0.0
Every online payment you have made in your
2.74
entire life exists because of a war that
5.58
was fought in the year 2000 in a
7.96
single office building in Palo Alto, California, against
11.48
an enemy that most of the world has
13.679
since forgotten.
16.78
The war lasted 18 months.
20.5
At its peak, the defenders were losing $10
23.039
million every 30 days.
26.28
The attackers were, by one internal estimate,
29.96
12,000 human beings spread across four continents, organized
34.159
into cells by time zone and language, coordinating
37.579
over IRC channels that the defenders could read
40.979
in real time but could not shut down.
45.84
Everyone remembers the people who won.
49.34
Elon Musk, Peter Thiel, Max Levchin, Reid Hoffman,
54.039
Roelof Botha.
55.079
David Sacks.
57.179
Silicon Valley calls them the PayPal Mafia.
62.119
They would, over the next 20 years, found
64.819
Tesla, SpaceX, Palantir, LinkedIn, YouTube, Yelp, and the
69.959
venture funds that funded most of the rest.
74.56
What almost nobody remembers is that, in the
77.799
year 2000, the company they were running was
80.7
18 months from insolvency,
82.84
because the Global Organized Crime...
85.079
...community had found a way to extract money
87.739
from it faster than it could be deposited.
93.62
This is a documentary about the specific technology
96.439
and the specific men that stopped them.
102.98
To understand what happened, you have to understand
106.06
what X.com was trying to do.
110.78
In March of 2000, two companies merged in
114.2
a hurried...
114.739
...40-page agreement signed at a Palo Alto
117.459
law firm.
119.54
The first was Confinity, founded by Peter Thiel
123.18
and Max Levchin, which had built a system
125.68
for sending money between Palm Pilots.
129.0
The second was X.com, founded by Elon
132.4
Musk, which was attempting to build what Musk
135.02
described at the time, without exaggeration, as...
138.439
...the Everything Bank.
142.24
The merged company took its product name...
144.719
...from Confinity's side.
147.46
That name was PayPal.
151.539
The idea was simple, and at the time,
154.5
radical.
156.52
You could send a payment to anyone else
158.439
on the internet using only their email address.
162.4
No wire transfer, no cash on delivery, no
166.439
check.
167.86
A link clicked, a few digits typed, and
170.96
money moved between continents in seconds.
175.599
In 2000, this was the single most interesting
179.419
software product on the internet.
183.379
By the end of that year, PayPal was
185.96
processing almost 200,000 transactions a day.
190.659
eBay, which was then the largest consumer marketplace
194.12
in the world, had already been colonized.
196.939
25% of all eBay auctions listed PayPal
200.5
as their preferred payment method...
202.379
...and that number was climbing by double digits.
204.719
The number of transactions was going up by
204.74
two digits every month.
207.86
Then, very quietly, the money started disappearing.
214.46
The mechanism was straightforward.
218.439
A fraudster, working from a basement in St.
221.659
Petersburg or a cybercafe in Lagos, would acquire
225.479
a stolen American credit card.
227.599
At the time, you could purchase five of
230.0
these on IRC for $30.
232.78
He would open a PayPal account under a
235.939
stolen American name, fund the account by billing
239.02
the stolen card, and use the resulting balance
241.599
to purchase high-value items on eBay...
244.219
...cameras, electronics, laptops.
248.3
The items would ship to a drop address
250.599
in the United States.
252.159
A collaborator would forward them overseas.
255.199
And by the time the real cardholder noticed
257.759
the charge and filed the dispute...
260.079
...the money had been withdrawn as cash, and
262.68
the PayPal account was empty.
266.96
Credit card companies, under American federal law, were
270.759
required to reverse fraudulent charges.
274.28
The reversal was a chargeback.
277.92
The chargeback was billed not to the fraudster,
280.939
but to the merchant.
283.16
PayPal, in every one of these transactions, was
286.3
the merchant.
