Skip to content
This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

make sure "delpan" is not stealing money :-) #329

Closed
chadwhitacre opened this issue Oct 10, 2012 · 40 comments
Closed

make sure "delpan" is not stealing money :-) #329

chadwhitacre opened this issue Oct 10, 2012 · 40 comments

Comments

@chadwhitacre
Copy link
Contributor

We have a new person in the top ten, @delpan, and I don't know who they are ... which is awesome! It means Gittip is growing! That said, the day will come when Gittip is used for fraud, and we need to be watchful for that. We need to balance welcoming new users and communities with watchfulness for abuse. This ticket is to track the process of satisfying ourselves that @delpan is legit.

Edit: Changed to refer to talk about fraud and stolen money instead of laundering money, per this hn thread.

@chadwhitacre
Copy link
Contributor Author

@colindean points out that there is a well-known Counter-Strike player who goes by delpan. The @delpan account on GitHub was registered 11 days ago, which is when delpan registered with Gittip as well. That's fine, since one wouldn't necessarily expect a gamer to be on GitHub or Twitter. This person received $12 last week and is set to receive $60 tomorrow. As @cmbeelby points out, their Gittip statement is "ambiguous at best":

I am making the world better by listening from young people and give them advices in many situations such as love, family, friends affairs.....

What further information would we need in order to decide whether delpan's use of Gittip is illegitimate? What are the right questions to ask?

That said, @delpan is innocent until proven guilty, as far as I'm concerned. If you're listening, @delpan, welcome to Gittip. :-)

@coolbreezechloe
Copy link

Interesting thought. Do you really want to get into the business of deciding what is or is not legitimate use of the site? Not sure if you have any terms of service or acceptable usage policies. If you do and you suspect he is not following them then certainly investigation is warranted. I also assume you could do a little analysis of the source of this persons tips--and you seem to indicate you have added that feature for admins--to see if they are statistically abnormal.

Perhaps could ask this person for more information on the work they are doing. Do they have another website or background information?

Can't say I find the idea all that bad though. I'd love to start my own gittip account with a goal of something like "I make the world a better place by..." and have people give me money to pursue that end.

@coolbreezechloe
Copy link

Also, I just have to say that the Gittip statement quoted above seems to me to smell of a bad translation (i.e. using a automated service rather than natural speaker) from some other language into English. "Listening from young people" should probably be "Listening to young people" and "give them advices in many situations" perhaps "giving them advice on many topics". So if you are legit @delpan, I'd update your statement. :-)

@chadwhitacre
Copy link
Contributor Author

The only thing I'm really worried about at this point is people using stolen credit cards to send money through Gittip to themselves. If the cards aren't stolen, I don't really care who or why someone sends money through Gittip. Should I?

@coolbreezechloe
Copy link

No I don't think you should. If the cards are stolen (and have been reported as such to the cc agency) does your payment gateway system detect this and reject them? I know I've lost a cc or two in my time (and even had some fraud on one) and in all cases the cards are cancelled right away so they shouldn't work as a form of payment.

@colindean
Copy link
Contributor

I don't think Gittip should be in the business of deciding if someone is worthy of receiving money or qualified to receive it, beyond the minimum measures necessary to comply with applicable laws.

That said, is is reasonable to establish a minimum requirement to open a Gittip account? to give money? to receive money?

Some examples:

  • Minimum age of linked accounts (Github, Twitter, etc.)
  • Minimum level of contribution to those linked accounts (# repos + # commits, # posts)
  • Link to another service showing contributions (e.g. BitBucket, Launchpad, etc.)

Maybe it's appropriate to analyze the contributors to a certain account and ask for some kind of verification if it's found that a user is suddenly receiving a lot of money from brand new Gittip accounts backed by brand new linked accounts.

I think it's going to be difficult to establish some kind of flagging criteria, but it may be necessary in order to identify potential laundering schemes.

But, all of this seems like a lot of work that may not be necessary.

