on board? The skill vs. experience dilemma</title><content type='html'>One interesting tension I noticed in complex Risk management organizations is apparent in job descriptions: the big difference in relying on experience vs. skills. 
Makes sense - when building a team, in most cases you're looking for the seasoned professional that can hit the ground running and scale to meet expectations in no time, while leaving time to hire inexperienced, cheap recruits further down the road.&lt;br /&gt;&lt;br /&gt;I'm not underestimating experience and this is not another plea to let these talented young people run the business. However, there are some caveats to focusing on experience only:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Experienced people bring their past, for better or for worse. Yes, they are experienced, but they are also very dependent on what worked for them in the past, whether it matches your new org or it doesn't. You get less flexibility when you hire for experience only. So, when you do, look for someone with the right experience and, sometimes, acknowledge that there is no one with the right experience, because your business is that unique - and you need to promote someone from inside the org with a fresh view.&lt;/li&gt;&lt;li&gt;Experienced people bring their ego and know-how to the table. Put a few of these in the same room, and what do you get? Endless discussion, much less agreement. When you're hiring for experience, make sure you hire a group that's not too heterogeneous.&lt;/li&gt;&lt;li&gt;Experienced people tend to hire people from the same school of thought. How do you refrain from groupthink? Well, understand this and you've got a cornerstone for top performing teams. You need to make sure your experts are sometimes out of their comfort zones, because if they're not, you'll get a replication of their old work place.&lt;/li&gt;&lt;li&gt;Finally, experienced people underestimate formal training in the work place. Why? Because they've seen it all. 
Not having a decent training program (very common practice in the hi-tech industry) gets you to the point where each person speaks their own language, and a Tower of Babel is far from the ideal way for properly managing risk.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;If you have a unique blend of risks in your org, if you have a new language to develop, if you need a fresh look at things, do not underestimate hiring young, inexperienced yet talented people, and trusting them with aspects of your operation. Do not, however, forget that by doing so you must commit to proper training, documentation and feedback – or else you’ll get all the childhood sicknesses you can ever imagine. Balancing your org to be a flexible Risk Management unit is a tough job.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-9072891069732975453?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/9072891069732975453/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=9072891069732975453' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/9072891069732975453'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/9072891069732975453'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/07/who-do-i-get-on-board-skill-vs.html' title='Who do I get on board? The skill vs. 
experience dilemma'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-7808860285916955959</id><published>2009-07-20T12:33:00.000-07:00</published><updated>2009-10-06T21:11:57.996-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='truth'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='business intelligence'/><title type='text'>Ain't doing it right</title><content type='html'>&lt;em&gt;"How many legs does a dog have if you call the tail a leg? Four; calling a tail a leg doesn't make it a leg." (ascribed to Abraham Lincoln)&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;/em&gt;&lt;br /&gt;In our business, to make a good decision, it is essential to know what really happened. So we discussed finding the single source of truth, but have not discussed ways for keeping it truthful. Oddly enough, the concept of immediate, detailed feedback is not as common as one would expect.&lt;br /&gt;&lt;br /&gt;In your community of domain experts, the concept of "truth" should not only be determined but also enforced by members of the community. Note: not by a moderator; the members must know what the "truth" is (in procedures, in decisions and in deriving conclusions) but also be ready and empowered to call out their and others' mistakes. Because direct feedback is what pushes people to improve in the specifics of their work. 
You do not only need people who can tell a tail from a leg - you need to give the one who detects it the means to show their finding to the general community.&lt;br /&gt;&lt;br /&gt;This is not a matter of virtue, it's a matter of getting your business running the way it should. What happens if you underdevelop this area in your organization? Well, first you get only hindsight feedback, allowing you to know what's happening in delays of months and months (how much time does it take 90% of chargebacks to come in? exactly), but you also get feedback in aggregate levels (saying, for example, how many of person X's decisions were reversed) - meaning that you can't really find the trend and fix it.&lt;br /&gt;&lt;br /&gt;I can't tell you it's fun - commenting, moderating or acting on the results of such feedback cycles - but one thing's for sure, it's way more effective than pretending your Risk experts live in Disneyland. Giving and receiving proper feedback improves every bit of the cycle - and makes your business better at one of its core competencies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-7808860285916955959?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/7808860285916955959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=7808860285916955959' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7808860285916955959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/7808860285916955959'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/07/aint-doing-it-right.html' 
title='Ain&apos;t doing it right'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-415230876931162072</id><published>2009-06-16T13:36:00.000-07:00</published><updated>2009-09-28T01:17:52.631-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='online ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='nigeria'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile payments'/><category scheme='http://www.blogger.com/atom/ns#' term='ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='c2b'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='cell'/><title type='text'>So your mobile phone is your new wallet?</title><content type='html'>Congratulations to &lt;a href="http://www.boku.com/"&gt;Boku.com&lt;/a&gt;, going live today with the (old, yet renewed?) promise to turn your mobile into your new credit card. Looking at the site and judging by what I know, I wonder what's the biggest challenge lurking at their door: is it merely traction? Is it going beyond micropayments, while managing merchant vetting and credit risks with the mobile provider? I think it's a combination. But that's not my question here. My question is - are mobile phones the next "thing" in payments?&lt;br /&gt;&lt;br /&gt;Payment services are fighting to increase share of wallet, and remove as many boundaries as possible between the merchant and the customers' money. &lt;em&gt;Obviously, the mobile phone is always there, available to use, it's really a gadget, you know, it's not really as serious as a credit card. 
