Microsoft Researchers Slash Skype Fraud By 68%

mask.of.sanity writes "Life could become more difficult for fraudsters on Skype thanks to new research by Microsoft boffins that promises to cut down on fake accounts across the platform. The research (PDF) combined information from diverse sources including a user's profile, activities, and social connections into a supervised machine learning environment that could automate the presently manual tasks of fraud detection. The results show the framework boosted fraud detection rates for particular account types by 68 per cent with a 5 per cent false positive rate."

Arms Race Tips Toward Skype

[ScottCooperDotNet]

So the arms race may be tilted in favor of Skype for now, but in 6 months we'll have an article "Fake profiles up 200% on Skype".

Re:Arms Race Tips Toward Skype

Not if the boffins have anything to say about it. Don't mess with the muthafukin boffins yo!

Re:Arms Race Tips Toward Skype

absolutely not. 5% false positive is terrible, and will create a lot of negative feelings for the platform.
imagine a teacher trying to use skype with a class of 20 or more. it would be very rare if someone
didn't get falsely flagged as a bot.

Re:Arms Race Tips Toward Skype

[Wycliffe]

absolutely not. 5% false positive is terrible, and will create a lot of negative feelings for the platform.
imagine a teacher trying to use skype with a class of 20 or more. it would be very rare if someone
didn't get falsely flagged as a bot.

That's assuming they are evenly distributed. My guess is that they are using usage patterns away from the norm so
a classroom would be fine while a tech user who is using skype for some atypical use might have a 50% chance of
getting zapped. This is unfortunately the way it is. Noone cares about the outliers unless there is money in it.
Walmart sells to the 80%. if you are trying to buy swimsuits in august good luck, it might be prime swimming season
but 80% of people have already bought swimsuits so walmart has already liquidated their selection.
Also, if you are an atypical user, an atypical shopper, an atypical traveller, or even an atypical dresser expect to be
harrassed by TSA, your credit card fraud department, school security, etc... Everyone must conform to the norm. :-P

Re:Arms Race Tips Toward Skype

[Savage-Rabbit]

absolutely not. 5% false positive is terrible, and will create a lot of negative feelings for the platform.
imagine a teacher trying to use skype with a class of 20 or more. it would be very rare if someone
didn't get falsely flagged as a bot.

If we are to abstain from the use of any detection technology that has false positives we'd never use any of them at all since every detection technology has false positives and just for the record 5% is pretty good for any algorithm trying to detect complex patterns in large amounts of data. The effect that this will likely have is that Skype will hand much of the fraud detection over to the automated tools so that the case workers assigned to the fraud division can concentrate more on investigating individual cases rather than manually weeding through mountains of data trying to ferret out fraudsters like they are doing now (at least that's what I'd do). The fraudsters' main adversary will no longer be the investigators, they'll be playing cat and mouse with detection algorithm design team. As long as Skype filters any hit generated by this thing through humans I won't be very worried.

Misleading headline.

The headline implies that the fraud has already been slashed.

But the story says it's just a research project where they were looking into techniques to combat fraud.

No fraud has been slashed yet.

That's nice.

[pushing-robot]

So let me get this straight...

Your new filter works better than today's filter...against today's spam

But today's spam is designed to circumvent today's filter, and spammers will change their techniques as soon as you switch to the new filter.

This is the classic Antivirus problem, where new and unusual AV programs get great ratings until they become popular and virus developers start coding with them in mind.

And now you've also published how your new filter works, to make it even easier for spammers to circumvent your new filter. Great.

BAD MATH!

[CapOblivious2010]

Improving detection by 68% != Reducing fraud by 68%

Imagine that previous methods caught 10% of the fraudulent accounts. New tech improves that to 16.8%. It's a 68% improvement in the fraud detection rate, but only a 6.8% "slashing" of the fraudulent accounts.

(And 5% false positives is pretty horrific)

Re:BAD MATH!

