0.0
Every online payment you have made in your
2.18
entire life exists because of a war that
5.019
was fought in the year 2000 in a
7.12
single office building in Palo Alto, California, against
10.24
an enemy that most of the world has
12.039
since forgotten.
14.54
The war lasted 18 months.
17.98
At its peak, the defenders were losing $10
20.879
million every 30 days.
24.54
The attackers were, by one internal estimate, 12
28.579
,000 human beings spread across four continents, organized
32.88
into cells by time zone and language, coordinating
36.659
over IRC channels that the defenders could read
39.899
in real time but could not shut down.
43.16
Everyone remembers the people who won.
47.02
Elon Musk, Peter Thiel, Max Levchin, Reid Hoffman,
51.399
Roelof Botha, David Sacks.
54.579
Silicon Valley calls them the PayPal Mafia.
59.219
They would, over the next 20 years, found
62.2
Tesla, SpaceX, Palantir, LinkedIn, YouTube, Yelp, and the
66.739
venture funds that funded most of the rest.
70.54
What almost nobody remembers is that in the
73.28
year 2000, the company they were running was
76.12
18 months from insolvency because the global organized
79.319
crime community had found a way to extract
81.959
money from it fast and easily.
83.359
It was faster than it could be deposited.
86.219
This is a documentary about the specific technology,
89.78
and the specific men, that stopped them.
93.939
To understand what happened, you have to understand
97.04
what X.com was trying to do.
101.14
In March of 2000, two companies merged in
104.819
a hurried 40-page agreement signed at a
107.459
Palo Alto law firm.
109.8
The first was Confinity, founded by
113.359
Peter Thiel and Max Levchin, which had built
116.219
a system for sending money between Palm Pilots.
120.14
The second was X.com, founded by Elon
124.0
Musk, which was attempting to build what Musk
126.54
described at the time, without exaggeration, as the
130.3
Everything Bank.
132.8
The merged company took its product name from
135.699
Confinity's side.
137.659
That name was PayPal.
140.939
The idea was simple
142.58
and,
143.039
at the time,
143.979
radical.
145.539
You could send a payment to anyone else
147.9
on the Internet using only their email address.
151.729
No wire transfer.
153.12
No cash on delivery.
154.86
No check.
156.7
A link clicked, a few digits typed, and
159.879
money moved between continents in seconds.
164.02
In 2000, this was the single most interesting
167.74
software product on the Internet.
171.14
By the end of that year,
172.599
PayPal was processing almost 200,000 transactions a
176.3
day.
177.9
eBay, which was then the largest consumer marketplace
181.28
in the world, had already been colonized.
184.4
25% of all eBay auctions listed PayPal
188.139
as their preferred payment method, and that number
191.159
was climbing by double digits every month.
194.659
Then, very quietly, the money started disappearing.
199.62
The mechanism was straightforward.
203.079
A fraudster, working from a basement in St.
206.139
Petersburg, or a cybercafe in Lagos, would acquire
209.639
a stolen American credit card.
211.719
At the time, you could purchase five of
213.879
these on IRC for $30.
217.02
He would open a PayPal account under a
219.5
stolen American name, fund the account by billing
222.319
the stolen card,
223.28
and use the resulting balance to purchase high
225.9
-value items on eBay.
227.8
Cameras, electronics, laptops.
231.199
The items would show up on eBay.
232.58
They were shipped to a drop address in
233.86
the United States.
234.939
A collaborator would forward them overseas, and by
238.58
the time the real cardholder noticed the charge
240.879
and filed a dispute,
242.28
the money had been withdrawn as cash, and
244.68
the PayPal account was empty.
248.28
Credit card companies, under American federal law, were
251.599
required to reverse fraudulent charges.
255.42
The reversal was a chargeback.
259.12
The chargeback was billed not to the fraudster,
262.579
but to the merchant.
264.379
PayPal, in every one of these transactions, was
267.699
the merchant.
269.5
In April of 2000, PayPal absorbed $200,000
274.079
in chargebacks.
276.459
By June, $3.1 million.
279.759
By September, $7 million.
283.399
By the early winter of 2000, the company
286.54
was losing, in chargebacks alone, more than $11
290.0
million a month.
293.1
The venture investors who had funded the merger,
295.92
Sequoia, Madrone, Nokia Ventures,
298.66
were, in private, using the word insolvent.
303.459
Musk, who was the chairman, was calling board
306.319
meetings in which the phrase,
307.98
we have five months of runway, appeared verbatim
311.1
in the minutes.