We all know credit cards are dangerous to use on the web&lt;/em&gt;. But taking a closer look reveals that a mobile phone isn't a step closer to the customer's money, it's actually the same distance. You don't own the "stash", only another funnel for getting some of it.&lt;br /&gt;&lt;br /&gt;This, by the way, doesn't mean that mobile payments isn't a good idea or that it's going to fail (it might, though, but not because it's not the biggest funnel), and I wish Boku and friends all the luck; but fact of the matter is that your phone is pretty much the same as your bank account, debit card, credit or any other payment method - it's a key to the treasure chest. Get a hold of the chest (in other words - become the bank) - and you've REALLY got an advantage. Until then, I'll continue buying my Mafia dollars the same way, be my proxy what it may.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-415230876931162072?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/415230876931162072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=415230876931162072' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/415230876931162072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/415230876931162072'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/06/so-your-mobile-phone-is-your-new-wallet.html' title='So your mobile phone is your new wallet?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5311124770253185224</id><published>2009-06-12T04:41:00.000-07:00</published><updated>2009-10-06T21:12:17.513-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fraud analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='attack defense'/><category scheme='http://www.blogger.com/atom/ns#' term='classification'/><category scheme='http://www.blogger.com/atom/ns#' term='politically correct'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='profiling'/><category scheme='http://www.blogger.com/atom/ns#' term='business intelligence'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='behavioral analytics'/><title type='text'>Too much data, too little information</title><content type='html'>So, you have this big 1000 user system, with its flows and checkpoints and flags and pointers. If you've grown it well you have a dashboard showing you login numbers, counts of transactions, dollars moving around. You control it all from your NOC, pressing the little red buttons whenever necessary, moving dials and reading graphs. But the thing is that seeing the bits and pieces of online life on your screen doesn't necessarily, and sometimes doesn't at all, help understand what's going on.&lt;br /&gt;&lt;br /&gt;What IS going on in your system? What are users doing, and will that translate into the bottom line? What can the numbers tell you?&lt;br /&gt;&lt;br /&gt;Well, we've been through a few ideas. 
Expert knowledge ties symptomatic indicators with identities and with what they intend to do, so that you can at least start making sense. Collecting the data is one aspect, and using it to understand is a whole new area. When we reach tips and tricks on how to develop your own methodology, some of this might start ringing a bell. But this post is about one system that shouldn’t be adopted as your main tool if you’re the risk management expert – it’s about advising you to not count on hindsight based on business results.&lt;br /&gt;&lt;br /&gt;No, no, don’t get me wrong – business results are important, one of the most important aspects of the business (and some will argue – the single most important – but that is another discussion). But using the bottom line (or even a highly detailed version of it, including a drill down of, for example, every auth rejection code) to indicate what the risks are in the system or worse yet – to indicate what needs to be fixed – is a call for bad judgment. Consider my favorite example, a hospital. If you needed to weigh two hospitals one against another, would you use the percentage of deceased patients as an indicator? Would it matter that one has an oncology department and the other doesn’t? Would it matter that one is in Mozambique and the other is in Mexico? Of course it would, since when all else is equal (in staff, training and tools – like your company compared to other retailers), fraud-on-entry (the hospitals’ location and the indigenous diseases you’d expect) and fraud MOs (the types of diseases that are actually seen and treated or not treated) have a big impact on the bottom line. Trying to use the numbers post risk controls, chargeback, CHB dispute and collections to understand what could have happened is trying to pin down a moving target – and the wrong one at that. 