[Baloroth]

TFS (and TFA, actually) are poorly phrased: the actual research article (the linked PDF) specifies (and I quote):

The aim of our work is to go beyond the present, sophis-ticated defenses, and to detect "stealthy" fraudulent users, namely, those that manage to fool those defenses for a relatively long period of time. Our concrete objective is to catch these stealthy fraudulent users within the first 4 months of activity. Our results indicate that, with our methods, we are able to detect 68% of these users with a 5% false positive rate; and we are able to reduce by 2:3 times the number of these users active for over 10 months.

So they didn't increase their detection rate by 68%, they increased it to 68%. And 5% false positive is pretty good: 95% confidence interval is standard in scientific research (outside things like physics which is able to achieve much much higher confidence by means of vastly larger data sets), which means a 5% false positive is exactly what you'd expect with proper scientific methodology ( based on a quick scan that seems to be exactly what they were aiming for). And of course higher false positive is actually better in the case of fraud detection than lower detection rate (since little is harmed by a false positive, while false negatives can directly result in people losing money).

Re:BAD MATH!

5% false positive rate is horrible unless you assume there they are a sizable percentage of the total number of accounts.

With a 32% false negative rate, if there are more than ~13X more real accounts than fraudulent accounts, you'll ban more legitimate people than fraudulent accounts.

Re:BAD MATH!

[Sockatume]

A 5% false positive rate is far too high for any broad screening application. For example if 5% of all Skype accounts are scam accounts, then when you lump those in with the 5% false positives, you're no more likely than chance to correctly label someone as a scammer.

Re:BAD MATH!

[Paradigma11]

I do not think that you are using CI correctly. The paper does not make any use of it either. CI and false positive rates are not connected. You could have a 95% CI for false positives, for example: CI(P(positive|false)))= 0.1 - 0.2. That means that 95% of all parameters, centered around the observed value, that can create the observed sample are within that interval. Also if you are using a 95% or 99% CI is an a priori decision not dependent on sample size or model accuracy.

validate email addresses...

[junk]

Hopefully their research concluded that they should validate email addresses. I have about a dozen Skype accounts (though I never use the service) because of fraudulent account sign ups. The simple act of validating email addresses prior to issuing an account would fix this. Hell, even a product targeted at the lowest common denominator (Facebook) has managed to figure that out.

Re:More Evil From Microsloth

[CohibaVancouver]

You forgot to write "Micro$oft."

Don't want a legitimate account

[Jack+Griffin]

90% of my online accounts are fake, even this one. I create new accounts with new names to preserve my privacy, I have multiple hotmail, gmail and Facebook accounts specifically for this purpose. Sure the NSA types might see through this, but the average marketing agency won't. In real life, you can separate your worlds. My wife's circle of friends know me, but they don't know my friends, same goes for work 'mates', extended family etc. I have the power to keep things separate. It seems this choice is being slowly removed in online life as every web service demands you use your real name. Who wants to live in a world where everyone knows everything? We need a right to anonymity online.

Re:Don't want a legitimate account

[140Mandak262Jamuna]

Pretty soon people will correlate creditworthiness etc to the distribution of known friends and their credit scores.That algo will mark you as loner, possibly a loser.

Re:Don't want a legitimate account

[Jack+Griffin]

I'm fine with that, I have enough money/credit for my lifetime, I'm just wondering if our children will have the same luxury?

Re:Don't want a legitimate account

[Charliemopps]

I'm a loner and a loser and my credit score is 830. So I don't think your reasoning will hold out.

Re:Don't want a legitimate account

[icebike]

90% of my online accounts are fake, even this one. I create new accounts with new names to preserve my privacy,

First, let me point out that anyone who has even one facebook account, let alone multiple, is probably staring at an empty barn and marveling at how clean it smells after all the horses have run away.

I too use multiple accounts, but not to preserve my privacy, simply my sanity. Gmail/Hotmail/Yandex are all smart enough to figure out that its all the same person. (Something about the fact that they come from the same IP addresses, I suppose)...

Its not a privacy issue, its a preserve my sanity issue. Last thing I need to do is have my brokerage accounts mixed in with my work accounts and my /. account. I don't really care that each of these companies know I'm the same dude.

But I never allow myself to believe I'm pulling any wool over anyone's eyes.

