April 23, 2012
—
CSO
—
Robert Capps knows a lot about fraud and transaction-level risk. As senior manager of trust and safety at StubHub, Capps has witnessed just about every trick that can be thrown at a fraudulent transaction. In case you're not aware, since 2000, StubHub has provided a marketplace for event-goers to buy and sell tickets to sporting games, concerts and theater shows.
For its role as a marketplace, StubHub sits in the middle of the transaction, which makes it different from many merchants, explains Capps. "One of the keys to our marketplace being unique is that we manage the acceptance and distribution of all the payments for all of the transactions," he says.
That position may be unique, but it certainly motivates the marketplace to catch fraudsters. And motivated Capps is. The risks the marketplace faces are many. On the buyer side, StubHub risks tickets being bought with stolen credit cards, buyers deciding after the event to dispute the charge (buyer's remorse), and claims that the credit card used in the purchase was used without the cardholder's permission. "On the seller side, generally, it's an exception process. Such as if the seller fails to deliver the tickets that they promised. In that case, we step in and make sure the customer gets tickets. Also, if they provide tickets that were invalid for some reason, it's our job to fix that transaction," Capps says.
"Being in the middle of this marketplace and being responsible for all the edges of the transactions means that we have to be really creative about how we address the different risks within our marketplace," he says.
Many of these fraudulent transaction types (stolen credit cards, buyer's remorse, and unauthorized transactions on a legitimate card) can be successfully vetted and mitigated by running the transactions through a risk scoring engine and using fraud models to predict the outcome of a given transaction, Capps explains.
However, fraud, like any type of crime, is constantly evolving. When one facet of fraud is under control, attacks surface elsewhere. "We found there were fraudsters who had figured out that they could validate credit cards through our platform. They were registering for a new account, and then they would post a credit card to it. Then we would, just like any merchant would, authorize the credit card to make sure that it was good before we allowed the customer to store it."
"The message that we sent back in these cases -- that the credit card was accepted or declined -- is a very helpful message to tell someone who is trying to cleanse a stolen credit card list," says Capps. "We realized from this that there's this entire other level of fraud that happens in the e-commerce ecosystem, specifically around utilization of expected business logic. Through this attack any merchant could effectively be material support for a fraud scheme, effectively validating cards just by issuing business logic to the public that was intended to help provide a good customer experience," he says.
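The card-validation pattern Capps describes, newly registered accounts attaching one card after another to read the accepted/declined answer, can be spotted in card-add authorization logs. The following is an added example, not StubHub's code: the event schema, thresholds, account names and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

OLD, NEW1, NEW2 = t("2011-06-01 12:00:00"), t("2012-04-20 09:01:00"), t("2012-04-20 09:04:30")
# Constructed card-add authorization events (hypothetical schema, not real data):
# (time, account, account_created, source_ip, card_fingerprint, auth_result)
EVENTS = [
    (t("2012-04-20 09:00:00"), "acct-old", OLD, "198.51.100.7", "fp-a1", "approved"),
    (t("2012-04-20 09:02:10"), "acct-new1", NEW1, "203.0.113.9", "fp-b1", "declined"),
    (t("2012-04-20 09:02:40"), "acct-new1", NEW1, "203.0.113.9", "fp-b2", "approved"),
    (t("2012-04-20 09:03:05"), "acct-new1", NEW1, "203.0.113.9", "fp-b3", "declined"),
    (t("2012-04-20 09:03:30"), "acct-new1", NEW1, "203.0.113.9", "fp-b4", "declined"),
    (t("2012-04-20 09:05:00"), "acct-new2", NEW2, "203.0.113.9", "fp-b5", "declined"),
    (t("2012-04-20 09:05:20"), "acct-new2", NEW2, "203.0.113.9", "fp-b6", "approved"),
    (t("2012-04-20 14:00:00"), "acct-old", OLD, "198.51.100.7", "fp-a2", "declined"),
    (t("2012-04-20 14:01:00"), "acct-old", OLD, "198.51.100.7", "fp-a2", "approved"),
]

def max_distinct_cards(rows, window):
    """Largest number of distinct cards seen inside any sliding time window."""
    rows = sorted(rows)
    best, start = 0, 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1
        best = max(best, len({card for _, card in rows[start:end + 1]}))
    return best

def find_card_testing(events, window=timedelta(minutes=10), per_account=3,
                      per_ip=5, new_age=timedelta(days=1)):
    """Flag new accounts and source IPs that attach many distinct cards quickly."""
    by_acct, by_ip, flagged = defaultdict(list), defaultdict(list), {}
    # The auth result is ignored on purpose: approved and declined answers are
    # equally useful to someone cleansing a card list, so both count as attempts.
    for ts, acct, created, ip, card, _result in events:
        by_ip[ip].append((ts, card))        # catches lists spread over many accounts
        if ts - created <= new_age:         # account rule applies to new accounts only
            by_acct[acct].append((ts, card))
    for kind, groups, limit in (("account", by_acct, per_account), ("ip", by_ip, per_ip)):
        for key, rows in groups.items():
            n = max_distinct_cards(rows, window)
            if n > limit:
                flagged[(kind, key)] = n
    return flagged
```

On the sample events this flags `acct-new1` (four cards in under two minutes) and the shared source IP (six cards across two new accounts), while the long-standing account that retries one declined card is left alone.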