Working in fraud prevention and I would love to know how to detect a botnet system, beyond the usual velocity checks. A decade of working in this space and I haven't found a reliable, fail-safe way to do this. Genuinely interested to know if there's a suggestion.
This was the year I got my attention under enough control to be able to read voraciously again like I used to in my childhood :)
* I'll always bring up The Three-Body Problem because I re-read it every year
* Piranesi because of its fantastical story-telling
* The Covenant of Water - because it's a fantastic medical drama and a sweeping story spanning generations
* Victory City - Salman Rushdie's latest novel which is surprisingly readable
* The Enchanted Forest/Kaikeyi/Palace of Illusions - because they cover the major Indian epics from the lens of the women characters (think Circe with an Indian background)
* Trust - The same story told from different viewpoints with a setting in the early NY financial world, which makes it extra interesting
I notice that I do tend to favour books with an Indian background because of my nostalgia for it as I live in a foreign land. Maybe I'll branch out more next year!
That's okay, different people can like different things :)
As for myself, I liked reading about some bits of Chinese history that I was not very familiar with, and it also provides a really good foundation for the reason behind the lead character's far-reaching actions. I also do think the best parts of the story do come later in books 2 and 3 - I like the larger-than-life ideas and the imperfect characters.
It felt similar to the Foundation series, and I liked the focus on the overall ideas being presented and not any individual characters. I think I’ve heard this called philosophical science fiction but am not sure that’s the most accurate subgenre. Anyway, as OP says adjacent to this answer, I agree that books two and three are far better than book one. Like 30 plot twists per book; real page turners.
I got Loops on Amazon based on someone's recommendation and they work pretty well for me. They're cheap enough to try once and see if they work for you.
I work in fraud prevention with vendors such as this. Let me be the devil's advocate here: trust and risk scores such as these are often very useful for identifying account takeovers and stolen identities in the financial and telecom worlds. We often see folks on HN complaining about how banks don't protect them from fraud losses - companies like this are how there is any hope left for some modicum of consumer protection.
You may ask: Then why do banks not protect me from losses better?
I say: They're already doing something (invisible as it may be). They can definitely do a better job. But without companies such as Telesign, fraud losses would be far, far worse.
You may ask: What if my data gathered is used for nefarious purposes?
I say: In my experience, data such as this is not allowed to be used for marketing purposes but strictly for consumer protection. I'm not specifically speaking about TeleSign but similar vendors. The worst that should happen is that you get a transaction declined, or get denied for a credit card etc. But no marketing or any other manipulative practice is allowed, in theory.
> They're already doing something (invisible as it may be). They can definitely do a better job. But without companies such as Telesign, fraud losses would be far, far worse.
Until banks accept that they got defrauded, not you, whatever they do will be too little.
> Until banks accept that they got defrauded, not you, whatever they do will be too little.
True. Regardless of accepting responsibility, I think they're spending a good bit of money in preventing fraud from happening [1]. Maybe some regulation around banks taking fraud losses would do the trick but the flipside would be that simple financial flows of legitimate customers would become full of friction as banks race to lock down fraud losses. Fraud detection is a really hard problem for even a human, let alone models.
No-one is actually breaking into a bank and stealing $$ from your account.
Virtually most of the fraud is happening due to the customer's own fault, not strictly the bank's fault:
1. installed malware and got all saved CC data stolen
2. website you ordered your widgets got hacked and your CC stolen
3. clicked a phishing link and lost your online bank credentials
4. got scammed and sent Zelle to a scammer
5. used shady website to order deeply discounted electronics / signed up for adult membership website - and gave your CC data right into hands of fraudsters
6. used shady third party ATM in tourist place like Cancun and got your card skimmed etc
7. used same user/pass credentials for online banking, as your email account, and your online bank got taken over
So point by point:
1. Stealing a credit card number, CVV, expiry, and name shouldn't be game over. It is because businesses want to reduce friction for customer purchases. If card not present transactions required a second step of verification, for example, multi-factor authentication, it would drastically reduce this type of fraud. Unfortunately it would also increase friction for online purchases, which is why everyone in the card processing chain is looking to shift liability away from themselves.
2. That is not the customer's fault. Full stop. Yes, some sites are more shady than others, but there is nothing a consumer can do to determine if a service provider will get hacked.
3. Yes. Unfortunately, phishing is really easy. Despite the prevalence of this attack, training users to effectively detect and avoid being a victim is almost impossible.