Re:Don't want a legitimate account

[icebike]

Pretty soon people will correlate creditworthiness etc to the distribution of known friends and their credit scores.That algo will mark you as loner, possibly a loser.

Too late. That ship has sailed.

http://money.cnn.com/2013/08/2...
http://www.pcworld.com/article...

Re:Don't want a legitimate account

[icebike]

I suffer from MPD (mutlipe personality disorder) and I want to know which of me is the real one and yes, I'm as serious as a heart attack folks yet Google has never been able to answer this question to my satisfaction.

Google is polite enough not to answer that question. Believe me they already know.

They simply don't want to become the arbiter of your internal problems.

But here's a good solution: Move to the EU, or even South America. MPD(DID) is largely a creation of the North American psychiatric professionals, and is openly scoffed at in other parts of the world. Even the majority of psychiatrists are beginning to doubt the whole thing.

Re:Don't want a legitimate account

[Threni]

Just use a fake `real name`. These companies have no way of knowing what your real name is. In real life, your real name is whatever you decide it is.

Re:Don't want a legitimate account

[AthanasiusKircher]

Its not a privacy issue, its a preserve my sanity issue. Last thing I need to do is have my brokerage accounts mixed in with my work accounts and my /. account. I don't really care that each of these companies know I'm the same dude.

But I never allow myself to believe I'm pulling any wool over anyone's eyes.

I think you may have missed the point of the GP a bit. Yes, I agree that his strategies for "privacy" may be a little flawed, depending on how much "privacy" he is actually expecting.

On the other hand, I'm not sure that he's trying to "pull any wool over anyone's eyes." This seems to be a common accusation whenever anyone says they want to have multiple online identities -- it's as if there's something "false" or "lying" or "hypocritical" or "fake" about this. (Zuckerberg, in particular, is on record for saying that people who want multiple online identities have some sort of fundamental "lack of integrity.")

But, come on. In real life, people always have "multiple identities." They talk differently to their kids than they do to the people at work. And they say different things to the guys at the bar than they do to the old ladies at church. There is nothing hypocritical or dishonest about this -- it just reflects different social conventions for different circumstances.

It makes sense to try to replicate this experience in an online environment, but many companies like Facebook and Google and others are making it increasingly difficult. I talk to people all the time who complain about how their boss friended them on Facebook or something, and now they have to be increasingly careful about what they say. It's not like they want to actually "hide" anything from their boss -- but being under constant surveillance by someone from work means that misunderstandings can happen or things could be misinterpreted... so it makes people nervous. This trend also sees to be leading teens away from Facebook, since they don't want their parents seeing what they do. (And yes, there are ways to manage posts and things so they aren't visible to everyone, but when you have the number of "multiple identities" to different people that a normal person does in real life, it can be unwieldy.)

Anyhow, the point is that keeping different parts of your life separate IS a "privacy issue." This is NOT about having secure walls around your private data -- just about keeping things reasonably separate, so your work and your home and your social life don't all necessarily have to blend into one thing. Or so you can have a "professional online presence," but also a place where you are slightly less formal. Some people may like having only one online identity; others may find it more convenient to have more than one. (Some actually find it necessary for their safety.)

Re:Don't want a legitimate account

[tlhIngan]

I too use multiple accounts, but not to preserve my privacy, simply my sanity. Gmail/Hotmail/Yandex are all smart enough to figure out that its all the same person. (Something about the fact that they come from the same IP addresses, I suppose)...

Actually, no. IP addresses (at least IPv4 ones) are completely useless for detecting this because there are many legitimate reasons why one IP address may log into multiple acconts simultaneously.

The most common reason? Multiple people!

With families on facebook, Hotmail, yahoo, whatever, thanks to NAT, all their traffic comes from 1 IP address, whether it's Susie checking facebook on her smartphone, John checking his on his tablet, Mom on the PC, and Dad on the other PC.

There you go - 4 legitimate logins for 4 different people on 1 IP address.

Fear not, however, for IPv6 will save the day, so you can differentiate between all their traffic, and also tell if one PC is used by multiple people.

