PITTSBURGH - Carnegie Mellon University researchers are relying on an old
adage to develop anti-fraud software for Internet auction sites: It's not
what you know, it's who you know.

At sites like eBay, users warn each other if they have a bad experience
with a seller by rating their transactions. But the CMU researchers said
savvy fraudsters get around that by conducting transactions with friends
or even themselves, using alternate user names to give themselves high
satisfaction ratings — so unsuspecting customers will still try to buy

The CMU software looks for patterns of users who have repeated dealings
with one another, and alerts other users that there is a higher
probability of having a fraudulent transaction with them.

"There's a lot of commonsense solutions out there, like being more careful
about how you screen the sellers," said Duen Horng "Polo" Chau, the
research associate who developed the software with computer science
professor Christos Faloutsos and two other students. "But because I'm an
engineering student, I wanted to come up with a systematic approach" to
identify those likely to commit fraud.

The researchers analyzed about 1 million transactions involving 66,000
eBay users to develop graphs — known in statistical circles as bipartite
cores — that identify users interacting with unusual frequency. They plan
to publish a paper on their findings early next year and, perhaps, market
their software to eBay or otherwise make it available to people who shop

Catherine England, an eBay spokeswoman, said the company was not aware of
the research and would not comment on it. But England said protecting the
company's more than 200 million users from fraud was a top priority.

Online auction fraud — when a seller doesn't deliver goods or sells a
defective product — accounted for 12 percent of the 431,000 computer fraud
complaints received last year by Consumer Sentinel, the Federal Trade
Commission's consumer fraud and identity theft database. Auction fraud was
the most commonly reported computer-related fraud in the database.

And the scams run the gamut.

Last year, a federal grand jury indicted an Ohio man on charges he sold
hundreds of thousands of dollars of stolen Lego merchandise on the
Internet. Earlier this year, a New Mexico woman was sentenced to nine
years in federal prison for selling forged hunting licenses on eBay, over
the phone and by e-mail, and then not delivering trips paid for by

Earlier this month, a man who failed to deliver tickets to the 2005 Ohio
State-Michigan football game to 250 online auction customers was sentenced
to 34 months in federal prison.

Johannes Ullrich, an Internet fraud expert with the SANS Institute in
Bethesda, Md., said the CMU research "sounds like a credible way to detect

"Essentially, what they're trying to do is find these extended circles of
friends who make positive recommendations to each other," said Ullrich,
the chief technology officer of SANS' Internet Storm Center, which tracks
viruses and other Internet problems.

But Ullrich said the CMU researchers must find a way to screen out false
positives. He said a small group of users — such as baseball card
collectors — might repeatedly buy from one another and could be flagged as

Faloutsos said the researchers have thought of that in developing the
software called NetProbe — short for Network Detection via Propagation of

"We're not just looking at your neighbors (on the auction site),"
Faloutsos said. "We're looking at the neighbors of your neighbors, and the
neighbors of your neighbors' neighbors."

But couldn't there be a huge amount of surveillance and false positives?
Barry Wellman S.D. Clark Professor of Sociology NetLab Director
Centre for Urban & Community Studies University of Toronto
455 Spadina Avenue Toronto Canada M5S 2G8 fax:+1-416-978-7162
wellman at chass.utoronto.ca http://www.chass.utoronto.ca/~wellman
for fun: http://chass.utoronto.ca/oldnew/cybertimes.php
SOCNET is a service of INSNA, the professional association for social
network researchers (http://www.insna.org).
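
The article says the software looks for users with repeated dealings with one another and for bipartite cores in the transaction graph. The sketch below is an added example, not NetProbe and not the researchers' code: it finds groups of raters who all repeatedly rated the same group of sellers. The account names, sample ratings and thresholds are assumptions, and it covers only the core search, not the neighbors-of-neighbors step Faloutsos describes.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample data: one (rater, seller) row per positive rating.
# alt1..alt3 each rate sellerX and sellerY twice; the rest are ordinary buyers.
RING = [(a, s) for a in ("alt1", "alt2", "alt3")
        for s in ("sellerX", "sellerY")] * 2
HONEST = [("bob", "shopA"), ("bob", "sellerX"),
          ("carol", "shopA"), ("carol", "shopA"), ("carol", "shopA"),
          ("dave", "shopB"), ("dave", "shopA"), ("erin", "sellerY")]
FEEDBACK = RING + HONEST


def find_bipartite_cores(feedback, min_raters=3, min_sellers=2, min_repeat=2):
    """Map each group of `min_sellers` sellers to the raters who rated every
    seller in the group at least `min_repeat` times, keeping only groups
    shared by `min_raters` or more raters (thresholds are assumptions)."""
    counts = Counter(feedback)
    repeated = defaultdict(set)          # rater -> sellers rated repeatedly
    for (rater, seller), n in counts.items():
        if n >= min_repeat:
            repeated[rater].add(seller)
    shared = defaultdict(set)            # seller group -> raters covering it
    for rater, sellers in repeated.items():
        for group in combinations(sorted(sellers), min_sellers):
            shared[frozenset(group)].add(rater)
    return {g: r for g, r in shared.items() if len(r) >= min_raters}


def flagged_accounts(cores):
    """Every account that sits on either side of a detected core."""
    accounts = set()
    for sellers, raters in cores.items():
        accounts |= sellers | raters
    return accounts


if __name__ == "__main__":
    for sellers, raters in find_bipartite_cores(FEEDBACK).items():
        print(sorted(raters), "all repeatedly rated", sorted(sellers))
```

In this sample, carol rates shopA three times but is not flagged, because one repeat customer of one seller does not form a core. A tight group of collectors who all trade with each other would still match, which is the false-positive case Ullrich raises.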