StubHub scalps fraudsters

Whenever a list of log-on credentials is dumped onto the Web, retailers get hit with waves of automated attacks. Here's how ticket marketplace StubHub fights the threat.

Robert Capps knows a lot about fraud and transaction-level risk. As senior manager of trust and safety at StubHub, Capps has witnessed just about every trick that can be thrown at a fraudulent transaction. In case you're not aware, since 2000, StubHub has provided a marketplace for event-goers to buy and sell tickets to sporting games, concerts and theater shows.

For its role as a marketplace, StubHub sits in the middle of the transaction, which makes it different from many merchants, explains Capps. "One of the keys to our marketplace being unique is that we manage the acceptance and distribution of all the payments for all of the transactions," he says.

It may be unique, however, it certainly makes the marketplace motivated to catch fraudsters. And motivated Capps is. The risks the marketplace faces are many. On the buyer side, StubHub risks tickets being bought with stolen credit cards, or buyers - after the event - deciding to dispute the charge (buyer's remorse), as well as claims that the credit card in the purchase was used without the cardholder's permission. "On the seller side, generally, it's an exception process. Such as if the seller fails to deliver the tickets that they promised. In that case, we step in and make sure the customer gets tickets. Also, if they provide tickets that were invalid for some reason, it's our job to fix that transaction," Capps says.

"Being in the middle of this marketplace and being responsible for all the edges of the transactions means that we have to be really creative about how we address the different risks within our marketplace," he says.

Many of the fraudulent transaction types can be successfully vetted and mitigated -- stolen credit card, buyer's remorse, and the unauthorized transactions on a legitimate card -- by running those transactions through a risk scoring engine and utilizing fraud models to predict the outcome of a given transaction, Capps explains.

However, fraud, like any type of crime, is constantly evolving. When one facet of fraud is under control, attacks surface elsewhere. "We found there were fraudsters who had figured out that they could validate credit cards through our platform. They were registering for a new account, and then they would post a credit card to it. Then we would, just like any merchant would, authorize the credit card to make sure that it was good before we allowed the customer to store it."

To continue reading this article register now

Subscribe today! Get the best in cybersecurity, delivered to your inbox.