4. See #3.
5. See #2.
6. How is a customer supposed to validate the security of an ATM against modern skimming technology, many of which are virtually indistinguishable from normal bank machines?
7. Yep, not great. Why don't banks require 2FA? Because it creates friction and increases costs. Better to just externalize the risk.
Your entire blame the user argument is bunk that has been packaged up and recirculated by the finance community for almost 20 years (and I have been using these arguments against them for nearly that long, granted it's close to ~12 years since I worked in infosec at a bank).
Answer is simple: if you can't use technology safely - don't use it! Problem is nobody is teaching effective fraud defense for consumers at scale.
Disable online banking, use a checkbook and write checks everywhere or carry cash. I still see older people use checkbooks from time to time, even when shopping for groceries.
Problem solved.
We require a driver's license to operate a vehicle, it is time we should require infosec101 training before handing over credit cards and/or online banking accounts.
So that you cannot blame the bank for your own fault.
Or migrate to something like Apple Pay, but that also does not guarantee 100% fraud prevention.
Oh if the world could just be so simple. Can't protect yourself from getting mugged, stop going outside. Problem solved.
The reality of any non-trivial issue is that we have to consider potential improvements from all angles. I want to improve tech for grandma and for the bank, doesn't that seem like a goal worth working towards? And let's please not pretend that banks are infallible in all of this, they also have opportunities to improve.
The actual protection from getting mugged is moving to a safe neighbourhood.
People must adapt, because it is unreasonable to expect the world to adapt to the most naive user. You either will get mugged every day, or you learn your lesson and move out to a safe neighborhood, or you buy a gun and solve the mugging problem for everybody else one shot at a time.
Same with fraud - the user will continue getting defrauded and scammed until the user learns the lesson and either abandons tech he/she is unable to use securely, or adapts and learns how to use it.
> The actual protection from getting mugged is moving to a safe neighbourhood. People must adapt, because it is unreasonable to expect the world to adapt to the most naive user. You either will get mugged every day, or you learn your lesson and move out to a safe neighborhood, or you buy a gun and solve the mugging problem for everybody else one shot at a time.
It's almost cute how you think people living in places with high crime rates wouldn't jump at the chance to move to a nicer neighborhood with lower crime rates, and that the reason they don't is because they haven't "learned their lesson".
Everyone buying guns and then going around shooting criminals is not a solution to crime, but if you're convinced it's a good idea, why not try it for yourself and "learn your lesson"?
So you are advocating for the vast majority of the internet population to stop using online banking.
Let's flip the omelette: no one forces banks to do business online; if a bank can't build secure online banking, they can default to checkbooks and cash. They have the means and motive to build solutions that are actually secure and usable, so they should bear the burden of dealing with fraud when their solutions fail to be secure.
Most of the online banks are pretty secure for a non-oblivious person.
I always used online banking and never got scammed. It is pretty secure for me.
A combination of username & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts, is the industry minimum standard.
User is the weakest link always, you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
These people need a life lesson to learn how to operate technology safely.
Although I agree that online banking could be made more secure, the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
> Most of the online banks are pretty secure for a non-oblivious person.
Ok, granted, I spent the last 23 years of my life working in IT security across consulting, government, finance, and tech companies, but this is just garbage. Banks only invest in security to the degree that:
- they are legally required to
- they have contractual obligations to
- the risk of loss for a specific class of incident exceeds their self-insurance threshold
That's not a hypothetical comment, that is something that was explained to me as an AppSec lead when running into walls trying to get some issues fixed at one of the largest banks in the world. For the record, the issues that I was trying to have remediated would have had to exceed an annualized loss expectancy for the region I was operating in of 10 million dollars per year to be considered risky.
Your definition of a bank being pretty secure and mine are probably radically different.
> A combination of username & password with enough entropy, and basic brute-force defense that blocks after 3-4 attempts, is the industry minimum standard.
Sure, users should choose strong passwords. Banks should also require multi-factor authentication (real 2fa, not the SMS based weaksauce that a bunch use). But, that increases support and transaction costs. So, instead, blame the user! Beyond password selection, there is also the issue of how passwords are hashed, salted, stored, and brokered into a more reliable back-end credential that can be used, absolutely none of which the user has input into or control over, but sure, blame the user.
> User is the weakest link always, you cannot fix the "stupid" user that downloads malware, warez, adult content and gets infected and loses everything.