Worst of all would be trying to design future systems based on the current snapshot, since you do not have any indication of what users do – just how much money it costs you, and user behavior is much more volatile than your incoming chargeback count.&lt;br /&gt;&lt;br /&gt;When you come to understand what’s going on, business results are highly important. But letting them steer all of your team from looking at user behaviors will put you exactly where you don’t want to be – patching up holes in your system using a highly delayed hindsight mode. To be successful, combining data analysis and behavioral research is a must.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5311124770253185224?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5311124770253185224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5311124770253185224' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5311124770253185224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5311124770253185224'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/05/too-much-data-too-little-information.html' title='Too much data, too little information'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2559650621924458859</id><published>2009-05-05T07:16:00.000-07:00</published><updated>2009-10-06T21:12:28.006-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='house md'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='differential diagnosis'/><category scheme='http://www.blogger.com/atom/ns#' term='business intelligence'/><title type='text'>Differential diagnosis, people!</title><content type='html'>House - "Haven't done the MUGA."&lt;br /&gt;Wilson - "Then how do you know she needs a heart transplant?"&lt;br /&gt;House - "Got my aura read today. Said someone close to me had a broken heart."&lt;br /&gt;(&lt;a href="http://www.fox.com/house/features/quotes/season1.htm"&gt;Season 1&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;Yes, I admit it, I'm an avid "House, MD" fan. The fun part about this show is that a lot of people find meaning that's beyond the plain action to relate to - much different, I assume, than what the writers meant. Some watch it for the plain medical aspect, &lt;a href="http://www.housemd-guide.com/house-med/"&gt;like a good mystery story&lt;/a&gt;; some treat House as their fictitious mentor; some like the twists of the tale. I sometimes watch it like a tale of business intelligence and a general case of decision making with partial information.&lt;br /&gt;&lt;br /&gt;Here's how it usually goes: in comes a case. It either looks suspicious upfront or bad indicators come up immediately at the beginning (by the way, did you notice that in most of the first half of season 1, it was seizures?). 
Then they go through "&lt;a href="http://en.wikipedia.org/wiki/Differential_diagnosis"&gt;Differential diagnosis&lt;/a&gt;" and run various tests; additional symptoms are discovered, and usually the truth is discovered by connecting details that were hidden from the doctors (because "&lt;a href="http://images.google.co.il/images?hl=en&amp;amp;q=everybody+lies&amp;amp;um=1&amp;amp;ie=UTF-8&amp;amp;ei=u9_6SZGQJ8uRsAbKjfDLBA&amp;amp;sa=X&amp;amp;oi=image_result_group&amp;amp;resnum=1&amp;amp;ct=title"&gt;everybody lies&lt;/a&gt;") or simply because they didn't connect the dots.&lt;br /&gt;&lt;br /&gt;Yeah, real life medicine isn't that simple, and sometimes even knowing what happened is too complicated to be nailed down case by case. Obviously catharsis doesn't come, like clockwork, every 35 minutes - just in time for the drama. But it's pretty similar, isn't it? In comes buyer A, and presents the details of person B. Not much to say about buyer A - their IP connection (anonymized?), their email (opened yesterday?), purchase details, maybe shipping address. Nothing much on person B either - name, address, credit card number. Would you let the purchase go through? Differential diagnosis, people! What test can we run to verify this person, or establish fraudulent behavior? What does it mean if they can verify the email, answer a call to their mobile phone, tell you that the issuing bank is Citi? What &lt;a href="http://fraudbackstage.blogspot.com/2009/04/that-one-small-detail.html"&gt;additional indicators&lt;/a&gt; are we missing? Because that's what the "game" is - in comes a case - what do you do? No one is dying, but your balance sheet is going to look pretty bad.&lt;br /&gt;&lt;br /&gt;The trick about decision making in this case is understanding what the next step is. Our goal, whether asking the customer for additional details or looking for an additional data source (what's next - Family history review? MRI? 
CT scan?), is to reach a conclusion in as few steps as possible, meaning that we need to be able to choose the steps that contain as much information as possible. BI experts sometimes tend to get as much data as possible, sometimes at enormous costs (these external vendors don't come cheap). House's department costs the hospital millions of dollars a year, but that's human lives. We need to be cost effective.&lt;br /&gt;&lt;br /&gt;One major way to work with this is automated decision making systems - expert systems - which help experts reach decisions by dealing with the quantity of data by using statistical models for classification. Advanced systems, when correctly fed with symptoms (or fraud indicators), can even suggest tests to rule out corner cases. Constructing such a system is the end station of the long road that starts with the single source of truth - in House's case, the doctor. In fact, expert systems in the field of medicine usually outscore doctors in identifying illnesses based on differential diagnosis - it only makes sense, when you hear House's staff shooting diagnoses based on remarkable memory and years of experience. Which brings up the question - why doesn't House use one? 
