Carnegie Mellon University (CMU) researchers are relying on an old adage to develop anti-fraud software for Internet auction sites: It is not what you know, it is who you know.
At sites like eBay, users warn each other if they have a bad experience with a seller by rating their transactions. But the CMU researchers said savvy fraudsters get around that by conducting transactions with friends or even themselves, using alternate user names to give themselves high satisfaction ratings -- so unsuspecting customers will still try to buy from them.
The CMU software looks for patterns of users who have repeated dealings with one another, and alerts other users that there is a higher probability of having a fraudulent transaction with them.
"There's a lot of commonsense solutions out there, like being more careful about how you screen the sellers," said Duen Horng "Polo" Chau, the research associate who developed the software with computer science professor Christos Faloutsos and two other students. "But because I'm an engineering student, I wanted to come up with a systematic approach" to identify those likely to commit fraud.
The researchers analyzed about 1 million transactions involving 66,000 eBay users to develop graphs -- known in statistical circles as bipartite cores -- that identify users interacting with unusual frequency. They plan to publish a paper on their findings early next year and, perhaps, market their software to eBay or otherwise make it available to people who shop online.
Catherine England, an eBay spokeswoman, said the company was not aware of the research and would not comment on it. But England said protecting the company's more than 200 million users from fraud was a top priority.
Online auction fraud -- when a seller does not deliver goods or sells a defective product -- accounted for 12 percent of the 431,000 computer fraud complaints received last year by Consumer Sentinel, the Federal Trade Commission's consumer fraud and identity theft database. Auction fraud was the most commonly reported computer-related fraud in the database.
And the scams run the gamut.
Last year, a federal grand jury indicted an Ohio man on charges he sold hundreds of thousands of dollars of stolen Lego merchandise on the Internet. Earlier this year, a New Mexico woman was sentenced to nine years in federal prison for selling forged hunting licenses on eBay, over the phone and by e-mail, and then not delivering trips paid for by out-of-state hunters.
Earlier this month, a man who failed to deliver tickets to last year's Ohio State-Michigan football game to 250 online auction customers was sentenced to 34 months in federal prison.
Johannes Ullrich, an Internet fraud expert with the SANS Institute in Bethesda, Maryland, said the CMU research "sounds like a credible way to detect fraud."
"Essentially, what they're trying to do is find these extended circles of friends who make positive recommendations to each other," said Ullrich, the chief technology officer of SANS' Internet Storm Center, which tracks viruses and other Internet problems.
But Ullrich said the CMU researchers must find a way to screen out false positives. He said a small group of users -- such as baseball card collectors -- might repeatedly buy from one another and could be flagged as high-risk.
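The pattern described above, groups of accounts that repeatedly rate the same set of sellers (a bipartite core), can be sketched as follows. This is an added example, not the CMU software; the account names, thresholds and brute-force search are assumptions for illustration, and the feedback data is constructed. It also reproduces the false positive Ullrich describes: a small collectors' circle is flagged alongside the alternate-account ring.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample feedback, one (rater, rated_seller) tuple per positive rating.
FEEDBACK = (
    # Three alternate accounts each rate two sellers three times.
    [(r, s) for r in ("alt1", "alt2", "alt3") for s in ("seller_x", "seller_y")] * 3
    # Two collectors each buy twice from the same two card dealers.
    + [(r, s) for r in ("collector1", "collector2") for s in ("dealer1", "dealer2")] * 2
    # Ordinary buyers: one-off purchases, and one loyal customer of a single shop.
    + [("buyer1", "seller_x"), ("buyer2", "dealer1")] + [("buyer3", "shop")] * 4
)

def find_bipartite_cores(feedback, min_raters=2, min_sellers=2, min_repeats=2):
    """Return maximal (raters, sellers) groups in which every rater has rated
    every seller at least min_repeats times. Thresholds are assumed values."""
    counts = defaultdict(int)
    for rater, seller in feedback:
        counts[(rater, seller)] += 1

    # Keep only "repeated dealings" edges: seller -> raters who rated it often.
    rated_by = defaultdict(set)
    for (rater, seller), n in counts.items():
        if n >= min_repeats:
            rated_by[seller].add(rater)

    # Brute force over seller groups; fine for a sample, exponential in general.
    cores = set()
    sellers = sorted(rated_by)
    for size in range(min_sellers, len(sellers) + 1):
        for group in combinations(sellers, size):
            common = set.intersection(*(rated_by[s] for s in group)) - set(group)
            if len(common) >= min_raters:
                cores.add((frozenset(common), frozenset(group)))

    # Drop any core that is fully contained in a larger one.
    maximal = [c for c in cores
               if not any(c != o and c[0] <= o[0] and c[1] <= o[1] for o in cores)]
    return sorted((sorted(r), sorted(s)) for r, s in maximal)

if __name__ == "__main__":
    for raters, sellers in find_bipartite_cores(FEEDBACK):
        print("raters", raters, "-> sellers", sellers)
```

Raising `min_raters` or `min_repeats` removes the collectors' group from the output here, but only because the constructed ring happens to be larger and more active; a threshold alone does not separate the two cases in general.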