
Stolen Money on Gittip, Part 1 - heathanderson
http://blog.gittip.com/post/35057426257/money-laundering-on-gittip-part-1
======
shawnee_
The most unfortunate thing about this whole situation is that it was poor Chad
himself who ended up discovering and shutting down the fraudsters. This should
not have been the case, and I apologize on behalf of my former employer. I
sincerely wish I would have been able to help catch this before it got out of
hand. (Disclaimer: I am the former Operations / Support / Fraud Investigator
for Balanced Payments).

As it turns out, the CEO of BalancedPayments is (there is just no nice way to
put this) an unethical bag of scum. He recently went on some kind of insane
power trip, completely disregarding the needs of his customers, putting me on
unpaid leave for ... reporting an incident of fraud to a bank. I reported an
incident exactly like the one Chad discusses here, but the dollar amount
stolen was much higher, and the fraudster a repeat offender.

Anyway, after that last meeting where he was sneering and enjoying _way too
much_ the power trip of getting to "fire" somebody, I can confidently exhort
that Balanced should not be trusted.

It's important that any company a marketplace entrusts its financial data with
is an ethical one. So, yeah, looks like I'm on the job market; ping me :
<http://lnkd.in/NuBGDY>

~~~
steve8918
There are so many things wrong with this post, I would strongly advise you to
delete this. Besides the libel, it doesn't really paint you in a good light
either, especially if you're going to be looking for a job. I would suggest
keeping your dirty laundry off the Internet, and delete this post.

~~~
jrockway
I enjoyed reading it. I doubt this will come back to haunt the author with
respect to future work. If he's good at programming, pretty much anyone will
overlook his "scumbag" remark. After all, who identifies with the group
"scumbag" and will be offended?

~~~
unoti
This is, sadly, false. It may be true that anyone cool would ignore such
things, but there are plenty of companies and recruiters out there that will
consider this kind of thing a red flag and downvote people during the
recruiting process. (Edit: this comment has been getting upvoted and downvoted
in equal proportions, which kind of supports my point. It's an ugly truth,
what I'm saying here.)

~~~
jrockway
Oh sure, some people will discriminate against you, but you need very few jobs
relative to the number available.

~~~
unoti
That's a great point. And perhaps working for cool people is better. Maybe the
doors it closes are doors best left closed.

------
brandonb
My company (Sift Science) helps sites fight credit card fraud. We work with a
few large ($100m+ revenue) marketplaces, and here are some things I've
learned.

First off, strictly speaking, this is most likely to be a stolen credit card
(i.e., fraud) rather than money laundering. You do NOT benefit from fraud,
because when the cardholder notices the charges, they'll call up their bank
and issue a chargeback. The $488.15 in your account will actually be removed
and given back to the original cardholders. In addition, each fraudulent
charge carries a $15-$25 fee, which you're liable for.
<https://www.balancedpayments.com/docs/testing#chargebacks---disputes#tokenization>

What's worse, chargebacks can take 60-120 days to reach you, since there's
delay at every step: the customer's bank, the credit card networks, your
payment gateway, and the acquiring bank (your bank). Unfortunately, that means
you won't know how much fraud you have today until February (!). It's a broken
system, but that's how all the major card networks work, so it's something
that everybody who sells online has to deal with.

If your fraud rate is higher than about 2% for two months in a six month
period, Visa and Mastercard reserve the right to block payments entirely to
your (or Balanced's) account unless you prove you can get the chargeback rate
down. This is called an "excessive chargeback program."

In terms of heuristics, fraudsters adapt rapidly to whatever counter-measures
you use. The half-life of a good heuristic is maybe a couple of months. The
best approach is to evaluate hundreds of different signals, using a machine
learning algorithm to constantly adapt to changing fraud patterns. My company
is running a private beta of exactly this technology and we're happy to help:
<http://siftscience.com>. Even if you don't use us, I can recommend other
services or give you general pointers.

Hope that helps! Let me know if you have any questions:
brandon@siftscience.com.
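
The chargeback mechanics described in this comment (reversed amounts plus a per-chargeback fee, a 60-120 day reporting delay, and the "about 2% for two months in a six month period" trigger) modelled as a small script. This is an added example, not code from the thread, from Gittip, Balanced or Sift Science; the transactions are constructed, the $20 fee is an assumed midpoint of the $15-$25 band quoted above, and bucketing chargebacks by the month of the original charge is a simplifying assumption (the card networks define their own counting rules).

```python
"""Chargeback exposure and excessive-chargeback check (added example, constructed data)."""
from collections import defaultdict
from datetime import date, timedelta

FEE_PER_CHARGEBACK = 20.00   # assumed midpoint of the $15-$25 fee band quoted in the thread
DELAY_DAYS = (60, 120)       # window in which a chargeback reaches the merchant
RATE_THRESHOLD = 0.02        # "about 2%"
MONTHS_OVER = 2              # "two months in a six month period"
WINDOW_MONTHS = 6

# Constructed sample charges (not real transactions): id -> (charge date, amount in USD)
CHARGES = {
    "c1": (date(2012, 8, 3), 10.00),
    "c2": (date(2012, 8, 10), 25.00),
    "c3": (date(2012, 8, 24), 5.00),
    "c4": (date(2012, 9, 2), 12.00),
    "c5": (date(2012, 9, 15), 50.00),
    "c6": (date(2012, 9, 28), 8.00),
    "c7": (date(2012, 10, 5), 100.00),
    "c8": (date(2012, 10, 19), 20.00),
    "c9": (date(2012, 10, 27), 15.00),
    "c10": (date(2012, 10, 31), 6.00),
}
# Constructed chargeback notices: charge id -> date the dispute reached the merchant
CHARGEBACKS = {
    "c1": date(2012, 10, 15),
    "c3": date(2012, 11, 20),
    "c6": date(2012, 12, 1),
}


def _month(d):
    return (d.year, d.month)


def monthly_chargeback_rates(charges, chargebacks):
    """Chargebacks divided by charges, bucketed by the month of the ORIGINAL charge.
    (Simplifying assumption; the networks' programs count slightly differently.)"""
    sales = defaultdict(int)
    disputes = defaultdict(int)
    for cid, (charged_on, _amount) in charges.items():
        sales[_month(charged_on)] += 1
        if cid in chargebacks:
            disputes[_month(charged_on)] += 1
    return {m: disputes[m] / sales[m] for m in sorted(sales)}


def in_excessive_chargeback_band(rates, threshold=RATE_THRESHOLD,
                                 months_over=MONTHS_OVER, window=WINDOW_MONTHS):
    """True when at least `months_over` of the most recent `window` months exceed `threshold`."""
    recent = [rates[m] for m in sorted(rates)[-window:]]
    return sum(r > threshold for r in recent) >= months_over


def net_exposure(charges, chargebacks, fee=FEE_PER_CHARGEBACK):
    """Money that actually leaves the account: disputed amounts plus a fee per chargeback."""
    reversed_amount = sum(charges[cid][1] for cid in chargebacks)
    return reversed_amount + fee * len(chargebacks)


def chargeback_window(charge_date, delay=DELAY_DAYS):
    """Earliest and latest dates a chargeback on this charge is likely to arrive."""
    lo, hi = delay
    return charge_date + timedelta(days=lo), charge_date + timedelta(days=hi)


def still_at_risk(charges, chargebacks, today, delay=DELAY_DAYS):
    """Undisputed charges whose chargeback window has not yet closed as of `today`.
    This is the 'you won't know how much fraud you have today until February' problem."""
    _, hi = delay
    return sorted(cid for cid, (charged_on, _amount) in charges.items()
                  if cid not in chargebacks and charged_on + timedelta(days=hi) >= today)


if __name__ == "__main__":
    rates = monthly_chargeback_rates(CHARGES, CHARGEBACKS)
    for month, rate in rates.items():
        print(f"{month[0]}-{month[1]:02d}: chargeback rate {rate:.1%}")
    print("excessive chargeback band:", in_excessive_chargeback_band(rates))
    print(f"net exposure so far: ${net_exposure(CHARGES, CHARGEBACKS):.2f}")
    print("still at risk on 2012-12-15:", still_at_risk(CHARGES, CHARGEBACKS, date(2012, 12, 15)))
```

On the constructed data the August and September buckets are both far above 2%, so the six-month check trips; the at-risk list shows how many charges remain open long after the money has been spent or paid out.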

~~~
whit537
Thanks Brandon! Great info. If you see a way for Sift Science to add value to
Gittip then I'm open to a proposal. Balanced won our business by stepping
forward and contributing the integration themselves:

<http://blog.gittip.com/post/28351995405/open-partnerships>

I'd welcome a conversation with Sift Science along the same lines.

~~~
whit537
I started a GitHub issue to track this for Gittip:

"use a fraud detection service"

<https://github.com/whit537/www.gittip.com/issues/357>

------
dsl
This isn't money laundering (from your initial GitHub ticket it's obvious that
is what you were looking for, so that's what you found).

Before selling stolen credit cards, bad guys have to verify them. This is
often done with small (<$10) donations to charities or small purchases of
intangible goods that are considered low risk merchants.

With Gittip they found a way to get the low dollar amounts to come back to
them, but since this wasn't really the goal to start with, you'll likely see
donations to random leaderboard members that are unaffiliated with the fraud
itself in the future.

~~~
exratione
This is exactly correct.

I've supported a number of different online credit card donation forms for
various charitable and other causes, and you see this behavior of card testing
whenever you set the minimum allowed donation too low, and adopt too few of
the necessary precautions.

I wrote a post on the approach to raising the bar I took - it really doesn't
require much to get the credit card testers to go away, and if you don't get
rid of them rapidly, you'll be dealing with chargebacks from here until
eternity:

<http://www.exratione.com/2010/10/three-necessary-defenses-for-open-credit-card-submission-forms/>

~~~
whit537
Thank you, good info. For privacy reasons, we've been hoping to not track IP
addresses:

<https://github.com/whit537/www.gittip.com/issues/345>

Even then, I'm not sure I would trust this approach. I feel much more
comfortable white-listing accounts, and for the time being that's not too
onerous.

~~~
rmc
_For privacy reasons, we've been hoping to not track IP addresses_

You could hash the IP address, with some suitable salt. Then compare against
that.

The purpose of storing IP addresses isn't to find out "the IP address of the
user submitting the form", but instead to answer "How many other credit card
numbers have come from this address?", something that can be done with
sha512("salt_mc_salty_$IP")

~~~
whit537
Good call. I've made a ticket for this, "roll our own automatic fraud
prevention," and have included this suggestion:
<https://github.com/whit537/www.gittip.com/issues/360>

~~~
schiffern
The only problem here is, IP addresses are such a small space (4 billion
addresses) that it's so easy to brute-force the entire database that I don't
see it offering any protection. If the data is stolen it will be cracked in no
time, and if the data is subpoenaed that cost will likely be ruled as
insufficiently "onerous". Even IPv6 doesn't save you, since the space is
sparsely populated.

No, with IP logging it's all-or-nothing. You might as well store them as
uint32/uint128.

~~~
rmc
It's not as clear cut as that. With suitable salt and suitable (long) hashing
function, you can delay

From a security / data privacy angle, things are rarely 100% perfect or 100%
broken. Just because an approach is not 100% perfect, doesn't mean that it is
worthless. It can still offer protection of sensitive data.

Storing IPs in the clear in a DB means that if anyone gets any access to it
(e.g. SQL injection type attack), they can have the whole lot. With salted IPs
it's harder and much longer before they have any decent data.

If you tweaked a hashing algorithm to take circa 100 milliseconds to hash an
IP, then "brute forcing" would be much less of a problem because it would take
about 13 years to hash the whole lot.

~~~
schiffern
>If you tweaked a hashing algorithm to take circa 100 milliseconds to hash an
IP, then "brute forcing" would be much less of a problem because it would take
about 13 years to hash the whole lot.

Or $31,000 on EC2. Are these logs per-request or per-transaction? The former
could get awfully expensive.

Of course, checking a single target IP address would be trivial. Whether that
matters depends on their threat model.
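
The two ideas argued over in this sub-thread, dsl's observation that card testers push many cards through small charges and rmc's suggestion to keep only a salted hash of the IP so the question "how many cards came from this address?" can still be answered, put into one script. This is an added example, not code from the thread or from Gittip: the salt, the events and the threshold are constructed, `sha512(salt + ip)` is rmc's form as written, and the slow variant uses PBKDF2-HMAC-SHA512 to stand in for the "tweaked to take circa 100 milliseconds" hash. The cost estimator reproduces schiffern's arithmetic so you can see why a fast hash over a 2^32 space offers little and why a single-address lookup stays cheap whatever you do.

```python
"""Salted IP hashing for a card-testing heuristic (added example, constructed data)."""
import hashlib
import time
from collections import defaultdict

# Assumed secret salt; keep it outside the database that holds the hashes.
SALT = b"constructed-example-salt-do-not-reuse"


def fast_ip_hash(ip, salt=SALT):
    """rmc's suggestion as written: one SHA-512 over salt + IP. Cheap to compute,
    therefore cheap to enumerate across the whole IPv4 space."""
    return hashlib.sha512(salt + ip.encode()).hexdigest()


def slow_ip_hash(ip, salt=SALT, iterations=100_000):
    """Deliberately slow derivation (PBKDF2-HMAC-SHA512) so every guess costs CPU time.
    The iteration count is the tuning knob; choose it with measure_hash_seconds()."""
    return hashlib.pbkdf2_hmac("sha512", ip.encode(), salt, iterations).hex()


def cards_per_address(events, hasher=fast_ip_hash):
    """Answer 'how many distinct card numbers came from this address?' without
    storing the address itself. events: iterable of (ip, card_fingerprint)."""
    seen = defaultdict(set)
    for ip, card in events:
        seen[hasher(ip)].add(card)
    return {h: len(cards) for h, cards in seen.items()}


def flag_card_testing(events, max_cards=3, hasher=fast_ip_hash):
    """Hashed addresses that pushed more than `max_cards` distinct cards: the
    small-charge, many-cards pattern dsl describes."""
    return sorted(h for h, n in cards_per_address(events, hasher).items() if n > max_cards)


def address_seen(ip, table, hasher=fast_ip_hash):
    """schiffern's caveat: whoever holds the salt can test ONE address trivially,
    whatever the hash cost. Only bulk enumeration is made expensive."""
    return hasher(ip) in table


def enumeration_cost(seconds_per_hash, space=2 ** 32, cores=1):
    """Years needed to hash every IPv4 address at the given per-hash cost.
    At 100 ms per hash on one core this is about 13.6 years, matching the thread."""
    return seconds_per_hash * space / cores / (365 * 24 * 3600)


def measure_hash_seconds(hasher, ip="192.0.2.1", rounds=3):
    """Wall-clock cost of one hash on this machine, for feeding enumeration_cost()."""
    start = time.perf_counter()
    for _ in range(rounds):
        hasher(ip)
    return (time.perf_counter() - start) / rounds


# Constructed sample submissions (documentation-range addresses, fake card fingerprints).
EVENTS = [
    ("198.51.100.7", "card-a"), ("198.51.100.7", "card-b"),
    ("198.51.100.7", "card-c"), ("198.51.100.7", "card-d"),
    ("203.0.113.9", "card-e"), ("203.0.113.9", "card-e"),
    ("192.0.2.44", "card-f"),
]

if __name__ == "__main__":
    print("flagged:", flag_card_testing(EVENTS))
    for name, hasher in (("sha512", fast_ip_hash), ("pbkdf2", slow_ip_hash)):
        per_hash = measure_hash_seconds(hasher)
        print(f"{name}: {per_hash * 1000:.3f} ms/hash, "
              f"{enumeration_cost(per_hash):.4f} years to cover IPv4 on one core")
```

Two design points are worth noting. The hash only needs to be consistent, not reversible, so a keyed construction with the key held outside the database is the right shape; and the cost model scales linearly with cores, which is schiffern's EC2 point: dividing 13.6 years across a thousand rented cores brings it under a week, so the slow hash raises the price of a bulk leak rather than preventing one.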

------
ig1
Pull this post and talk to lawyers if you haven't already.

Depending on where you're based you'll have legal obligations that'll define
what you should be doing at this point. This may well involve lawyers, your
regulators and the police.

Some countries make it a criminal offence if you let a criminal know that you
suspect them of money laundering or similar offences (this is known as
"tipping off") so you should be very very careful about what you're disclosing
both to your users and the general public.

~~~
bmj1
Just wanted to +1 on this - this is a fairly severe offence in the UK

~~~
whit537
Thanks for weighing in. I'm based in the US. I am going to proceed along the
path of openness for now.

~~~
cynicalkane
_I'm based in the US_

You should still pull this post and talk to lawyers.

~~~
whit537
Yeah, sorry, I wasn't clear: I'm pursuing openness because I believe in
openness, not because I'm based in the US. I am glad to learn about this
potential legal ramification, however.

------
flibble
Looks like you have just discovered chargebacks, something that just about
every merchant discovers at some point.

What to do? Some options to reduce your fraud are:

- Outsource the problem by using an indemnified payments system (a payment
  processor who do their own fraud checks and don't pass on any chargebacks to
  you). Pros: easy. Cons: expensive and lots of valid payments will be refused.

- Use an e-wallet that usually has few/no chargebacks, eg Skrill & Neteller.
  Pros: easy, not too expensive. Cons: more difficult for people to make
  payments as they need to create an account with the e-wallet first.

- Use services to help with your fraud detection, eg. Iovation. Pros: you can
  keep it easy for your customers to make payments. Cons: a lot of work to
  implement (relatively speaking).

- Use bitcoin, eg bitcoin247.com. Pros: no chargebacks ever. Cons: about
  0.00001% of your customers use Bitcoin.

Edit: I forgot to add:

- Require 3D Secure / Verified by Visa payments. This removes the chargeback
  liability from the merchant in most cases and shifts it to the card owner's
  bank. Pros: much fewer chargebacks. Customers can still deposit directly on
  your site using their card (apart from the 3D redirect). Cons: entering 3DS
  details is another barrier to making payments so will reduce payments. Plus
  I'm not sure of the penetration of 3DS cards in the US.

~~~
antiterra
Gittip's professed concern is with ethics (and possibly sustainability), not
losing money from chargebacks. The author realizes he has stolen money in his
bank account, and that bothers him.

~~~
AUmrysh
I'll take it off his hands for him if it makes him feel better.

~~~
whit537
Sure, what's your Gittip? :^P

------
davepeck
This is unfortunate, but quite common. If you accept credit cards online,
you're at risk. The specific kind of fraudulent behavior you see will depend
on several factors (the nature of your business; whether you enable transfer
from users to just yourself, or whether you push money from one user to
another.)

Credit card companies will, some time later, probably notice the fraud. At
that point, you'll get a chargeback: you'll have to pay back the money you
charged in addition to a fixed penalty per fraudulent charge (usually $15.)
Especially if you're enabling a marketplace, like gittip does, these fees can
be devastating. Regardless, if chargebacks become too common, your merchant
account may be suspended.

I've written some about my company's experiences with fraud, if it's of
interest:

<http://davepeck.org/2011/11/17/fraudsters-gonna-fraud/>

<http://davepeck.org/2011/12/01/dealing-with-credit-card-fraud/>

~~~
whit537
Thanks, Dave, lots of good pointers. I made these new Gittip issues based on
your posts:

use a fraud detection service:
<https://github.com/whit537/www.gittip.com/issues/357>

detect and prevent botnets:
<https://github.com/whit537/www.gittip.com/issues/358>

detect and prevent scripting:
<https://github.com/whit537/www.gittip.com/issues/359>

------
dmethvin
Openness about the problem is good, but I am not sure that it helps to provide
that much detail about the ways you detected the fraud. That just give the
attacker more information about how to circumvent your detection.

~~~
reidmain
Security through obscurity is never the solution.

~~~
dasil003
You're cargo culting on security dogma.

Information asymmetry is probably your only advantage against credit card
fraudsters, because there is no security hole, rather they are exploiting your
core business flow.

~~~
whit537
I want to explore openness wrt fraud prevention, not out of a facile rejection
of "security through obscurity," but as part of Gittip's identity as an open
company. It's accepted doctrine that "information asymmetry is probably your
only advantage." I'm asking: can we be open about fraud prevention _and_
prevent fraud? If we can be, we should.

What are your thoughts on the value of the social graph in spotting suspicious
accounts? It seems to me that we should be able to whitelist new accounts
based on a review of GitHub or Twitter profiles, and perhaps for flagged
accounts we "authorize without capturing," as dangrossman suggests above.

~~~
dasil003
I admire your motives, but I can't offer much encouragement.

My experience is that there is no such thing as preventing fraud in the
absolute sense. It's not a binary proposition—maybe general security isn't
either, but it's a hell of a lot less gray than credit card fraud. So while I
think it's good for general fraud prevention techniques and information to be
widely disseminated, I can't in good conscience discuss specifics of
techniques that I've employed because those would be easily traceable to
companies I've worked for, and thus would impose an undue cost on them. A lot
of people who have worked on these issues are probably in a similar position
where we'd be happy to go into details over a beer but not on public record.

------
singingwolfboy
Kudos for being open and honest about this sort of thing. Publicly
acknowledging difficult issues makes me support a company even more.

~~~
whit537
:^)

------
VBprogrammer
I'm impressed at how quickly the criminal underground pivots. To identify
Gittip as a potential money laundering scheme while it is relatively unknown
even within Tech circles is, in a slightly disgusting way, actually quite
impressive.

It does make me wonder, did the bad agent happen across Gittip independently
or are they active within Tech communities?

~~~
jasonlotito
Anyone that knows about these things would see this immediately. Anything that
involves transferring money from one agent to another is quickly pounced upon.
That HN is a popular place for launching new startups would make this an
obvious target to watch. And most people starting new money transfer systems
are ignorant of the potential for fraud and laundering.

Essentially, this is standard practice.

~~~
whit537
For the record, I've been waiting and watching for this to happen. It did
happen sooner than I expected, however. Not sure if that means Gittip has
grown faster than I expected, or our Jokers are earlier to adopt than I
expected. ;^)

------
hcarvalhoalves
Welcome to the nightmares of dealing with money.

Any good payment gateway should be managing the risk of stolen credit cards,
but it's likely that because Gittip works with small recurrent payments
instead of big upfront payments, it doesn't trigger any red alerts.

~~~
mbesto
Hence also why most people don't realize that Paypal was the side effect of a
company that originally was created to handle fraud. Source:
<http://www.amazon.com/gp/product/1430210788/>

To take this to the next step, this is also why I believe Paypal is one of the
very few companies that has been able to scale online payments. I'd love to
see anyone challenge their ability to balance customer service with fraud
prevention at scale.

~~~
jacquesm
Starting a new payment service, even from the point of view of a company
specializing in fraud prevention is a lot harder now than it was in the past.
You're basically entering an arms race that has been going on for a decade+ as
a rookie or at best a semi adept. Likely your main contribution to the field
before folding is target practice.

Gittip should work with a party that is already in the possession of the
required knowledge or they'll be shutting down. This post raised their
visibility as rookies considerably and you can expect the sharks to move in
now that there is blood in the water.

~~~
whit537
Thanks, I started a ticket for this:

<https://github.com/whit537/www.gittip.com/issues/357>

------
japhyr
I am a strong supporter of Gittip. I think it is an important funding model to
make available, across a variety of disciplines. I hope there are some people
around with experience identifying money laundering patterns, who can keep
Chad from having to reinvent the wheel on this.

------
davidu
Good catch. You'll be fine.

For what it's worth, a little bit of fraud is a good thing. It means people
are using your system and it's growing. Too much fraud and people will lose
confidence and your payment processors will punish you. Too little fraud and
your system is probably too complicated to be useful to anyone, including
fraudsters.

------
zzzeek
What's the responsibility of Balanced in this regard, isn't it on them to
ensure the validity of credit card numbers?

~~~
dangrossman
It's impossible to tell, with certainty, if a credit card is being used by its
rightful owner or someone else. That's not something anyone anywhere in the
payment processing industry guarantees. In terms of who can do the best at
predicting the likelihood a transaction is fraudulent or not, it's definitely
the merchant/website, not their processor. He has much more information
available to him (IP address, github account, etc) than Balanced has.

------
splicer
My GF just found out a few hours ago that she was the victim of a similar
scheme. Someone used her Amazon account (which has her credit card info) to
donate to a Kickstarter account. Unfortunately, she has no way of finding out
_which_ Kickstarter account. Luckily, her credit card company took care of
everything without a hassle. She also spoke with Amazon customer service, and
they "were completely useless and almost hung up because they didn't know what
Kickstarter was."

------
huhtenberg
> _My heuristic boiled down to the following:_

So that's that for that heuristic. They will adapt now.

~~~
whit537
The problem with hiding heuristics is that false positives get squished. I
want to avoid the horror stories we hear about people getting their Google
account shut off or their PayPal funds withheld.

------
olalonde
Another alternative would be freezing money transfers for 30 days or so. Or
use a payment processor that is used to deal with high risk websites (for
example, CCBill).

> The uncomfortable truth is that Gittip, Balanced, and our legitimate users
> are financially incentivized to turn a blind eye to laundering, because we
> have benefitted and are benefitting from it.

That's only true until you start getting chargebacks.

~~~
whit537
> That's only true until you start getting chargebacks.

Phew. I'm saved from the moral burden by the financial burden. :^)

------
PeterisP
This is why banks frown upon offering CC merchants to "marketplaces" - anyone
who is not charging cards for their own business, but allows one user to give
money to another.

You didn't get money laundering, but if your volumes would be larger, you
would get also money launderers.

------
noeltock
This doesn't seem to be a case of money laundering, but credit card fraud.
Thanks for the share!

~~~
pyre
It's both. Gittip is 'laundering' the money, so that it's clean on the other
side. It's not the greatest money laundering scheme as the launderer is
unwitting, and therefore can 'flip' exposing the source of the ill-gotten
gains.

~~~
noeltock
Negative. The layering stage of ML does indeed lead to "cleaning" funds, but
Gittip isn't doing that. ML means giving money a clean-slate with virtually no
history. Everything from casinos, offshore entities, to wiring funds through
FATF blacklisted countries will be closer to what ML actually is.

~~~
whit537
Right.

<https://en.wikipedia.org/wiki/Money_laundering>

I changed the blog post and GitHub issue to not refer to money laundering
anymore.

------
jacquesm
Any system handling funds should be approached from the angle of minimizing
the potential for fraud. If you don't do that right from day one there will be
a lot of hard lessons which are more than likely to kill your company. Please
team up with a company that has the experience to deal with this, balanced
(which should have been your first gatekeeper here) dropped the ball in a
terrible way, their anti-fraud measures should have definitely tripped over
this so clearly they're not in control of the situation. From your posting and
the comments here it is clear that you have the right general idea but you
lack the relevant experience and tools.

~~~
whit537
Thanks, I started a ticket for this:

<https://github.com/whit537/www.gittip.com/issues/357>

------
sdrgalvis
The link is broken. The Tumblr page is down. You can still read the post at
Altavista's cache at
<http://74.6.117.15/search/srpcache?ei=UTF-8&p=http%3A%2F%2Fblog.gittip.com%2Fpost%2F35057426257%2Fmoney-laundering-on-gittip-part-1&fr=altavista&u=http://cc.bingj.com/cache.aspx?q=http%3a%2f%2fblog.gittip.com%2fpost%2f35057426257%2fmoney-laundering-on-gittip-part-1&d=485744127291&mkt=en-US&setlang=en-US&w=uTdF6zbG3Yk&icp=1&.intl=us&sig=3bb8L0Lthk9mqSGJfyK_DA-->

------
kmfrk
This is always a concern when new value exchange services are invented.

None have been as open and ethical about this as you, though, so it's very
comforting to know that gittip won't be a free-for-all bonanza for asshats.

------
driverdan
Nice job being proactive and catching on quickly. Have there been any
chargebacks? Chargebacks are usually what alerts people to credit card fraud.

~~~
whit537
I am not aware of chargebacks yet. My understanding from other comments in
this thread is that it takes months for chargebacks to hit.

------
maplesyrupghost
Looks like Bitcoin could prevent this.

~~~
colindean
We'd love help implementing it.

<https://github.com/whit537/www.gittip.com/issues/search?q=bitcoin>

------
loceng
Best of luck. I imagine no one imagines themselves being in this situation.

------
Codhisattva
So basically this is the most popular article about Gittip?

~~~
whit537
Yes, though HNSearch hasn't quite caught up yet:

<http://www.hnsearch.com/search#request/submissions&q=gittip&sortby=points+desc>

------
noagendamarket
Should have used bitcoin :X

------
tkahn6
IANAL but isn't this one of those things where you need a lawyer?

------
arjunbajaj
Looks like Tumblr can't handle HN! The site is down. :(

Haha! That's why I'm never gonna use Tumblr! :P

