By Andrew Swensen

Here are some of the ways the crime happens: A manager in a large company purchases gift cards for staff bonuses and bills them to the company expense account. But instead of actually passing the gift cards out, he takes them home. Or a business buys gift cards from itself to skew sales numbers and reduce not only the ratio of sales to product returns but the apparent rate of dissatisfied customers.

Or someone steals your credit-card numbers through an illegally placed card reader or an online interception of those 16 digits. (for example, the recent hacking into Target accounts). Then the thief uses your account to buy gift cards, converting the credit-card value into purchasing power that’s as fast as the Internet.

Welcome to the world of gift-card fraud.

But where there is fraud, there is also opportunity—even on the right side of the law. Last year, a popular gift-card Web site turned to Carnegie Mellon’s Institute for Software Research (ISR) within the School of Computer Science. The company was interested in a corporate outreach program where a student team of aspiring engineers would work on a problem the company is facing., based in Pittsburgh, is among the biggest players in the gift-card marketplace. The company has become savvy in the ways of its business model—and in the ways it can be manipulated for unethical and even criminal intent.

“We see a lot of fraud attempts,” says Mike Tchirkow, Fraud Manager. His company sells millions of gift cards, which puts Tchirkow front and center when it comes to rooting out cases of gift card misuse. Tchirkow is a good-natured person who’s very good at his job. The simple fact is he just doesn’t like the liars who practice fraud. He wants to put a stop to their practices. He knows it’s not enough to uncover instances of fraud that have already taken place. He wants the company to lead the way in preventing fraud-related attacks from happening in the first place.’s sponsorship of an ISR team is a win-win. The company gets a fresh perspective on processes that can screen for high-risk activity. ISR students, some of whom may end up working in the financial services industry, get to learn by experience.

In our modern era, human capacity for deception manages to stay current with emerging technology and trends. We digitize money with credit and debit cards, PayPal, online banking, and gift cards. Buying and selling online, or “e-commerce,” is approaching 10% of our total transactions. In this new world, some behavior starts as questionable and slides into unethical. Someone buys his own book on so he can write a glowing review, for example, or a company pays an employee to travel the Internet and write favorable product experiences via social media. Technology has made gift cards more convenient and more accessible. We are buying them to the point where it has become a $100 billion industry, turning our time-honored traditions of generosity into 21st-century convenience.

Gift cards are interesting because they represent sales to companies, and become spending power for whoever holds them. In other words, they are both product and currency. Businesses want favorable sales, and everyone wants buying power—unfortunately, some are willing to use criminal deception to gain them.

Some gift-card fraud comes in ways that are familiar. A hacker acquires a credit-card number and converts it into gift-card value, for example, digital theft. However, some schemes are more convoluted. The example of the company manager charging gift cards is an actual case of fraud that Tchirkow encountered. The manager was using gift cards to conceal corporate embezzlement.

Another attempted scheme involves the manipulation of “chargeback” rates. A chargeback is the return of a purchase made on a credit card. Chargebacks reduce the commissions to the credit-card companies. So, of course, credit-card companies do not like businesses to have elevated rates of chargebacks—that is, abnormally high numbers of customers making returns. If a retailer’s chargeback percentage gets too high, a credit-card company could choose to discontinue service. This is where gift-card fraud comes in. A business owner can buy gift cards and proceed to use them at his own business (usually in $1 increments) to inflate sales numbers, thereby diluting the chargeback rate and deceiving the credit card company.

V11n2 4 2

To combat fraud, Tchirkow and his colleagues monitor thousands of transactions per day. That quickly adds up to a sea of data over time. They seek patterns in the activity and have grown skilled in identifying what patterns might suggest unscrupulous activity. Yet the sheer volume of transactions challenges human hands and eyes. So wants leading-edge fraud-prevention technology to support human observation and respond to 21st-century criminals who dream up what Tchirkow calls a “constant onslaught of different schemes.”

The situation has inherent challenges. The system will have to adapt to changing patterns of fraud. It will have to work for non-technical and technical staff alike. It will need to dovetail human observation and judgment in an automated program that tracks and analyzes millions of data points. That’s where ISR comes in.

The institute offers graduate studies combining advanced classroom curriculum with hands-on experience. Students register for core courses as would any master’s degree candidate, but they also sign up for a client project. The students divide into teams, led by a professional mentor. Each team engages with a client as would professional software engineers.