290.079
In April of 2000, PayPal absorbed $200,000
294.079
in chargebacks.
296.12
By June, $3.1 million.
299.019
By September, $7 million.
301.86
By the early winter of 2000, the company
305.019
was losing, in chargebacks alone, more than $11
308.439
million a month.
312.259
The venture investors who had funded the merger...
315.48
...Sequoia, Madrone, Nokia Ventures...
318.519
...were in private, using the word insolvent.
323.379
Musk, who was the chairman, was calling board
326.0
meetings in which the phrase...
327.66
...
327.8
'We have five months of runway' appeared verbatim
330.98
in the minutes.
332.759
Thiel, who was the CEO, was sleeping in
335.6
the office four nights a week.
339.5
The enemy was not one person.
342.879
He was an ecosystem.
347.12
By the fall of 2000...
348.519
...fraud forums on the Russian Internet had entire
351.74
subsections dedicated to PayPal exploitation.
357.1
Tutorials, written first in Russian, then translated into
360.899
Romanian, Polish and English...
363.399
...explained, step by step, which American billing address,
367.699
zip codes, the system did not verify...
370.699
...which email providers it trusted by default, and
374.019
which hours of the day the review team
376.399
was understaffed.
378.879
A senior PayPal engineer, reading these forums in
382.459
real time...
383.24
...later described the experience as...
385.54
...
385.819
'Reading the playbook for your own funeral.'
390.36
The defenders could not shut the forums down.
394.08
They had no jurisdiction over Russia or Nigeria.
397.74
They had no law enforcement relationships capable of
401.199
operating at the speed the Internet was operating
403.6
at.
405.019
The FBI, at the time...
407.199
...did not yet have a data center.
408.5
They had a dedicated cybercrime unit with the
410.339
authority to subpoena an IRC server.
415.16
And so, in the final weeks of 2000...
418.56
...Musk and Thiel and Levchin understood, without having
422.579
to state it aloud...
423.839
...the exact structure of the problem they were
426.42
in.
428.759
No government was going to save them.
432.399
No industry consortium was going to save them.
435.639
No regulator was going to save them.
440.1
No government was going to save them.
440.819
They were going to have to build the
442.079
weapon themselves.
444.779
In code.
446.48
In the building.
448.58
In the next 60 days.
454.16
The chief technology officer of PayPal in the
457.22
year 2000...
458.24
...was a 25-year-old Ukrainian-born cryptographer
461.48
named Max Levchin.
465.479
Levchin had left the Soviet Union with his
467.959
family at 16...
469.42
...enrolled at the University of Illinois...
471.92
...and written his master's thesis on public key
474.6
cryptography...
475.639
...before dropping out to found his first startup.
479.8
By the time he reached Palo Alto, he
482.06
had built and sold two small companies...
484.3
...both of which had failed commercially...
486.459
...and had developed, privately, a conviction that would,
489.819
in the end, save PayPal.
493.779
The conviction was this.
497.42
Humans and machines, given the same task, do
501.019
not perform it the same way.
503.68
A human clicking a mouse does not click
506.139
in a perfectly straight line.
507.779
A human typing a password does not type
510.3
every character at the same interval.
512.299
A human filling out a form does not
514.62
fill it in the order the form's fields
516.6
appear in the page's underlying HTML.
521.32
Machines do.
524.919
Fraudsters, in October of 2000, were not typing.
529.36
They were scripting.
533.86
The same Russian forums that distributed step-by-step
537.2
PayPal exploitation guides...
539.32
...also distributed pre-written Perl scripts that automated
542.879
the entire account...
544.12
...opening and transaction execution cycle.
548.379
One human operator, from a single laptop...
551.6
...could run several hundred simultaneous accounts.
555.86
The attacker economy was not a swarm of
558.759
individual hackers.
560.059
It was a swarm of bots, operated by
562.94
a much smaller number of humans.
