
There exists a particular anti-fraud heuristic at a YC company. They shared it with me in confidence, because as soon as you know it exists, you can trivially avoid it. I mean trivially. It's apparently insanely effective, though, half because it has a really good handle on who it wants to frustrate and the other half because it's not in the literature at all and, as a consequence, the bad guys don't even know they have to avoid defenses in that class of algorithms.

That moment when I realize I should've come up with a way of demonstrating my own ability to keep other peoples' secrets, so that I can be let in on this one and satisfy this burning desire to figure out what the heck that particular fraud detection technique could possibly be...

Well, clearly I'm going to be thinking all day about fraud detection methods and about guessing your technique. Hmm. I may as well guess your technique openly:

Your technique must be something unexpected, and seemingly unrelated to "actions that fraudsters would normally be careful not to give themselves away with." So I'm going to guess that the technique is to analyze the linguistic traits of each user's password. Most people reuse passwords, and if the fraudsters share a similar cultural background then the password has a decent chance of giving away the fact that a particular user is from that same cultural background, e.g. if the password contains a foreign dictionary word in their native tongue yet their purported home address is in a completely different country. That sort of thing.

Or if the same group of fraudsters keep reusing the same passwords, or even parts of their previous passwords, then that would probably be enough to accurately detect them. Most people who don't use a password manager tend to reuse substrings of their prior passwords, so they end up leaving a pretty distinctive identity "footprint" by the type of passwords they choose. Their passwords are likely to share a similar structure, such as always consisting of two words followed by two numbers, for example, or always starting their passwords with two symbols like %#.

And of course, if the fraudsters became aware that their password was giving themselves away, they'd trivially dodge the detector in the future.

Hmm. I'll just have to invent my own fraud detection techniques. This is a lot of fun.
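The two guesses above (a dictionary word whose language disagrees with the claimed country, and a recurring structural template such as "two symbols, a word, two digits") can be sketched as a defender-side signal. The following is an added example written for this thread, not code from the commenter or from any YC company; the wordlists, the country-to-language table, the `password_signal` and `cluster_by_mask` helpers and the sample accounts are all constructed here. It derives only a character-class mask and a language hint at the moment the password is submitted, so the caller can hash and discard the plaintext as usual and retain just the derived features.

```python
import re
from collections import defaultdict

# Constructed toy wordlists; a real deployment would load full per-language dictionaries.
WORDLISTS = {
    "pt": {"amor", "futebol", "senha"},
    "ru": {"parol", "privet"},
    "en": {"password", "dragon", "monkey"},
}
# Constructed mapping from the country the user claims to the language(s) expected there.
COUNTRY_LANGS = {"US": {"en"}, "GB": {"en"}, "BR": {"pt"}, "RU": {"ru"}}


def structure_mask(password: str) -> str:
    """Collapse a password into a run-length character-class template.

    Runs of letters become 'L', digits 'D', anything else 'S', each followed
    by the run length: '%#dragon12' -> 'S2L6D2'. The mask keeps the shape the
    commenter describes (e.g. "two symbols, a word, two digits") without
    keeping the password itself.
    """
    mask = []
    prev_cls, run = None, 0
    for ch in password:
        cls = "L" if ch.isalpha() else "D" if ch.isdigit() else "S"
        if cls == prev_cls:
            run += 1
        else:
            if prev_cls is not None:
                mask.append(f"{prev_cls}{run}")
            prev_cls, run = cls, 1
    if prev_cls is not None:
        mask.append(f"{prev_cls}{run}")
    return "".join(mask)


def language_hints(password: str) -> set:
    """Return the languages whose dictionary contains an alphabetic run of the password."""
    found = set()
    for token in re.findall(r"[A-Za-z]+", password.lower()):
        for lang, words in WORDLISTS.items():
            if token in words:
                found.add(lang)
    return found


def password_signal(password: str, claimed_country: str) -> dict:
    """Compute the retained features once, at registration or login, before hashing.

    lang_mismatch is True only when a dictionary word was recognised AND none of
    its languages is expected for the claimed country; unknown words say nothing.
    """
    langs = language_hints(password)
    expected = COUNTRY_LANGS.get(claimed_country, set())
    mismatch = bool(langs) and not (langs & expected)
    return {"mask": structure_mask(password), "lang_mismatch": mismatch}


def cluster_by_mask(signals: dict, min_size: int = 3) -> dict:
    """Group account ids sharing the same structural mask (only masks are stored)."""
    groups = defaultdict(list)
    for acct, sig in signals.items():
        groups[sig["mask"]].append(acct)
    return {m: sorted(a) for m, a in groups.items() if len(a) >= min_size}


# Constructed sample: (account id, claimed country, password as submitted at signup).
SAMPLE = [
    ("u1", "US", "%#dragon12"),
    ("u2", "US", "%#monkey77"),
    ("u3", "US", "%#privet09"),   # Russian word, US address, same %#word## template
    ("u4", "BR", "amor2020"),     # Portuguese word, Brazilian address: consistent
    ("u5", "GB", "password1"),
]


def run_sample():
    """Derive signals for the constructed accounts and return (signals, suspicious clusters)."""
    signals = {acct: password_signal(pw, country) for acct, country, pw in SAMPLE}
    return signals, cluster_by_mask(signals)


if __name__ == "__main__":
    sigs, clusters = run_sample()
    for acct, sig in sigs.items():
        print(acct, sig)
    print("clusters:", clusters)
```

The mask and the boolean are the only things worth persisting; the signal is meant to be one weak feature among many, and a shared mask alone (plenty of honest users pick `L8D1`) should raise review priority rather than block anyone.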



