StubHub scalps fraudsters

Whenever a list of log-on credentials is dumped onto the Web, retailers get hit with waves of automated attacks. Here's how ticket marketplace StubHub fights the threat.

Robert Capps knows a lot about fraud and transaction-level risk. As senior manager of trust and safety at StubHub, Capps has witnessed just about every trick that can be thrown at a fraudulent transaction. In case you're not aware, since 2000, StubHub has provided a marketplace for event-goers to buy and sell tickets to sporting games, concerts and theater shows.

For its role as a marketplace, StubHub sits in the middle of the transaction, which makes it different from many merchants, explains Capps. "One of the keys to our marketplace being unique is that we manage the acceptance and distribution of all the payments for all of the transactions," he says.

It may be unique, but it certainly gives the marketplace a strong motive to catch fraudsters. And motivated Capps is. The risks the marketplace faces are many. On the buyer side, StubHub risks tickets being bought with stolen credit cards, or buyers -- after the event -- deciding to dispute the charge (buyer's remorse), as well as claims that the credit card in the purchase was used without the cardholder's permission. "On the seller side, generally, it's an exception process, such as if the seller fails to deliver the tickets that they promised. In that case, we step in and make sure the customer gets tickets. Also, if they provide tickets that were invalid for some reason, it's our job to fix that transaction," Capps says.

"Being in the middle of this marketplace and being responsible for all the edges of the transactions means that we have to be really creative about how we address the different risks within our marketplace," he says.

Many of the fraudulent transaction types can be successfully vetted and mitigated -- stolen credit card, buyer's remorse, and the unauthorized transactions on a legitimate card -- by running those transactions through a risk scoring engine and utilizing fraud models to predict the outcome of a given transaction, Capps explains.

However, fraud, like any type of crime, is constantly evolving. When one facet of fraud is under control, attacks surface elsewhere. "We found there were fraudsters who had figured out that they could validate credit cards through our platform. They were registering for a new account, and then they would post a credit card to it. Then we would, just like any merchant would, authorize the credit card to make sure that it was good before we allowed the customer to store it."

"The message that we sent back in these cases -- that the credit card was accepted or declined -- is a very helpful message to tell someone who is trying to cleanse a stolen credit card list," says Capps. "We realized from this that there's this entire other level of fraud that happens in the e-commerce ecosystem, specifically around utilization of expected business logic. Through this attack any merchant could effectively be material support for a fraud scheme, effectively validating cards just by issuing business logic to the public that was intended to help provide a good customer experience," he says.
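The card-cleansing oracle Capps describes, as an added example that is not StubHub's code: an add-a-card endpoint that echoes the issuer's verdict answers "is this stolen card still live?" once per request, while a throttled variant stops answering after a small number of attempts per account and per source address. The issuer stub (`issuer_authorize`, `ISSUER_ACCEPTS`), the `CardAddGuard` class and its limits are assumptions for illustration.

```python
"""Added example (not StubHub's code): an add-card endpoint as a card
validation oracle, beside a velocity-limited variant with a uniform
response once the limit is hit."""
from collections import defaultdict, deque


# Constructed stand-in for the payment processor's authorization call.
# Real systems hold card tokens, not PANs, so tokens are used here.
ISSUER_ACCEPTS = {"tok_good_1", "tok_good_2"}


def issuer_authorize(card_token: str) -> bool:
    """Pretend issuer: returns True only for the constructed 'live' tokens."""
    return card_token in ISSUER_ACCEPTS


def add_card_oracle(card_token: str) -> str:
    """The pattern the article describes: the issuer's verdict is returned
    verbatim, so every request tells the caller whether the card is good."""
    return "accepted" if issuer_authorize(card_token) else "declined"


class CardAddGuard:
    """Hardened variant (assumed design). Counts add-card attempts per
    account and per client IP inside a sliding window. Below the limit the
    issuer verdict still flows through, so genuine customers get a real
    answer; at or above it the response becomes uniform and the account is
    flagged for review, so a list-cleansing script learns nothing more."""

    def __init__(self, max_attempts: int = 3, window_s: int = 3600):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._attempts = defaultdict(deque)  # (kind, key) -> timestamps
        self.flagged = set()

    def _record_and_check(self, key, now: float) -> bool:
        """Drop expired timestamps, record this attempt, report if over limit."""
        q = self._attempts[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def add_card(self, account: str, client_ip: str, card_token: str, now: float) -> str:
        # Evaluate both counters unconditionally so each records the attempt.
        over_account = self._record_and_check(("acct", account), now)
        over_ip = self._record_and_check(("ip", client_ip), now)
        if over_account or over_ip:
            self.flagged.add(account)
            return "pending_review"  # same answer for good and bad cards
        return "accepted" if issuer_authorize(card_token) else "declined"


if __name__ == "__main__":
    guard = CardAddGuard(max_attempts=3, window_s=3600)
    for t in range(5):
        print(t, guard.add_card("acct1", "10.0.0.1", "tok_bad", now=t))
    print("flagged:", guard.flagged)
```

The per-IP counter matters as much as the per-account one: an attacker who registers a fresh account for every few cards (as the article describes) never trips an account-only limit.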

These types of attacks typically soar after a list of usernames and passwords is released onto the Web -- something that's become commonplace in the past few years. Once a list hit, Capps found that it would be run against their log-on page as attackers feverishly looked for combinations that worked. However, Capps says, these attacks proved elusive for StubHub to identify. "We wouldn't see it through our monitoring technologies because most vendors weren't looking for actual application responses. They were looking for error conditions within the responses. They're looking for 500 errors, not 200 successes," explains Capps.

StubHub had to look for such fraudulent transactions in a different kind of way: rather than seeking bad transactions -- things like failed log-on attempts -- they started looking for ways to catch an increase in the velocity of good transactions. "We went through considerable effort to understand how we could monitor for and solve this problem, but we found it very expensive to be able to do this in our own application code. That turns out to be a common theme when you start talking about applications defending against legitimate uses by illegitimate actors," he says.

"These scripted attacks blend into the noise for very large-volume sites if you are not looking at the individual volumes of transactions coming from given Internet addresses. And with the botnets out there today, these attacks can be distributed across hundreds of thousands of hosts and you don't have more than 10 or 20 attempts coming from any given Internet address," he says.

To get a handle on these scripted attacks, StubHub turned to Silver Tail Systems, which describes itself as a provider of web session intelligence tools. Silver Tail Systems' Profile Analyzer, released last month, provides real-time analysis of both individual user and crowd behavior on websites to help identify malicious activity online.

Profile Analyzer analyzes web session behavior by modeling each user's activity against that user's past history on the website to try to determine whether the activity is legitimate. The analysis also incorporates a baseline established from the website's entire user base, which Silver Tail says increases accuracy.

"We found very quickly that these scripted attacks stuck out like a sore thumb when examined with Silver Tail [Profile Analyzer]. And we were able to identify that these attacks were happening very quickly after they started based upon the fact that our normal customers didn't hit the log-in page with 10 different logins from an IP address within a public cloud, then switch IP addresses and do 10 more, and switch IP addresses and then repeat," he says.
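The detection shift described above (counting successful 200 responses rather than errors, and looking at the crowd rather than only at each address) as an added example; it is not StubHub's or Silver Tail's code. It runs three rules over constructed access-log lines: distinct usernames per IP, distinct usernames per /24 (for attackers that rotate addresses within one cloud range, as Capps describes), and successful logins per window against an assumed historical baseline. The log format, the sample lines, the thresholds and the baseline are all constructed.

```python
"""Added example (not StubHub's or Silver Tail Systems' code): credential
stuffing detection keyed on successful logins and on crowd-level velocity,
so a distributed attack with only a few attempts per IP still surfaces."""
from collections import defaultdict

# Constructed access-log lines: "<epoch seconds> <client ip> <status> <username>"
# Window 0: normal traffic. Window 1: 6 IPs in one range, 3 users each,
# mostly successes. Window 2: one noisy IP, all failures.
SAMPLE_LOG = """\
0 10.1.1.1 200 alice
5 10.1.1.2 200 bob
20 10.1.1.3 401 carol
25 10.1.1.3 200 carol
40 10.1.1.4 200 dave
60 203.0.113.10 200 u001
61 203.0.113.10 401 u002
62 203.0.113.10 200 u003
63 203.0.113.11 200 u004
64 203.0.113.11 200 u005
65 203.0.113.11 401 u006
66 203.0.113.12 401 u007
67 203.0.113.12 200 u008
68 203.0.113.12 200 u009
69 203.0.113.13 200 u010
70 203.0.113.13 200 u011
71 203.0.113.13 401 u012
72 203.0.113.14 200 u013
73 203.0.113.14 401 u014
74 203.0.113.14 200 u015
75 203.0.113.15 200 u016
76 203.0.113.15 200 u017
77 203.0.113.15 401 u018
130 198.51.100.7 401 erin
131 198.51.100.7 401 frank
132 198.51.100.7 401 grace
133 198.51.100.7 401 heidi
134 198.51.100.7 401 ivan
135 198.51.100.7 401 judy
"""


def parse_log(text):
    """Parse the constructed format into (ts, ip, status, user) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, status, user = line.split()
            events.append((int(ts), ip, int(status), user))
    return events


def subnet24(ip):
    """Collapse an IPv4 address to its /24, a crude stand-in for 'same cloud range'."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def distinct_user_alerts(events, key_fn, window_s=60, max_users=5):
    """Alert when one key (an IP, or a /24) tries more than max_users distinct
    usernames in a window. Every attempt counts, whatever the status."""
    users = defaultdict(set)
    for ts, ip, status, user in events:
        users[(ts // window_s, key_fn(ip))].add(user)
    return sorted((w, k, len(u)) for (w, k), u in users.items() if len(u) > max_users)


def success_velocity_alerts(events, window_s=60, baseline=4, factor=2.0):
    """Alert when successful (200) logins per window exceed factor * baseline.
    The baseline would come from the site's history; 4 per window is assumed.
    This is the crowd rule that sees the distributed attack."""
    successes = defaultdict(int)
    for ts, ip, status, user in events:
        if status == 200:
            successes[ts // window_s] += 1
    return sorted((w, n) for w, n in successes.items() if n > factor * baseline)


def analyze(text):
    """Run all three rules and return their alerts keyed by rule name."""
    events = parse_log(text)
    return {
        "per_ip": distinct_user_alerts(events, lambda ip: ip),
        "per_subnet": distinct_user_alerts(events, subnet24),
        "crowd": success_velocity_alerts(events),
    }


if __name__ == "__main__":
    for rule, alerts in analyze(SAMPLE_LOG).items():
        print(rule, alerts)
```

On the sample, the per-IP rule fires only on the noisy single address in window 2 and misses the window 1 attack entirely (three users per IP), while the /24 rule and the success-velocity rule both catch window 1. A rule that counted only failures would have flagged window 2, which is exactly the kind of noise the attackers hide behind.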

Identifying such attacks is one thing. Stopping the attackers from doing damage is another. To do that, Capps says they're feeding the attackers poisoned responses. "When we identify someone that's coming to the site with a list of compromised credentials, the intention is to randomize the response to them. Good is bad, bad is good, sometimes good is good, and sometimes bad is bad. The idea is to give them enough bad data that they question the data they're getting from us," he says.

To protect their customers whose credentials appeared on those lists, StubHub initiates a forced password reset on those accounts so that they must change their log-on credentials upon next access attempt.

Capps isn't sitting on his success. Going forward he wants to obtain more precision when it comes to vetting potentially fraudulent transactions. Normally, when customers come to the marketplace to buy or sell a ticket, they'll interact with the site in a typical way. "They'll read reviews, do searches, make a selection and log on," he explains. "If they hop right to the end, right before log-in, and don't go through any of the normal routine, that's questionable activity," Capps says.

"I don't know of any merchants that have the ability to evaluate for potentially fraudulent transactions by looking at how the transaction progressed leading up to the checkout page. That's our next step and something we're looking forward to using Profile Analyzer for," he says. "The people committing fraud don't stop and neither can we

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.

Copyright © 2012 IDG Communications, Inc.