(Or another reason why NAT for IPv6 may not be such a bad idea - it's not like the average family will have direct connectivity anyways thanks to firewalls. At best, they will appear to have it, but it won't work).

Re:Don't want a legitimate account

[Meeni]

You missed the point.

Your credit score being 830 makes you a successful member of society, by definition.

A low credit score is a verdict, you are a looser and a loner, true or not, it doesn't matter, the consequences are the same for you.

Re:Don't want a legitimate account

[icebike]

Your examples of a NATed interface may apply for large households, but I don't live in a large household, and even though I have multiple
devices, they ALL still log into the same accounts at the same time. So whether I'm out and about on my Cell phone, (on my carrier's IP) or on a Linux machine in my house, its still the same set of multiple Gmail Accounts connecting in rapid succession.

Rather than obfuscating identities, if anything, there is more than enough information there to allow Google (or any one interested) to may your internal network.

What's more, I have a static IP, and most people on cable modems have essentially the same, just by virtue of the way DHCP servers work (always trying to issue the same IP to the same MAC address).

Still I like your point about NATed IPV6. Everyone seems to think IPv6 is going to solve all problems, but it also leaks way more information, and pushes some tasks directly through to the individual workstation that could better be handled centrally at the NAT. With IPv6 you may have to run a firewall on your refrigerator, and your TV.

Re:Lovely

[Barlo_Mung_42]

Don't kid yourself.
Just because you post AC and switch email accounts often doesn't mean they aren't tracking you. If anything actively trying to avoid being tracked probably draws more attention.

5% of false positive

[manu0601]

What happens if you get caught in 5% fake positive? An e-mail asking for confirmation or a SWAT RAID?

Re:5% of false positive

[Charliemopps]

I really doubt they're going to send a SWAT team in for an Internet post... hold on, someones at the door.

Re:Lovely

[allaunjsiIverfox2]

Just hit 46. Guess I still haven't grown up.

Re:O_O

Proper channels? Microsoft? Bwahahahaha.

Find me a link for any Microsoft product ever where you can get support from people other than other frustrated users.

Re:Lovely

[rmdingler]

Don't fall for it. Growing up is a Pyrrhic Victory.

You see...

[Chompjil]

Hangouts is doing wonders for me now so I dont mind if my skype account is shut down

In other news

Microsoft has made it possible to now record 100% of all conversations and store them indefinitely for the nsa

Laugh

[koan]

Hmmm I seem to recall a complaint that the NSA (and others) couldn't break Skypes' encryption and wanted help.

https://www.schneier.com/blog/...

It was popular with the crooks.

http://www.theregister.co.uk/2...

Then an investment group Silver Lake Partners gained controlling interest.

http://en.wikipedia.org/wiki/S... (interesting crew there)

Then no more complaints or request for help by the NSA.

A couple years later Skype was acquired by Microsoft,

http://www.microsoft.com/en-us...

It's a fascinating coincidence.

Innit.

Re:Laugh

[icebike]

Nope.
I've often suspected we, the US tax payer indirectly purchased Skype to get it into cooperative hands. EBay couldn't handle the task.
Microsoft played ball. They got Skype for free, a platform they didn't need, haven't a clue what to do with, and haven't improved.
But they did add tracking of meta data by routing all directory services through their servers.
And any call they are interested in, surprise, gets special routing, because Microsoft controls all the directory nodes.

Someday the Edward Snowden of Microsoft will step forward and we will all be wiser.

Re:Lovely

[GumphMaster]

Youth, as they say, is wasted on the young.

Re:Lovely

[Mister+Liberty]

Me neither.

Here's my take. Microsoft got some data back from the NSA and are
now busy doing some parallel contruction to a) make that data operational
and b) make the operationalization optimal (effective use, good PR, etc.).

No, the fraud is Skype itself

[greg_barton]

Skype charged my credit card $60 a year after I cancelled my phone number. It somehow got un-cancelled. They gave no warning and just charged it, and won't respond to any of my requests for a refund. I've cancelled it again, but who's to say they won't do it again next year? I never agreed to recurring charges. (I never do for any service.)

