Hacker News new | past | comments | ask | show | jobs | submit login

Kindel's Law: "Every new payment system rapidly transforms into an anti-fraud system."

Even lower-level, anything consumable by, well, anyone, quickly transforms from add-to-cart, checkout, and ship (whether digitally or physically), to add-to-cart, checkout, make sure they're actually the cardholder and legitimately authorizing the purchase, ship.

I have seen far too many places -- whether they're side projects, smb, or even enterprises -- completely miss the antifraud step. There are companies like MaxMind who <help identify and somewhat prevent this> but for someone who is above average-intelligence and an apt "carder", it's so trivial to get around.

When I'm tasked by x company -- a bank, company, security team, or someone with a side project -- to run through their site and try to get an order shipped using false credentials, I can't even speak to how easy it is for me to do so with trivial effort. And it's not all fun to see.

There is a company who does gift cards, and they'd ship them out instantly. Once redeemed by the other merchant, bam, they're SOL.

Don't be this company. Don't be this entrepreneur. Don't be this hacker. Reach out to someone who knows what they're doing. If your business relies on conducting transactions, I don't care if it's flowers or dog leashes, or some shit that's going to end up on Shark Tank, you need to have anti-fraud in place.

Sorry for my ignorance but what are possible anti-fraud rules for, say, a flower merchant?

Depending on how often the merchant is bitten by fraud, they can require to see an ID card for certain types of transaction (such as cash or check), or raise prices to cover the fraud costs.

Generally, they try to ensure that the liability shift is on the bank's side, by using an EMV capable system for most payments. Of course, that usually requires them to have a specific contract; banks, on their side, perform a risk assessment to ensure that they won't be covering too much fraud.

It's difficult but it comes down to loss-prevention.

I could setup a site with a front-facing flower shop, accept orders, take in the peoples $$ legitimately, and then transact and fulfill their orders (via fraud) on 1800flowers.com for example.

I realize that anyone could do this for anything, but the weaker your weak points are, the easier it is to capitalize on them.

Or the opposite, and started as an anti-fraud system (see PayPal)

PayPal didn't start as an anti-fraud system? It was a payment system that developed a pretty novel anti-fraud system and which was the foundation for a different company that does a ton of anti-fraud.

It most certainly did.

"Confinity Inc. is best known as the creator of PayPal. It was founded in December 1998 by Max Levchin, Peter Thiel, and Luke Nosek, initially as a Palm Pilot payments and _cryptography_ company. Confinity launched its milestone product, PayPal in late 1999."

[0] - http://en.wikipedia.org/wiki/Confinity

In the book "Founders at work", there is a chapter about Paypal's founder and half his interview is about how banks told them they'd be crushed by fraud, then how fraud was probably eating up 10-30% of their transfers, then how they built such an incredible alrogithm against fraud that they had to build a room around the server to protect their trade secret.

Actually the key differentiator of PayPal, at least according to Thiel, is it wasn't an algorithm. It was a method to abstract the transactions enough to allow a fraud analyst (not a computer, or even a computer/data scientist), to interpret the patterns.

It had some cute name that I can't recall right now. Hugo or something? It was spun out into a separate company to use the same philosophy to fight terrorism. That company is Palantir and seems to be Thiel's opus magnum.

Oh wow. That's crazy how it seems never to be mentioned in the history of the "PayPal Mafia," or at least not the ones that I've read. Cool info, thanks.

except bitcoin

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact