‘Human-Proofing’ Marketplace Fraud

Trust is the currency that makes online marketplaces of all shapes and sizes run — but in a world where cybercrime and digital attacks on consumer identity are endemic, it can also be the hardest element to guarantee.

In the good old days of analog physical commerce, Yapstone Chief Information Security Officer Richard Noguera told Karen Webster, proximity did a lot of heavy lifting for guaranteeing everyone in the transaction knew who they were dealing with.

“The challenge is, in digital marketplaces where that trust is especially necessary, it is also totally ethereal,” Noguera said. “The transaction is devoid of the old physical construction — but that doesn’t mean consumers don’t still want to feel the same level of trust.”

The goal for firms like Yapstone that service marketplaces is to imbue those virtual transactions with the same sense of trust consumers and sellers more or less feel in that physical environment, he said. The supplier or seller knows that the person they are transacting with is the buyer they believe them to be, and that the seller is actually who they say they are, and only who they say they are, over the course of the transaction.

The data elements — when run through the right artificial intelligence (AI) and machine learning programs — are there, he said, which means to a great degree it’s possible to look at the data from the buyers and sellers on a marketplace and “build very accurate profiles on behavior.”

But the bigger picture — and bigger challenge — isn’t just about creating and refining the tools, but also about raising the game in how we use them and think about applying them going forward.

Cybersecurity and Risk Management: Two Sides of the Security Coin

Marketplaces bring a unique set of challenges in both protecting security and managing risk, simply by virtue of how many moving parts are in play. And, he noted, the forms risk takes vary greatly depending on the specifics of the marketplace.

Yapstone, for example, deals in the very specific vertical of real estate rental properties — big-ticket transactions that are high-touch, in that the transaction is going to end with the buyer physically in the seller’s property. The kinds of security and fraud issues they are likely to see, he said, are very different from the kinds of things one is going to see on a marketplace like Etsy or eBay, where a much higher volume of lower-ticket transactions is the norm.

Moreover, he noted, when marketplaces are looking at the overall security picture, they are really looking at the intersection of two separate but connected things.

The first is pure cybersecurity concerns, which are about making sure marketplaces are resistant to attacks, wherever they might originate. Risk management, on the other hand, is focused on enabling transactions and making sure they can flow through based on trusted quality measures.

“There is an intersection between these two things,” Noguera told Webster, and they both need to be working in tandem in a marketplace so that good transactions are passing through without undue friction — and bad transactions are recognized before they ever get off the ground.

A feat, Webster pointed out, that seems to be increasingly difficult, since cybercriminals are always upping their game against security systems. For all the work experts can do to create seller and buyer use patterns and profiles to evaluate transactions against, there is a black hat on the other side seeking to thwart that effort by learning to better evade detection through improved imitation.

Noguera agreed with that observation, and went one further: At the most sophisticated levels of cybercrime, actors are able to invade a device or network and imitate their target perfectly down to the keystroke. But, he said, that level of sophistication is very uncommon, because it is extremely expensive and almost wholly carried out by state-sponsored actors for whom budget is not a factor. It represents a lot more sophistication than is likely to show up in marketplace attacks.

“It is much cheaper and easier to go for bots and hope that I can take over your laptop or phone and just start spewing out fake transaction types,” he said.

That kind of activity is going to get picked up on marketplaces Yapstone or its fellows manage, he noted, because it is always going to look inhuman in some way. An actual person can’t click 20 times in a nanosecond or hit the same pixel on the screen over and over again. On an unmanaged marketplace — particularly one with a high volume of low-ticket traffic — there are a lot more opportunities to successfully exploit the sawed-off shotgun approach with a bot army.
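The two signals named above, an inhuman click rate and repeated hits on the same pixel, can be expressed as session-level detection logic. This is an added example, not Yapstone's code; the thresholds, the event format and the session names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Assumed thresholds (not from the article); tune against real traffic.
MIN_HUMAN_GAP_MS = 40    # gaps shorter than this are treated as non-human
MAX_FAST_GAPS = 4        # tolerate a few (double-clicks, event coalescing)
SAME_PIXEL_SHARE = 0.8   # share of clicks landing on one exact (x, y)
MIN_CLICKS = 10          # too few clicks gives no reliable signal

def session_signals(clicks):
    """clicks: list of (timestamp_ms, x, y). Returns the set of signals raised."""
    if len(clicks) < MIN_CLICKS:
        return set()
    ordered = sorted(clicks)  # events may arrive out of order
    gaps = [b[0] - a[0] for a, b in zip(ordered, ordered[1:])]
    signals = set()
    if sum(g < MIN_HUMAN_GAP_MS for g in gaps) > MAX_FAST_GAPS:
        signals.add("inhuman_click_rate")
    top_count = Counter((x, y) for _, x, y in ordered).most_common(1)[0][1]
    if top_count / len(ordered) >= SAME_PIXEL_SHARE:
        signals.add("repeated_pixel")
    return signals

def flag_sessions(events):
    """events: iterable of (session_id, timestamp_ms, x, y)."""
    by_session = defaultdict(list)
    for sid, ts, x, y in events:
        by_session[sid].append((ts, x, y))
    flagged = {}
    for sid, clicks in by_session.items():
        signals = session_signals(clicks)
        if signals:
            flagged[sid] = signals
    return flagged

def sample_events():
    """Constructed sample: one human-like session and two automated ones."""
    events, t = [], 0
    for i in range(12):  # irregular pacing, clicks spread over the page
        t += 300 + (i * 137) % 1100
        events.append(("human", t, 100 + (i * 53) % 400, 80 + (i * 31) % 300))
    events += [("burst-bot", 5000, 640, 360)] * 20  # 20 clicks in one ms
    events += [("slow-bot", 1000 + i * 900, 212, 577) for i in range(15)]
    return events

if __name__ == "__main__":
    for sid, signals in flag_sessions(sample_events()).items():
        print(sid, sorted(signals))
```
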

And, he said, whether one is evaluating the overall security solution from a risk management or a cybersecurity perspective, the weakest link often isn’t the tools themselves, but the people using them.

The Weakest Link (Is Usually Human)

No matter where one goes, what kinds of tools one builds or how well one designs one’s systems, the reality is that human beings are going to be there — and introduce a variety of chaotic elements to the system.

“I can buy a Stradivarius, but I don’t know how to play the violin which means I am not going to be able to get the beautiful music out of it that it is capable of,” he said. “We can build amazing tools — but as practitioners in the digital space we can all do more to use our tools better.”

The rather extensive regulatory controls financial services and security players must live up to, he noted, create something of a solid floor in what every player has to do in terms of investing and innovating ahead of the curve. The challenge, he said, is getting human actors to stretch themselves so that the ceiling is rising in terms of offerings.

But even beyond using the tools well, Noguera told Webster, the simple fact that all of this rich information about every individual is just out there and floating around creates an ongoing hurdle to clear. It is easy to imitate a consumer in some sense, he said, because it is so much easier than ever to learn everything there is to know about a customer.

Yapstone and its peers in the market, he said, can certainly build systems that will catch that bad stuff — and at the same time help create risk management protocols that will allow merchants to make “good decisions” when they are inundated with mixed data.

“Anything can be the target for attack or abuse — and it’s not just the systems,” he pointed out. “It is how we as humans and individuals interact with the systems.”

The Cool — But Not Creepy — Path Forward

Friction gets a bum rap, Noguera told Webster, but in his opinion there is always going to be at least a little point of friction when one gets to the authentication step of the process, and that is probably a good thing.

There are a lot of ways to do that better, he said. Apple, for example, has done a great job of keying in on the smartphone device itself — and attaching a biometric authentication layer that does a lot of the heavy lifting on the authentication side and gives firms like Yapstone a lot of data to work with security-wise, without having to add in a lot of other personal data about consumers. The power of data and limited information sharing, in this context, he said, is the power to iron out nearly all of the friction in determining the right parties are involved in the transaction.

But, he noted, high potential to do something really good and useful for the user quickly flips into potential to really alienate them when that data isn’t used correctly.

“They are, when they enter the online space, giving up permission to track everything they do. That triggers on creepiness when that usage becomes too personal and the user feels spied on,” he said.

The market is a growing one, he noted, and expectations are growing. The emergence of real-time payment, he said, isn’t going to fundamentally alter what must be done in cybersecurity and risk management, but that addition of speed is “going to require we raise the level of our tools to the nth degree to keep up.” And that’s not the only challenge, as the regulatory landscape around data privacy and consumer transactions remains in flux and under construction.

But the challenge Yapstone faces — and one Noguera believes is universal no matter what types of marketplace one works with — is around data management and how to take the tools they’ve built around data utilization and use them to their best purpose.

“The tools can only ever be as good as how we use them,” he said, “and I think I’m excited to see how the boundaries of those uses are growing and really cementing that trust relationship that is so necessary to marketplaces doing business.”