
Add "Help Trust and Safety mitigate crypto-abuse by storing non-identifying credit card meta data" to Engineering Allocation

Jerome Z Ng requested to merge jeromezng-master-patch-69302 into master

Proposal

Follow-up from our FY22-Q3 GitLab.com Daily Standup, where we recently noticed crypto-abuse spiking again.

This MR is a proposal for an Engineering Allocation to help Trust and Safety mitigate crypto-abuse by storing non-identifying credit card meta data. This work will give our Trust and Safety team the ability to identify which abuse accounts were opened using the same credit card, in order to reduce repeat abuse behavior.

Justification

In FY22-Q2, we put in place "Require a valid credit card for trial and free users to run any pipelines", which helped mitigate crypto-abuse.

More recently, we've noticed that crypto-abuse is once again increasing on our free tier. It seems that some dedicated miners are using the same credit card to validate many accounts, which lets them efficiently bypass the credit card validation we put in place in FY22-Q2.


Dashboard: https://app.periscopedata.com/app/gitlab/869057/Cryptomining-abuse-dashboard

The Security and Trust and Safety teams also believe this work is important to help them combat crypto-abuse:

From Steve Manzuik (Security Team)

I would think it’s pretty important. Would allow for some additional automation - find all accounts linked to the same card and auto block. Would force the miners to change tactics and be less automated on their side if they have to worry about one bad card exposing all accounts. https://gitlab.slack.com/archives/C01PWV3E39C/p1631052464030100?thread_ts=1631033981.026100&cid=C01PWV3E39C

From Charl de Wit (Trust and Safety Team)

@WayneHaber I agree with Steve Manzuik that this is important. The success they are having will only embolden them and lack of ability to relate a CC to an account is limiting our ability to deal with this effectively. Not only by tying 1 CC back to multiple accounts using it, but also not allowing us to potentially make better use of Stripe's anti-fraud tools. (aka if we use that as a datapoint in determining if an account is malicious and then blocking all related accounts) https://gitlab.slack.com/archives/C01PWV3E39C/p1631052464030100?thread_ts=1631033981.026100&cid=C01PWV3E39C

Scope of work

This engineering allocation will be limited to:

  • Storing non-identifying credit card meta data in GitLab.com, such as the last four digits of the card, the date/time validated, and the card type (Visa, Mastercard)
  • The high-level estimate for this work is 1x backend engineer for 1x milestone

Resourcing plan

  • 1 Backend Engineer moved from Fulfillment:License to Fulfillment:Purchase, dedicated to this effort in 14.4

Exit criteria

Successful delivery of:

Timeline

  • 2021-09-09: Discuss Engineering Allocation
  • 2021-09-10: Finalize Engineering Allocation
  • 2021-09-13: Receive Approvals and Merge MR
  • 2021-09-13: Team members identified (@lulalala)
  • 2021-09-14: Fulfillment Team Announcement
  • 2021-09-18: Team members transition to Fulfillment:Purchase and begin work
  • 2021-10-17: Team members complete work
  • 2021-10-17: Team members transition back to Fulfillment:License team

Next steps

  • Define Proposal
  • Define Justification
  • Define Scope of work
  • Define Resourcing plan
  • Define Exit criteria
  • Define Timeline
  • Discuss Engineering Allocation
  • Finalize Engineering Allocation
  • Receive Approvals and Merge MR

Approvals

  • Chief Technology Officer @edjdev
  • VP of Development @clefelhocz1
  • Director of Engineering, Growth, Fulfillment, Applied ML @whaber

Informed

Edited by Wayne Haber
