This is exactly it. Nobody assumes these factors are always true. Absolutely nobody in the fraud prevention chain.
They're just true often enough that the company is better off declining to serve the few exceptions than it is trying to build things around the edge cases.
it makes sense that every company ever has a bunch of broken by design security features that were justified after the fact by "risk model", after failing to arrest anyone who pointed out that they were broken, that award people who are uneducated and even more so not self-accountable to just manage their password or key properly. it makes sense that these features that cannot be opted out require you to constantly give every company your personal id, location, comprehensive profile of your voice and speech patterns (and mouse movement patterns), and selfies using proprietary apps which require you to own highly specific products from 1 or 3 companies.
it makes sense to require email as a second captcha^H^H^H backup authentication thing^H^H^H mechanism we can't explain for your security which requires using one of the 4 remaining email services all of which can't be used without phone verification (btw all these will do things like, lock you out when you switch phone number which is even smaller space than IPv4). what if i use different emails for two companies and they are corroborated at some point? do they think i'm identity hopping? but wait, should i be punished for using the same email for my games as my bank? is my email address my identity or should i use multiple to mitigate risk? oooooh i'm thinking too hard, it just makes sense because an adult on HN said they are also totally adults making these decisions based on sound reasoning. if i thought too hard that would also break the risk model because it would no longer be secret which is essential for it to work, and therefore i would be a criminal.
it makes sense that someone can just steal my money from my bank account because he spent an hour figuring out how it really auths you (actually they just learned all they need is the last restaurant you ate at and a rough amount you spent, totally not a guessable number) whereas i assumed just nobody having my password would be sufficient.
it makes sense that my keyboard, monitor, and speaker each have their own OS that takes 10 seconds to boot and also have remote code execution vulnerabilities, because none of that would ever matter for a casual user. it makes sense that my dishwasher doesn't work, that doesn't matter for a casual user since regurgitating crap onto the dishes only gives you disease 1% of the time, it's green!
it makes sense that my random photo id is a password and i give it to 50 different companies because everything in the world is good.
some ceo said so, it all makes good business sense.
tl;dr you're literally just defending the garbage dystopia Richard Stallman warned about 70 years ago or whatever.
I don't think it's safe to write off that 1% if you don't first make sure you understand who that 1% is and how decisions like this, especially at scale, could harm those people. If a person says that they are eligible to work in the USA, that should be taken in good faith. If 99% of applicants are fraudulently answering this question, you're probably doing something wrong and need to figure out what's broken in your application process, rather than aggressively filtering out applicants based on correlation. It would be better to filter them out with a more robust application process that doesn't attract these scattershot job applications typically pushed by bots.
> I don't think it's safe to write off that 1% if you don't first make sure you understand who that 1% is and how decisions like this, especially at scale, could harm those people.
Businesses prioritize profit, not "safety" or whatever else you're talking about. Profit always comes first.
Laws and regulations are supposed to provide a counter to a corporation's amoral greed which prioritizes profit over all else (including human life or suffering) and the harms that greed causes on a societal/global level.
If enough people are being wrongly treated because companies won't (and arguably shouldn't) care about the harms they are causing, that's when government should step in and find a way to force them to stop acting in ways that we (those of us who aren't amoral monsters) deem unacceptable.
It sounds like it might be time for governments to step up and address this situation with fraud detection, but hopefully part of that will involve cracking down harder on the rampant fraud going on that caused these flawed detection systems to be seen as necessary in the first place.
Idk, if your aim is to find the "best talent", then what's the chance that they stumble along and you treat them like shit?
That's what's going to happen when you say "out of this other group, this 99% of people who I didn't want anyway, many of the Google Voice people were fraudsters".
Same thing for asking people to reverse a linked list on a whiteboard, or getting them to re-do their résumé, but in your HTML form instead of just emailing you their pdf. If you do ever get your dream candidate, you've pissed them off.
With most interview processes, your aim is to have a high degree of certainty that you will find someone in the top 1% or so of people, not to find the absolute best person. Given that, arbitrary filters that save your time are very much worth it.
That’s the key. It may very well be the wrong business decision to care about this 1%.