567.339
And that meant there was a signal.
572.18
If Levchin could detect the signal...
574.759
...if he could distinguish, in real time...
577.399
...between a human signing up for a PayPal
579.559
account...
581.6
...and a script signing up for a PayPal
582.779
account...
583.519
...he could refuse the script's transactions...
586.34
...without refusing the humans.
590.279
The fraud would die at the database level.
593.44
The legitimate customers would never notice.
598.659
Levchin and a small team of engineers...
601.24
...working out of a glass-walled conference room...
603.84
...that the rest of the company had taken
605.5
to calling the Bunker...
607.22
...began cataloging every observable difference...
610.44
...between human and scripted behavior on the PayPal
613.059
site.
615.42
A human clicking the Continue button took, on
618.379
average...
618.899
...between 800 and 1200 milliseconds...
621.58
...after the page finished loading.
623.659
A script clicked in under 60.
627.16
A human's cursor moving between form fields traced
630.7
an arc.
631.539
A script teleported the cursor from field to
634.5
field in a straight line.
636.74
A human's keystroke intervals...
639.399
...typing a password...
640.779
...followed a rough power law distribution.
643.62
A script's intervals were uniform.
647.22
A human's IP address geolocated to a residential
651.679
block.
652.519
A script's IP address geolocated seven times in
656.899
ten...
657.399
...to a hosting provider.
658.899
A data center address no ordinary consumer would
662.72
ever come from.
666.1
Each of these observations, in isolation...
668.799
...was a weak signal.
671.139
Any one of them could be defeated by
673.96
a sufficiently clever attacker.
677.5
But combined, combined statistically...
680.62
...through what Levchin's team began calling the Signal
683.639
Score...
684.36
...they produced a single number between 0 and
687.36
1 that...
688.22
...for any sufficiently large sample...
690.44
...distinguished human from bot with more than
693.559
90% accuracy.
696.919
The team gave the classifier a code name.
700.799
They named it after a specific Russian fraudster
704.1
who had...
704.919
...two months earlier posted in an IRC channel...
708.32
...that PayPal's engineers were too American and too
711.62
slow to catch him.
714.259
The fraudster's handle was Igor.
718.1
The classifier was Igor.
722.82
Igor went live on the Internet...
724.48
...on the PayPal backend in November of 2000...
727.46
...flagging transactions that exceeded a score threshold for
730.919
manual review.
733.12
Within 72 hours, the chargeback rate in the
736.779
flagged segment fell by 61%.
741.379
Within a week, a first-generation adversarial feedback
745.279
loop...
745.98
...was visible in the logs.
747.62
The attackers were adjusting their scripts to produce
750.6
more human-looking click patterns.
754.48
Levchin added new features.
756.039
The adjustments slowed the attackers down.
758.6
The chargeback rate stayed suppressed.
764.279
Igor alone, however, was not enough.
769.08
Scripts were one category of enemy.
771.399
The other category, harder to detect through behavioral
774.96
analysis alone...
776.44
...was the account creation bot.
779.68
A bot that registered 5,000 PayPal accounts
783.399
in an hour...
784.279
...each with plausibly random names and working email
787.379
addresses...
788.179
...could produce an inventory of mule accounts...
790.7
...faster than Igor could flag them afterwards.
794.639
What was needed was a gate...
796.919
...a single test placed at the front of
799.48
the account creation flow...
800.96
...that no bot could pass and that every
803.46
human could.
806.58
In December of 2000, Levchin and a colleague
810.179
named David Gausebeck designed it.
813.3
They took a grid of arbitrary characters...
816.419
...five alphanumeric digits...
818.86
...rendered the grid as a distorted image...
821.7
...and required the user to transcribe the digits
824.299
before account creation could continue.
828.379
Humans, looking at the image, could read the
831.419
characters in under two seconds.
834.86
Optical character recognition software in the year 2000
838.84
could not read them at all.