313.019
Thiel, who was the CEO, was sleeping in
315.939
the office four nights a week.
318.699
The enemy was not one person.
322.199
It was an ecosystem.
325.48
By the fall of 2000, fraud forums on
328.839
the Russian Internet had entire subsections dedicated to
332.1
PayPal exploitation.
335.139
Tutorials, written first in Russian, then translated into
338.779
Romanian, Polish, and English, explained, step by step,
342.899
which American billing-address
344.56
ZIP codes the system did not verify, which
348.3
email providers it trusted by default, and which
351.16
hours of the day the review team was
353.06
understaffed.
354.8
A senior PayPal engineer, reading these forums in
358.48
real time, later described the experience as,
361.66
reading the playbook for your own funeral.
365.62
The defenders could not shut the forums down.
369.639
They had no jurisdiction over Russia or Nigeria.
372.959
They had no law enforcement relationships capable of
376.759
operating at the speed the Internet was operating
379.199
at.
380.759
The FBI, at the time, did not yet
383.98
have a dedicated cybercrime unit with the authority
387.079
to subpoena an IRC server.
390.459
And so, in the final weeks of 2000,
394.1
Musk and Thiel and Levchin understood, without having
397.72
to state it aloud, the exact structure of
400.439
the problem they were in.
403.12
No government was going to save them.
406.519
No industry consortium was going to save them.
409.92
No regulator was going to save them.
414.0
They were going to have to build the
416.139
weapon themselves.
418.199
In code.
420.18
In the building.
422.199
In the next 60 days.
425.74
The chief technology officer of PayPal in the
428.54
year 2000
429.74
was a 25-year-old Ukrainian-born cryptographer
432.959
named Max Levchin.
436.24
Levchin had left the Soviet Union with his
438.839
family at 16,
440.12
enrolled at the University of Illinois,
442.379
and written his master's thesis on public key
445.18
cryptography
445.92
before dropping out to found his first startup.
449.699
By the time he reached Palo Alto,
452.04
he had built and sold two small companies,
455.06
both of which had failed commercially,
457.019
and had developed, privately,
458.98
a conviction that would, in the end, save
461.639
PayPal.
463.639
The conviction was this.
466.62
Humans and machines, given the same task,
469.699
do not perform it the same way.
472.5
A human clicking a mouse does not click
475.36
in a perfectly straight line.
477.04
A human typing a password does not type
479.86
every character at the same interval.
481.72
A human filling out a form does not
484.279
fill it in the order
485.36
the form's fields appear in the page's underlying
488.019
HTML.
490.519
Machines do.
493.079
Fraudsters, in October of 2000, were not typing.
498.12
They were scripting.
501.319
The same Russian forums that distributed step-by
504.699
-step PayPal exploitation guides
506.639
also distributed pre-written Perl scripts that automated
510.48
the entire account-opening
511.819
and transaction-execution cycle.
516.08
One human operator, from a single laptop,
519.36
could run several hundred simultaneous accounts.
523.759
The attacker economy was not a swarm of
526.559
individual hackers.
527.659
It was a swarm of bots, operated by
530.22
a much smaller number of humans.
533.34
And that meant there was a signal.
537.2
If Levchin could detect the signal,
539.74
if he could distinguish, in real time,
542.759
between a human signing up for a PayPal
545.1
account
545.48
and a Perl script signing up for a
548.159
PayPal account,
549.179
he could refuse the script's transactions
551.559
without refusing the humans.
554.82
The fraud would die at the database level.
558.08
The legitimate customers would never notice.
562.759
Levchin and a small team of engineers,
565.5
working out of a glass-walled conference room
568.0
that the rest of the company had taken
569.559
to calling the Bunker,
570.86
began cataloging every observable difference
573.5
between human and scripted behavior on the PayPal
576.22
site.
578.18
A human clicking the Continue button took, on
581.7
average,
582.22
between 800 and 1200 milliseconds after the page
585.94
finished loading.
586.899
A script clicked in under 60.
590.24
A human's cursor, moving between form fields, traced
594.32
an arc.
595.08
A script teleported the cursor from field to
598.019
field in a straight line.
600.16
A human's keystroke intervals, typing a password,
603.879
followed a rough power law distribution.
605.6
A script's intervals were uniform.
609.5
A human's IP address geolocated to a residential
613.039
block.
613.759
A script's IP address geolocated seven times in
617.899
ten to a hosting provider.
619.62
A data center address no ordinary consumer would
622.899
ever come from.
624.779
Each of these observations, in isolation, was a
628.44
weak signal.
