Add "Help Trust and Safety mitigate crypto-abuse by storing non-identifying credit card meta data" to Engineering Allocation
Proposal
Follow-up from our FY22-Q3 GitLab.com Daily Standup, where we recently noticed crypto-abuse spiking again.
This MR is a proposal for an Engineering Allocation to Help Trust and Safety mitigate crypto-abuse by storing non-identifying credit card meta data. This work will provide our Trust and Safety team with the ability to identify which abuse accounts were opened using the same credit card to reduce repeat abuse behavior.
Justification
In FY22-Q2, we put in place Require a valid credit card for trial and free users to run any pipelines which helped mitigate crypto-abuse.
More recently, we've noticed that crypto-abuse is once again increasing on our free tier. It seems that some dedicated miners are using the same credit card to validate many accounts which lets them efficiently bypass the credit card validation we put in place in FY22-Q2.
Dashboard: https://app.periscopedata.com/app/gitlab/869057/Cryptomining-abuse-dashboard
The Security and Trust and Safety teams also believe this work is important to help them combat crypto-abuse:
From Steve Manzuik (Security Team)
I would think it’s pretty important. Would allow for some additional automation - find all accounts linked to the same card and auto block. Would force the miners to change tactics and be less automated on their side if they have to worry about one bad card exposing all accounts. https://gitlab.slack.com/archives/C01PWV3E39C/p1631052464030100?thread_ts=1631033981.026100&cid=C01PWV3E39C
From Charl de Wit (Trust and Safety Team)
@WayneHaber I agree with Steve Manzuik that this is important. The success they are having will only embolden them, and lack of ability to relate a CC to an account is limiting our ability to deal with this effectively. Not only by tying 1 CC back to multiple accounts using it, but also not allowing us to potentially make better use of Stripe's anti-fraud tools (aka if we use that as a data point in determining if an account is malicious and then blocking all related accounts). https://gitlab.slack.com/archives/C01PWV3E39C/p1631052464030100?thread_ts=1631033981.026100&cid=C01PWV3E39C
Scope of work
This engineering allocation will be limited to focus on:
- Storing non-identifying credit card metadata in GitLab.com, such as the last four digits of the card, the date/time it was validated, and the card type (Visa, Mastercard)
- The high-level estimate for this work is 1x backend engineer for 1x milestone
Resourcing plan
- 1 Backend Engineer moved from Fulfillment:License to Fulfillment:Purchase, dedicated to this effort in 14.4
Exit criteria
Successful delivery of:
- Store non-identifying credit card meta data at validation for CI pipelines
- Provide the Trust and Safety team with the ability to recognize when the same credit card has been used across many accounts
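To make the Scope of work and Exit criteria concrete, the following is an added example (not GitLab's implementation) of what the stored record and the cross-account check could look like. The record fields, function names, `min_accounts` threshold and the sample accounts are all assumptions constructed for this illustration; only the three metadata fields come from the proposal.

```python
"""Added example: store non-identifying card metadata per CI pipeline
validation and find accounts that share a card.

Field and function names are assumptions for this illustration, not
GitLab's schema. Sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CardValidation:
    """One credit card validation event at CI pipeline enablement.

    Only the non-identifying fields named in the proposal are kept:
    last four digits, card type and validation time. No PAN, expiry or
    cardholder data is stored."""
    account_id: int
    card_type: str       # e.g. "visa", "mastercard"
    last4: str           # last four digits of the card number, as text
    validated_at: datetime

    def __post_init__(self):
        # Guard against accidentally persisting more than four digits.
        if not (len(self.last4) == 4 and self.last4.isdigit()):
            raise ValueError("last4 must be exactly four digits")


def card_key(v):
    """Key under which validations are compared. (card type, last4) has
    only tens of thousands of distinct values, so unrelated users can
    collide; treat a match as a review signal, not proof."""
    return (v.card_type.lower(), v.last4)


def accounts_by_card(validations):
    """Map each card key to the set of account ids that validated with it."""
    groups = defaultdict(set)
    for v in validations:
        groups[card_key(v)].add(v.account_id)
    return groups


def shared_card_accounts(validations, min_accounts=3):
    """Cards used across at least `min_accounts` distinct accounts,
    returned as {card_key: sorted account ids}."""
    return {
        key: sorted(ids)
        for key, ids in accounts_by_card(validations).items()
        if len(ids) >= min_accounts
    }


def related_accounts(validations, account_id):
    """Given one account flagged by Trust and Safety, return every other
    account that validated with any card that account used."""
    keys = {card_key(v) for v in validations if v.account_id == account_id}
    groups = accounts_by_card(validations)
    related = set()
    for key in keys:
        related |= groups[key]
    related.discard(account_id)
    return sorted(related)


# Constructed sample data: four accounts validated with the same Visa
# ending 4242, two with the same Mastercard, one with an unrelated Visa.
_T0 = datetime(2021, 9, 8, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    CardValidation(101, "visa", "4242", _T0),
    CardValidation(102, "visa", "4242", _T0),
    CardValidation(103, "Visa", "4242", _T0),
    CardValidation(104, "visa", "4242", _T0),
    CardValidation(201, "mastercard", "5555", _T0),
    CardValidation(202, "mastercard", "5555", _T0),
    CardValidation(301, "visa", "0005", _T0),
]

if __name__ == "__main__":
    print(shared_card_accounts(SAMPLE))           # {('visa', '4242'): [101, 102, 103, 104]}
    print(related_accounts(SAMPLE, 102))          # [101, 103, 104]
```

The threshold keeps a card shared by two accounts (for example a user with a personal and a work account) below the radar by default, while the `related_accounts` lookup supports the "one bad card exposes all linked accounts" workflow quoted above. Because the stored fields are deliberately low-entropy, the output is a candidate list for Trust and Safety review rather than an automatic verdict; the `validated_at` timestamp additionally lets the team ask how quickly the same card was reused across accounts.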
Timeline
- 2021-09-09: Discuss Engineering Allocation
- 2021-09-10: Finalize Engineering Allocation
- 2021-09-13: Receive Approvals and Merge MR
- 2021-09-13: Team members identified (@lulalala)
- 2021-09-14: Fulfillment Team Announcement
- 2021-09-18: Team members transition to Fulfillment:Purchase and begin work
- 2021-10-17: Team members complete work
- 2021-10-17: Team members transition back to Fulfillment:License team
Next steps
- Define Proposal
- Define Justification
- Define Scope of work
- Define Resourcing plan
- Define Exit criteria
- Define Timeline
- Discuss Engineering Allocation
- Finalize Engineering Allocation
- Receive Approvals and Merge MR
Approvals
- Chief Technology Officer @edjdev
- VP of Development @clefelhocz1
- Director of Engineering, Growth, Fulfillment, Applied ML @whaber
Informed
- Chief Product Officer @sfwgitlab
- VP of Product Management @adawar
- Director of Product Management, Fulfillment @justinfarris
- Principal Product Manager, Fulfillment:Purchase @tgolubeva
- Senior Product Manager, Fulfillment:License @teresatison
- Engineering Manager, Fulfillment:Purchase @chris_baus
- Engineering Manager, Fulfillment:License @jameslopez
- Director of Engineering, Ops @sgoldstein