843.0
The test was called the Gausebeck-Levchin test.
847.779
It was, in the strict academic sense, the
851.019
first commercial deployment of a category of technology...
854.159
...that a team at Carnegie Mellon would, two
856.659
years later, generalize and rename.
860.539
The Carnegie Mellon name is the name that
863.379
stuck.
864.039
Today, billions of human beings pass it every
867.179
day without knowing its origin.
869.98
The name is
872.08
CAPTCHA.
875.679
The company was founded in 1935.
876.399
Between Igor and CAPTCHA...
878.259
...between behavioral classification and the Gausebeck-Levchin test...
882.799
...the chargeback rate at PayPal, which had peaked
885.94
in the late fall of 2000...
887.639
...at nearly 5% of gross transaction volume...
890.98
...fell, over the first six months of 2001,
894.399
to less than one-third of 1%.
899.279
The company was solvent by spring.
902.6
It was profitable by autumn.
906.08
It went public on the NASDAQ at
909.259
$15.75 per share on the 15th of February
912.879
2002.
915.639
Eight months later, eBay purchased it for
918.779
$1.5 billion.
923.2
Everyone who had worked in the bunker that
925.559
winter walked away a multimillionaire.
929.199
Everyone who had worked in the bunker that
931.399
winter went on to build the next decade
933.58
of Silicon Valley.
937.179
And every time, in the 24 years since,
940.32
that you have clicked a distorted image to
942.6
prove you were a human...
943.94
...you have been performing a gesture first demanded
946.72
of you by a 25-year-old Ukrainian
949.22
cryptographer...
950.179
...trying to save a company from a hacker
952.32
named Igor.
956.7
For seven months, the company was in the
957.96
limelight.
957.96
For six months, from the autumn of 2000
959.519
through the spring of 2001...
961.879
...Max Levchin and David Gausebeck ran the same
965.039
experiment, in different forms...
967.059
...in the basement engineering bay at PayPal.
971.919
The experiment was simple in concept.
975.75
Build a test that humans pass and bots
978.019
fail.
980.179
Make it fast enough that humans do not
982.679
hate it.
983.299
Make it cheap enough that it can be
985.24
served on every account...
986.82
...creation requests without adding a cent of server
989.98
cost per user.
991.279
Make it adversarial enough that a motivated attacker,
994.72
given a year and a team, cannot reliably
997.379
defeat it.
1000.82
The first prototype Levchin built had an internal
1004.08
code name.
1006.0
The team called it GIGOT, an acronym, assembled
1010.24
at 3 in the morning...
1011.559
...that stood for Gated Image Gauntlet for Origin
1014.899
Testing.
1017.319
The engineers who typed it every day pretended
1020.34
that it stood for something more respectable.
1022.98
The comment at the top of the Python
1024.92
file that implemented it simply read...
1027.64
...if the bot can read this, we rewrite
1030.319
the file.
1034.059
GIGOT was a single PNG image rendered on
1037.519
the server at the moment of account creation.
1040.779
It contained five characters, drawn in a serif
1044.579
typeface...
1045.299
...skewed and rotated along independent axes...
1048.68
...overlaid on a field of short diagonal strokes...
1051.96
...and compressed with just enough JPEG artifacting to
1055.64
break the contour detection...
1057.359
...that the optical character recognition libraries of the
1060.299
era depended on.
1064.039
A human, looking at it, saw five letters.
1067.92
A computer, looking at it, saw a noise
1070.759
field.
1074.099
GIGOT went live on the PayPal signup flow
1077.339
in the first week of January 2001.
1081.579
By the end of that week, the rate
1083.72
at which new accounts were being created...
1085.74
...which had grown, through the final quarter of
1088.099
2000...
1088.92
...to a steady stream of several thousand new
1091.619
signups an hour...
1092.799
...the overwhelming majority of them bots, collapsed by
1096.72
94%.
