Gittip is a platform for sustainable crowd-funding. It allows you to set up small weekly gifts between $1 and $24 to people you believe in. Gittip is about five months old, and currently has about 550 active users, with $1,400 changing hands per week.
On October 10 (27 days ago), I noticed a new user named delpan in the top ten receivers list on the Gittip homepage. This user was suspicious, because the associated GitHub account was recently created, and empty: no repos; no followers, starred, or following; no name or location or avatar. Gittip has grown by word of mouth, so to have a new user unconnected to the rest of the Gittip social graph is unusual. But I didn’t want to jump to conclusions. There’s a Counter-Strike player that goes by delpan; maybe Gittip was breaking out into a new community? We adopted a wait and see approach.
Since then, it has become clear that delpan and other accounts on Gittip are in fact being used to steal money. The basic pattern is to create two Gittip accounts, one linked to a stolen credit card, the other to a bank account, with a tip set up from the one to the other. On payday, Gittip pulls the money in from the credit card and deposits it in the bank account. It does this via Balanced, Gittip’s payment processing partner.
I have identified six Gittip accounts that I strongly believe are linked to stolen credit cards. I determined this by manually reviewing the top 100 or so givers on Gittip, and looking for patterns. My heuristic boiled down to the following:
Secondary factors included:
I have reported these six accounts to Balanced. Together, these accounts have been used to steal $488.15 since September 27. The total charge volume during this six week period was $8,414.92, so the money stolen through these six accounts comprises 6% of Gittip’s volume during that time. However, we had an unusual number of credit card failures during the October 18 payday, and unless new stolen cards were associated with the same Gittip account, which I only noticed in one of the six cases, these would not have been reflected in the top 100 at the time I conducted the review. Consequently, I expect that even more stolen money has been funneled through Gittip. I need to do more research to determine how much.
Where is the stolen money now? Again, I need to do more research to fully answer the question. Anecdotally, most has gone to suspicious Gittip accounts, though a significant portion has also gone to legitimate Gittip users. Some remains escrowed within Gittip, some has been regifted, some withdrawn to a bank account—again, both by suspicious and legitimate Gittip users. Some has been paid to Gittip and Balanced as fees. The ideal is to get the money back to the people it was stolen from. Is this feasible? Do Visa and Mastercard make this possible?
The uncomfortable truth is that Gittip, Balanced, and our legitimate users are financially incentivized to turn a blind eye to fraud, because we have benefitted and are benefitting from it. I have stolen money in my bank account. Heck, I pretty much have stolen money in my pocket right now. The difficulty of unravelling the flow of money once it’s in the system makes this even less comfortable. We’re accidentally complicit in the crime, with no easy way to make good.
The most important thing is to prevent stolen money from entering the system in the first place. Therefore, I am instituting a whitelist: every giver will be reviewed and approved before Gittip charges their credit card. Gittip has about 350 credit cards on file and is only adding a few each week right now, so for the immediate future I will just manually review all paying accounts before payday each Thursday. I’ve already started adding admin UI to facilitate this and updating the payday script to enforce it, and no money was charged last week to the six accounts I identified.
As Gittip scales, we’ll need to rely more on algorithms and less on human intervention, though it’d be nice to avoid the nightmare scenarios that people run into with PayPal. The fact that Gittip accounts must be linked to a Twitter or GitHub account comes in handy here, and an automated or semi-automated approach based on the heuristic above seems like a good next step.
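As an added illustration of the two steps described above (a whitelist enforced in the payday run, and a semi-automated review based on the signals in this post), here is a small Python sketch. It is not Gittip's code: the participant records, the 30-day "young account" threshold, and the use of the tip graph itself as a proxy for "unconnected to the rest of the Gittip social graph" are all assumptions made for the example, and the sample participants are constructed.

```python
"""Hypothetical giver review and whitelist gate for a weekly payday run.

Constructed example, not Gittip's code. Participants are plain records, the
"social graph" is the set of tips between them, and the review flags follow
the signals described in the post: a young, empty, unconnected GitHub
account whose card funds a tip to an account that withdraws to a bank.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_DATE = date(2012, 11, 8)   # assumed "today" for the sample run


@dataclass
class GitHubProfile:
    created_on: date
    repos: int = 0
    followers: int = 0
    following: int = 0
    starred: int = 0
    has_name: bool = False
    has_avatar: bool = False


@dataclass
class Participant:
    username: str
    github: GitHubProfile
    has_credit_card: bool = False
    has_bank_account: bool = False
    approved: bool = False                       # set by an admin after manual review
    tips: dict = field(default_factory=dict)     # receiver username -> weekly USD


def givers_of(username, participants):
    """Usernames that tip the given participant."""
    return [p.username for p in participants.values() if username in p.tips]


def review_flags(giver, participants, today, young_days=30):
    """Heuristic review notes for one giver; an empty list means nothing stood out."""
    gh = giver.github
    flags = []
    if today - gh.created_on < timedelta(days=young_days):
        flags.append("github account created within %d days" % young_days)
    if not any((gh.repos, gh.followers, gh.following, gh.starred)):
        flags.append("empty github account (no repos, followers, following or stars)")
    if not (gh.has_name or gh.has_avatar):
        flags.append("no name or avatar on github")
    # Assumed proxy for "unconnected": nobody tips the giver, and every
    # account the giver tips has no other giver.
    if not givers_of(giver.username, participants) and all(
        givers_of(r, participants) == [giver.username] for r in giver.tips
    ):
        flags.append("unconnected to the tip graph")
    for receiver in giver.tips:
        r = participants[receiver]
        if r.has_bank_account and givers_of(receiver, participants) == [giver.username]:
            flags.append("sole giver to %s, which withdraws to a bank account" % receiver)
    return flags


def payday(participants, today):
    """Charge only approved givers; hold the rest and queue them with review notes."""
    charged, held = {}, {}
    for p in participants.values():
        if not p.tips or not p.has_credit_card:
            continue
        total = sum(p.tips.values())
        if p.approved:
            charged[p.username] = total          # hand off to the processor here
        else:
            held[p.username] = review_flags(p, participants, today)
    return charged, held


def sample_participants(today):
    """Constructed sample data: two established givers, one receiver, one suspicious pair."""
    old = today - timedelta(days=900)
    alice = Participant("alice", GitHubProfile(old, 12, 40, 30, 100, True, True),
                        has_credit_card=True, approved=True, tips={"bob": 3})
    carol = Participant("carol", GitHubProfile(old, 2, 5, 5, 10, True, True),
                        has_credit_card=True, approved=True, tips={"bob": 1})
    bob = Participant("bob", GitHubProfile(old, 30, 200, 50, 300, True, True),
                      has_bank_account=True)
    mule = Participant("mule", GitHubProfile(today - timedelta(days=3)),
                       has_bank_account=True)
    newgiver = Participant("newgiver", GitHubProfile(today - timedelta(days=5)),
                           has_credit_card=True, tips={"mule": 24})
    return {p.username: p for p in (alice, carol, bob, mule, newgiver)}


if __name__ == "__main__":
    charged, held = payday(sample_participants(REVIEW_DATE), REVIEW_DATE)
    print("charged:", charged)
    for user, flags in held.items():
        print("held for review:", user, flags)
```

The gate is deliberately default-deny: a giver with a card on file is charged only once `approved` has been set by a human, and everyone else lands in the held queue together with the reasons an admin should look at. The flags are only a triage aid; as the post notes, a new and empty account can be a legitimate newcomer, so the decision stays with the reviewer.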
We still have the problem of recovering stolen money once it has entered the system. I need to do more research to understand what that looks like and what our options are with Balanced before I know how to proceed there, and that’s why this is Part 1. Stay tuned …
UPDATE: Here’s part two: The Delpan Incident.
Chad Whitacre is the founder of Gittip.