It would immensely scale his ability to save lives.&lt;br /&gt;&lt;br /&gt;But then again, how much fun will that be?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2559650621924458859?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2559650621924458859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2559650621924458859' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2559650621924458859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2559650621924458859'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/05/differential-diagnosis-people.html' title='Differential diagnosis, people!'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-4558244905682471498</id><published>2009-04-27T06:33:00.000-07:00</published><updated>2009-10-06T21:12:37.900-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='attack defense'/><category scheme='http://www.blogger.com/atom/ns#' term='classification'/><category scheme='http://www.blogger.com/atom/ns#' term='politically correct'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' 
term='profiling'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='behavioral analytics'/><title type='text'>Who are these guys?</title><content type='html'>&lt;em&gt;The investigators were baffled. After 3 hours of investigation, they still haven't made any progress in understanding who should they be looking for as the prime suspect for the assault case. The problem? No, not a mismatching DNA sample. Not a picture that's not on the immediate suspects list. Not even scarcity of able people willing to crate a drawing based on the description from the victim. The problem, suprizingly, was that the victim would not let out any revealing detail about their assailant: gender? against the sexual harrassment act. Skin color? Dude, we're against any type of discrimination. Religion? get out of here. Lucky for the investigators, the guy (oops) was of average height. At least &lt;strong&gt;that&lt;/strong&gt; went through.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Imaginary? Indeed. Possible? Of course. I once spent 15 minutes listening to a friend of a friend describing a very similar case, until I was able to understand what the person's profile was. Because in social interactions PC sometimes deters us from using specific observations. Makes sense. In the world of Risk management, however, such a starting point can be the blow of death to your ability to understand what exactly is attacking your system, and stop it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Profiling &lt;/strong&gt;is the name of the game, and some of us are not playing it, and are wrong at doing so. Because fraudsters lie every time they need to. They lie about their identity, they hide their connection, they use other people's details and they will come back to demand the service you are not giving them and might end up convincing you. But what's their motivation? 
Is a &lt;a href="http://www.fraud.org/tips/internet/workathome.htm"&gt;WFH scammer&lt;/a&gt; the same as a &lt;a href="http://en.wikipedia.org/wiki/Advance_fee_fraud"&gt;419 fraudster&lt;/a&gt; or a &lt;a href="http://answers.google.com/answers/threadview/id/754693.html"&gt;WOW gold trader&lt;/a&gt;, or for that matter - a cusotmer that maliciously reports not receiving an item they have in fact received? Of course not. They have different starting points, different sets of tools and conceptions, they might even be from completely different regions of the world (quick hint: they are). And that renders behavioral attributes that either are not reflected in your analysis (beacuse the fraudster's age and favorite social network do not reflect in the account time-on-file or time before a &lt;a href="http://en.wikipedia.org/wiki/Chargeback"&gt;Chargeback &lt;/a&gt;comes in).&lt;br /&gt;&lt;br /&gt;When not profiling, you are bound to looking at losses as they appear, and then reverse engineer them using business dimensions to try and understand what going on. You might discover that your UK market for new intangible item transactions is high on chrageback rates. Is this a bad finding? Absolutely not, data driven analysis HAS to be the first step of any research - because segmenting the world is the first step toward prioritizing work and creating a souns results-related risk policy. 
But whan you don't ask yourself "why is this happening" and "who are these users causing losses" and even "what's their story?", you are missing on three big things:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;the ability to further segment the world based on how bad user behaviors look in your system, and differentiate malicious intent from system errors (classification errors and others) and mistakes (the human factor - flakes, friendly fraud and others)&lt;/li&gt;&lt;li&gt;the ability to identify the good guys, and provide them with better treatement, even when they resemble bad guys in business segmentation&lt;/li&gt;&lt;li&gt;the chance of foresight - understanding where the bad guys might go next&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Behavior based analytics isn't the sole answer to all BI problems. On the contrary - without a proper data driven segmentation, experts' intuition is both invalidated (and though usually is useful, is risky when it's the only thing you're using for long term planning) and will take a lot more time to create (since prioritizing where to look first is the proper use of your &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;Oracles&lt;/a&gt;). 