630.08
Any one of them could be defeated by
632.399
a sufficiently clever attacker.
635.6
But combined, combined statistically,
638.34
through what Levchin's team began calling the signal
641.279
score,
641.84
they produced a single number between 0 and
644.82
1 that,
645.639
for any sufficiently large sample,
647.74
distinguished human from bot with more than 90
650.639
% accuracy.
653.159
The team gave the classifier a code name.
656.82
They named it after a specific Russian fraudster
659.879
who had, two months earlier, posted in an
662.659
IRC channel
663.539
that PayPal's engineers were too American and too
666.759
slow to catch him.
669.399
The fraudster's handle was Igor.
672.48
The classifier was Igor.
676.1
Igor went live on the PayPal backend in
679.08
November of 2000,
680.36
flagging transactions that exceeded a score threshold for
683.759
manual review.
686.06
Within 72 hours, the chargeback rate in the
689.72
flagged segment fell by 61%,
693.539
which was the same as the chargeback rate
694.159
in the previous segment.
694.159
Within a week, a first-generation adversarial feedback
697.039
loop was visible in the logs.
699.08
The attackers were adjusting their scripts to produce
702.019
more human-looking click patterns.
705.36
Levchin added new features.
707.379
The adjustments slowed the attackers down.
710.379
The chargeback rate stayed suppressed.
714.32
Igor alone, however, was not enough.
718.62
Scripts were one category of enemy.
720.659
The other category, harder to detect through behavioral
724.08
analysis alone,
725.379
was the account creation bot.
728.459
A bot that registered 5,000 PayPal accounts
731.46
in an hour,
732.399
each with plausibly random names and working email
735.48
addresses,
736.22
could produce an inventory of mule accounts faster
739.48
than Igor could flag them afterwards.
742.76
What was needed was a gate, a single
745.94
test,
746.48
placed at the front of the account creation
748.519
flow,
749.1
that no bot could pass and that every
751.94
human could.
754.019
In December of 2000, Levchin and a colleague
758.019
named David Gausebeck designed it.
761.32
They took a grid of arbitrary characters,
764.2
five alphanumeric digits,
766.539
rendered the grid as a distorted image,
769.1
and required the user to transcribe the digits
771.879
before account creation could continue.
775.34
Humans, looking at the image,
777.44
could read the characters in under two seconds.
781.84
Optical character recognition software, in the year 2000,
785.519
could not read them at all.
788.12
The test was called the Gausebeck-Levchin test.
792.639
It was, in the strict academic sense,
795.759
the first commercial deployment of a category of
798.82
technology
799.139
that a team at Carnegie Mellon would, two
802.0
years later, generalize and rename.
805.22
The Carnegie Mellon name is the name that
808.279
stuck.
808.86
Today, billions of human beings pass it every
812.419
day without knowing its origin.
815.46
The name is
817.419
CAPTCHA.
819.24
Between Igor and CAPTCHA,
821.539
between behavioral classification and the Gausebeck-Levchin test,
825.539
the chargeback rate at PayPal,
827.72
which had peaked in the late fall of
829.5
2000
830.159
at nearly 5% of gross transaction volume,
833.0
fell, over the first six months of 2001,
836.12
to less than one-third of 1%.
839.9
The company was solvent by spring.
843.24
It was profitable by autumn.
846.36
It went public, on the NASDAQ,
848.98
at $15.75 per share
851.86
on the 15th of February, 2002.
856.0
Eight months later, eBay purchased it for $1
858.82
.5 billion.
861.659
Everyone who had worked in the bunker that
864.139
winter
864.559
walked away a multi-millionaire.
868.139
Everyone who had worked in the bunker that
870.32
winter
870.62
went on to build the next decade of
872.919
Silicon Valley.
874.96
And every time, in the 24 years since,
877.98
that you have clicked a distorted image to
880.159
prove you were a human,
881.559
you have been performing a gesture first demanded
884.32
of you
884.799
by a 25-year-old Ukrainian cryptographer
887.639
trying to save a company from a hacker.
890.019
For seven months,
893.72
from the autumn of 2000 through the spring
895.759
of 2001,
897.059
Max Levchin and David Gausebeck ran the same
900.139
experiment
900.74
in different forms in the basement engineering bay
903.879
at PayPal.
906.2
The experiment was simple in concept.
909.759
Build a test that humans pass and bots
912.759
fail.
914.259
Make it fast enough that humans do not
916.799
hate it.