Re:No, the fraud is Skype itself

[Kaenneth]

Talk to your credit card company?

Re:No, the fraud is Skype itself

[greg_barton]

The charge just cleared today and I'll be disputing it tomorrow.

What is skype fraud?

[mcmonkey]

I've only used skype a few times. What is skype fraud?

My understanding of skype is it's basically a video phone using your general purpose computer.

I read some of TFA looking for what types of fraud they are talking about, but didn't see any detail. They mention credit card fraud, but that's not a feature of skype. I mean, if some stranger knocks on your door, and when you answer, asks for your credit card number, and you give your credit card number, that's not a weakness in your door or lock, that's a weakness in you.

What I do with my landline is never answer if I don't recognize the number or name in the caller ID. Couldn't I do the same with skype, never answer if I don't know who is calling? There you go, 100% fraud prevention.

Re:What is skype fraud?

[jrumney]

Couldn't I do the same with skype, never answer if I don't know who is calling?

Even better, you can block all calls from people who are not already on your contact list. And by setting your privacy options appropriately, you can reduce the messages you get asking to be added to your contact list to a handful of spammers a year who explicitly search for you by email or mobile phone number. Apparently not enough people do this.

Re:What is skype fraud?

[tgv]

I also don't get what this fraud is. People robbing other people's Skype credit?

Slashdot editors are supposed to fill in such details, isn't it?

Re:What is skype fraud?

[rsborg]

I've only used skype a few times. What is skype fraud?

My understanding of skype is it's basically a video phone using your general purpose computer.

I read some of TFA looking for what types of fraud they are talking about, but didn't see any detail. They mention credit card fraud, but that's not a feature of skype. I mean, if some stranger knocks on your door, and when you answer, asks for your credit card number, and you give your credit card number, that's not a weakness in your door or lock, that's a weakness in you.

What I do with my landline is never answer if I don't recognize the number or name in the caller ID. Couldn't I do the same with skype, never answer if I don't know who is calling? There you go, 100% fraud prevention.

I imagine by fraud it's what happened to my wife over a hotmail account that looked just her yahoo account. Someone phished details about us, created a hotmail account with the same userid, broke into the yahoo account, stole and imported the contact list to hotmail and then erased the list in yahoo, then using the hotmail fraud account, sent out a bunch of spam asking for money to my wife's contacts and colleagues (saying we were stuck in Mexico or something). The letter was very well done, including the names of our children and friends. All emails incoing to the yahoo account were being forwarded to hotmail as well.

Sadly, a gullible, trusting coworker did send $500. While my wife could eventually restore her access to her yahoo account, the fraud hotmail account was not closable by her, because it was not opened by her, and thus hotmail support presented us with no options. If I didn't know someone who worked at Microsoft (who helped to close the account), the emails might have continued. The only thing is, I'm surprised the attacker didn't

I imagine the same sort of thing could happen on Skype as a parallel communication mechanism.

Should be the first rule of internet safety.

[ron_ivi]

90% of my online accounts are fake, even this one.

That's exactly what all parents should teach kids to do: Don't talk to strangers (whether online or in the real world. And especially don't give them true real-life information. And remember - to your kids, Zuckerberg and the Google kids giving out "free" internet services are just as much strangers as a guy in an unmarked van handing out free candy to kids. I thought that's just basic parenting skills; and one of the first rules anyone teaches kids.

Re:Lovely

[JustOK]

It's the people who deliberately make it seem that they are not avoiding tracking in order to cover that they're avoiding tracking that are the ones to watch for.

Re:So they mistakenly tell 1:20 people to fuck off

[ClickOnThis]

The 5% figure makes me suspect that they are modeling behavior with a gaussian distribution, and looking for values in their metrics that deviate more than 2 standard deviations from the mean: the classic "95% confidence interval." With this criterion, one would expect, by chance, that 5% of all non-fraud situations to be caught in the net.

I don't think it's uncommon for fraud-detection businesses to live with a moderate false-positive rate like this. Increasing the confidence interval to, say, 99% (3 standard deviations) results in fewer false positives but also more false negatives. The "sweet spot" balances losses from missing the false negatives against the cost of the false positives. Of course that's not very comforting if you're in the false positives, but I don't think that's a reason to discard probability-modeling for fraud-detection.

