
About the expert: Andrey Rybintsev, Director of Trust & Safety at Avito. He has been with the company since 2015 and is responsible for ensuring the security and trust of users on the service.
Online newbies and social engineering
How safe are online transactions today? What has changed in this regard over the past year or two?
— Since the beginning of the pandemic, as we know, a lot of businesses and people have been forced to go online. Traffic to a variety of online services has skyrocketed, including ad platforms like ours.
This process has another side. Many new inexperienced users have appeared on the sites who have not encountered online before. They don't always know what is safe to do and what is not. And here everything happens as in life. There is a certain ratio of good and, let's say, not very good people in the world, and the former are always disproportionately larger. Some differ from others in their attitude to the personal property of another person, moral taboos. Of course, there have always been and will always be gullible people and those who are ready to take advantage of this. And any online platform is a digital reflection of people's behavior in everyday life. Who among us has not been scammed? Often this is beyond human consciousness, especially when it comes to psychological techniques, NLP, social engineering, manipulation.
Online platforms and banks do not stand still and react to these trends. It is extremely important at the subconscious level from a very early age to instill in a person resistance to psychological manipulation. In order for him to automatically trigger a reflex in any situation: do not call CVC, do not send an advance payment, do not tell anyone secret codes.
And this is the strength and advantage of online: here everything changes and develops much faster. Technology is now working to stay ahead of any scenario of fraudulent schemes.
Corporate security is always a huge system under the hood. For example, in Avito, the number of ads that are moderated every day exceeds 5 million. Almost 500 people work in the security and moderation system. And during the pandemic, we have more than doubled spending on security.
More than 80 million people make transactions on Avito every year, find work, order and offer services, sell, buy an apartment or a car. Now Avito has again received a tremendous increase in its customer base: nine transactions are made every second on the platform, and the number of ads has grown by 10%. A month ago, there were 16.5 million daily users on Avito, today there are already 22 million. Therefore, we have activated the additional protection mode.
Under the new conditions, we switched to an enhanced moderation mode to protect users from provocations and price speculation. For example, ads with inflated prices for socially significant goods that began to disappear from store shelves began to be blocked in advance. This is also a security issue for our users.
— How did the overlap of these two trends ultimately affect the security of transactions on the Internet? Have they become safer or vice versa?
— Any fight against violators is an eternal confrontation between the shield and the sword. The sites are doing something on their part, taking new measures. Violators adapt to them and try to come up with new scenarios.
But I am convinced that in general it has become better and safer. Judging by our internal data, the trend is positive. For example, during the pandemic, our company significantly increased its counteraction to fraud, and the number of complaints against unscrupulous sellers has decreased by 10 times over the past two years. 95% of our users instantly recognize suspicious behavior and report strange offers to us.
— What are the main risks users face today?
— The most vulnerable link in any algorithms is human behavior and reaction. Whatever we do on our part as a service, a person is always the easiest to “hack”. As the scammers themselves (from the English "scam", deception) say about this: "Avito" cannot be hacked, but a person can. Scammers take advantage of people's inattention, lack of digital literacy, and sometimes just the hope that they'll get lucky. There is a certain type of people who consciously transfer an advance payment to a stranger, realizing that this is a risk, but the desire to receive the item of interest becomes stronger. And while there is a person in the scheme who does not fully understand how everything works, manipulators will always look for an approach to him. Therefore, on our side, we not only develop technical means of protection, but also invest a lot in training and a conscious attitude towards our safety.
Dangerous prepayment and control over communication
What mistakes most often lead people to financial losses?
— There are two main categories of dangerous situations.
The first category is prepayment. The user sends money without really understanding whether the seller can be trusted or not. In such situations, everything is built only on trust. And if a person is unfamiliar to you, then risks are inevitable. Be sure to pay attention to the seller's rating, the account registration period, the number of transactions on the platform.
The second category is when a user gives their personal data to attackers. We generally don't care much about personal information. But the problem is global. Users themselves leave their data on phishing sites, provide access to their accounts, dictate card numbers. All these stories are united by the fact that people do not understand the value of personal data.
The simplest example is a phone number. It would seem that they are shared with everyone in a row. But if the number falls into the wrong hands, then you can get unpleasant consequences. At a minimum, spam calls and irrelevant mailings. And we also found a way to deal with this. Therefore, we have introduced secure numbers that hide your real phone number from the possibility of parsing.
The security of our users' personal data is built into the company's business model. All information is stored in strict compliance with the legislation of the Russian Federation, is transmitted in the messenger in encrypted form, and each user can be sure of its safety.
What methods are most often used by attackers?
- To implement some kind of scheme, they need to gain control over the conversation with the interlocutor. Modern sites do not allow this. We ensure the security of user communication with each other. For example, it is impossible to send a phishing link to Avito in our messenger. And if the system determines that the user encourages interlocutors to commit unsafe actions, then we can stop this and then block it in order to prevent possible unpleasant financial consequences.
Knowing this, scammers try to take the interlocutor to some other channel that is not controlled by the sites. For example, in a regular messenger like WhatsApp, Viber, Telegram. And then there are social engineering techniques. The user is under emotional pressure. Suppose they say that a queue of 20 buyers lined up for this product, and in order to buy it at a bargain price, you need to leave an advance payment right now. They use the possibilities of disappearing messages or deleting "for everyone" so that no evidence of correspondence is preserved in the future.