Sigh, you really like banging that drum.
> These people need a life lesson to learn how to operate technology safely.
> Although I agree that online banking could be made more secure, the threat model will immediately evolve and adapt because scammers/fraudsters are still there and they want to eat.
There is absolutely no way to train average users to operate modern internet technologies safely because the average user has no effective control over the software and hardware they use (yes, Linux is a thing, and so is open source hardware, but users of those OS and hardware are not average users)
The primary reason the incidence of fraud is so high in the finance sector is because business has chosen to optimize for high transaction volume, and has accepted the risks of doing so. Stop trying to blame end users.
> We require a driver's license to operate a vehicle, it is time we should require infosec101 training before handing over credit cards and/or online banking accounts.
Sure. Why not start with an outline for what infosec101 should look like. Include estimates for how long the training should take, what the cadence for testing should be, and which agency should be responsible for validating that training. Do be sure to accurately communicate the degree to which an end user with a chip enabled bank or credit card has the ability to distinguish and disambiguate what constitutes a 'safe' or 'legitimate' online business. Also, include some details about how individuals who have been certified as completing this class and/or licensing scheme should procure insurance to protect themselves in case of an accidental data breach (for example, they leak their card info), and outline the process by which that same licensee can file an insurance claim against the insured party downstream of the physical point of payment or online payment portal that allowed a breach to happen. After all - if we are going to require online safety training, and licensing, then we should create another insurance scheme to facilitate resolution of those claims and resolve the costs.
It is really easy to point the fingers at a customer and say "problem exists between chair and keyboard", but the reality is that in the modern economy, the end user has almost no control over the security of their transactions, and little ability to influence how their purchase is handled beyond the question of "cash or card".
The only incentive that retailers, online stores, payment processors, and financial institutions have to resolve this is the simple fact that they own the liability for this, and it's only through the myth of the idiot user that they have been able to shift that liability, to varying degrees, back to the consumer.
8. Using Android phones that haven't received any security updates in the last few years because the vendor stopped releasing updates a couple of years after the release.
So true and something I see every day in my job! It's no wonder then that financial companies have to resort to using data from companies like Telesign to view these red flags and attempt to detect fraud.
The question here isn't (primarily at least) whether this is a good or bad thing, the important question is if this arrangement is legal under EU law. It can be the most beneficial thing in the world and still be illegal.
That's very true. I think my comment was more in response to other comments talking about "surveillance" and "trust", but you're right that if the data collection itself is illegal, there are no two sides about it :)
Since the NSA has shown they can't do it, I'd venture to guess the likelihood of Telesign or any other company being breached is approaching a 100% chance.
Ahh that's a great question - it's a very real risk. In my mind, most of the data these companies have is sourced from other companies so all that these vendors do is increase the surface area for the attack vectors. And the (probably naive) hope is that the attackers can't do much with data such as trust scores and the underlying factors.
How come all online VISA transactions don't have to be completed through a redirect to visa.com or master.com (or my bank's website), but instead we're typing card numbers into sketchy websites? (I guess EU 2FA requirements are pushing the boundary, but very slowly and often in ways that still appear remarkably sketchy).
Trust scores of IPs and phone numbers are a tool, but when physically hardened security tokens aren't widely supported, I'd argue the essential tools simply aren't available to users.
I support your argument about Yubikeys - I myself use them for any financial site that allows it. A lot of companies do use them to check for fraudulent logins. But the friction of it is high enough that companies would much rather take the loss than force their customers to authenticate every time a transaction has to be made. Also, I think until it is normalized in the industry, there is a consumer perception of physical keys being too technically difficult to obtain, set up and manage. Not to mention, all the Yubikeys in the world still don't help if one goes and gets phished/socially engineered :)
It would be trivial for sketchy websites to have fake (but real looking) "official" Visa/MC forms, or even for multiple fake "official" sites to be set up. So redirecting everyone to the One True Payment System is no solution to fraudulent websites.
It is when a bank phone app is being used as a second factor (or, when on your phone, it redirects to it). This has been used in the Netherlands for almost 2 decades[1] for online payments (iDeal) and card fraud is basically a non-issue.
[1] Before smartphones a hardware token that requires your physical card was used.
What I want to know is how "the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic" translates to a trust score. Do less trustworthy people tend to make longer or shorter phone calls than more trustworthy people? And what even is range activity, not to mention how does it relate to trustworthiness?
