I want to explore openness wrt fraud prevention, not out of a facile rejection of "security through obscurity," but as part of Gittip's identity as an open company. It's accepted doctrine that "information asymmetry is probably your only advantage." I'm asking: can we be open about fraud prevention and prevent fraud? If we can be, we should.
What are your thoughts on the value of the social graph in spotting suspicious accounts? It seems to me that we should be able to whitelist new accounts based on a review of GitHub or Twitter profiles, and perhaps for flagged accounts we "authorize without capturing," as dangrossman suggests above.
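One way to make the review the comment describes concrete, as an added illustration that is not Gittip's code or the commenter's proposal: score a new account's linked GitHub/Twitter profiles on a few coarse social-graph signals, whitelist accounts that look established, route thin-but-plausible ones to "authorize without capturing" (the card is authorized but no funds are taken until a human has looked), and hold the rest for manual review. The thresholds, the field names on the profile record and the sample profiles below are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Profile record as this example assumes it (constructed; not Gittip's data model).
@dataclass
class SocialProfile:
    handle: str
    network: str          # "github" or "twitter"
    created: date         # when the account was created on that network
    followers: int
    following: int
    public_activity: int  # public repos for GitHub, tweets for Twitter

def score_profile(profile, today):
    """Count coarse signals that an account is an established, real person.

    Thresholds are illustrative assumptions chosen for this example.
    """
    age_days = (today - profile.created).days
    checks = {
        "established": age_days >= 180,            # not created last week
        "has_audience": profile.followers >= 10,   # someone else vouches for it
        "active": profile.public_activity >= 5,    # has actually done something
        # Following thousands while nobody follows back is a classic spam shape.
        "not_follow_spam": profile.following <= 20 * max(profile.followers, 1),
    }
    return sum(checks.values()), checks

def review_account(profiles, today):
    """Decide how to treat a new Gittip-style account from its linked profiles.

    Returns one of:
      "whitelist"      - strong social-graph signals, process normally
      "authorize_only" - authorize the card but do not capture until reviewed
      "manual_review"  - no usable signal, hold for a human
    """
    if not profiles:
        return "manual_review"
    best_score, _ = max((score_profile(p, today) for p in profiles),
                        key=lambda s: s[0])
    if best_score >= 4:
        return "whitelist"
    if best_score >= 2:
        return "authorize_only"
    return "manual_review"

# Constructed sample profiles for a fixed review date.
TODAY = date(2013, 6, 1)
ESTABLISHED_DEV = SocialProfile("alice", "github", date(2010, 3, 1), 42, 30, 17)
FRESH_FOLLOW_SPAM = SocialProfile("bot123", "twitter", date(2013, 5, 20), 2, 900, 1)
NEW_BUT_ACTIVE = SocialProfile("bob", "github", date(2013, 4, 1), 3, 10, 8)

if __name__ == "__main__":
    for profiles in ([ESTABLISHED_DEV], [FRESH_FOLLOW_SPAM], [NEW_BUT_ACTIVE], []):
        names = [p.handle for p in profiles] or ["<no linked profiles>"]
        print(names, "->", review_account(profiles, TODAY))
```

The scoring is deliberately crude: its job is to sort obvious cases so reviewers spend their time on the "authorize_only" bucket, and because nothing is captured for those accounts a wrong guess costs a delayed payment rather than a chargeback.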
I admire your motives, but I can't offer much encouragement.
My experience is that there is no such thing as preventing fraud in the absolute sense. It's not a binary proposition—maybe general security isn't either, but it's a hell of a lot less gray than credit card fraud. So while I think it's good for general fraud prevention techniques and information to be widely disseminated, I can't in good conscience discuss specifics of techniques that I've employed because those would be easily traceable to companies I've worked for, and thus would impose an undue cost on them. A lot of people who have worked on these issues are probably in similar position where we'd be happy to go into details over a beer but not on public record.