rc3.org

Strong opinions, weakly held

Tag: fraud

The fraud ratchet

I want to write a bit about businesses that make their money through fraud, inspired by Jon Bell’s post The Graph That Changed Me. In it, he talks about RealNetworks. RealNetworks was one of the first companies that provided streaming media infrastructure. They created proprietary streaming audio and video protocols. They offered a free version of their client, and tried to make money by selling licenses for premium versions of the client and their streaming server. More importantly, they were pioneers in bundling unwanted software with their client downloads in exchange for cash.

As Bell’s post points out, the money they made this way was a substantial part of Real’s business. While people at Real hated the shady business they were in, their jobs were also dependent on it. Bell’s manager showed him a graph with a big dip in the middle and then explained the implications:

“That’s what happens when we do the right thing”, he said while pointing at the drop, “and that’s how much money we lose. We tried it just to see how bad it was for our bottom line. And this is what the data tells us.”

The ratchet effect is one of my favorite metaphors, and it applies perfectly to companies that make fraud part of their business model. Bell’s manager went on to inadvertently explain how the ratchet effect prevented RealNetworks from abandoning their shady practices. What’s particularly depressing is that RealNetworks was in many ways an innovator and influencer in teaching the rest of the industry how to exploit people’s need to download your software to earn money through fraud. This fraud-based business model is alive and well today.

Scott Hanselman wrote last week about Download.com’s “download wrapper,” a piece of malware that they attempt to foist on every unsuspecting user who uses the site for its intended purpose. Similarly, there’s the Dark Patterns site, which catalogs the practices Bell and Hanselman wrote about, along with many others. As much as the “app store” model of distributing software depresses me, it remains an infinitely superior alternative to “free” distribution funded through deceptive business practices.

The main thing I’d suggest is that if you work for (or run) a company that engages in these practices, it’s already too late. The ratchet effect all but ensures that once a company goes down this road, it is nearly impossible to reverse course. If this sort of thing bothers you (and it should), you might want to seek other work.

I’d also recommend not using software from any company that engages in these practices. Awareness of these practices makes it likely that you can make your way through the minefield when you install the software, but you’re being subsidized by the portion of the user base that is being defrauded. You can also assume that companies that engage in these practices will eventually sell out completely and just install malware on your computer without asking you.

We should be exposing and shaming companies that engage in these practices to the extent that we can stand to. Sites that review software should always take care to mention when the installers attempt to foist unwanted crap upon the user, and mark them down accordingly. This business model isn’t going away, but those of us who are familiar with it should not be enablers.

Amazon’s misplaced faith in automated anti-fraud algorithms

Amazon has gotten a lot of bad publicity today because they canceled the account of a customer named Linn and deleted all of the content on her Kindle because her account was flagged by a fraud detection algorithm that linked her account to an account associated with fraudulent activity. Let’s look at what went wrong.

First, a lot of the coverage is focused on DRM. This is the risk of purchasing DRM-protected content. Amazon was able to revoke her access to material that she previously purchased because of the DRM. That’s bad. DRM is bad. Don’t buy books protected by DRM.

What interests me as a software engineer, though, is the fraud-detection part of the equation. Using algorithms to identify related accounts is pretty standard stuff. Amazon is closing fraud-related accounts, and then apparently running an algorithm that finds related accounts and closing them as well. The problem with any algorithm like this is that false positives are inevitable. Some number of accounts identified as related will actually be unrelated, and the weaker the signal used to link them (a shared IP address, say, rather than a shared payment card), the larger that number gets.

Given that this is a foreseeable outcome of any algorithm that performs this sort of categorization, Amazon’s business policies should reflect this. For one thing, they shouldn’t be automatically suspending accounts based on the results of this check alone. It’s incredibly hostile to customers. Furthermore, the responses from customer service reflect an absolute faith in an algorithm that is certain to be imperfect. That’s bad business.

If a business is going to use an algorithm-based approach to fraud problems like this, there’s got to be an understanding of the limitations of such a system. When you ignore that fact, you run into public relations disasters like the one Amazon encountered today.
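The following is an added example, not Amazon’s code or anything described in the coverage. It builds a tiny “related accounts” graph from constructed sample data and contrasts two policies: a naive sweep that flags every account transitively reachable from a confirmed-fraud account through any shared attribute, and a scored policy that only auto-suspends on strong, direct evidence and routes weak matches to manual review. The account names, attributes, evidence weights and thresholds are all assumptions made for illustration.

```python
"""Related-account sweeps and collateral damage (added example, not Amazon's system).

Demonstrates why 'flag everything linked to a fraud account' produces
false positives, and one policy that limits the blast radius.
All data below is constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed sample: account -> set of (attribute_type, value) it has used.
ACCOUNTS = {
    "fraud_1":   {("card", "4111-xxxx-0001"), ("ip", "203.0.113.7"), ("device", "dev-A")},
    "fraud_2":   {("card", "4111-xxxx-0001"), ("ip", "203.0.113.8")},
    "linn":      {("ip", "203.0.113.7"), ("address", "1 Main St")},   # once behind the same NAT
    "roommate":  {("address", "1 Main St")},                          # only linked to linn
    "unrelated": {("ip", "198.51.100.9")},
}
CONFIRMED_FRAUD = {"fraud_1"}       # seed: accounts with confirmed fraudulent activity

# Assumed evidence weights: a shared card or device is strong, a shared IP or
# postal address is weak (NATs, dorms, shared houses).
WEIGHT = {"card": 3, "device": 3, "address": 1, "ip": 1}


def build_links(accounts):
    """Index each attribute to the set of accounts that share it."""
    by_attr = defaultdict(set)
    for acct, attrs in accounts.items():
        for attr in attrs:
            by_attr[attr].add(acct)
    return by_attr


def naive_sweep(accounts, seeds):
    """Transitive closure: flag every account reachable from a seed via any
    shared attribute, however weak. Returns the flagged set (seeds included)."""
    by_attr = build_links(accounts)
    flagged, queue = set(seeds), deque(seeds)
    while queue:
        acct = queue.popleft()
        for attr in accounts[acct]:
            for other in by_attr[attr]:
                if other not in flagged:
                    flagged.add(other)
                    queue.append(other)
    return flagged


def scored_sweep(accounts, seeds, suspend_at=3, review_at=1):
    """Score only accounts DIRECTLY linked to a seed (no transitive hops), by
    the best single piece of evidence. Strong evidence -> auto-suspend;
    weak evidence -> human review; nothing -> untouched.
    Returns (auto_suspend, manual_review) as sets of non-seed accounts."""
    by_attr = build_links(accounts)
    score = defaultdict(int)
    for seed in seeds:
        for attr in accounts[seed]:
            for other in by_attr[attr]:
                if other not in seeds:
                    score[other] = max(score[other], WEIGHT[attr[0]])
    auto_suspend = {a for a, s in score.items() if s >= suspend_at}
    manual_review = {a for a, s in score.items() if review_at <= s < suspend_at}
    return auto_suspend, manual_review


def collateral(flagged, seeds, truly_fraudulent):
    """Accounts an automated action would hit that are not actually fraudulent."""
    return flagged - seeds - truly_fraudulent


if __name__ == "__main__":
    truly_fraudulent = {"fraud_1", "fraud_2"}   # constructed ground truth
    naive = naive_sweep(ACCOUNTS, CONFIRMED_FRAUD)
    print("naive sweep flags:", sorted(naive))
    print("naive collateral:", sorted(collateral(naive, CONFIRMED_FRAUD, truly_fraudulent)))
    suspend, review = scored_sweep(ACCOUNTS, CONFIRMED_FRAUD)
    print("scored policy suspends:", sorted(suspend), "reviews:", sorted(review))
```

With the sample data, the naive sweep suspends “linn” because she once shared a NAT address with the fraudster, and then “roommate” because she shares an address with linn, two hops from any actual evidence. The scored policy suspends only the account sharing a payment card, sends linn to a reviewer, and never reaches the roommate. The thresholds are the business decision the post is arguing for: whatever the algorithm outputs, the action taken on weak evidence should not be an irreversible one.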

What to do if your Web site is stolen?

Smart Football is one of my favorite blogs. If you’re a football fan at all, you should check it out. Unfortunately, the site’s owner has run into a problem. Some person (whose name is supposedly Anil Jayanna) has registered the domain name smartfootball.net and put up an exact copy of his Web site, apparently to make money on ads (but potentially to distribute malware).

From the whois results, I can see that the registrar is Melbourne IT and that the DNS for the domain appears to be handled by Yahoo. A lookup on the site’s IP address reveals that it’s hosted in Russia.

The obvious steps are to email the registrar to report the abuse in hopes of getting the domain name revoked and to email Yahoo in an attempt to get the DNS turned off. Maybe I’m cynical, but I don’t believe that emailing the hosting company in Russia is going to do a lot of good.

What else should Chris do? I hear about content theft fairly regularly, but I haven’t seen too many instances of an entire site being copied in this fashion. For all the horrible misuses of the DMCA, this is the sort of thing it was actually designed to prevent. This incident demonstrates its ineffectiveness, though, because the registrar and the hosting company are overseas and are thus out of reach. I guess if SOPA were in effect the Web site could be blacklisted — but in a thankfully SOPA-free world what recourse does the content owner have?

Abusing foursquare

Jim Bumgardner explains how he used the command line tool curl and a bit of clever thinking to cheat at foursquare on a massive scale:

At some point last week, I devolved into a 12 year old hacker, and I spent many spare hours (and my computer’s spare cycles) abusing the system with a set of scripts operating fake accounts. Not only did I add new venues like the North Pole, but I started persistently checking into coveted landmarks, like the Statue of Liberty.

What can I say? It was fun, and foursquare’s incentives (badges and mayorships) spurred me on. Incentives invite abuse, even from mild-mannered folks like me.

I wonder if anyone has ever tried to calculate a percentage of the engineering budget that should be allocated in advance to fighting fraud and abuse? The folks at Glitch probably need to figure out what that number is.

Update: Speaking of the incentives to game systems, what happens when you create a system where teacher performance is evaluated based on how students do on standardized tests? Some teachers cheat on the tests on behalf of their students. Testing companies have developed a system that can detect this kind of cheating by evaluating erased answers.

How Priceline whores out your credit card

Today a Senate staff report prepared for Jay Rockefeller was released that details how “loyalty programs” harvest subscribers by purchasing ads on the “thank you” pages that are displayed after you complete a transaction with various online merchants, many of which you’ve heard of.

These Web loyalty programs, run by Affinion, Webloyalty, and Vertrue, have hauled in $1.4 billion in revenue and paid about $800 million of that back out for ad placement. The Consumerist has a list of the 88 companies that have earned at least $1 million in this fashion.

Felix Salmon has more on the numbers and the ownership of the firms that are doing the scamming.

Xconomy has a page that illustrates changes Webloyalty made to comply with a settlement in a lawsuit filed against them. You can see how the scams work from the illustration. Basically, when you’re done with your transaction an ad is displayed offering you a coupon or a special offer. I’ve seen them many times, but never clicked. When you agree to accept the special offer, you’re enrolled in a “loyalty program” that charges you a monthly fee after 30 days. Because of agreements the merchants have with these other companies, your credit card number is automatically handed to the “loyalty” vendor; you never re-enter it, which is what makes the enrollment so frictionless. So people are accepting these offers without reading the fine print and subscribing to a service they don’t want or need. The next thing you know, weird charges are showing up on their credit card bills.

There are other scams, too. For example, Ben Stein makes ads for a “free” credit score reporting service that secretly signs you up for a $29.95 monthly subscription in exchange for accessing the free report. Felix Salmon has been all over this for a few months.

There are active comment threads about this at Hacker News and Metafilter.

Update: For a somewhat unfiltered look at what WebLoyalty promises, check out this page at the Americart site. Americart is a third party shopping cart provider, and one of the “benefits” they offer is free WebLoyalty integration. If you add it, they’ll give you $100 for every 1000 transactions they process, which isn’t a very good deal compared to what you’re getting. Your customers get a $10 discount coupon so long as they sign up for one of WebLoyalty’s insurance programs. I feel gross just having read about it.

The sleaziness of wireless carriers

David Pogue has blown the whistle on unethical billing practices at wireless carriers before, and he does it again today, this time calling them out for making it difficult for customers to avoid getting tagged with excess data charges every month. Here’s a quote from an unnamed Verizon employee:

The phone is designed in such a way that you can almost never avoid getting a $1.99 charge on the bill. Around the OK button on a typical flip phone are the up, down, left, right arrows. If you open the flip and accidentally press the up arrow key, you see that the phone starts to connect to the web. So you hit END right away. Well, too late. You will be charged $1.99 for that 0.02 kilobytes of data. NOT COOL. I’ve had phones for years, and I sometimes make that mistake to this day, as I’m sure you have. Legal, yes; ethical, NO.

AT&T pulls exactly the same stunt. (Via Daring Fireball.)

Links from June 8th

The risks of monkeying with DNS

It looks like the increasing unwillingness of ISPs to just return a “host not found” response to the browser is starting to cause problems. ISPs have figured out that it’s easy to make money by intercepting DNS errors (an NXDOMAIN response for a name that doesn’t exist) and instead answering with the address of a server that serves ads. The ISPs justify this by saying that the DNS errors aren’t helpful and that they’re adding value, but it’s a transparent money grab.

As is so often the case with these schemes, the people who implemented it did an awful job, and opened a huge exploitable hole that enabled malicious sites to hijack real domains and impersonate their owners. The structural problem is that a nonexistent subdomain of a real site resolves to the ISP’s ad server, so any flaw in that server is a flaw reachable under the real site’s domain name. I can’t help but wonder if the reason so many of these boneheaded money making schemes are rife with security holes is that the companies can’t find any decent programmers who are willing to build them.

I expect to see a lot more of this sort of thing as ISPs continue to try to exploit their position between users and the sites they’re trying to reach.
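One way to check whether the resolver you are using does this, as an added example that is not part of the original post: ask for a few random labels under a real domain. An honest resolver returns NXDOMAIN for all of them; a resolver that redirects DNS errors answers every one with the same address, that of its ad server. The parent domain, the sample responses and the decision rule below are assumptions for illustration.

```python
"""Detect NXDOMAIN redirection by a resolver (added example, not from the post).

classify() is the decision rule and runs offline on constructed data;
probe() performs the live check with the system resolver (needs network).
"""
import secrets
import socket


def nonce_name(parent="example.com"):
    """A random label that cannot legitimately exist under `parent`."""
    return f"{secrets.token_hex(8)}.{parent}"


def classify(responses):
    """responses: {name: [IPv4 strings]} where an empty list means NXDOMAIN.
    A redirecting resolver answers EVERY nonexistent name, and with the same
    address(es). Returns that common address set, or an empty set if the
    resolver looks honest (or the evidence is inconsistent)."""
    answers = [frozenset(ips) for ips in responses.values()]
    if not answers or not all(answers):
        return set()                       # at least one NXDOMAIN: no blanket redirect
    common = frozenset.intersection(*answers)
    return set(common)                     # empty if answers disagree


def probe(parent="example.com", n=3):
    """Resolve n random names with the system resolver. gaierror (the usual
    result for NXDOMAIN) is mapped to an empty answer list."""
    out = {}
    for _ in range(n):
        name = nonce_name(parent)
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            out[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[name] = []
    return out


# Constructed sample responses (the names and addresses are made up).
HONEST = {
    "a1b2c3d4.example.com": [],
    "e5f6a7b8.example.com": [],
    "c9d0e1f2.example.com": [],
}
REDIRECTING = {
    "a1b2c3d4.example.com": ["198.51.100.20"],
    "e5f6a7b8.example.com": ["198.51.100.20"],
    "c9d0e1f2.example.com": ["198.51.100.20"],
}
INCONSISTENT = {
    "a1b2c3d4.example.com": ["198.51.100.20"],
    "e5f6a7b8.example.com": [],
    "c9d0e1f2.example.com": ["198.51.100.21"],
}


if __name__ == "__main__":
    live = probe()
    hijack = classify(live)
    print("resolver synthesizes answers to:" if hijack else "no NXDOMAIN redirection seen",
          sorted(hijack))
```

Using several random names rather than one avoids mistaking a wildcard record the domain owner legitimately published for ISP behaviour: a wildcard answers with the owner’s own address, which you can compare against the domain’s real records, whereas a redirecting resolver does this for every domain you try.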

© 2024 rc3.org