1098.899
The 4,000 hourly signups were a total
1101.059
of...
1101.059
...3,000 signups overnight, became fewer than 240.
1105.699
The 240 that remained were, every one of
1108.48
them...
1108.779
...actual human beings who had used the service
1111.519
before...
1112.16
...or been referred by someone who had.
1116.18
The attackers noticed immediately.
1120.019
In the IRC channels that the PayPal security
1123.18
team still quietly monitored...
1125.48
...the response was not panic, but something stranger...
1129.14
...a kind of resigned perfection.
1131.059
A professional respect.
1133.059
One well-known Russian fraud tutorial author posted
1136.72
a single line in English...
1138.24
...which the team screen-captured and taped to
1141.2
the wall of the bunker.
1143.519
It read, solve for the image, solve for
1146.72
the end of the game.
1150.74
What Levchin and Gausebeck had discovered...
1153.7
...and what a team of computer scientists at
1156.38
Carnegie Mellon University...
1157.859
...would formalize two years later...
1159.64
...into a published paper and a registered trademark...
1162.74
...was the inverse of the Turing test.
1166.88
Alan Turing in 1950 had proposed a thought
1170.42
experiment...
1171.22
...in which a human judge would attempt to
1173.319
distinguish...
1173.799
...a computer from a human through conversation alone.
1177.9
The question Turing asked was philosophical.
1181.22
Could a machine think?
1185.259
The question Levchin and Gausebeck had answered was
1188.88
practical.
1190.419
Could a website in real time, with no
1193.2
human in the loop...
1194.299
...distinguish a user who was a computer from
1196.96
a user who was a human?
1200.099
The answer in the year 2001 was yes.
1204.44
The tool was an image.
1208.799
The Carnegie Mellon team in 2003...
1211.92
...named their generalization of the concept...
1214.64
...the completely automated public Turing test...
1217.859
...to tell computers and humans apart.
1221.98
They abbreviated it
1224.46
CAPTCHA.
1225.9
The name stuck.
1227.519
The history did not.
1231.92
Between GIGOT and Igor...
1234.319
...between the image test and the behavioral classifier...
1237.72
...PayPal had, by the middle of 2001...
1240.899
...constructed what amounted to the world's first...
1243.279
...operational, commercial, anti-fraud machine learning stack.
1248.78
No other consumer internet company at the time...
1251.619
...had anything like it.
1253.74
The banks did not have it.
1255.9
Visa did not have it.
1258.039
Mastercard did not have it.
1259.759
Google, which in 2001 was still a private
1263.119
company...
1263.759
...with revenues below a quarter of a billion
1265.859
dollars...
1266.5
...did not yet have fraud detection at this
1269.0
level of sophistication.
1272.759
When eBay approached PayPal in the summer of
1275.599
2002...
1276.64
...they were not, in fact, the same.
1277.859
They were not, strictly speaking, acquiring a payments
1280.019
company.
1281.519
They already owned a payments company.
1283.839
They had built it themselves.
1286.94
What they were acquiring was, in Meg Whitman's
1289.92
own words...
1290.559
...from an internal memo that has since become
1292.519
public...
1293.18
...the Fraud Loss Operating System.
1297.759
On the 3rd of July, 2002...
1300.42
...eBay announced an all-stock acquisition of PayPal...
1303.64
...at a valuation of $1.5 billion.
1308.299
The valuation had been computed...
1310.72
...in the due diligence process...
1312.68
...primarily by extrapolating how many chargebacks...
1315.66
...would have been incurred on eBay's own platform...
1318.18
...over the following five years...
1319.94
...absent the Igor and GIGOT stack.
1324.46
The number, discounted to present value...
1327.559
...was approximately $1.4 billion.
1331.24
The remaining $100 million was, the bankers said...
1334.64
...paid for the team.
1338.479
I want you to step back from the
1340.64
narrative for a moment...
1341.88
...and consider what you have just watched.
