develop some fraud review guidelines

[chadwhitacre]

Reticketing from #1913.

[chadwhitacre]

@bruceadams @zwn @chrisdev @clone1018 Picking up ...

The real problem is the $100 transfer from one of them to the other.

That in itself isn't a problem to me. What if someone wants to test out Gittip?

More importantly, imagine the frustration of being one of these users and being marked suspicious. What notification do they receive? What process do we give them for for proving themselves trustworthy after all?

Of course, publishing our algorithm for earning trust gives malefactors a leg up. How do we balance our commitment to openness with our need to maintain trust? That's the challenge we've set ourselves.

[bruceadams]

Test out Gittip? With $100? Why go with the maximum amount? Doesn't one dollar or even ten sound more like testing?

It's hard for me to imagine something more suspicious than this scenario. Problems:

1. New, unused Twitter account
2. New, unused GitHub account
3. dollar amount at our maximum limit
4. transfer only between these two new

Turning this around the other way. Suppose I have stolen credit card information and I want a low risk way to get some cash out of it. I discover that Gittip provides a service for anonymously transferring money. Nice! I'll setup accounts on two different social networks, to reduce the chances of seeing a tie between the two. I'll transfer as much money as I can, since I may not get a second chance (due to the credit card getting cancelled). I wonder if Gittip is able to retract money from my receiving bank account if the credit card charge gets reversed later? Only one way to find out.

We could've been more energetic about reaching out to these people on their social networks. @clone1018 did ping the GitHub account, although that was only a few hours ago. No one appears to have attempted to reach the Twitter account.

[bruceadams]

Is this a dup of #1088?

[chadwhitacre]

Good find, @bruceadams. Closing this one, will pick up over there ...