If the cards aren't stolen, I don't really care who or why someone sends money through Gittip. Should I?

To me, something neat about Gittip is its focus on developers. A purist would expend a lot of energy to prohibit unintended uses. If the mission of Gittip is to provide a way to tip developers, then that's one thing. If it's to provide a way for people to tip other people regardless of the reason, perhaps there's an opportunity for Gittip to grow into a service with a wider audience once some of the initial problems (such as this one we're discussing!) are identified and resolved.

To be direct, at this stage, it's perhaps worth monitoring lightly, but there are likely other more pressing issues to address. If the merchant/payment gateway can handle misuse of credit cards, let them and implement whatever's necessary to protect yourself (and Gittip) from the consequences of someone's misuse.

@jkwade
Copy link

jkwade commented Oct 11, 2012

Fascinating thread. I work at @balanced, Gittip's credit card processing backend, so I thought I'd chime in.

@colindean is right on with his suggestion to look at data from linked services as a signal of legitimacy, but he nailed it when he said:

Maybe it's appropriate to analyze the contributors to a certain account and ask for some kind of verification if it's found that a user is suddenly receiving a lot of money from brand new Gittip accounts backed by brand new linked accounts.

The main thing to look at with any double-sided payment scheme are signals that have meaning when examined across both parties. For example, if the tiper and tipee have linked accounts (github or twitter) or Gittip accounts that have similar created_at timestamps, then the chances of collusion are high.

@cmbeelby Is also right in pointing out that @balanced will be notified of a stolen credit card if it has been reported and will decline the transaction outright.

But there are obviously times when CC info has been compromised, and the card has not been cancelled yet. In those cases there are some characteristics of Gittip that make it unattractive to credit card thieves looking to liquidate value on a stolen card they have access to:

  • Latency - Gittip works on a weekly disbursement model. If I were a fraudster working with only a few days to extract value from a stolen credit card, I woud't go to a time-delayed service like Gittip.
  • Low average transaction values - doing some simple math, one can figure out that the average transaction value on Gittip is fairly low. If I were a fraudster, I wouldn't waste my time on a service where a single transaction over $50 is going to get noticed pretty easily.
  • Many to one - Gittip is a many to one platform. For a fraudster's transaction profile to resemble "normal" behavior, he/she would have to use many stolen credit cards. Too much trouble, so they won't even try.

Finally, by using Balanced, each Gittipee must go through an underwriting process. While this process is not a fraud prevention step, but rather used for compliance, a nice side effect of it is that the recipient cannot receive their funds unless they provide real identity information. @gvenkataraman can tell you more about this.

@colindean
Copy link
Contributor

Finally, by using Balanced, each Gittipee must go through an underwriting process. While this process is not a fraud prevention step, but rather used for compliance, a nice side effect of it is that the recipient cannot receive their funds unless they provide real identity information.

Do I correctly assume that this step is for AML compliance? I'm gaining an understanding of AML laws hanging around Bitcoin circles - the AML paperwork is necessary to deposit or withdraw cash at an exchange, and I assume it works the same for Gittip!

With the AML paperwork requirement in place to deter laundering on the receiver's part, and some kind of automated way to detect if a bunch of new accounts with new linked accounts raising flags for givers who may be malicious, it seems that the remaining factor is simply purpose.

Should Gittip allow non-developers/designers/documentarians, etc.?

I don't see the harm, except that people not in the target audience end up signing up for Github accounts that they'll likely never use :-p

@ironchefpython
Copy link

Should Gittip allow non-developers/designers/documentarians, etc.? I don't see the harm, except that people not in the target audience end up signing up for Github accounts that they'll likely never use :-p

In the short term, they could sign up via Twitter. In the long term, gittip could implement a wider variety of sign-up mechanisms, from bitbucket or unfuddle to facebook/google+ to app.net, or even anyone with a webpage or an oauth-compatible email provider.

@chadwhitacre
Copy link
Contributor Author

This is getting worse. Four of the five anonymous on the givers leaderboard are linked to empty Twitter accounts.

