The Evolution of Anti-Abuse
I am old enough to have been online when the Internet was a much nicer place. In the last 25 years, it has turned into a very unsafe place where everything is constantly under attack. When you launch or grow anything where money exchanges hands on the Internet it is only a matter of time before you see folks trying to abuse your product. In my experience, companies tend to follow the same evolution of anti-abuse as they try and defend their products. In this post, I will highlight the typical evolution that everyone goes through. When I say abuse, I mean any abuse of your product or services, for example, sign up fraud using a stolen credit card or account take over where a bad guy accesses a real customers account.
The Stone Age
This is right at the start of your problems, the point where you first start getting abused. It isn’t crippling your business and you don’t know what to do or what is going to happen. Companies in this stage don’t really have any anti-abuse processes and just deal with the problem in an ad-hoc fashion. Basically, you wait for bad stuff to happen and then try and deal with it as best you can.
The Bronze Age
Eventually, abuse is causing a big enough problem that you put your ops guys on it. They can preemptively find abuse before it is reported by looking at applications logs. This always ends up with some crazy shell scripts that have to be constantly updated to keep up with the changing bad guys. As the scale of your business (and therefore abuse) increases, the logs will get too big and someone will suggest using a big data solution to help out. So now all your logs get shipped to a Hadoop cluster or similar and the same janky scripts get written in another language, but the effect is still the same. The log aggregation is expensive and now you are paying for the headcount, storage and processing and what-ever the actual cost of the abuse is. This is a very frustrating stage because you have now invested real money into fighting abuse and what you have just isn’t very good.
The Iron Age
The ops guys can't keep up with the problem and this is where you put an engineering team in the mix. They, of course, do what all product teams do and start writing software to try and solve the problem. For some things like sign up fraud there are good 3rd party tools you can integrate with but when it comes to abuse of your actual product you are pretty much on your own. You will build some custom tools around your business logic and probably make some kind of dashboard that support, or ops have to use to police the abuse. As with each age of anti-abuse, this is even more costly because engineers and 3rd party sign up screening services are not cheap.
The modern age of anti-abuse tools requires that you invest in machine learning and automation. The driver is the manpower used to drive the tools and processes that have been added in the previous years will have become too expensive to maintain or scale. Some companies never enter this age because of the cost of the headcount needed to do it. Another point is a data science team is typically used to develop core product features, not work on abuse. If we had our way, we would have companies skip all ages of anti-abuse and go straight to this age but instead of hiring a bunch of data scientists they would use our software.
The tools and processes from each age work better than the previous generation but none of them satisfy the business. The biggest problem as they provide more sophisticated protection, they also get a lot more complicated. This means they are slow to change and hard to update. In my experience, the tools from the previous ages seem to stay around and not deleted until they stop working. Just rotting technical debt. Most places are stuck in the Iron Age of anti-abuse. This is one of the reasons we started Siegescape. We can help people have an effective anti-abuse system that doesn't require as much time and money to operate.