But it is the single most important frame of thought your risk management team is probably not using - and whether this is happening because of PC, lack of domain expertise of just disinterest, you cannot let it pass you by.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-4558244905682471498?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/4558244905682471498/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=4558244905682471498' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4558244905682471498'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/4558244905682471498'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/04/who-are-these-guys.html' title='Who are these guys?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-2878742524458183037</id><published>2009-04-20T06:24:00.000-07:00</published><updated>2009-10-06T21:12:49.093-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='captcha'/><category scheme='http://www.blogger.com/atom/ns#' term='soft limits'/><category scheme='http://www.blogger.com/atom/ns#' term='risk controls'/><category scheme='http://www.blogger.com/atom/ns#' term='quota'/><category 
scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='open closed door'/><title type='text'>Stop! Are you a fraudster?</title><content type='html'>A few days ago, &lt;a href="http://slashdot.org/"&gt;Slashdot &lt;/a&gt;reported this &lt;a href="http://technobabblepro.blogspot.com/2009/04/captcha-gotcha.html"&gt;blog post &lt;/a&gt;which neatly explains why CAPTCHAs are doomed. The post is very interesting; first, because the analysis in the post hits some good points such as why developing explicit, single-factor screening mechanisms in a global economy just doesn't make sense (and why a good &lt;a href="http://en.wikipedia.org/wiki/ESP_Game"&gt;ESP game &lt;/a&gt;is much cheaper than the next generation of &lt;a href="http://en.wikipedia.org/wiki/Optical_character_recognition"&gt;OCR&lt;/a&gt;). Second, because it raises (maybe unknowingly) the most important point - that screening mechanisms and risk controls often turn away a lot more good business than they stop the bad guys. But third, and most importantly, is that it &lt;em&gt;falls into the same pit&lt;/em&gt; by suggesting a few alternatives that are just as bad.&lt;br /&gt;&lt;br /&gt;Let's admit it - we're not dealing just with a bunch of script kiddies with a knack for &lt;a href="http://www.techcrunch.com/2009/04/17/um-facebook-your-developer-site-has-been-hacked/"&gt;defacing popular sites&lt;/a&gt;. We're dealing with serious "bad guys" with a lucrative opportunity to use our systems, with a big shiny dollar sign at the end. And we want to stop them from doing so. 
Our only problem is that when we do so, we tend to make the legit buyers' lives much harder, because fraudsters are always more prepared and have more incentive to complete a purchase than the average buyer.&lt;br /&gt;&lt;br /&gt;If you go back to square one, you'll discover that when coming to design a payment system one has to choose between an open and closed door approach. This might seem simple, but closed (only allow buyers you trust to make a purchase) vs. open (allow all to buy, then detect the bads while they buy) approaches not only define your risk aversiveness in general but also dictate your risk management strategy. True, the long term goal in each is to get to a nearly-perfect system and hedge the risk (more on hedging - thank you Tal - in a future post), but how do you get there?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;All in all, we're looking to prevent scalable negative actions; reach a point where every fraudster can only hit you once and you're in a completely new ballpark. For most merchants, the problem is the fact that fraudsters return to known exploits, and for most fraudsters the problem is finding and reusing without bouncing off rules and limitations. CAPTCHAs and Captcha-like mechanisms reduce the ability to quickly open many accounts ("horizontal scalability") while soft limits and caps limit the ability to create large losses through a single account ("vertical scalability"). By combining the two, one would expect, we make the fraudsters' lives harder, raise the "cost of fraud" and reduce risk. Somewhat right, somewhat wrong.&lt;/p&gt;&lt;p&gt;In themselves risk controls are not bad ideas, but to make good use of them they need to be utilized properly. Here's a common approach: "Heck, the last fraudster did one hundred 5$ digital goods transactions, let's stop anyone from doing that. Then that other one opened 5 accounts that are linked, let's not let any linked accounts in our system". 
Synchronous, always on controls, especially explicit ones, raise the incentive to reverse engineer them. Use too many quotas and limits and you reach an unmanageable system with thousands of rules you forgot exist, and whose effect on future (legitimate) buyers you cannot predict. This is why, among all recommendations, I would support heuristic profiling. It's a big word, true, and we'll need to shed some light on this subject before we move on; but only right profiling and segmentation of your legitimate and fraudulent users can allow proper use of risk controls and authentication mechanisms - one that doesn't strain legits for something fraudsters are trained at overcoming, and doesn't create an overgrown operations center (that doesn't justify itself) to manage.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-2878742524458183037?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/2878742524458183037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=2878742524458183037' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2878742524458183037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/2878742524458183037'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/04/stop-are-you-fraudster.html' title='Stop! 
Are you a fraudster?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-5831770379703261116</id><published>2009-04-14T04:25:00.000-07:00</published><updated>2009-10-06T21:13:00.819-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='business intelligence'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>That one small detail</title><content type='html'>&lt;em&gt;"When the Chinese government instituted the policy in 1979, it touched off a wave of sex-selective abortions as pregnant couples decided that if they could have only one child they would benefit most from having a boy. That helped leave modern China with the largest gender imbalance in the world. Today, there are 37 million more men than women in China, and many of the boys are growing up unable to find a job or start a family.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;So what are these “surplus” boys doing to fill their time?"&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This isn't just a story about risk management - it's a story of pure business intelligence - it is &lt;a href="http://freakonomics.blogs.nytimes.com/tag/abortion/"&gt;a story of freakonomics&lt;/a&gt;. 