@chadwhitacre
Copy link
Contributor Author

And it looks like anon 1 and 2 ($108 and $90) had bad credit cards. They're off the leaderboard now that Gittip 21 has actually run (#341).

@chadwhitacre
Copy link
Contributor Author

One thing that hampers investigation is that we don't have a timestamp for credit card failures. Reticketed that as #342.

@coolbreezechloe
Copy link

What about not showing anonymous people in the top givers list? Or perhaps just a separate metric for total anonymous giving.

A comment you made earlier makes me think that you show people in the leader board before you have actually processed their payments? If so maybe it should only be based on money that has gone through...or somehow show that part of the total is not "for sure" yet, kind of how your bank might say you have money in your account but not available right away to withdraw.

@chadwhitacre
Copy link
Contributor Author

Repair

We should identify suspect givers and receivers. "Suspect" means the giver used a suspected-stolen credit card, and the receiver received money primarily from suspect givers. Any suspect receivers with bank accounts associated should be reported to Balanced and escalated from there.

I've noticed that some suspect givers also give to legitimate receivers, such as me, in effect making me complicit in the crime. I probably have money in my bank account that was stolen(!). To what lengths should we go to undo that? If we can confidently say that money given on Gittip was stolen, shouldn't we try to give it back? Is that feasible?

Also, what about stolen money that isn't directly withdrawn, but regifted on Gittip?

Fix

The thing we want to prevent is people using stolen credit cards on Gittip.

Apparently people using stolen credit cards prefer to do so anonymously. Would disallowing anonymous giving discourage the use of stolen credit cards? Maybe you can only be anonymous after certain conditions are met (four consecutive weeks of successful giving)?

Maybe we cap giving to a dollar a week for the first four weeks? As @jkwade points out, people using stolen cards are working against time to unload money before the card is reported stolen. This can be worked around currently by using the same credit card from multiple accounts. Throttling that is #134, and it should be investigated whether that's going on here. Also, once money is in the system, it stays in the system until someone withdraws it. This gets complicated.

@chadwhitacre
Copy link
Contributor Author

@cmbeelby Yes, the givers leaderboard is based on the future, not the past. Basing it on the past isn't a bad idea, reticketed as #346.

That said, it's precisely the leaderboard that tipped us off to possible abuse. If we change the leaderboard (and we're talking about that on, e.g., #216) then we want some way to visualize the system to spot abuse.

@colindean
Copy link
Contributor

Maybe we cap giving to a dollar a week for the first four weeks?

This isn't a bad idea. At worst case, it simply delays the effect by four weeks. At best case, stolen card numbers are reported stolen, marked un-chargeable by the processors, and the problem is resolved.

It's obviously infeasible at this point, but simply ceasing acceptance of credit cards is a better way to avoid the situation. ACH/SEPA transfers kinda scare me trust-wise; this is where Bitcoin would shine! If direct account transfers are feasible, then perhaps have the delay present only for credit transactions.

However, this also has repercussions for honest people. If someone wants to give $20 per week immediately to somebody else, then there's a technical measure in place to prevent them from doing that. Perhaps that measure can be removed if the person's connected accounts are older than a certain age.

This really is a hard problem! There's never really a way to ensure that payment comes from honest people, without some kind of measure of trust.

@ironchefpython
Copy link

then we want some way to visualize the system to spot abuse.

I would recommend four new leaderboards on the stat page:

  • top new gifters for the upcoming week
  • top new gifters for the previous week
  • top new recipients for the previous week
  • top new recipientsfor the previous week

These would be based on gifts newly created that week, and would privide both the sanity check for new givers, it would provide an opportunity for competition.

@chadwhitacre
Copy link
Contributor Author

The fix is to write an algorithm that flags suspect accounts, which then go into a queue for review. Things to check:

  • age of linked account as @colindean suggests
  • ratio of followers to following (mentioned in passing here and here)
  • name of bank where money is being dumped

Flagged accounts should not be included in payday until they're reviewed and cleared.

