Serge Egelman @v0max Scientician, Director of Usable Security & Privacy @ICSIatBerkeley (All opinions are those of my employer, and not my own) Founder/CTO, Dec. 23, 2018

Today's personal story of machine learning run amok (thread):

My research group is looking at the privacy behaviors of paid apps. Doing so requires us to purchase lots of paid apps. The Play Store processes each purchase separately, as opposed to batching them. 1/

So, purchasing, say, 1,000 apps will result in 1,000 credit card authorizations. Banks enforce a maximum number of card authorizations per day. In conducting this study, it appears as though this number is in the double digits. Thus, my card was repeatedly frozen. Repeatedly. 2/

After multiple hourly calls to my bank to explain the problem, they said there's nothing they can do: their fraud detection algorithm will always lock the account after this number of transactions. Okay, Plan B: we'll buy gift cards. 3/

I went to Amazon and bought multiple Google Play gift cards. After about an hour, the order was automatically canceled, because the cards were purchased "outside of ." No, they weren't. 4/

I retried the order. Same message.

I tried again, with a smaller amount. This results in my account being locked. Customer service tells me that fraud was detected on my account, and that disabling 1-click buying will fix everything. 1-click was never enabled. 5/

They tell me they've cleared the fraud alert, and I should re-order.

Same thing: order is automatically canceled and I'm now locked out of my account. 6/

I talk to another customer service person, who says they will escalate this to the accounts security folks and that I'll receive an email. Yesterday, I get an email saying that everything has been resolved and that I should replace my order (for the fourth time). 7/

Same thing: order is canceled, and my account is locked again.

While on the phone with customer service, they tell me that they've noted all of this on my account, and to avoid this in the future, as long as I spend under $500, the order will definitely go through. 8/

After an hour on the phone with them, I order 2 $100 cards. Same thing: order is canceled and account is frozen.

At this point, they've given up: it seems that their fraud detection algorithm interprets *any* purchase of gift cards on my account as fraud. 9/

They conclude they cannot override the algorithm, and advise me to buy cards elsewhere.

I next discover that buying gift cards for Google Play from @PayPal @Target and @GiftCards_com results in automatic cancelation of my orders due to fraud algorithms, even a single [email protected] $100. 10/

At this point, I think I'm going to go to a physical store.

My takeaway from all of this: if the purchase of a single gift card triggers your fraud algorithm, resulting in the automatic cancelation of the order, maybe don't tell customers you sell gift cards?