The German police has spent years chasing down someone that turned out to be &lt;a href="http://scienceblogs.com/authority/2009/03/the_phantom_of_heilbronn_and_n.php"&gt;a phantom&lt;/a&gt;, a woman who wasn't really a feared killer in many different, distant crime scenes - but merely a lab worker whose DNA "slipped" onto the cotton swabs German CSI people used to collect evidence (on another note, wouldn't it be just morbidly funny if that person turned out to be a real-life German "&lt;a href="http://en.wikipedia.org/wiki/Dexter_(TV_series)"&gt;Dexter&lt;/a&gt;" copycat?).&lt;br /&gt;&lt;br /&gt;So what does an unsanitized cotton swab have to do with abortions in China, and with risk management?&lt;br /&gt;&lt;br /&gt;When one approaches modeling of complex situations (either to explain what just happened, or to improve decision making in the future), often the "sense" made in the process gets deterred by the fact that not all the data is revealed. This is why when Freakonomics' author Steven D Levitt says something along the lines of "if we had enough data, we could unravel the mysteries of the universe", many of us nod (however, I must say, we are not always right); we are in constant search for the added detail that, when added to the equation, will help the story make sense. It's not only as extreme as claiming that a rise in abortions is correlated with a drop in crime rates - retailers are always looking for the additional factor that will verify a bank account, provide details for a phone number or do this automated super sophisticated AVS check. 
But fact is that most of the added data doesn't do the trick, since looking for that additional detail requires a system.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Yes, having a &lt;a href="http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html"&gt;single source of truth &lt;/a&gt;helps give foundation, but even the brightest have a hard time without a system - and the right one at that - for collecting, validating and understanding data. I've seen this in organizations here and there and the German CSI story demonstrates it well. The CSI department has a system for examining a crime scene and extracting evidence, and they came up with a concrete linking theory between cases. It didn't shed light on the actual identity of the mysterious killer, however it gave an interesting spin to a bunch of unsolved crimes, until it didn't make sense anymore. &lt;/p&gt;&lt;p&gt;What the CSI department lacked was a key component of creating robust linking stories - identifying common resources. That common BIN number in your last week's transactions might be a result of a data breach at the processor level, but might also be a result of a marketing campaign for a new eCard; and that repeated IP creating new accounts may be a script attacking your system but may also be a whole trend-struck fraternity house shopping through the same computer for that special item only you are offering for a great price. Noticing the trend, understanding it and making the right call on how to handle it are key decisions we are facing every day, and not only in eCommerce. Common resources are one simple example where correct classification, using an external resource, makes the difference between turning away good business and letting the fraudsters in; between chasing a phantom killer and tracking down a less-than-perfect lab worker. 
Using the right constructs for doing this is key in our ever-changing profession.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-5831770379703261116?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/5831770379703261116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=5831770379703261116' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5831770379703261116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/5831770379703261116'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/04/that-one-small-detail.html' title='That one small detail'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3062244865811991461</id><published>2009-04-07T04:54:00.000-07:00</published><updated>2009-10-06T21:13:15.865-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='MRC'/><category scheme='http://www.blogger.com/atom/ns#' term='nigeria'/><category scheme='http://www.blogger.com/atom/ns#' term='tips for risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud c2b online ecommerce nigeria cell mobile payments'/><category 
scheme='http://www.blogger.com/atom/ns#' term='c2b'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>The single source of truth</title><content type='html'>&lt;em&gt;"Great Oracle, sleeping through the centuries,&lt;br /&gt;Awaken now at last&lt;br /&gt;And tell us how to save us from ourselves&lt;br /&gt;and how to survive our own rulers&lt;br /&gt;who would make a plutocracy of our democracy&lt;br /&gt;in the Great Divide&lt;br /&gt;between the rich and the poor&lt;br /&gt;in whom Walt Whitman heard America singing"&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;em&gt;(&lt;a href="http://www.blogger.com/en.wikipedia.org/wiki/Lawrence_Ferlinghetti"&gt;Lawrence Ferlinghetti&lt;/a&gt;, "To the Oracle at &lt;a href="http://en.wikipedia.org/wiki/Delphi"&gt;Delphi&lt;/a&gt;")&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Ok&lt;/span&gt;, no politics. Here's the first rule of proper engagement with complex decisions: &lt;strong&gt;know the truth&lt;/strong&gt;. It's so simple yet one of the hardest tasks ever in a large organization, especially one that deals with transactions every day. Because the Knowledge Boom hits hardest where you actually need to make sense of it. This isn't just going through your Google reader and finding the 5 interesting posts to read between the dozens you got last night from &lt;a href="http://www.techcrunch.com/"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;TechCrunch&lt;/span&gt;&lt;/a&gt; and &lt;a href="http://www.slashdot.org/"&gt;Slashdot&lt;/a&gt;. It is (first and foremost) about finding those pieces that really matter, and using them to make money, or prevent from losing it; it is about finding what's the most important piece of data you aren't logging or don't have, and getting it; and finally, it is about making it all connect. 