Creating new visualizations as @ironchefpython suggests would also help spot abuse. Reticketed as #347.

@chadwhitacre
Copy link
Contributor Author

The twist is that since we're developing this in the open, @delpan and his buddies will know what our review algorithm is, giving them an easy opportunity to game it. Can we develop an algorithm that is both public and difficult to game?

@chadwhitacre
Copy link
Contributor Author

The root problem here is using stolen credit cards on Gittip. Withdrawing the money to a bank account or sending it to other Gittip accounts is a dependent issue. The further money gets downstream, the messier it is, however. Some portion of the stolen money is being sent to "bystanders" (mostly me and @readthedocs at this point), with the majority of it going into bank accounts held with Inter National Bank.

@chadwhitacre
Copy link
Contributor Author

@jkwade Let's have a chat about this in the next day or two.

@jkwade
Copy link

jkwade commented Oct 28, 2012

Would you like to discuss via phone or email? If email, we could just have the conversation here. If phone, I'll have availability Tuesday.

@chadwhitacre
Copy link
Contributor Author

@jkwade Here's fine with me. What's the best way to proceed here? Does @balanced have an established process for reporting suspected stolen cards and fraudulent bank accounts?

@alexwoehr
Copy link

Hey, thanks for checking on me! Thanks for what you are doing. Thanks for
letting me continue to utilize your service. I hope it really takes off.

I should probably change my git tip tagline since right now it doesn't
really mean anything.

Yes, I haven't done a lot with github. I keep really busy but I plan to put
up some projects at some point. I guess my gittip tag line does kind of
look spammy, but I figure no one reads it anyway.

I'm on http://dynamicts.com/about about half-way down the page.

The following two comments on my handle on Hacker News are pretty
substantive, much more detailed than a spammer would ever try. I can prove
it's me if you need me to.

http://news.ycombinator.com/item?id=4707713

http://news.ycombinator.com/item?id=4643777

On Thu, Nov 1, 2012 at 7:48 PM, Virginie [email protected] wrote:

Hi,

good to know that you check this kind of things :)

But I'm real ^^
I just came on Github to be able to use Gittip to help a friend :)

I don't have any repos because actually I don't know how to use them and
don't really have something to say there!

Voilà!

2012/11/2 Chad Whitacre [email protected]

Just went through the current top 100 or so givers on Gittip and have
identified nine suspect accounts. Three are linked to Twitter:

https://www.gittip.com/SueAlle44381516/
https://www.gittip.com/HeathKern/
https://www.gittip.com/AngieMarshall18/
https://www.gittip.com/AngelaRudnick/

And two to GitHub:

https://www.gittip.com/r3s7/
https://www.gittip.com/hypershop111/

I also suspended payins for these four GitHub-linked accounts, which
upon
closer inspection appear to be legit.

https://www.gittip.com/kaiwetzel/
https://www.gittip.com/alexwoehr/
https://www.gittip.com/lsartran/
https://www.gittip.com/NessaAstaldo/

My apologies to @kaiwetzel https://github.com/kaiwetzel, @alexwoehr<
https://github.com/alexwoehr>,
@lsartran https://github.com/lsartran, and @NessaAstaldo<
https://github.com/NessaAstaldo>,
and the people they give to. Those gifts will be back on track next
week.

The primary reasons I suspect the other accounts of using stolen credit
cards are two:

  • Empty linked account. No Twitter followers, no GitHub repos, etc.
  • The giving profile: these accounts give $1 to a couple legit people
    drawn from the top 10 (e.g., me), and then give $12 or $24 to other
    accounts also linked to empty GitHub or Twitter accounts.

We need to explore the graph of the flow of money from stolen cards
better. For today's payday I took a step in the right direction, at
least.


Reply to this email directly or view it on GitHub<
https://github.com/whit537/www.gittip.com/issues/329#issuecomment-10000001>.