I haven't worked with Telesign data but I can attempt a guess. Think of how a fraudster uses a phone versus how a legitimate customer uses a phone:
1. The former is likely using a throwaway phone number, the latter is using an established phone number. You can tell the difference with the number of completed calls over time, call duration etc. Burner phones will have bursts of high intensity activity to several different phone numbers whereas legitimate phones will have lots of successfully completed phone calls over a long period of time to repeating phone numbers.
2. The former will likely place calls all over the country or world as they attempt to raid several bank accounts digitally. The latter will probably have more local calls since they're calling their doctors, schools, etc. This is probably where range activity plays a role.
I'm not defending Telesign or how they collect data - I'm merely saying this data has value in account protection.
> Musk — who is no longer CEO of Twitter, but still deeply involved in operations — may also be motivated by a desire to prevent AI tools from searching Twitter.
This seems very unlikely. If they really just wanted to stop AI tools from searching Twitter, it would be very easy to prevent them from doing it at scale by imposing basic rate limiting and device intelligence (or even something like the puzzle LinkedIn makes you solve before viewing someone's profile while not logged in).
I'm very confused as to why they may not want unlogged-in human lurkers who are still seeing and clicking on ads when on the Twitter website.
> This seems very unlikely. If they really just wanted to stop AI tools
Same issue with Reddit, it's a false excuse for embarking on some other kind of cash-grab policy.
They claimed the almost-no-warning API changes were necessary to stop the "AI", except that all the big (and therefore significant) actors could have been stopped by a change to the terms of service or some modest rate-limits.
Too many finance companies depend on National ID number, date-of-birth and Driver's License numbers to verify the identities of applicants for bank accounts, loans, credit cards etc.
At this point, assume that all your personal information is out there. There are some steps you can take to make it a little more secure for yourself. In an ideal world, the fintechs and banks would protect you better, but we do not live in that world.
* If you are in the US, go to one of the credit bureau sites (Transunion/Experian/Equifax) and sign up for a fraud alert. You'll need to provide your current phone number and what this does is this: no fintech/bank is supposed to create an account or issue credit in your name unless they have verified the activity with this phone number.
* If you have previously been a victim of fraud, sign up on one of the aforementioned bureaus for an Extended Fraud Alert.
* Isolate your email tied to your finance accounts from regular email that you give out on website signups, doctors' offices, etc. Only your bank/brokerage needs to know that this email exists.
* If you can afford to, pay to track leakage of this information on the dark web or password sharing forums
* Use a password manager
* Use 2FA on all your accounts and use an authenticator app if possible. It's not ideal but it's better than SMS/email 2FA.
* If your telecom provider supports it, ask them about how you can protect yourself from sim-swapping and porting. Add a PIN to your phone provider account if you can.
Wait, why should I take steps to prevent some random asshole defrauding a bank?
I am not the victim, nor a participant in fraud in that situation, the bank is. Maybe they should follow some steps and not give out money to randos that walk in and ask for it?
I get what you mean but sometimes it's really difficult for a bank to tell if it's really you or someone pretending to be you. Funnily enough, if we all "walked in" physically to a bank, it would be much easier for them to tell :). But now, they have to rely on phone numbers and emails and SSNs to tell them if it's really you. They don't have much of a choice - would you have any suggestions on what they could use?
Going to a branch physically is impractical these days - how many of us have even been to a branch that houses our brokerage or 401k accounts for instance? And so many mainstream Fintech apps like Stripe and Robinhood don't even have branches.
1. It's not my job to tell a bank how to not get defrauded. That's their problem.
2. If they are stupid enough to lend/send money to random people over the phone, that's their problem.
3. If they don't have enough branches open to support in-person services, which forces them to turn to over-the-phone work, that's their problem.
There's many other things they could do. Snail-mail identity confirmation, partnering with FedEx or another bank or whomever to attest identity, etc, etc. It's not my problem if they are too cheap to operate branches, and too lazy to do any of those things, just like it's not my problem if you keep a chest of gold coins in your unlocked shed, and then go on to tell everyone about it!
Something that blew my mind after I spent a few years learning art is that everyone makes bad art... even the best artists. For every good painting an artist produces, there are several that have been trashed or painted over. Sketchbooks are often encouraged in the artist community in order to allow ourselves to do bad art that doesn't have to see the light of day.
And finally, when a customer buys a piece of art, they're not just paying for that piece but also for the time that the artist spent finding themselves :)