1346.68
Two men, one of them 25 years old
1349.72
and the other 32...
1351.14
...and a team of fewer than a dozen
1353.24
engineers...
1354.039
...built, in a glass-walled conference room in
1356.98
Palo Alto...
1357.859
...across one autumn and one winter...
1360.359
...a system that, when measured in chargeback dollars...
1363.539
...not incurred, was worth $1.5 billion.
1366.88
The only thing that was worth...
1369.639
...the money was the money.
1370.279
They did not build it by moving money.
1373.66
They built it by writing code that watched
1376.18
other code...
1377.019
...and decided, in real time...
1379.18
...whether that other code was a human being.
1384.539
This is the pattern.
1388.579
The true wealth of the digital era...
1391.039
...from the year 2000 to the moment you
1393.4
are currently watching this...
1395.019
...has never been created by the companies...
1397.339
...that transfer value.
1398.97
It has been created, almost without exception...
1402.099
...by the companies that defend value.
1405.84
Visa transfers value.
1408.359
MasterCard transfers value.
1410.559
Western Union transfers value.
1413.039
None of these companies, in the last quarter
1415.599
century...
1416.339
...has produced a single Silicon Valley billionaire.
1422.009
The companies that defend value...
1424.38
...PayPal and Stripe...
1426.48
...and Adyen...
1427.44
...and Square...
1428.44
...and Plaid...
1429.44
...and the dozen others built by the men
1431.5
and women...
1432.059
...who walked out of the bunker in early
1433.859
2002...
1434.94
...with their shares vested...
1436.4
...and their algorithms understood...
1438.24
...produced dozens.
1442.5
And the algorithms themselves...
1444.5
...did not stay in payment processing.
1448.74
The Igor Classifier...
1450.859
...generalized and rewritten a thousand times...
1453.74
...is what reviews your credit card transactions...
1456.279
...in the moment between tap and confirmation.
1459.7
It is what decides whether your insurance claim...
1462.779
...is flagged for fraud investigation.
1465.819
It is what Tesla uses...
1467.94
...to distinguish a human pedestrian...
1470.2
...from a child's cut-out drawing...
1472.14
...in the fraction of a second...
1473.72
...before the vehicle applies its brakes.
1477.46
It is what SpaceX uses...
1480.0
...in the telemetry fusion layer of its rocket
1482.559
autopilots...
1483.519
...to distinguish real sensor noise...
1485.72
...from instrumented anomalies...
1487.4
...that would abort the launch.
1491.38
The man who designed the original behavioral classifier...
1495.619
...the chief technology officer of PayPal in 2001...
1499.599
...is today the founder and chief executive officer...
1502.859
...of a public fintech company called Affirm...
1506.119
...whose credit decisions for 70 million customers...
1509.299
...are made by the direct lineal descendant of
1511.96
the system...
1512.7
...he first named after a Russian fraudster...
1515.0
...named Igor.
1518.819
The pattern is not payments.
1521.7
The pattern is defense.
1524.74
The pattern is code that watches...
1527.839
...classifies and decides.
1531.819
And every significant consumer internet company...
1535.099
...built since 2002 without exception...
1538.099
...has as its core operating asset...
1541.059
...some variant of the technology Max Levchin built...
1544.2
...in the 60 days between October and December
1547.0
of the year 2000...
1548.599
...to stop a man named Igor...
1550.559
...from draining his company's bank account.
1554.94
You already know the rest of the story.
1558.48
What you did not know is that the
1560.599
rest of the story...
1561.46
...begins in one room...
1562.96
...with one man, with one line of Python...
1565.799
...and with one stolen credit card being tested...
1568.72
...against a distorted five-character image...
1571.16
...on a PayPal sign-up page...
1572.819
...on a night in January 2001.
1578.539
That was the start of the 21st century.
1583.859
You have been living in the consequences...
1586.019
...of that night ever since.