Keeping up with the bad guys

Carsales is Australia’s biggest vehicle retail site, which means it has to work hard and fast to keep up with the bad guys targeting its systems in ever increasing numbers.

Dmitry Kulshitsky, development operations and security manager, Carsales

“You try to identify the fraudsters through their overseas internet protocol addresses, and they get Australian IPs; look for overseas phone numbers, and they get Australian ones - they do everything imaginable to get a foot in the door,” Dmitry Kulshitsky, Carsales’ development operations and security manager told iTnews.

Security for Carsales means more than just protecting its systems: it’s about keeping customers selling vehicles on the site safe as well. A fraud-free environment is a huge competitive advantage for Carsales.

This is not an easy task - any security measure must have exactly zero impact on legitimate Carsales customers.

To get there, Kulshitsky’s team teamed up with various anti-fraud companies using data analysis to detect fraud.

“There’s no single technology that can do all that we want, so we’re using several different ones in Carsales’ security stack,” Kulshitsky said.

The 40 or so Carsales properties are also protected by a global content delivery network, which deployed a range of security solutions to remove traffic from automated bots and scrapers used by digital miscreants.

Internal solutions to protect customers were also developed and deployed, including a 'privacy project' feature.

This allocates a virtual phone number to a real one. Customers can publish the virtual phone number on the site, and avoid risks associated with fraud attempts such as SMS phishing.

Since online fraud attempts are an industry-wide problem, Carsales and others in the same position have been co-ordinating on a solution.

“We’re also collaborating with other retail sites to share intelligence because we all have the same goal - which is to keep the bad guys away from Australia,” Kulshitsky said.

Fast reactions are important to handle the quickly shifting sands of the online threat landscape.

“We’re an agile shop, and can turn around changes and updates to sites and have them deployed in 20-30 minutes,” Kulshitsky said.

“It’s all about pace and maintaining it, and we’re quick. It’s an arms race with the bad guys, and we have to be organised to stay ahead,” he said.

He assembled a team of ten to build the current solution, which spent over six months on the first phase of the Carsales security solution. The project continues to evolve as new online threats emerge.

Analysis, fast development, testing and deployment of fixes and protection of infrastructure have paid off for Carsales. Credit card chargebacks due to fraud have been considerably curtailed, Kulshitsky said.

Ultimately, the biggest pay-off for Carsales has been the positive feedback from customers who appreciate the safe trading environment.

“As market leaders, we have to set the standard for customer protection without inconveniencing them - having customers tell you that we’re doing it right has been a great reward,” Kulshitsky said.

Carsales' anti-fraud and security solution is a finalist in the SC Benchmark awards.