But if all communication during the transaction takes place on our platform, then the criminals have zero chances - we completely control the situation and literally lead the user by the hand in the transaction process. The main thing is that he trusts us.
Bad - blocking, good - badges
- Due to what do you stop attempts of manipulation and pressure on users?
— We rely on artificial intelligence and machine learning algorithms. We analyze behavior by a variety of signs: what a person places on the site, how he behaves, whether he uses some scripts or does everything manually, how he responds to users. Based on the results of this analysis, we conditionally divide accounts into “good”, “bad” and “suspicious” ones. For suspicious ones, we conduct additional checks. In fact, there are incredibly more gradations, a whole team of detectives is working on this, and each case is always individual.
At the same time, we, as a platform, act from two sides at once. In addition to searching and blocking intruders, we are developing secure options that allow users to avoid risky situations at all.
— What security tools are most important and in demand today?
There is no universal silver bullet here. All tools are important in the complex. We are building a safe path to eliminate risks for the user at all stages - from registering an account to the moment he receives the goods.
When a user first comes to the site and creates an account, we ask you to verify the phone. In some cases, we additionally ask you to confirm the phone not only via SMS, but also by calling. To ensure the safety of accounts, we suggest enabling two-factor authentication.
At the stage of placing an ad, we try to suggest how not to violate the rules of the site. We have a whole system of hints. For example, we show the user who is who on the site using digital badges. Private sellers and craftsmen can pass the document check and receive the “Documents Checked” badge. Employers who post their vacancies with us are checked by TIN - if the company has no tax debts, it is not in a state of bankruptcy and has no complaints from our users, it receives the “Company Verified” mark. We screen car dealers through face-to-face visits. Those who work honestly receive the Trusted Partner badge. There are ways to check for realtors and private homeowners.
Recently, an anti-harassment tool has been launched in the Avito chat. On our platform, everyone should feel not only safe, but also emotionally comfortable.
We are developing the messenger on the platform so that almost all stages of the transaction can be carried out in it. So the communication between the seller and the buyer goes inside a secure channel. At the same time, the buyer's personal data is hidden, and artificial intelligence warns of the possibility of unsafe actions and blocks phishing links.
We have implemented additional protection for our users through the Avito Delivery secure transaction mechanism. Thanks to it, users can be sure of the safety of the goods and money: the cost of the goods is frozen on a secure account until the receipt is confirmed by the buyer. And we are responsible for the safety of the goods upon delivery.
In particularly difficult cases, we ask you to go through video verification and take a standard video selfie, which helps us understand that we are facing a real person. This procedure has been working for a long time, for example, in carsharing, where account security is as important a priority as it is for us. So far, some users are perplexed: “Why are you asking me to confirm my data or set up protection for logging into my account? I just want to post an ad!" But we do not protect ourselves by this (there are other “invisible” algorithms for this), but the person himself. Because behind each account is a history of its transactions and relationships with other users.
Digital literacy and positivity with Agutin
— The site can inform users, give hints and offer safe tools, but cannot force them to use them. Is the audience ready to use them and generally behave responsibly?
- Yes and no. Not everyone enables voluntary options. Those who do not understand the value of checks and security tools will not take “extra” steps.
Therefore, we make the use of tools that we consider critical a prerequisite for using the platform. For example, be sure to enable number protection. The user's real phone number is always hidden. Because, in our opinion, it is an important element of personal data.
We try to give some advantages to responsible users. The same badges about passing voluntary checks can increase the credibility of the profile and increase the number of potential buyers.
— Literally everyone is now teaching digital literacy and safe online behavior. But this is not always clear and digestible for ordinary users. How, in your opinion, to make such training effective?
- Building communication on intimidation is not our method, we try to teach through positive. Not to scare people, but to tell them how to behave safely: do this, and everything will be fine.
We have reached agreements and are holding joint press conferences, live broadcasts and master classes on security with the regional Ministry of Internal Affairs and administrations. We are developing projects with banks, public organizations and cybersecurity companies that help educate the population.
We recently shot a video about safety rules with the participation of Leonid Agutin. Using examples of how people take care of each other in the family circle, Leonid tells how you can take care of the security of your data.
Financial security rules from Leonid Agutin
After each launched campaign, we analyze the level of satisfaction with our service and platform security, and it is important that these indicators grow. Therefore, we are ready to invest in safety technology training as much as necessary.
- How will tools and approaches to ensure security at Avito and other similar sites develop in the next few years?
— Both we and other socially responsible companies are trying to create the most secure environment and close the interaction of users within our system. All security issues that we face along the way are global, and all giants are working with similar challenges. Here you need to be very fast and flexible, we were even approached by international colleagues with a request to help with questions on strengthening the protection of users.
We want the user to be able to fully solve their problem within the site and using our services. Then he simply will not be in a situation where he can become a victim of social engineering.
The development of security tools should lead to the fact that fraudulent schemes will not be economically viable. The more reliable the protection tools, the more expensive it is to try to bypass them. And if an attacker needs to spend more money on logging into someone else's account than he can earn on it, he will simply stop making such attempts.
This is what we are striving for - so that there is simply no point for attackers to come to us. And each of their attempts to circumvent the system and the person would cost them dearly. And when their economy does not converge, they are powerless on Avito.