Re:Aha, coming soon: slash user base by 68%

[icebike]

* Stolen money from the accounts (you didnt use it before expiration)
* Centralize the traffic (no more P2P)
* Screwed client for Linux
* Removed "Now Llstening to..." status ...Go go Power Rangers, this year will be the year of Jabber on the desktop

Its not clear just what Microsoft did with the traffic.
Their page still insists they are using P2P for traffic but a centralized directory. I don't know how much I believe that.

The centralized directory is probably forced on them for CALEA compliance, so that the NSA can track who calls who.
The Business Case for Microsoft to buy Skype never made any sense at all, and especially not at the price they paid. I suspect the NSA paid the entire bill to get Skype into someone's hands that could impose a level of tracking on it that met their needs. They had to get it out of Ebay's hand, because they were incompetent. Microsoft was the only company willing to play ball, add the tracking, preserve an appearance of security and fake encryption, and in return for doing that, they get a platform for free, bought by government funds, washed through Microsoft's opaque accounting.

There still exist Skype clients for Linux, but I don't know a single self respecting knowledgeable Linux user who would put that crap on their machine.

But seriously, Now Listening to? Do you really think anyone cares what you are listening to?
Once you get past your Narcissism, you'll get over scrobbling addiction.

Re:So they mistakenly tell 1:20 people to fuck off

[icebike]

Yeah, I've seen the request for re-authorization pop up after expanding ram too.
The first time, I groaned, because it meant a trip through the closet of despair looking for the original Cert Tag.
And further, I go through this every time I increase the memory on one of my virtual windows machines.

But you know what? Nothing needed entering. It found everything by itself. It was literally a "click through."
Me thinks thou doth protest too much.

The collaterial cost of wadging unwinnable wars

[WaffleMonster]

Yep, I'm sure everyone who a machine deems to be undesirable is just going to sit quietly on the sidelines and take no further action like any self respecting fraudster/scammer/spammer always does.

Unless algorithms are smarter than humans and you have a monopoly on such algorithms expect humans to adopt and continue with their bullshit only now they will be much harder to systematically "classify". All the while during this unwinnable evolution of war real people continue to be flagged and collateral damage accrues... but don't take my word for it ... try to send an email and have any assurance if it being delivered and not silently ignored by a "machine learning" algorithm answerable to nobody.

Skype Email

[Sarkie]

They say this, but someone signed up for Skype on my email account. They just put my email in, (they were Arabic) and for the next 2 weeks I got Skype spam, so I reset this persons account, logged in then I emailed their support, they said sorry, but I asked how they allowed it without verifying it, "just the way it is and it'll probably take 2 weeks for the batch processes to delete your info"

Re:Aha, coming soon: slash user base by 68%

[jonwil]

Its a miracle Skype still works on my Nokia N900 (Linux phone, much better than the Windows Phone crap Nokia are doing now and still with functional Skype or at least as functional as Skype on a phone can get)

Re:Lovely

[cayenne8]

Maybe so...but the 'smart' minority, and hopefully, after all the NSA scandal, and news about how corporations are vacuuming up personal info, and sometimes losing it (Target), perhaps more people are more inclined to start being a little more anonymous.

And wow...I didn't know you were required on Skype to give real, honest, personally identifying information?!?! My account is under a pseudonym under a throw away email account...

Sure it is traceable, but not readily without some decent effort.

Re:So they mistakenly tell 1:20 people to fuck off

[sayno2quat]

Me thinks thou doth protest too much.

You're using the phrase incorrectly. That phrase doesn't mean "You're whining too much". Rather, it is an argument for attributing guilt. An archaic form of the more recent "He who denied it, supplied it".

Re:So they mistakenly tell 1:20 people to fuck off

[icebike]

Me think thou doth pedant too much.

Re:Lovely

[viperidaenz]

No, I'm part of the minority as well.
You're part of the problem, profiling people in to specific categories based on meta-data and implications of content you observe taken out of context.