
...want to thank our sponsors again. If you have feedback, bid.com feedback, or on the schedule for the talk, you can click on the feedback survey button. We have one final raffle at the end of the day: a $150 Amazon gift card, so put your name in the box provided by Jim Alto. Otherwise, this is James Addison from Lyft. He deals with fraud at Lyft, and he's going to be talking about fraud detection and real-time trust decisions.

Thank you. So I've been to a few BSides events before; glad to be speaking for the first time here. I'd start by introducing myself a little bit. I don't really have a security background as such, just a keen interest: I go to a lot of security conferences and things. I'm more of a general software engineer, and my interests tend to be around slightly arcane and unusual systems, so I worked in the travel industry for a few years. I don't know if anyone here is familiar with airline GDS systems;
they're the weird booking systems that let you book seats on flights, things like that. Payment processing systems are an interest of mine for some reason; I find those slightly painful interfaces interesting to work with. So my most recent experience has been at Lyft. I've been there a couple of years now, mostly working on payments processing and a little bit of fraud detection. So I'm going to speak a little bit about my experience in terms of battling fraud. I'm going to speak a bit about how fraudsters arrange their operations, a little bit of the history behind that, looking back to older dot-com companies like 15 or 10 years ago, and I'm going to try and draw a few parallels for discussion between fraud and traditional computer security and information security.

So my thesis, or introduction for this talk, would be that I see fraud as a type of attack. It's a financial exploit, rather than necessarily getting access to information or data or services, but I think there are a lot of similarities between the two. Your business, whatever it is, has some kind of attack surface for fraud, whether you're processing transactions yourself or fulfilling orders for other people. There are ways to target and attack that operation, and essentially any way to render goods or render services without payment is going to be explored. It depends maybe at what scale you reach when you're going to find that; you might not even notice it until you really begin to have problems with attacks. But these are the things that people will look out for, and they will try to find loopholes in your system. The other thing to note is that, again, it's a very adversarial situation. We have people, myself and the team I work with, trying to identify and defend against these fraud attacks using whatever signals we have, implementing new systems and practices to try to close down any existing loopholes. And then it's a bit like breaking into systems: there's the other side of things, the red team side, where you can analyze a system, try and figure out where there might be gaps, where there might be weaknesses, and try to attack that. I'd also add, excuse me, that these folks tend to be, I mean there are various grades of sophistication, but some of the people out there are quite sophisticated. You should consider the possibility that they're even developing things like malware, or writing their own software to try and defeat your protections. So it's not just random people using stolen credit cards; the types of attacks that these guys end up using to that end can be quite sophisticated.

This is an example of an attack that probably quite a few of you in the audience have heard about: this is from a description of the Target credit card breach, which happened a few years ago. I like this diagram because it illustrates that there's a whole organizational pipeline going on here. It's not just a case of some people broke into Target somehow, stole these credit cards and sold them, as one single operation. There's a real process of sourcing cards from places, whether it's skimming at ATMs or breaking into databases and actually getting full dumps of credit card numbers, often with personal information as well. There's a big thing around not just selling the card numbers but also including personal information. And then there's quite a mature model where they'll go on and test these cards, try and work out how much value is available on each of the credit cards, whether the cards are still valid, whether any of them have been reported as stolen. And then into marketplaces where you can go online, some in the black market, well, some available via Tor etc., but somewhere you can just log on and download, purchase, stolen credit cards. And of course these finally go on to get used in purchases, often for high-value electronic goods, which can then be shipped on elsewhere and resold for real value. I think the example here includes just purchasing prepaid gift cards, which are also a good way to ferry value from stolen credit cards into real purchases.

So this might be a touch difficult to read, unfortunately, but this is a graph of various different types of fraud, credit card fraud in particular, as reported by the UK credit card association. They do quite a good job of breaking down different types of credit card fraud. So these are things like card-not-present fraud, which is the vast majority of online transactions, where the physical card holder and the card are not present, to things like replication, creating duplicate credit cards, and a few other types of attack. The thing I would note here is the topmost line, which is increasing and heading up to the right: that is card not present, so that's online transaction fraud. The interesting thing here is a lot of this postdates the introduction of chip and PIN in the UK, sometimes also called EMV. This is basically the chip that appears in your credit card and is used as an additional form of authentication during transactions. As you can see, that seems to be helping a fair bit with physical transactions where the card is available; those look like they're staying fairly steady, but what's really happened here is that pressure against fraudsters has pushed that fraud online, where it's a lot easier to simply use the credit card details. We are starting to see a few merchants introducing second-factor authentication online, so you may have seen that sometimes you get a prompt to enter your PIN code or some other bit of information on the web; that's going to start to help there. But for the moment, the fact is it literally is just card number and a few other details which are supposed to be somewhat difficult to obtain, but the reality is that if a credit card has been sourced from a database there's a decent chance the other information is going to be there alongside.

So I wanted to talk about a bit of the history, like how did we get to where we are now. We now have the situation where the fraudsters have quite an evolved, mature business pipeline. There are a lot of good pieces of advice out there about best practices for how to avoid fraud on your own service, but what's the background, what are the things that led to where we are now? So a lot of these attacks really relied quite heavily on the naivety of online merchants. So think late 1990s, still quite a new thing to be transacting with credit cards online. E-commerce wasn't a big deal; we maybe hadn't seen many examples of failures or problems in the past. So there are some classic things like just not having very good security in your database, not treating credit card information as a first-class piece of data. I think, zooming ahead to the current day, if at all possible, I would say you really shouldn't be storing any credit card information if you can possibly avoid it. Services like Stripe and Braintree do a great job of letting you pass on the job of tokenizing and storing all of that sensitive data elsewhere, and that really doesn't limit the amount of stuff you can do as a service. You can still transact huge amounts of value; you can still do any of the things that you'd be able to do by hooking up to a fully fledged payment processor, but it reduces all of that risk, and that's a great way to go.

Another example of early naivety here would be services in which the fulfillment systems and the card processing systems are disparate. So a user places an order, your fulfillment system kicks in, and within a few hours you've got some goods which are being shipped on a truck off to the other side of the country, and yet you haven't yet charged the credit card, so you don't actually even know if that's going to succeed or get declined. So again, it seems like an easy thing, but that was a classic attack: just try all these cards on all kinds of merchants and see which ones you can actually use to get some goods out the other side.

Another thing is, I think there are quite a few limitations with the verification systems that the card companies themselves expose. There are standards for these; they provide documentation about AVS systems, and I forget what the A stands for, but it's address verification, thank you. So these will do things like check the ZIP code that your card is registered against, check that your name possibly matches against the card, although I haven't had much luck with that kind of functionality. They'll also check things like the street address that's registered for your card. This is good stuff, but from reading a lot of the documentation about this, it's not a super easy-to-use thing, and I think, maybe not blame, but there's an element of a hurdle to overcome in using those things, which again I would say: look at what APIs are available out there now, and I think you'll find that things are much easier nowadays.

And then a final point there: I think also there was a lack of reputation or trust assigned to accounts for a long time. So one of the things you really need to do is make sure that when you have user accounts you're keeping track of how many payment methods have been attributed to this account. Has the user successfully added a couple of credit cards? Have they failed to add 10 different credit cards? That would be a big red flag there. And I think in the early days people maybe didn't do a great job of storing that kind of account trust and attribution.

So that's great; let's say we do start having these accounts where we've got more verified information about the user. We're not going to ship our goods until we know that everything's okay with the payment. There are still potential loopholes. A classic attack, which we've seen people attempt as well, is you'll create a good account, you'll fill that with the best verified information that you have available, try and get that account into a good state where it's trusted by the system, and at that point you do a switch-up: at that point you'll start to use some of the stolen or otherwise acquired credit cards, maybe use other payment mechanisms, to try and use that account to get some service. So something I'd recommend there is basically, you have to treat any attempt to add new payment information, or any action with that account, quite carefully and run maybe some of the same checks. Certainly for new payment instruments you want to run all of those same verifications, and you generally should consider degrading the value of signals over time. So if an account has been dormant for a long time, then you might want to be a little bit more skeptical of the state of that account.

To go into a little bit more detail about what happens to these goods that people are trying to acquire: obviously this doesn't apply to all businesses; many businesses provide online services, transportation could be an example of that. But if you are shipping physical goods, one classic thing to watch out for is reshipping. So I have a bit of a story from PayPal, from a colleague of mine. He was on the fraud team at PayPal when it was first developing, and I think they're a really good source of a lot of early stories for fraud detection in the early days of online payments. So what they identified: they don't always require delivery addresses on their accounts, but what they did start to discover from the address information they did have is very big clusters of fraudulent addresses, things where a lot of transactions would be charged back, so the user would claim that the goods weren't delivered, or basically result in other kinds of failed transactions. And what they had identified is basically services called reshipping services. A lot of these are legitimate, but they will receive goods on your behalf and then forward those to other addresses; some of them will do international forwarding as well. And so it can be pretty tricky, particularly with PayPal now, to use things like freight forwarders. So this is an example of how they took a signal from the real world; they found something that allowed them to clamp down on these transactions. And of course I recognize there are times when that is legitimate business, so it's not a perfect solution, but for them and for their bottom line that helped them trim down on fraud a lot. I think there are one or two cities in particular around the US where it's now very difficult to transact on PayPal if your delivery destination is one of those cities, just because of rules like this.

It's also interesting to see how attacks have evolved as a result of this. So the example which is actually highlighted up here is in relation to human mules for reshipping. So if you know that you're not going to be able to get goods to all of these ZIP addresses or locations, what's a possible workaround you can use? So in a couple of fraud attacks, what people have started doing is actually recruiting mules. So these are people, just with everyday street addresses, who will receive those goods, and then it'll be up to them to either physically take those goods or mail them themselves to some other destination. So it's basically a way to work around those address limitations. There's a pretty good story: Air Parcel Express is the name of one company; there's a fairly good report by RSA, in fact, which has a good story of an example of this taking place.

So if we do want to have flexible delivery options, let's say we're a company like Amazon, which also of course transacts huge amounts, we do want to enable things like same-day delivery, we want to have multiple addresses per account. What can we do to deal with this, and also scale this out? We need to be able to perform millions of transactions per day; how can we deal with this kind of stuff? And what they, and many others, do is they build trust models. So take all of those accounts your users have; again, ensure you can do as much upfront as possible to verify information about the billing address, information about those cards, and that other user activity is valid as well. How did the user sign up for an account? Do they tend to use lots of discounts? Is there anything abnormal about the way that they use the site or the service? Do they tend to deliver to one address, one or two addresses? Basically any signals that you and your team can come up with which might help determine different types of behavior: collect all those and then build a trust model. So starting to look a little bit towards machine learning and things which will scale more than any human-defined rules possibly could for identifying issues. One other thing I'd add there as well: I haven't talked a great deal about chargebacks, but chargebacks will be reported to you by your payment processor or whichever service you use, and it's very much worth including data about chargebacks in these models. They're very expensive to you as a merchant. If someone charges back on a credit card transaction made to them, not only will you not get the revenue for the transaction which occurred in the first place, but also you often have to pay an additional fine on top of that. And this is a common technique that people will use: try to pay for something and then recoup those funds and get the value back on the card.

So we're now in a world where we've got a lot of on-demand and more real-time services out there. So let's just take a moment and think about what is really different here, what has actually changed about this situation. So a lot is still the same: the way that we pay for things hasn't been modified a great deal. What has really changed is that time duration between, it could even be, someone signs up, installs an app, and then uses that for some service straight away. So that time window can be very short, so that's something to consider. We also have much higher expectations on behalf of the user, so people expect to receive that service right away; they tend not to like friction. So the fewer details you are required to add in order to activate the service, the better. And in some sense there is better information available in terms of a little bit more identity: you can argue that we're now using mobile devices which have some level of identity attached. I think that's countered by the fact, as we're all aware, that you can clear identity on devices, you can use virtual devices, you can spoof locations. So we need to be a little bit cautious about what we do there, but it's certainly true that in some sense we might have more identifying information. The big risk, of course, is that we have a lower decision time with which we can either approve or deny a user a given service.

So given these assumptions: we can assume that fraudsters are resource bound. If they want to do more sophisticated attacks they are going to need fake numbers that they can use, potentially even fake devices, depending how effective virtual devices are for them. They may need email addresses, depending on the verification steps you're using, and there may be other barriers that you can put up to increase the cost of fraud. The other thing that we definitely know, which is very good, is we definitely know what our exposure is from various transactions. So if you're shipping some goods, electronic goods for a couple of hundred dollars' worth, you know what the potential cost to you is if you lose that shipment, if that disappears. So we can use that to balance the cost that we're applying to the fraudster: how difficult are we making it for them to set up an account versus what are the risks to us. That's a very useful trade-off to be able to make. And we can also assume that it is somewhat difficult to clear device identity; it's certainly not impossible, and again, depending on how sophisticated the groups that are attacking you are, you may see various levels of that, but for a lot of fairly ground-level fraud it is true that you will see repeat devices getting reused. And also, as with the goods examples previously, in many cases you can still just charge upfront. If a user is making a reservation for something a few days ahead, then you can go ahead and run that transaction now, and then you're not taking on any of that risk. So that still applies in a lot of cases.

So something that I've seen that's been very effective in terms of combating and detecting fraud is to build relationship graphs. Graph databases are perfect for this. What we really care about in this situation is the relationships of the various entities in our service. So I would include things like credit cards, user accounts, user locations, building locations, all that stuff in there. Get all of that into some kind of graph network, and that'll start letting us draw connections between users. We'll start to see: has this credit card been shared between 5, 10, 100 users? Things like that can be a very strong signal. Again, you can see maybe a huge spike in 100 or so accounts getting created in the same location, clustering; things like that are also worth looking out for. And then what we can start to do is record reputation against the nodes in that graph. I'd hinted a few times there about having reputation per account; this is a perfect place to store that information. Most of the graph databases I know about will let you store plenty of attributes against each node, and so you might have an account, the number of transactions they've made in the past, the number of failures, perhaps the value of the transactions that customer has made; that could be useful information.

But then we're getting on to what's the challenge after that: let's say we've got all this information, what's that actually going to be good for? So this is when we need to start bringing in machine learning. There are basic rules we could extrapolate once we've got this graph, but we want to avoid encoding too much of our own human business logic in this. It's better if we can just feed in all of those and have the system tell us what its decision would be: should we let this user continue? And I'd add that we have the perfect labeled data set for that. Your business has run plenty of transactions; you've seen the ones that have failed, you've seen the ones that have been approved, so you actually know from your own data set what the classifications are, what the labels are for the results of that training. So use that graph, use those accounts as input, and train with the historic results as labels.

The other thing to do is make sure to shadow these models. You want to be very careful about anything that's going to affect your production service, of course, so before introducing one of these models into production you should make sure to shadow those results offline. Keep records, keep very good analytics about what decision would have been made, but determine after the fact whether those were effective: how correct were those, would there have been negative impact to good users? False positives are definitely something to watch out for. And this might sound a little bit heavyweight, but for any action the user is taking, like maybe they're about to make some kind of purchase, you should really be able to retrieve any of the relevant information from your graph database and run maybe a few models in sub couple-hundred milliseconds. This shouldn't be expensive stuff; this should be the kind of thing you can do without the user necessarily even realizing there's been any checks taking place. And that compares pretty favorably, I think, to more heavyweight operations like actually talking to the bank network to perform any card checks.

So a few lessons learned from seeing some of this stuff. It definitely requires quite a big internal engineering investment. This stuff is quite application specific; you need to know what signals you're going to extract, what you're going to store in your reputation network, and that's not really something that can be sold as an off-the-shelf product. Some vendors may claim otherwise; I would be skeptical of those claims, but it's always worth seeing what's out there. Certainly try to use ground truth signals where you can. I talked previously about declined transactions and chargebacks; those are things that happened in the real world that you know from your own data; they're the perfect things to train against. I've heard of stories where people have tried to use other feedback from the system, or maybe use previous decisions of models to relearn against. I tend to think that kind of stuff is a bit risky; you risk getting into things like feedback loops when you're training. Another thing is to consider deteriorating the signals from older data. So if a user hasn't used an account in a long time, again you maybe don't want to apply the same level of trust that you once had for that account 6 or 12 months ago. And very much use external signals as well where available. There's one really useful feature that most credit card tokenizers, so Stripe and Braintree as examples again, can provide: a fingerprint, a hash of all of the card details, and you can use that in a non-identifying way to link appearances of the same card across multiple usages. So that's a great example of the perfect thing to use; it's like the edges between the nodes in your graph. That's a very powerful signal.

And a few more useful tips, if I can. So there are existing graph databases out there. Neo4j is a very popular JVM-based one. There's something I haven't really looked into yet called Gaffer, which is from GCHQ, and that seems to have a lot of these same properties, these same mechanisms built in, so that might be something worth looking at if you think you're building something like this from scratch. I've had great experience with scikit-learn in terms of training and deploying models. There are more sophisticated things you can do there, I'm sure, and I think there are even a few cloud and hosted machine learning tools becoming available; those might also be worth looking into, depending on your level of sensitivity about personal information. Certainly be aggressive about performance goals. You should consider these checks to be negligible in terms of latency cost; you should be able to run these things frequently. You should use the scores that you get back from them and weigh those against the cost to your business for various actions. And also, another maybe not obvious note: do build for a world where you have different types of decisions that you want to make. So to give a concrete example, sometimes it can be useful, before making a transaction, to perform an authorization on a credit card, just to check that it has the right amount of value available, or sometimes you might just want to go ahead and charge straight away. That's maybe a good example of the kind of thing you'd want to do here: if you have a reason to suspect this person might be fraudulent, maybe you'd want to perform that check ahead of time. And I'd also add, I've got a few resources which are in the slide deck and will be posted, for a few articles which all relate to building these kinds of fraud detection systems. So definitely refer, see what's out there; there are people who have been building these kinds of things as well, and there are lots of resources out there.
So, towards the close of this, I just want to think about some of the parallels with security. Again, this is all very much for discussion, and I don't have much of a security background myself. I've heard a few people comment that this is similar to what SIEM systems do. It's certainly possible for these fraud detection systems to involve a human feedback element; that's something I've seen used a little, especially to avoid false positives: if you're in any doubt, maybe you should alert someone and use a human operator to intermediate there. I think that's more similar to SIEM, where you'd have alerts that are raised. I think one of the key differences is that all the stuff I've talked about is very application specific, whereas I think these vendors are trying to sell things where you just plug it into your network, into your access logs, and it magically provides what you need.

Another thought is: would any of these approaches work for other kinds of privileged access decisions? If you were trying to decide whether to allow a user to log into a certain resource, would these kinds of fuzzy metrics ever be useful? That's again something I'd be interested in chatting to people about.

One thing I don't have so much experience with, but have definitely seen in the past, is that some more sophisticated attackers will actually stage their operations. It won't just be a case of signing up for an account and making some transactions; there will be clusters of accounts created ahead of time. Sometimes we're able to detect those, again using account linkages, but sometimes they're prepared quite well and quite carefully, and then they may sit idle for a long time. I don't know, off the top of my head, of any great ways to automatically detect or look out for that kind of thing. I guess you could use things like inactive accounts; we certainly try to reactivate those and keep people interested. But I'd also be very keen to hear from anyone who has ideas about protecting against those kinds of network attacks. So I think that's about all I had; I think we should have a little bit of time for questions.

I do some work for a nonprofit which had its fundraising campaign at the end of November and December, as many do, and one of the things we discovered is that the card vendors were using us as an oracle to figure out if their cards were still alive. They were making very small numbers of $1 or $5 charges, and of course these would all be charged back or we would decline them, but we finally figured out that our objective was to give them as little feedback as possible so they couldn't use us as an oracle. The other funny thing we noticed is that there were some people who were Robin Hooding: they were giving us thousands of dollars on other people's debit cards, and we still don't understand why they were doing that, because we could think of no way that they could convert that to their benefit. So I wonder if you happen to have seen that in any context, people doing very large transactions on debit cards just to figure out what its value is, for example.

Yeah, that's really interesting, and that term "oracle" is a very good one to know. Basically this is a good example of people testing credit cards, trying to figure out how much value is on there. Yes, we have seen that kind of stuff, and the best-practice advice there is to be very reserved about what you actually indicate to the user about why you didn't accept the transaction. You
don't want to hint that there's something wrong with a card; you might even know it's stolen. I think some of the responses that credit card processors give you will tell you why the card was declined, but generally it's good practice not to expose that to the user. Regarding the second point, have I seen Robin Hood use of credit cards: the main point of reference I have is Lyft, and I would maybe leave it to your imagination, but there are reasons why people would want to use transport, to get from A to B, on stolen credit cards. So for us there's a pretty clear value proposition. Why they would donate using stolen credit cards, that is very interesting; I don't have any answers, but maybe someone in the audience would.

I have a question here. I have a friend, who shall remain unnamed, with, for lack of a better word, what's called friendly fraud. Lyft used to provide referral bonuses (I'm not a big user of Lyft, so I don't know the details), and so did Uber. So he would actually refer himself: email IDs are free, Google Voice numbers are free, and his credit card provider had virtual account numbers, where he could generate virtual account numbers, so he pretty much didn't pay for any of his Lyft rides for about six months. Do you have any lessons learned from that type of attack?

Yeah, so I didn't really mention that, but we, and Uber, and many other companies make a lot of use of coupons to incentivize users. We like to think of them in essence as, in many ways, the same as credit cards: they're just a source of funds; it so happens that we've issued them to you ourselves. But we certainly don't want to issue too many of them. We're granting credit to you in the hope that you're going to use our service. So I would actually say that coupons were one of the first applications of a lot of the type of technology we're using here: just detecting whether someone has logged in from the same device multiple times, and whether we are going to grant them coupons for that new device. So I hope that answers your question. Basically we are very concerned about that kind of stuff, and this is also an application of the type of stuff that we do to defend against
it. So the question was, is that the only form of protection we have against that? It's not. We have limitations on the number of coupons we will issue; we often have geographic restrictions and other things to make sure that kind of use isn't ballooning; and we have a lot of monitoring and alerting on that kind of stuff as well. At the end of the day, most of it does come down to detecting the same person again. There's not ultimately a huge amount more we can do than that, but we do have various checks to try and make sure it's not being abused on a regular basis.

I have two questions. The first one should have a fast answer; the second one is maybe a bit longer. I work for a kind of on-demand marketplace company, a two-sided marketplace, and we're facing a lot of issues with fraud right now. The fast question is: is there an industry standard for how much customers are willing to get pre-authorized charged? My boss told me that if you charge them more than a dollar, people freak out and there's a huge drop-off, but that would solve a large number of issues that we have. The second question is: you mentioned using more complex graph-based solutions to tackle fraud, but what about using something like SignalFx, which is based on collectd, where you just raise an alert if you have, I don't know, more cards created than one standard deviation above what's usual for the same user?

Yep, cool. So regarding authorization amounts and industry standards for that kind of stuff: there's actually a really nice thing you can do with what are called zero-dollar authorizations. This is basically just a ping that does hit the linked bank for the card, so it is going to verify that the card is valid and exists, but it's not actually going to check anything about the balance; it's not going to hold any funds. That can be extremely useful, so I'd definitely look into that kind of stuff. $1 is also a kind of implicit standard. PayPal does this interesting thing where, if you authorize for $1, they don't send an email to notify the person, which is kind of unusual, but I think there's a sort of implicit understanding that this is a temporary authorization. There are also things you can do to change the statement text for these auths, which is worth doing. Once you get into higher values I think it's less clear; I don't really know of any standards there. And then, to answer your second question: yes, I would say graph databases are not necessarily complicated. I think where things start to get a bit tricky is once you've got the machine learning as well; then you usually need somewhat expert engineering knowledge. There is definitely a lot you can do without having to invest in any of this stuff, so yeah, things like you
suggest: just having thresholds, even just using traditional databases. Have an index on a column which is the device ID for a user and look for too many people using that device. Those are much lower-cost ways, and that's a good way to get started; then you can roll into more mature stuff when you need it.

Hi, back here. Very good session, thank you very much. One question I had: most of the information seems to be about the transactions themselves. Have you been able to tie any of this to, or have you looked into, clickstream analytics, like how fast someone's moving through the site and registering and stuff like that?

Yeah, great question. So yes, a lot of it depends on the level of instrumentation you're willing to go into, but I should apologize if too much of that seemed to be about the transactions; there are a lot of other user signals. I think Twitter actually had a lot of success with their anti-spam team just determining how quickly people are typing into the various login fields. So yes, don't just look at the financial stuff; use any signal you think would differentiate a real user from a fraudulent user.

Hey, I was going to say, in response to the person who was talking about large donations: we have the exact same problem, and my understanding is that in some cases it actually is a Robin Hood motivation. We had people from Anonymous donating stuff to us, like "you guys are cool, here's some free money," and it was just a chargeback in the end. (We're with the Freedom of the Press Foundation.) But the other thing I've heard is that a lot of that is actually people testing high-value or high-limit credit cards and proving that they can get the high limit or the high value out of it. So it's probably

that one here.

Yeah, so the question there was how to learn more about the economics of reshipping. I have a couple of links in the slides; there was that one article in an RSA publication about reshipping, and I think that'd be a good place to start. I actually haven't done a huge amount of research into that, but I'm sure that would lead you
places. Cool, well, thank you again, appreciate it. And again, on behalf of BSides, and thanks to our sponsor Fitbit, here is a Fitbit. We also have a special announcement: everybody who's worried about that burning smell, it's cool. I've had about six people ask me whether it's okay and whether we have to evacuate. No, it's at Ninth and Harrison; something's on fire, which, if you're not from here, is about seven blocks away. We just happen to be downwind. We're fine, and EMS is all over it, so don't worry about it, and please stop asking me if you need to evac. If you need to evac, we'll tell you. Thank you.
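Editor's added example, placed after the transcript. It is not code from the talk, from Lyft, or from any of the questioners; it sketches two of the low-cost checks that came up in the Q&A so a practitioner can see them side by side. The first is the starting point the speaker recommends for the referral-bonus question: an indexed device ID column in an ordinary relational database, queried for devices linked to too many accounts, and extended here (beyond what the talk describes) to a join that finds referee and referrer signing up from the same device. The second is the oracle point from the donation question: keep the processor's decline reason for internal logging but return one generic message to the user for every reason. The in-memory SQLite database, the table and column names, the thresholds, the decline codes and the signup records are all constructed for illustration.

```python
"""Two low-cost anti-fraud checks from the Q&A, as a runnable sketch.

Added example: not code from the talk or from Lyft. The schema, thresholds,
decline codes and signup records below are constructed for illustration.
"""
import sqlite3

# Constructed sample signups: (user_id, device_id, card_fingerprint, referred_by).
# dev-A is one phone behind four accounts, three of them "referred" by the first:
# the self-referral pattern the questioner described.
SIGNUPS = [
    ("u1", "dev-A", "card-111", None),
    ("u2", "dev-A", "card-222", "u1"),
    ("u3", "dev-A", "card-333", "u1"),
    ("u4", "dev-A", "card-444", "u1"),
    ("u5", "dev-B", "card-555", None),
    ("u6", "dev-C", "card-666", "u5"),
]


def build_db(signups=SIGNUPS):
    """In-memory SQLite table with an index on device_id (the speaker's
    'index on a column which is the device ID' starting point)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signups ("
        " user_id TEXT PRIMARY KEY, device_id TEXT NOT NULL,"
        " card_fp TEXT NOT NULL, referred_by TEXT)"
    )
    conn.execute("CREATE INDEX idx_signups_device ON signups(device_id)")
    conn.executemany("INSERT INTO signups VALUES (?, ?, ?, ?)", signups)
    conn.commit()
    return conn


def devices_over_threshold(conn, max_accounts=2):
    """Devices linked to more than max_accounts accounts -> {device_id: count}."""
    rows = conn.execute(
        "SELECT device_id, COUNT(*) FROM signups"
        " GROUP BY device_id HAVING COUNT(*) > ?",
        (max_accounts,),
    ).fetchall()
    return {device: count for device, count in rows}


def self_referrals(conn):
    """Referral pairs where referee and referrer signed up from the same device."""
    return conn.execute(
        "SELECT r.user_id, r.referred_by FROM signups r"
        " JOIN signups p ON r.referred_by = p.user_id"
        " WHERE r.device_id = p.device_id ORDER BY r.user_id"
    ).fetchall()


def grant_new_account_coupon(conn, user_id, max_accounts=2):
    """Treat the coupon like a line of credit: refuse it when the device is
    already linked to too many accounts, or the signup is a same-device
    self-referral. Unknown users get nothing."""
    row = conn.execute(
        "SELECT device_id, referred_by FROM signups WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False
    device_id, referred_by = row
    linked = conn.execute(
        "SELECT COUNT(*) FROM signups WHERE device_id = ?", (device_id,)
    ).fetchone()[0]
    if linked > max_accounts:
        return False
    if referred_by is not None and (user_id, referred_by) in self_referrals(conn):
        return False
    return True


# Oracle check: the processor's decline code is useful to operations, but the
# user-facing text must not reveal it, or the site becomes a free card tester.
GENERIC_DECLINE = "We couldn't complete this payment. Please try another payment method."


def decline_messages(processor_code):
    """Return (user_facing_text, internal_log_entry) for a decline code.
    The codes are made-up placeholders, not any real processor's codes."""
    internal = {
        "do_not_honor": "issuer declined (do not honor)",
        "insufficient_funds": "issuer declined (insufficient funds)",
        "stolen_card": "issuer declined (card reported stolen)",
    }.get(processor_code, "unknown processor code %r" % processor_code)
    return GENERIC_DECLINE, internal


if __name__ == "__main__":
    db = build_db()
    print("devices over threshold:", devices_over_threshold(db))
    print("same-device self-referrals:", self_referrals(db))
    for user in ("u4", "u6"):
        print("coupon for %s: %s" % (user, grant_new_account_coupon(db, user)))
    print(decline_messages("stolen_card")[0])
```

The threshold query is the whole of the "traditional database" approach: one GROUP BY over the indexed column, no graph store or model required. The coupon decision deliberately reuses the same two queries rather than a separate heuristic, so tuning max_accounts changes both the alert and the grant. On the decline side, the only thing that varies with the processor code is the internal log entry; the user sees identical text for a stolen card and an insufficient-funds decline, which is what denies a card tester the feedback the donation questioner described.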