917.32
Make it cheap enough that it can be
919.159
served on every account
920.759
creation request without adding a cent of server
924.0
cost per user.
925.179
Make it adversarial enough that a motivated attacker,
928.659
given a year and a team, cannot reliably
931.379
defeat it.
933.62
The first prototype Levchin built had an internal
936.82
code name.
938.539
The team called it GGOT, an acronym,
941.71
assembled at 3 in the morning that stood
943.799
for
944.08
Gated Image Gauntlet for Origin Testing.
948.06
The engineers who typed it every day
950.62
pretended that it stood for something more respectable.
953.519
The comment at the top of the Python
955.58
file that implemented it simply read,
958.019
If the bot can read this, we rewrite
960.58
the file.
962.8
GGOT was a single PNG image
965.879
rendered on the server at the moment of
968.36
account creation.
970.36
It contained five characters,
972.639
drawn in a serif typeface,
974.62
skewed and rotated along independent lines,
977.08
and axes,
977.72
overlaid on a field of short diagonal strokes,
980.44
and compressed with just enough JPEG artifacting
983.559
to break the contour detection
985.039
that the optical character recognition libraries of the
988.08
era depended on.
990.3
A human, looking at it, saw five letters.
994.86
A computer, looking at it, saw a noise
997.82
field.
999.86
GGOT went live on the PayPal signup flow
1002.779
in the first week of January, 2001.
1007.08
By the end of that week,
1008.659
the rate at which new accounts were being
1010.879
created,
1011.559
which had grown, through the final quarter of
1013.86
2000,
1014.519
to a steady stream of several thousand new
1017.139
signups an hour,
1018.22
the overwhelming majority of them, bots,
1021.0
collapsed by 94%.
1024.54
The 4,000 hourly signups, overnight,
1027.66
became fewer than 240.
1030.76
The 240 that remained were, every one of
1034.119
them,
1034.46
actual human beings
1036.039
who had used the service before,
1037.98
or been referred by someone who had.
1041.68
The attackers noticed immediately.
1044.9
In the IRC channels that the PayPal security
1047.599
team
1048.14
still quietly monitored,
1049.72
the response was not panic,
1051.68
but something stranger,
1053.099
a kind of resigned professional respect.
1057.32
One well-known Russian fraud tutorial author
1059.92
posted a single line in English,
1062.099
which the team screen-captured and taped
1064.519
to the wall of the bunker.
1067.119
It read,
1068.279
Solve for the image.
1069.88
Solve for the end of the game.
1073.559
What Levchin and Gausebeck had discovered,
1076.4
and what a team of computer scientists
1078.9
at Carnegie Mellon University
1080.93
would formalize two years later into a published
1083.579
paper
1084.019
and a registered trademark,
1085.779
was the inverse of the Turing test.
1089.74
Alan Turing, in 1950,
1092.099
had proposed a thought experiment
1093.599
in which a human judge would attempt
1096.039
to distinguish a computer from a human
1098.019
through conversation alone.
1100.819
The question Turing asked was philosophical.
1103.819
Could a machine think?
1106.539
The question Levchin and Gausebeck
1109.019
had answered was practical.
1111.759
Could a website in real time
1114.079
with no human in the loop
1115.64
distinguish a user who was a computer
1117.759
from a user who was a human?
1120.74
The answer in the year 2001 was yes.
1123.98
The tool was an image.
1128.66
The Carnegie Mellon team in 2003
1131.46
named their generalization of the concept
1134.4
the Completely Automated Public Turing Test
1137.5
to Tell Computers and Humans Apart.
1141.259
They abbreviated it CAPTCHA.
1144.599
The name stuck.
1146.299
The history did not.
1149.94
Between GGOT and Igor,
1152.46
between the image test
1153.98
and the behavioral classifier,
1155.539
PayPal had, by the middle of 2001,
1158.74
constructed what amounted to the world's
1161.099
first operational commercial
1162.539
anti-fraud machine learning stack.
1166.039
No other consumer internet company
1168.339
at the time had anything like it.
1171.46
The banks did not have it.
1173.9
Visa did not have it.
1175.799
Mastercard did not have it.
1177.519
Google, which in 2001
1179.68
was still a private company
1181.2
with revenues below a quarter of a billion
1183.4
dollars,
1184.079
did not yet have fraud detection
1186.019
at this level of sophistication.
1189.46
When eBay approached PayPal in the summer of
1192.24
2002,
1193.14
they were not, strictly speaking,
1195.24
acquiring a payments company.
1197.88
They already owned a payments company.
1200.42
They had built it themselves.
