Author Archives: Ohad

Israeli Culture: Why are Israeli people so hard to work with?

As an ex-Israeli now working with Americans, various Europeans and Israelis I can say the following:

Yes, we are hard to work with. More than other nations? Depends on how you look at it. I found that sometimes my values didn’t jibe well with immigrants from mainland China, for example. So to me this is more a question of incompatibility in communication styles than one nation being harder to work with.

Here are, though, a few reasons why working with Israelis can be difficult for the typical Valley geek or Corporate America type (or rather, how Israelis might be viewed by others):

  • Almost complete lack of respect for authority. Israelis are by and large all Chiefs, not Braves. We “know” what needs to be done and most of the time it translates to “it’s my way or the highway”. There is a constant push to advance in rank in the Israeli society and a sense that staying some time at a certain place grants you rights even if you do not over-perform – probably a relic from Army or Socialist days.
  • Aggressive demeanor. The Valley is by-and-large a highly passive-aggressive culture while Israeli culture is aggressive. There is a great lecture by an Israeli Psychologist who lives in California[1] showing the differences by looking at the production of the Israeli and American versions of In Treatment (http://www.hbo.com/in-treatment/index.html). In short: we are confrontational to a level that makes people in the Valley uneasy. A common way to express disagreement in Israel (at least where I lived/worked) would be to say “this is the stupidest thing I’ve ever heard”. Really. Compare to California’s “I don’t disagree, but let me offer a different point of view”. This even translates to differences in respect for personal space (read: we will get in your face).
  • Cynicism. Israelis rarely make leaps of faith and cannot deal well with some of the craziness of daily corporate life. You’ll never hear an Israeli using an equivalent of “it is what it is”. We have a basic lack of belief in leaders and we tend to challenge them frequently. This is not to say Israelis are not capable of developing a cult of personality, it just manifests itself differently. We don’t tend to believe that people are basically good, are very suspicious usually, and lose faith in others rather quickly. This can lead to behavior that seems political and silo-ed, but has different motivations. We are also action-driven to a fault; maybe the title of this bullet should rather be “lack of patience”.
  • Entitlement. As my down-voted friend demonstrates here, we are a nation in holocaust-driven post-trauma even at third generation. The holocaust (and to be honest, daily/weekly news of persecution of Jews around the globe) drives us to feel that the whole world is against us, and at the same time that we are entitled to special treatment because of it. It doesn’t help, either, that most of us arrive at the Valley via acquisition. It also doesn’t help that most of the Israelis you meet in the Valley came from top programs in the army and academia (you don’t meet the average Joe) and so come with a built-in sense of entitlement.

Are Israelis hard to work with? Depends on who you ask. These behaviors above can be spun in a very positive way (see “Start-up Nation”[2]); we create small elite teams that solve ultra-hard problems for huge corporations, and you usually find Israelis at important decision points in various companies just because we have the guts to decide and lead. After having lived in various places I can easily argue each stance, and frankly, both are true.

[1]

[2]
FraudSciences, a company I helped grow and that was acquired by PayPal, appears in one of the first chapters. Knowing how the story really went I can tell you that, indeed, the book makes us look much less brash than we were.

Payments: Why does the payment industry lack technical and UX innovation?

This is a great question and I don’t have a good answer for it. I do, however, have a few uneducated guesses.

  • Regulation: innovating in payments requires working with regulators and privacy concerns, and any new concept introduced requires a lot of convincing. This requires a lot of energy, taking focus away from innovation. By the time someone is done with their first payments company they are so done with the field that all of their valuable experience is never used.
  • Features, not products: most of the attempts to innovate in payments have not been viable products but rather improvements to existing options, Stripe included. Innovating in payments requires deep industry understanding because most of what you do in payments is under the hood. As a result, companies start with some novel idea, and then meet the realities of the business and wither away quickly (related to the previous bullet).
  • Stagnation in large players: once you’re big enough in payments, you’ve made so many compromises and adaptations to your system to work with regulators, acquirers, collection companies and other players in this fragmented market that you’re both worried about innovating since stuff breaks all the time, and unable to innovate because of your current solution’s limitations.
  • High barriers to entry: finally, as I keep noting, the two huge barriers in setting up most payment services are access to capital and user adoption. Most companies fail these, way before they can bring any innovation to market.

That said, I think that Braintree and Stripe are making interesting, innovative moves in the gateway segment and Square, Inc. is reinventing UX for offline purchases (and, a plug, at Klarna we are doing something new in eCommerce payments). There are things to look for.

Why using Bitcoin is like abstinence, and other thoughts about cryptocurrency and financial systems

Elad Gil has this brilliant post titled “6 Startup Ideas Every Nerd Has” with a poignant explanation of how these are thought out. As someone who works on machine learning I can tell you that idea #2 repeats itself too often. I, too, have dabbled with ranting about ideas I hear too often. There is yet another type of idea, though – ideas that are essentially interesting and good but that are too deep in geekdom to be relevant. Cryptocurrency is one of them.

If you work in payments you can’t get away from cryptocurrency, and its poster child Bitcoin. Every talk of fraud in payments draws scoffs from random commenters; Bitcoin will solve your fraud problems, they say. Irreversible, anonymous, plain and clear. Objecting responders talk of Bitcoin’s (lack of) merits as legal tender and the probability that governments will accept a legal tender they don’t control, if only for money laundering control. Both miss the point: Bitcoin isn’t a contender in the race to replace money. Claiming that Bitcoin solves fraud is like claiming that abstinence solves STDs; at zero participation from the general public, proliferation of fraud in Bitcoin is as futile and unadvantageous as being a sexually transmitted disease is in a world full of monks.

If everyone used Bitcoin, there would be ways to defraud people out of it; from Man In The Middle to 419/Nigerian Prince scam to simple MLM, scams and fraud in eCash are as old as eGold. The human factor is the weakest link, and no cryptocash will replace that. Furthermore, the barriers to entry into cryptocash usage, even if it could solve the problem of fraud, are too high, and prevent wide acceptance. The crypto-community likes this difficulty so much, cherishes it so, that wide adoption is impossible. If you disagree, have your mom mine me some bitcoins. I’ll pay more than the $42 they’re asking for in Mt Gox. You know what? Just have her read through the documentation and explain it back to someone who isn’t you.

Is the system broken? No doubt. The problem isn’t in the way legal tenders are minted, though, but in two other places: identity brokers and financial infrastructure.

The brokers – the card issuers – own the financial relationship and data to underwrite consumers for credit. That’s one major part of the financial equation that let financial institutions dictate the rules of the game both online and offline. If you undermine that relationship you get access to one of the most significant relationships consumers in the developed world have. That’s why I love short term credit schemes like Klarna and prepaid card services like Card.com; the first creates a financial relationship from thin air by extending credit in real time, and the second encourages consumers to deposit some of their paycheck directly to their prepaid-supporting account. Both have the ability to disintermediate issuers.

The financial infrastructure is where I actually think cryptocurrency can be helpful. No matter what you do you can’t run away from the card networks or clearing houses; they are the backbone of money movement. Every dollar moving around ends up paying tribute to the eternal gods of monetary movement. What if Bitcoin didn’t try to become a replacement for money consumers are using, but rather create the first true cloud based clearing house, where newly created financial institutions trade reserves and foreign currency using the Internet, but securely, rather than using the current broken systems? That for me is a big promise, and one huge problem no one’s tackling. What it would require is large Bitcoin liquidity reserves, backed by real currency, and with a stable enough exchange rate to plan a 12 to 18 months window. If new lenders could borrow in Bitcoin from a central Bitcoin exchange, its way to becoming a de-facto backbone of a new breed of financial transactions will be much more probable. So far, it doesn’t seem remotely as available and stable as required.

The payments and personal finance world is broken, but it enjoys a distorted local maximum that a lot of energy is required to move away from. Simply waving an interesting idea at the public doesn’t work. Just as flash players weren’t as popular before the iPod, and Napster, while changing the music industry, crashed as a business, cryptocash is a precursor to something, but is still not it. It can go somewhere, but is still not there. We need to recognize that to be able to move ahead.

 

Fraud in Digital Goods Sales 201 (Signifyd post)

The Signifyd blog has a blog post worth reading today:

Selling digital and virtual goods is a lucrative business, but one that also attracts a lot of fraud attempts. The logic is obvious: no shipping requires no physical presence or appearance of one, fast delivery allows fraudsters to quickly buy multiple items and exploit much more of every stolen card, recourse by the seller is almost impossible due to the speed and finally, reselling stolen products is much easier than tangible goods. After our blog was featured in Balanced’s post about fraud, we saw multiple questions about fraud in digital goods. One of them was this comment on HN. One reason for Signifyd getting a lot of retailer attention is our ability to provide quality fraud prevention decisions that help reduce fraud in cases where there’s little recourse. We wanted to share some insights.

Common wisdom about preventing fraud in digital goods abounds. We’re not looking to repeat the regular tips – using IP address to billing address distance, purchase velocity, email domain type and device fingerprinting as indicators. What we’d like to do is add some more details as to why these things often fail, and suggest a few best practices. Here are some:

  1. Digital goods purchases provide a quick feedback loop, allowing fraudsters to test and learn fast and adapt. Deploying rules with a single threshold or indicator (e.g. number of past purchases over 4, or IP country must match BIN country) and rejecting 100% of purchases immediately simply provides faster feedback. Either compose rules that have multiple indicators, randomly reject less than 100% of purchases, or implement a random delay in your response.
  2. IP to billing address location is a complex indicator. Simply measuring distance won’t work when the network is mobile, and setting a single threshold won’t work in most countries. Use sources like GeoIPOrg to understand what connection this IP comes from, and implement bins in your distance function.
  3. Email domain type is relevant but simplistic. After you weed out the free but rare ones (bad) and corporate emails (usually good) you remain with a ton of Gmails. What then? Using online searches to determine that this email is actually tied to a person is an important next step.
  4. Customer browsing patterns are highly indicative. New customers, returning customers and fraudsters all navigate differently on your website. Count the number of clicks to initiating a purchase, as well as which types of pages new customers pass through. You’ll see obvious patterns emerging.
  5. Don’t wait for chargebacks to come. Have one person on staff reviewing purchases randomly to detect emerging trends and respond to them.
  6. Machine fingerprinting is helpful, but is often a glorified javascript. Build basic matching in house based on information you collect from consumer sessions, and watch for users who look similar to previous ones but always have new cookies. Fraudsters know how to flush cookies – it’s not the linking that gives them away, but rather the attempt to not be detected.
  7. Don’t use 3DS. You will pay much more in lost business than prevent fraud.

Fraud in digital goods is a real problem, but a solvable one. Don’t let the threat of lost money shut down your business and drive you to blocking whole countries from your system. And, give us a buzz. We’d love to see how we can help you.
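One way to combine tips 1, 2 and 6 from the list above, as an added example that is not code from the Signifyd post: distance is binned per connection type, a device that keeps returning with fresh cookies is flagged, and a purchase is only acted on when at least two indicators fire, with a rejection rate below 100% and a random response delay. The field names, bin thresholds, connection-type labels and sample data are assumptions made for illustration.

```python
import math
import random

# Assumed risk bins (upper bound in km, risk 0-2) per connection type. Mobile
# IPs geolocate poorly, so their bins are wider. Thresholds are illustrative.
DISTANCE_BINS = {
    "residential": [(50, 0), (500, 1), (math.inf, 2)],
    "mobile": [(300, 0), (1500, 1), (math.inf, 2)],
    "hosting": [(math.inf, 2)],  # datacenter/proxy: distance tells us nothing
}
# Hypothetical session attributes collected in-house for basic matching.
FINGERPRINT_KEYS = ("user_agent", "screen", "timezone", "language")


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def distance_risk(ip_loc, billing_loc, connection_type):
    """Tip 2: map IP-to-billing distance to a risk bin chosen by connection type."""
    km = haversine_km(ip_loc, billing_loc)
    # Unknown connection types fall back to the residential bins.
    bins = DISTANCE_BINS.get(connection_type, DISTANCE_BINS["residential"])
    return next(risk for limit, risk in bins if km <= limit)


def cookie_churn(session, history, min_matches=3):
    """Tip 6: a device that looks the same as before but always has new cookies."""
    fp = tuple(session[k] for k in FINGERPRINT_KEYS)
    cookies = {h["cookie_id"] for h in history
               if tuple(h[k] for k in FINGERPRINT_KEYS) == fp}
    cookies.discard(session["cookie_id"])
    return len(cookies) >= min_matches


def decide(order, history, rng=random, reject_rate=0.8, max_delay_s=20.0):
    """Tip 1: act on combined indicators only, and blur the feedback loop."""
    far = distance_risk(order["ip_loc"], order["billing_loc"],
                        order["connection_type"]) == 2
    indicators = {
        "distance": far,
        "velocity": order["purchases_last_hour"] > 4,
        "cookie_churn": cookie_churn(order["session"], history),
    }
    fired = sorted(name for name, hit in indicators.items() if hit)
    suspicious = len(fired) >= 2                      # never a single threshold
    reject = suspicious and rng.random() < reject_rate  # reject less than 100%
    delay = rng.uniform(0.0, max_delay_s)  # delay every response, not only rejects
    return {"fired": fired, "suspicious": suspicious,
            "reject": reject, "delay_s": delay}


# Constructed sample data (not real customers).
SF, LA = (37.77, -122.42), (34.05, -118.24)  # about 559 km apart
DEVICE = {"user_agent": "UA-1", "screen": "1920x1080",
          "timezone": "-8", "language": "en-US"}
HISTORY = [dict(DEVICE, cookie_id=c) for c in ("c1", "c2", "c3")]
ORDER = {"ip_loc": LA, "billing_loc": SF, "connection_type": "residential",
         "purchases_last_hour": 6, "session": dict(DEVICE, cookie_id="c4")}

if __name__ == "__main__":
    print(decide(ORDER, HISTORY, rng=random.Random(7)))
```

Suspicious orders that slip through the random pass are good candidates for the manual review queue from tip 5.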

PayPal, Lenovo and killing the password

I like this new initiative from PayPal and Lenovo. With little software installation it basically turns every device into a random password generator providing another authentication factor. It’s hard to know whether phishing and brute force password hacking are still prevalent issues since most of the data are from solution providers’ FUD campaigns; my view is that the problem is real, however not as big and complex as it’s made to be. Based on my experience in PayPal most hacking activity can be detected through probabilistic means rather than assigning the consumer with more secrets. You can read more about that here.

Will this solution prove useful? Having an app to automatically contribute an authentication factor removes some part of the human factor in the equation, and that is a lot of potential security breaches. No argument there. Still the biggest problem in access control is the human factor, and that is what makes defending against it so complicated, and turns additional authentication factors into a limited solution: people forget, and more often, they compromise themselves.

No matter if simple or complex, secure or un-secure (actually, more so when secure and complex): if there’s a password, users will forget it, and you will have to offer some kind of password retrieval flow that may not require the secured device. Once you allow going around that requirement, it will be used by fraudsters to access accounts.

The bigger problem is that users compromise themselves. They give their credentials to others, they give their devices to their kids, they use shared devices to access confidential information. They do that because it’s what they need to do in their day to day, this is how they need to use your product. Many times there’s no alternative to sharing credentials since the product itself doesn’t allow shared use (multiple users with different permissions on a mobile device? Hard to imagine) but even when such solutions exist they are hard to use and aren’t taken up by consumers. A good example is shared/linked prepaid child accounts that get loaded with cash by parents. While these solutions exist, their use is rudimentary unless the child already has an established, separate financial relationship. It’s so much easier to just give the kid your card.

The bottom line is that usability trumps security, at least the type of security that adds barriers and authentication factors. The industry is long overdue in moving to behavioral and probabilistic measures to provide online security, but is definitely lagging. Until such knowledge gets properly dispersed, which may take years, and as a mid-way solution, I definitely like what PayPal and Lenovo are doing.

Don’t pitch me, bro: 4 common payment startup ideas that you should avoid

You think I’m kidding? I’m not. The days of payment providers and payments companies set-up and grown the way they have, trying to replicate a PayPal model, are gone. Consumers don’t care enough and cannot effectively differentiate your service from others to really choose to sign up. I looked at that several times in the past.

Still I get pitched on ideas I find far fetched and, frankly, a waste of time for smart entrepreneurs. There are many possible smart, ground breaking and really difficult directions to take in payments; the following ones are not, and anyone who understands payments will advise you to stay away from them.

  1. The mobile wallet: Square (PayWithSquare) isn’t gaining traction. gWallet is failing. Serve isn’t taking off and ISIS is… well, you get the picture. Mobile wallets aren’t working: merchants are slow to adopt additional hardware that will allow them to accept these. NFC is years behind in adoption and many large and small players, including me, just don’t believe in it. Consumers are slow to adopt a solution that gives them no advantage over credit cards, and even giants with big pockets can’t get them hooked.

    Signing people up and getting to add their credit cards is impossible without high, unsustainable customer acquisition spend. No startup can grow this way.

  2. Micro-payments: I understand the rationale. Payments should be as easy as Liking something. People don’t pay for content because it costs too much. We can start from digital goods and charge a large percentage that will cover costs.

    It all sounds good until you realize that it doesn’t work. Consumers don’t pay for content by the pound since they are used to free content. Paywalls have limited success and even that success is always with big brands that spend millions on advertising, reducing market size to a minimum. More importantly, zero cost of goods sold – a blessing and a curse – allowed large take rates and supported many interesting business models, ones that cannot expand to any other vertical. Once you’re hooked on these sweet 30% (or 10%), you can’t really go to tangible goods with their lower margin and fraud and other issues. No payments company really grows out of that niche.

  3. Split bills: oh, the ever eluding perfect offline shopping experience. Entrepreneurs mean well – the experience does need a revamp. Is it really about not having to split a bill at a restaurant or the downtime of waiting for your check to arrive? As it turns out, these are very weak drivers to action when they are required to (again) sign up and add a credit card. It’s not that consumers don’t respond to call to action at those points; apps like OwnerListens prove that they do. They just don’t respond to THIS call to action. They want to do something, just not split the bill.

    The reason is simple: the actual shopping experience, while indeed a big issue, is just the tip of the iceberg when you approach it as a payment application. What you’re trying to build is the network of merchants and consumers, and you’re again faced with the two sided chicken and egg problem, with a weak call to action to consumers and not so easy integration for merchants. Adoption never crosses the usual suspects on Emerson street in Palo Alto, and even they are growing tired.

  4. Facebook Connect checkout: an alternative to the previous idea, here we have an attempt to streamline online checkout. This one fails not only because consumers are not too enthusiastic about giving their Facebook details in financial settings – they are not – but also since much like with the mobile wallet idea, they have a current option they like just as much. Credit cards work, and no incremental solution is going to displace them anytime soon.

The payments landscape is fragmented, commoditized and highly competitive. It is ripe for disruption, but that disruption will not come from new card-based services but from innovations in payroll, cross border trade, emerging markets, new identity trust authorities and other interesting ideas. Research those, and stay away from ideas that will take you nowhere. We need your energy focused on the right things if we are to really see a change in the coming years.

 

Using social network data in fraud prevention

Linking to a post I put up on Signifyd‘s blog:

Some of the most common questions we get asked are around social data. How do you use social data in fraud prevention? What’s the right way to leverage social network analysis in fraud investigations and real time decisions? We’ve had to deal with this issue with many of our customers, and found a few major obstacles and some very interesting use cases.

To be able to use social data, you first have to gather and understand it. In Signifyd‘s system, one of the first steps we take for each automated decision is “enrichment”, using a large number of online data sources to augment the consumer’s profile and understand the information we get from you to make the best decision.

The first challenge is getting the data. For many smaller retailers, using social data means using their personal (and sometimes fake) Facebook profile to look at a consumer’s profile and learn more about them, maybe run a few Google searches. Doing so at scale, however, is impossible. We went through dozens of online sources and integrated them through public and private APIs to allow collection of public information into a central repository. Doing that allows Signifyd to gather a lot of small pieces into a concrete mosaic of social data, since not every source will yield results at any given time.

When dealing with social data, one of the most important concerns regards consumers’ privacy. When you use a fake profile to friend a consumer you don’t only harm their privacy but also violate Facebook’s terms of service. Being able to use social sources without violating privacy – collecting publicly available information only, while respecting proper use, and only using it for highly targeted use cases – is what allows us to use social data but make consumers, and the businesses that use Signifyd to inspect those consumers, safe.

Once you cross that off, you’re faced with integrating the data. The problem with social data is that it’s highly fragmented; inferring relationships between different pieces – the consumer’s work place, whether their kid is using their details or whether the provided phone number is indeed theirs – is a complex inference task. It requires normalization of provided data into one common form, fuzzy comparison algorithms and other tricks.

Once you have it, how can social data be used for fraud prevention? At Signifyd, we see it being handy for two main uses:

  1. Identity validation: when you accept payments online, stolen credit cards are common. Many times the fraudster doesn’t have all of the card holder’s details, and they augment what they have with invented details. Emails, phone numbers and occasionally names and parts of the billing address are invented. Using social data, different details can be tied to multiple people or be identified as invalid – using, for example, complex white-pages searches. As a result, identity validation becomes a simpler task. Some of this can be used by your team very easily: using a consumer’s social fingerprints, you can establish whether they’ve had any meaningful activity online and how far back that activity has occurred. Profiles that haven’t existed for more than a few weeks or months are often times connected to fake or stolen identities.
  2. Friendly fraud prevention: friendly fraud, or abuse, often happens when a relative or co-worker uses one’s identity to make a purchase. These cases are more subtle in both detection and handling since the offender is often highly informed – knowing passwords, personal details, and having access to personal devices. By using social data on provided details and behaviors, you can infer that there are actually two different people involved in a certain purchase. One of the basic and common scenarios is when, using the provided email address, you learn that the alleged shopper is grossly underage. That immediately raises the suspicion of a kid using a parent’s details. Tying an email address to a work place, and through it to the IP the consumer has connected from, can allow you to better validate their identity and make sure that their information is not used by a family member.

Social data is complicated to use since it’s unstructured and often lacking. Building a strong portfolio of data sources, integrating them effectively and using the data to make fraud detection decisions is one of the important pillars of Signifyd‘s solutions. Try us out!

 

Smart, non-techie people sought for new project

You read it right! I’m looking into a new and exciting project in financial services, and it requires 1-2 people that are not engineers but can handle technology, operationally minded but not necessarily with years of experience. Here’s something I wrote a few years ago that captures the kind of people I enjoy working with (this is not for PayPal!, see after the quote):

What I’m looking for is results driven, quick thinking do-it-alls who want to be involved with new products, markets and risk challenges within Paypal. You should have the passion for consuming a lot of data and information, be able to learn quickly and identify and define trends in concise terms. You should be analytical and with a quantitative approach but not a data cruncher without any understanding of the big picture – we are playing at all fronts. Know or be able to learn how to drive processes through other people and organizations; working in ambiguous situations and coping with change is a must, as well as an ever changing operating rhythm. This is not your classic 9 to 5 and I’m not your classic 9 to 5 manager.

Experience is not a must (=graduates are also encouraged to apply), definitely not previous experience in risk management. However, please be an avid internet user, preferably a gamer in your past or present. Some security experience or tech savvy is a big plus – don’t get intimidated by developers, architects and tech talk. Impress me by having interesting hobbies out of work that you maintain although you are an aggressive achiever, and by having vast general knowledge (as in: you shout answers at “who wants to be a millionaire” while watching it on TV).

This is an excellent opportunity to be part of a founding team of a new startup that I think is very interesting, and to get a glimpse into the method and ideas that made FraudSciences, Analyzd, Signifyd (and hopefully this one as well) such a lucrative deal for investors, customers and acquiring corporations. This is also an opportunity for extremely smart people who aren’t engineers and are looking for a way into startups and don’t know how. Refer your best friends 😉

Please help me spread the word! Contact me directly for details.

 

NOTE: local SF Bay area folks highly preferred.