Because without all of these, you're left with a blur called your payment system, and your best chance is third party vendors and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Chargeback&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;representment&lt;/span&gt;, and you know my opinion - it's not the best place to be in.&lt;/p&gt;&lt;p&gt;So, you say, what's the problem? I'll hire someone who understands Risk and I'm good.&lt;/p&gt;&lt;p&gt;Not quite. Here's an interesting dynamic: since many merchants either relate risk management to CS or demand a clear ROI for any headcount they're hiring, the risk or fraud management department often ends up as an underdeveloped group with CS responsibilities. Yes, this means that they'll start calling a lot of people. On the other hand, when the organization grows, in come the industry veterans with their zest for business intelligence, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;segmentations&lt;/span&gt; and graphs. So you end up with a group of "factory" workers on one hand - who feel the "field" but do not know what to do with this knowledge (let alone generalize from it), and on the other hand you have the top squad, segmenting the world but never actually meeting the real fraud cases on a non-aggregate level. When the second group needs to find what is happening exactly, they cannot rely on the first group, and they end up reverse-engineering the answer to "what really happened?" by digging deeper into your already-huge data warehouse, always reaching something that is just that-much better than a random variable, but never the actual answer. I know this is industry standard, I know it works well to a certain extent, I also know it loses flexibility and degrades after a while. 
In &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;addition&lt;/span&gt;, I can tell you that this is the reason not only for fraudsters having a ball, but also (and much worse!) for legitimate people not making it through the grid of filters. So my advice to you is: get an oracle.&lt;/p&gt;&lt;p&gt;Who's or what's an oracle? You can think of this position as, at the very least, the missing link between your field agents and the BI experts. The "oracle" knows what's a good transaction and what's a bad one; they can rationalize the case and furthermore, they can generalize. Because proper usage of rationalization and generalization are key for an efficient decision making process: they lay the foundations for understanding why bad things happen, how do you spot them on time (and not in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;retrospect&lt;/span&gt; analysis of business performance or when the processor is already knocking on your door with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;chargeback&lt;/span&gt; fines), and what should you check. They have the ability to dive into the material and resurface with additional insight, and the ability to test your systems while you develop them. This is much more than a field agent becoming the newest member of the BI team - the oracle is not only a person with a specific talent, but also has the right system to enable their way of thinking that has nothing to do with Customer Support - as important as CS might be in your organization.&lt;/p&gt;&lt;p&gt;What's the talent profile, and what's the right system? Allow me to call this my little trade secret. But you have an important tip now - find an oracle. Find two. Have your own source of truth, that isn't just your most experienced field agent, and make sure they are all in sync (which is a challenge on its own). 
Then, finally, you'll be able to start planning automated systems that actually do the work your way.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3062244865811991461?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3062244865811991461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3062244865811991461' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3062244865811991461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3062244865811991461'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/04/single-source-of-truth.html' title='The single source of truth'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-3987953463785276193</id><published>2009-03-31T00:46:00.000-07:00</published><updated>2009-09-28T01:25:10.538-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='online ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='nigeria'/><category scheme='http://www.blogger.com/atom/ns#' term='ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='c2b'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Here comes the scary 
part</title><content type='html'>It is a dark night in Tel Aviv, the kind in which bad things lurk in dark corners. Sitting in a small cafe with the security expert, I hear the wind blowing between the trees. The waitress looks worried as well. A dark night indeed. I look across the table to my partner, a serious person with thick eye glasses that add to his already grim demeanor. Then, to accent his last sentence, he leans towards me - his glasses almost opaque in the dim light - and barely whispers: "but you know, man, you know what the real problem is, right? the real problem is BOTS!".&lt;br /&gt;&lt;br /&gt;Oh, is it really?&lt;br /&gt;&lt;br /&gt;I didn't go to the &lt;a href="https://www.merchantriskcouncil.org/index.cfm?fuseaction=page.viewpage&amp;amp;pageid=653"&gt;MRC conference &lt;/a&gt;this year. Somehow, boogieman stories from interested third parties (over early morning session, in Vegas!) sounded less appealing for someone who needed to fly 18 hours for the experience. I did, however, read excerpts and ideas. Boy, I have to admit that the set up was a lot more successful than a Tel-Aviv cafe. Because here's the thing with 3rd party vendors - they are looking to sell, and if you're looking for the real gap in your system (rather than the perceived one), you probably shouldn't be looking in that direction. Let's see what's hot this year: it appears that Malware and Botnets are attacking everyone, and that Machine ID and phone verification might be the only way of stopping this.&lt;br /&gt;&lt;br /&gt;Now's probably the right moment to wonder what's my case. True. Here's my case: buying flashy new technologies when you haven't exploited the old ones is pricy, redundant, plain dumb sometimes. 
