Overview
Protecting customers on an open platform
Big data + Little loops enable automation via analytics
Decisions as defenses
the interdepen
the porous
Credential Theft
Fraud
Bots
Phishing
In Real Time
In Time to Minimize Loss
Reasonable False Positives
As good as a human specialist
Reduces More Loss than Cost Created
Cheaper than Manual intervention
Decisions, Decisions
RESPONSE
Authorize Block
Good
POPULATION
Bad
Downstream Impacts
Applying Decisions
SHOULD WE HONOR?
For example:
Decision
ACTOR ATTEMPTS Payment
SUBMIT
Authorize Review
Refer
Request Authentication
Decline
Study history...
User IP Country <> Billing Country
How much $$ is at risk?
What is normal for this customer?
What bad profiles does this match?
(SINCE WE CAN'T PLAY CLUE FOR EVERY
LOGIN, TRANSACTION, NEW USER, MESSAGE, FRIEND REQUEST, ATTACHMENT, PACKET, WINK, POKE, CLICK
WE BUILD RISK MODELS)
Cart Category
Geolocate IP
Dependent Variable
Variance in dependent variable explained by independent variables
p-value of significance, throw out if > .05
Independent Variables
Backtrack
- Password was changed (user had to go through reset process)
- Contacts, inbox, outbox deleted
- Nigerian IP login
Elaboration
- New session variables: New login IP, new login IP country, new cookie/machine ID
- Change account variables: Change password, change secondary email, change name, change public profile
- New activity variables: Send to all contacts, # of accounts in cc or bcc, Edit/delete contacts en masse
- Association variables: New recipients, New reply-to fields, Similar accounts created/associated (fuzzy=more difficult)
- Stronger password reset options (SMS)
- Transparency: Other current sessions, past session history (IPs, logins)
- Auto-logout all other sessions upon password reset
- Reporting: Details of elaboration as well as cut and paste messages
User empowerment
Recap
Protecting customers requires understanding not just technology but also behavior. This requires:
Constant feedback
Analysis
Decisions that can be automated w/data
Where/what data sets to use
Business drivers to keep in mind
p(bad) = f(Variable A + Variable B + ...)
An example
about.tagged.com/jobs