“It’s a unique program,” says Philip Bianco, an ISR mentor who works in applied research at CMU’s Software Engineering Institute. “They get to do a real project. They allow you to apply what you are learning.” Matthew Bass, assistant teaching professor and associate director of Software Engineering Professional Programs, calls the graduate program a “learn-by-doing approach” that trains students to be working professionals. Teams begin their engagement by gathering information through client interviews. In fact, the first hurdle for any team is the learning curve. They must understand a business that is new to them before they can translate a client’s needs into a software solution.

V11n2 4 1

The greatest challenges—and the greatest learning opportunities, according to Bianco—are not necessarily the technical issues. In the world of software design and application, systems still have to respond to human needs. Software engineers have to design for the level of experience of end users. The ISR on-site projects require students to combine their classroom software training with the “soft” skills of communication. Success requires the ability to listen well to client needs, present proposed fixes to the client, and refine the solution based on feedback. Ultimately, it requires what Bianco says is often the most demanding task—getting people to agree, within the team as well as between the team and client.

The project fits well with ISR. It puts students at the leading edge of business trends and provides a tremendous opportunity for students to conceive technical solutions while collaborating with a company’s non-technical staff. Fraud has patterns, says Tchirkow. Make no mistake about it. But detecting those patterns requires human observation and experience. fraud professionals monitor how the cards are purchased and how they are spent. However, the search for patterns is a labor-intensive, manual process of transaction review. People do not have as long or as perfect a memory as computers—no matter how hard they try. Even professionals may not see patterns that a software program might detect over the long run. Also, unlike computers and the software running on them, humans are subject to fatigue. A person’s observation may not be as sharp at the end of the day as it was at the beginning.

The goal for the ISR team is an automated system that complements trained fraud-detection professionals. The system needs to be flexible and adaptable—it must allow staff to continue adding rules to the program. Bianco, a get-things-done kind of fellow, assembles a team of four students to work on the project. He takes his role as a mentor very seriously. He will be direct and earnest when coaching the students—Shankar Narayan, Venkatesh Sakamuri, Siddharth Teotia, and Vaishnavi Venkatesan— without ever telling them outright how to solve a problem.

As the team begins work, they recognize the breadth of the challenges. They need to understand the nature of fraud and how fraud managers detect it. With gift cards specifically, it’s difficult to track a single card to a single individual.

They begin by dividing fraud into two sets, the known and the unknown. The known set includes types of fraud described by the staff. But even though they call it the known set, identifying it still often depends on fraud professionals developing an intuition for suspicious activity. The design task for the students, then, is translating that human intuition into a software program.

If the task of creating an intuitive system is not challenge enough, they also have to build a system that will be able to learn and accommodate new rules for observation when necessary. In other words, they have to prepare for the unknown. “To achieve this,” observes team member Venkatesan, “the team decided to develop a rule-based system for the known set and a self-learning system for the unknown set.”

After months of work, they arrive at a solution. Tchirkow characterizes the outcome as the difference between seeing in three dimensions versus two. The old way of detection sees an individual transaction and forces a fraud manager to evaluate it by itself. The new way, what Tchirkow now calls “the Carnegie Mellon way,” locates fraud with more consistency by placing a single transaction in context with historical information. The software can then follow the entire history of a single card.

From all perspectives, the project is considered an absolute success by the team members Sakamuri is grateful for how the ISR program and faculty encourage students to get out into the world. His experience, he says, is now preamble to his next step after Carnegie Mellon—a position at Oracle. Venkatesan appreciates how she was able to translate classroom principles from algorithms to a problem like fraud. Echoing the ISR emphasis on the human element within software engineering, Teotia underscores skills that can be learned only by doing—“customer management, project management, teamwork, and time management.” And Narayan adds, “the graduate program has given all of us real-life experience dealing with the challenges of translating what the client thinks into a technological solution.”

Bianco and Bass speak of how well the project has gone on a number of levels. They praise because the company recognized and celebrated the project as both a professional engagement and educational endeavor. “This was a good match,” says Bianco. Students were able to engage in the trial-and-error process of refinement to arrive at effective results. He emphasizes that it was the students’ project, and its problems were theirs to solve. They had the latitude to propose solutions and even to make a few mistakes along the way. As Sakamuri gratefully acknowledges, the students were always able to express their own ideas and were encouraged to explore them.

As for, the fraud team now has a new powerful tool. “We were all very impressed by the team,” says Tchirkow. “We are very happy with the results.” The system allows for information to be analyzed more quickly and permits a longer view of analysis over time, he says, adding that the system will assist ongoing efforts to stay ahead of the curve with the ever-changing face of fraud.

“What they are trying to do is always changing,” Tchirkow says. “The world has fraudsters that are trying to cheat us, cheat the system.” But thanks to the ISR Team of Four, more of those unlawful efforts will result in failure