1203.279
What they were acquiring was,
1205.44
in Meg Whitman's own words from an internal
1208.299
memo
1208.7
that has since become public,
1210.48
the fraud loss operating system.
1214.259
On the 3rd of July, 2002,
1217.039
eBay announced an all-stock acquisition of PayPal
1220.059
at a valuation of $1.5 billion.
1224.66
The valuation had been computed
1226.799
in the due diligence process,
1228.799
primarily by extrapolating
1230.759
how many chargebacks would have been incurred
1232.819
on eBay's own platform
1234.019
over the following five years
1236.18
absent the Igor and GGOT stack.
1240.48
The number, discounted to present value,
1243.119
was approximately $1.4 billion.
1247.14
The remaining $100 million was,
1249.579
the banker said,
1250.539
paid for the team.
1253.059
I want you to step back
1254.599
from the narrative for a moment
1255.839
and consider what you have just watched.
1259.1
Two men, one of them 25 years old
1262.0
and the other 32,
1263.48
and a team of fewer than a dozen
1265.119
engineers,
1265.839
built in a glass-walled conference room
1268.22
in Palo Alto across one autumn and one
1270.72
winter,
1271.18
a system that,
1272.299
when measured in chargeback dollars not incurred,
1275.0
was worth $1.5 billion.
1279.059
They did not build it by moving money.
1283.119
They built it by writing code
1285.18
that watched other code
1286.519
and decided, in real time,
1288.539
whether that other code was a human being.
1292.599
This is the pattern.
1295.839
The true wealth of the digital era,
1298.22
from the year 2000 to the moment
1300.339
you are currently watching this,
1301.9
has never been created by the companies
1304.119
that transfer value.
1305.46
It has been created,
1307.0
almost without exception,
1308.519
by the companies that defend value.
1311.799
Visa transfers value.
1314.119
MasterCard transfers value.
1316.119
Western Union transfers value.
1318.16
None of these companies,
1319.74
in the last quarter century,
1321.319
has produced a single Silicon Valley billionaire.
1325.759
The companies that defend value,
1328.22
PayPal, and Stripe, and Adyen,
1331.019
and Square, and Plaid,
1332.9
and the dozen others built by the men
1335.24
and women
1335.94
who walked out of the bunker in early
1337.859
2002
1339.06
with their shares vested and their algorithms understood,
1342.299
produced dozens.
1345.119
And the algorithms themselves
1346.88
did not stay in payment processing.
1351.079
The Igor classifier,
1353.119
generalized and rewritten a thousand times,
1356.119
is what reviews
1357.059
your credit card transaction
1358.5
in the moment between tap and confirmation.
1361.38
It is what decides whether your insurance claim
1364.079
is flagged for fraud investigation.
1367.059
It is what Tesla uses
1368.859
to distinguish a human pedestrian
1370.799
from a child's cut-out drawing
1372.88
in the fraction of a second
1374.599
before the vehicle applies its brakes.
1377.88
It is what SpaceX uses,
1380.0
in the telemetry fusion layer
1381.799
of its rocket autopilots,
1383.359
to distinguish real sensor noise
1385.44
from instrumented anomalies
1386.96
that would abort the launch.
1390.22
The man who designed the original behavioral classifier,
1393.14
the chief technology officer of PayPal in 2001,
1396.559
is today the founder and chief executive officer
1399.42
of a public fintech company called Affirm,
1402.299
whose credit decisions for 70 million customers
1404.98
are made by the direct lineal descendant
1407.74
of the system he first named
1409.2
after a Russian fraudster named Igor.
1413.079
The pattern is not payments.
1416.14
The pattern is defense.
1419.24
The pattern is code
1420.92
that watches, classifies, and decides.
1425.24
And every significant consumer Internet company
1428.539
built since 2002, without exception,
1431.7
has as its core operating asset
1433.74
some variant of the technology Max Levchin built
1437.039
in the 60 days between October and December
1439.839
of the year 2000
1441.38
to stop a man named Igor
1443.5
from draining his company's bank account.
1446.64
You already know the rest of the story.
1450.24
What you did not know
1451.9
is that the rest of the story begins
1453.64
in one room, with one man,
1455.859
with one line of Python,
1457.579
and with one stolen credit card
1459.38
being tested against a distorted five-character image
1462.22
on a PayPal sign-up page
1464.0
on a night in January 2001.
1467.519
That was the start of the 21st century.
1471.519
You have been living in the consequences
1473.579
of that night ever since.
1475.38
Subtitles by the Amara.org community