Most of the merchants that will purchase anti-malware and machine id solutions do not, I bet, have a decent user-location system in place, and are instead declining multiple good buyers who live in a set of black-listed locations; most of the merchants that will purchase phone verification products will double their fraud operation costs before they realize that calling a large percentage of the transaction volume only slows them down instead of bringing that solution to loss mitigation. My case is - proper analysis of what you're dealing with, rather than going with the nifty, trendy new fraud filter, will bring you much higher ROI and a method for solving your own problem. It does, however, require some extra effort that cannot be bought off the shelf: training the right kind of people to do the right kind of work. More on that in future posts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-3987953463785276193?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/3987953463785276193/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=3987953463785276193' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3987953463785276193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/3987953463785276193'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2009/03/here-comes-scary-part.html' title='Here comes the scary part'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-650296454261939404.post-6265524480816529323</id><published>2007-12-13T05:58:00.000-08:00</published><updated>2009-09-28T01:25:53.842-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='online'/><category scheme='http://www.blogger.com/atom/ns#' term='nigeria'/><category scheme='http://www.blogger.com/atom/ns#' term='ecommerce'/><category scheme='http://www.blogger.com/atom/ns#' term='c2b'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Black men can't shop?</title><content type='html'>Here's a familiar scenario:&lt;br /&gt;&lt;br /&gt;You're working late hours, late enough to reach the time when you have to go and get yourself a strong one from the coffee house downstairs to wake everyone up. Only after you volunteer to be the one who'll go get it you find that you forgot your card at home. No problem, what could be simpler? You just borrow your friend's card.&lt;br /&gt;After choosing exactly what you need, with a list you made earlier at the office, comes the time to pay. You reach into your wallet and hand the cashier your friend's card. It's ok, your friend gave you the card. Even when the slip needs to be signed you sign it, it doesn't matter what signature you use (btw, do you sign your own or "invent" one for the friend?), no one will notice anyway, right?&lt;br /&gt;&lt;br /&gt;Wait.&lt;br /&gt;&lt;br /&gt;You've just committed the basic scenario in "card present" C2B (consumer-to-business) frauds, ones in which there's a real plastic that's being put through the POS (point-of-sale) terminal.&lt;br /&gt;True, you're no thief (or "carder", as one may be called). You did this all very honestly and there's no suspicion of a crime. 
The cashier came out clean - indeed he didn't use a very simple identity verification method (for instance - asking for a driver's license, like other "stung" merchants already do) yet the liability is on the issuer, as long as the buyer signs the slip.&lt;br /&gt;&lt;br /&gt;You are not thieves maybe but Gregory K, for instance, is. His method was a combination of the very simple and the somewhat sophisticated: He scanned trash cans and looked for copies of credit card slips. Sometimes he did great and hacked computers over eMule and other file sharing platforms to copy credit details. He used those details to buy online - in this kind of shopping it's much easier to pretend you're someone else, you can be Barbara from Australia for all we know, all you need is her card details and some other details people usually keep together with their card, when they are gullible and unsuspecting. Gregory had it easy, he lives in the states, and it will cost him a few years behind bars now, carried away by the (justified) fear of identity theft.&lt;br /&gt;&lt;br /&gt;So why can't black men shop? Well, the legitimate ones can, but the thieves among them, those who orchestrate scams from third world countries, find that going into a store with a just-stolen card and claiming to be George Costanza the third will be a bit hard, but stealing on the net is so much easier and profitable. In addition, when shopping over the net the purchases are under the merchants' responsibility and those - lacking substantial knowledge in preventing fraud - turn into easy victims of sophisticated Nigerian, Vietnamese and Russian carders exploiting many stations en route to the desired loot of watches, jewelry and electronics for thousands of dollars.&lt;br /&gt;&lt;br /&gt;How do the merchants protect themselves? 
Well, they just don't sell, or ask for ridiculously frustrating actions (you can't imagine how many times a year does an Israeli need to send their passport's or credit report's scan, not to mention not even being able to ship to Israel). Next time, when you get rejected over a simple order online, remember Greg K. and his Nigerian friends, that cost the eCommerce business billions of dollars a year, and turn online shopping into a much more complicated procedure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/650296454261939404-6265524480816529323?l=fraudbackstage.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://fraudbackstage.blogspot.com/feeds/6265524480816529323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=650296454261939404&amp;postID=6265524480816529323' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6265524480816529323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/650296454261939404/posts/default/6265524480816529323'/><link rel='alternate' type='text/html' href='http://fraudbackstage.blogspot.com/2007/12/black-men-cant-shop.html' title='Black men can&apos;t shop?'/><author><name>Ohad Samet</name><uri>https://profiles.google.com/111530797504617032263</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-sBr9z5iMn80/AAAAAAAAAAI/AAAAAAAAAG4/2yfk-GxDQe4/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry></feed>
