Gittip is a platform for sustainable crowd-funding. It allows you to set up small weekly gifts between $1 and $24 to people you believe in. Gittip is about five months old, and currently has about 550 active users, with about $1,500 changing hands per week.
Last week, we determined that stolen credit cards were being used on Gittip. We started investigating further to understand the nature and extent of the fraud, and we started taking steps to undo it and prevent future fraud. This is part two of that post. I named this incident the Delpan Incident after the account we first suspected of fraud, and you can find a detailed incident report here.
I conclude that $567.89 of stolen money was injected into Gittip over a period of seven weeks, representing 6% of credit card charges by dollar volume, and 5% by number of transactions. The impact of the fraud is apparent in the following chart, where the weeks in question are shaded red (the Gittip gift exchange takes place every Thursday).
I apologize for this fraud, especially to the original victims of the credit card theft, and to the ten innocent bystanders on Gittip who were affected. I’m sorry.
I have investigated the network of relationships stemming from the five accounts identified as fraudulent last week (a sixth account turned out to be legitimate). I have also reviewed all accounts that moved money into or out of Gittip in the past, and specifically those that had credit card failures in the past. With help from the fraud and risk officer at Balanced (our payments provider), I looked at account activity on GitHub accounts that were linked to Gittip accounts that also have a bank account attached. My thanks to the employees of Balanced and GitHub who helped out, as well as those anti-fraud professionals who reached out in confidence via email or publicly on Hacker News and GitHub to offer their expertise and support.
We now have an is_suspicious field in the Gittip database, with options “yes,” “no,” and “maybe” (technically, true, false, and null). Accounts start in the “maybe” category. Only accounts where is_suspicious is “no” are allowed to move money from a credit card into Gittip, or from Gittip out to a bank account. Accounts in the “maybe” category may exchange gifts within Gittip, but can’t move money between Gittip and the outside world. Accounts in the “yes” category are not included in Gittip’s weekly gift exchange at all, nor are they permitted to log in. Whenever an account first links a credit card or bank account, it goes into a queue and is reviewed before being included in the weekly gift exchange.
As a result of this investigation, a total of 22 accounts have been marked suspicious, out of 6,308 (0.3%). None of these introduced money into the system last week, and, as shown on the above chart, the dollar volume returned to an amount in keeping with Gittip’s normal growth during the past three months. Therefore, I believe that we’ve identified all accounts that have fraudulently participated in the Gittip economy to date, and I have whitelisted all other accounts that have successfully moved money into or out of Gittip in the past. There are currently 431 whitelisted accounts on Gittip (7%).
Here’s a summary of the new categories:

| is_suspicious | Accounts | Permissions |
| --- | --- | --- |
| Yes | 22 (0.3%) | Can’t move money at all; can’t do anything |
| No | 431 (6.8%) | Can move money; unrestricted |
| Maybe | 5,855 (92.8%) | Can move money, but only inside Gittip |
| Total | 6,308 | |
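To make the three-state policy concrete, here is an added illustration (written for this post, not Gittip’s actual code) of how the is_suspicious flag gates login, the weekly gift exchange, and movement of money across the Gittip boundary; the Account fields, the review queue and the function names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Illustrative model of the is_suspicious flag described above:
# True = "yes", False = "no" (whitelisted), None = "maybe".
# Hypothetical names; not Gittip's own implementation.

@dataclass
class Account:
    username: str
    is_suspicious: Optional[bool] = None   # new accounts start as "maybe"
    balance: Decimal = Decimal("0")
    has_card: bool = False

review_queue = []  # usernames awaiting manual review after linking a card

def can_login(a: Account) -> bool:
    # only "yes" accounts are locked out entirely
    return a.is_suspicious is not True

def in_weekly_exchange(a: Account) -> bool:
    # "yes" accounts are excluded from payday; "maybe" and "no" take part
    return a.is_suspicious is not True

def can_move_money_externally(a: Account) -> bool:
    # only explicitly whitelisted ("no") accounts may charge a card or
    # withdraw to a bank account; "maybe" (None) is deliberately denied
    return a.is_suspicious is False

def link_card(a: Account) -> None:
    # linking a payment instrument queues the account for review
    a.has_card = True
    if a.username not in review_queue:
        review_queue.append(a.username)

def charge_card(a: Account, amount: str) -> bool:
    # money entering Gittip from the outside world: whitelist required
    if not (a.has_card and can_move_money_externally(a)):
        return False
    a.balance += Decimal(amount)
    return True

def transfer_tip(giver: Account, receiver: Account, amount: str) -> bool:
    # tips stay inside Gittip, so "maybe" accounts may give and receive
    amt = Decimal(amount)
    if not (in_weekly_exchange(giver) and in_weekly_exchange(receiver)):
        return False
    if not (Decimal("1") <= amt <= Decimal("24")) or giver.balance < amt:
        return False
    giver.balance -= amt
    receiver.balance += amt
    return True
```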
I have refunded the $567.89 of stolen money that was injected into Gittip. I have notified Balanced of the bank accounts linked to suspicious accounts that were used to withdraw $379.80 (67%) of the stolen money, and I am waiting to hear whether they are able to recover any of that money. $104.00 (18%) of the stolen money was given to ten innocent bystanders on Gittip, and will be recovered from those individuals’ existing balances and future gifts. $54.00 (10%) is still escrowed within Gittip, and another $30.09 (5%) went to fees for Balanced and Gittip, whence it will be recovered.
Then, there will be chargebacks. Victims of credit card theft have 120 days to file a “chargeback” for each fraudulent charge, which then takes a month or two to hit the affected merchant, Gittip in this case. Ideally, we’ve identified all of the fraud on Gittip to date, and all stolen money has already been refunded. However, a $15.00 fee applies for each fraudulent transaction that we didn’t refund in time, before the chargeback process began. (Chargebacks remove the moral burden of being complicit in fraud that I expressed concern about in my prior post.)
I count 29 fraudulent transactions between 2 and 9 weeks ago, so in a worst case scenario Gittip is looking at an additional $435.00 in fees. Assuming in this scenario that the money already withdrawn to bank accounts is unrecoverable, Gittip is looking at a burden of $814.80 for this incident, or about 400% of the approximately $200.00 that Gittip has earned since launching. Ultimately, whatever this burden turns out to be is the responsibility of Zeta Design & Development, LLC, the legal entity behind Gittip, and its owners, namely, me.
It turns out that Gittip is particularly suited to a certain step in the black market for stolen credit card numbers, where low-level agents purchase long lists of numbers and then verify which numbers are actually good by performing small transactions with them. This is often done in the form of small donations to charities that have simple, unsecured, online donation forms. However, the money is lost from the point of view of the fraudster. With Gittip, it is possible to set up a bank account on the other end to recover some of that waste. The upshot is that Gittip is potentially useful for a certain kind of fraud, even though Gittip doesn’t lend itself to quickly unloading large amounts of money from any given card.
Fraud was bound to happen on Gittip sooner or later. Now we know one form it will take. While the amount of bad money injected into Gittip was small this time around—only $567.89—I much prefer to gain experience containing fraud while the stakes are comparatively low than to have been overwhelmed by an even greater degree of fraud now, or to learn an even harder lesson further down the road. Gittip is better prepared for next time, with systems in place that we didn’t have two weeks ago:
- A whitelisting policy for transactions with the outside world
- The ability to blacklist fraudulent accounts entirely
- A fraud dashboard and incident reporting infrastructure
- Experience in data mining for fraud detection
- A start on communicating additional fraud detection signals to Balanced
- Relationships with anti-fraud professionals at partner companies and in the broader tech industry
Moreover, this incident has given us a chance to test the principle of “maximizing transparency” that is at the heart of what it means for Gittip to be an open company. Rule #0 of anti-fraud is that you never tip your hand in the arms race with fraudsters. Obfuscation and so-called “information asymmetry” are the name of the game. What is the information that is obfuscated? Fraud signals, machine learning algorithms that mine as much data as you can get your hands on to find slight perturbations in the corporate cognitive field, slight disturbances that warn of fraud. It’s considered a truism that publicizing these algorithms gives fraudsters a much easier time inventing new work-arounds.
I accept the starting point that fraud will always exist. The task is not to extirpate fraud—that’s impossible. Rather, it’s to keep it to a low enough level for normal life to proceed apace. It’s like insanity. Each of us has a tinge of insanity, but as long as we’re 99.5% normal, nobody notices. I also grant that sociopaths walk among us. Heath Ledger’s Joker has been my mental image during this episode. Why commit fraud? Wrong question. And yet, at this point, my own question is, can I make my fraud algorithms public, and still keep fraud below that 0.5% threshold? Because if I can, I want to. That said, I respect the right of Balanced and Gittip’s other partners to manage fraud on their own traditional, closed terms. There are fairly clear layers here between Gittip and our partners, and I believe Gittip can experiment with openness without jeopardizing the integrity of our partners’ anti-fraud efforts.
I don’t know exactly what this looks like yet, or whether I’ll end up giving up and pursuing an information-asymmetric arms race per the status quo. The incident report I published is a first step in exploring how transparent Gittip can be with regard to fraud. I hope to push that envelope further as Gittip grows. Stay tuned …
Chad Whitacre is the founder of Gittip.