Reply to this email directly or view it on GitHubhttps://github.com/whit537/www.gittip.com/issues/329#issuecomment-10000420.

@chadwhitacre
Copy link
Contributor Author

Thanks @NessaAstaldo and @alexwoehr, for chiming in and for your understanding.

@chadwhitacre
Copy link
Contributor Author

I am working on a blog post explaining this issue. Once that's done I'll close this ticket. That is resulting in new tickets such as #354, #355, #356.

@sigmavirus24
Copy link
Contributor

Well first, I came here via the blog post so I guess this should be closed, but I think the GitHub API can be of some assistance in this matter. For one with each account you can check on their repos and creation date. You can also check out their public events timeline.

@chadwhitacre
Copy link
Contributor Author

@sigmavirus24 There's some mention of using GitHub and Twitter API on #355.

That blog post is part 1. ;-)

@sigmavirus24
Copy link
Contributor

Ah ok.

@sigmavirus24
Copy link
Contributor

Along the lines of limiting how much new accounts can send, what about putting a delay on when new accounts can withdraw their amounts?

@r3s7
Copy link

r3s7 commented Nov 6, 2012

Yes, r3s7 is legit - thanks for reinstating that. I take it that means the initial payment last Thursday to one fellow who has been a help to our project did not go out?

El Nov 7, 2012, a las 3:26 AM, Chad Whitacre escribió:

Just went through the current top 100 or so givers on Gittip and have identified nine suspect accounts. Four are linked to Twitter:

https://www.gittip.com/SueAlle44381516/
https://www.gittip.com/HeathKern/
https://www.gittip.com/AngieMarshall18/
https://www.gittip.com/AngelaRudnick/

And one to GitHub:

https://www.gittip.com/hypershop111/

I also suspended payins for these five GitHub-linked accounts, which upon closer inspection appear to be legit.

https://www.gittip.com/r3s7/
https://www.gittip.com/kaiwetzel/
https://www.gittip.com/alexwoehr/
https://www.gittip.com/lsartran/
https://www.gittip.com/NessaAstaldo/

My apologies to @r3s7, @kaiwetzel, @alexwoehr, @lsartran, and @NessaAstaldo, and the people they give to. Those gifts will be back on track next week.

The primary reasons I suspect the other accounts of using stolen credit cards are two:

• Empty linked account. No Twitter followers, no GitHub repos, etc.
• The giving profile: these accounts give $1 to a couple legit people drawn from the top 10 (e.g., me), and then give $12 or $24 to other accounts also linked to empty GitHub or Twitter accounts.
We need to explore the graph of the flow of money from stolen cards better. For today's payday I took a step in the right direction, at least.


Reply to this email directly or view it on GitHub.

@chadwhitacre
Copy link
Contributor Author

I take it that means the initial payment last Thursday to one fellow who has been a help to our project did not go out?

@r3s7 Correct, my apologies. :-( It will go out this week.

@chadwhitacre
Copy link
Contributor Author

incident report and blog post part 2 are up. Once I figure out how to account for recovery of stolen money in the database I'll close this ticket.

@chadwhitacre
Copy link
Contributor Author

I promise. :-)

@chadwhitacre
Copy link
Contributor Author

I'm eating the $104 given to innocent bystanders. Not worth figuring out how to garnish tips or whatever.

chadwhitacre added a commit that referenced this issue Feb 9, 2013
@chadwhitacre
Copy link
Contributor Author

The way to garnish tips would be to relax the constraint on minimum balance (see #161) and set the balance for the affected individuals to be less than zero. Then as they receive gifts those would be effectively be applied to refunding the stolen money before accruing to them again.

@chadwhitacre
Copy link
Contributor Author

The record-an-exchange (#53) UI is perfectly suited for these adjustments, were the db constraint relaxed. I would also want some investigation, reasoning, and tests to ensure that this would indeed behave as I expect.

@abnor
Copy link

abnor commented Apr 10, 2013

TLDR: umm, did anyone ask the kid if they're legit?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants