Exchange Fraud Prevention Should Be Simple: Sellers, State Your Name

andrewcasale"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Andrew Casale, vice president of strategy at Casale Media Inc.

In spite of a flourishing programmatic marketplace, with all the benefits it provides buyers for targeting key audiences with the figurative push of a button, there’s one pervasive, very expensive problem: fraud.

I’m talking about counterfeit websites and bogus traffic that lurks within open exchanges. It has given rise to an entire cottage industry for its prevention and sent a few folks packing – GroupM just announced it would exit the open exchange at the end of the year (although it appears to have pulled back somewhat on that stance).

The brass ring on this unregulated, risky ride is a solution within the pipes themselves that hampers fraud without throwing up more barriers, technologically or monetarily, for either buyers or sellers. And because we haven’t heard of such an obvious solution as of yet, the industry is dragging its heels on a very important – and, in the long run, much more costly – problem.

We hear all the time that the only way to curb industrywide fraud is to “follow the money.” The problem is, we haven’t taken a single step toward actually following the money. Bad actors on the supply side are surviving and thriving, with few repercussions when they’re outed. People compare fraud detection to a game of Whac-A-Mole for good reason. Bad actors are aggressive and can be very difficult to track. And even when you root them out, it’s far too easy for these people to set up shop again, this time a little wiser and better at their craft.

In one case, you have a cookie-cutter website with high-traffic volume, nearly all of which comes from bots. Another theme is mislabeled impressions. Domain names can be spoofed easily – for example, a piracy site might fly under the radar with the domain of a reputable newspaper, bypassing the value of whitelisting. To solve for the first variety of fraud, we add sites to blacklists. For the second, we strike sites from whitelists. But in either case, if you find 100 of these sites and clamp down on them, 100 more will pop up tomorrow. Worse, legitimate sites may get blacklisted because of a high incidence of fraud, not because of their own impressions but because impressions bearing their name were spoofed, harming the reputation of the innocent.

The simple solution for fraud is an updated model whereby, in order for an impression to be placed for bid by an exchange, the exchange should be required to expose not just the domain name connected to it, but also the name that’s actually going to be on the seller’s paycheck. The introduction of this simple criterion would address and curtail fraud before, not after, the buy.

The industry has focused far too much energy on blacklisting or whitelisting domains, both of which can and are continuing to be easily gamed. Being that these are the strongest defenses for buying media across the open market, and both methods can be circumvented, fraud is effectively undermining the entire protocol. A far more efficient way to stop fraud is to blacklist suspicious sellers themselves. Think of the way these actors operate: The payee behind a faked impression can probably be traced to a faked impression. The payee behind a bogus website with bot-ridden traffic can probably be linked to 100 other bogus websites. If you call out the payee, you call out the entire counterfeit network around them. That’s how we can actually start to follow the money – via a payee ID.

Unlike the Whac-A-Mole method of hacking away at bogus sites and audiences as they become known, identifying payee names within the exchanges will give bad actors pause and hamper their spread. It raises the barrier of entry to a far more inconvenient height for anyone that today is gaming the system with domains. It’s very easy to set up a domain. It’s also proving all too easy to spoof a domain. It’s much harder to accept payments under different names and gain access to exchanges under alternate identities. Compare the ad exchanges to the stock exchange: It’s very hard to counterfeit a stock. It’s too easy to counterfeit a domain.

The ad marketplace needs some other means of providing the same transparency. The bid request and response transaction between exchange and DSP is a binding deal. Doesn’t the buyer deserve to know where their money is going?

The barriers to adding payee ID to the information listed in the exchange are negligible. On a technical level from the exchange perspective, adding an addition criterion to the 30 we already submit to DSPs today is trivial. Sellers might object, citing confidentiality privilege. But in this case, they don’t hold the trump card: Certain buyers can just as easily refuse to make a buy from a seller that won’t reveal the name on the check.

For legitimate publishers, payee ID will only help them. Publishers only stand to lose by indirectly protecting the identity of bad actors. Dropping the veil of secrecy in the exchanges will create a new sense of trust from the buy side – and the benefits will be immense.

The current paradigm today in the open market is buyer beware. The domain may be, but payment may not actually go to Google. This shouldn’t be buyers’ problem to figure out.

GroupM has given exchanges six months’ notice. Let’s do something before we run out of time.

Follow Casale Media (@casalemedia) and AdExchanger (@adexchanger) on Twitter.


  1. It should be the ultimate payee, and see through the intermediaries - so while you are doing that why not expose all the intermediate revshares? And can you do this in 30ms? I think the real problem is brokers and networks lining up like publishers. Your solution today would run into ad networks sitting between the publisher and exchange buyers.

    • Andrew Casale

      You're absolutely right. But, there are two ways to look at that potential issue.

      One way is that we can try to enforce that it is the ultimate payee, which I believe is the correct way to look at it. The terminating end recipient of the media dollar.

      In a case where that is not respected, the solution does still get us further ahead than we are today. If you've got coming in tied to the payee Google, and coming in tied to some network/intermediary (a) you should know better than to bid on it and (b) you might want to look at what other domains that network/intermediary is peddling.

  2. I couldn't agree more. One important group you missed was the toolbar/adware crowd. These guys are generating billions of impressions on sites they aren't authorized to run on. They will insert ads on the Wall Street Journal and sell those on the exchanges, effectively diluting the real Wall Street Journal impressions. Using some sort of payerid buyers would be able to only buy authorized WSJ impressions instead of buying from toolbar companies and other adware companies.

    The problem comes in when networks start to launder these impressions - which already takes place. A legit network with a good payerid would launder the fraudulent impressions. I think in addition to a payerid it would be interesting to look at some sort of public/private key solution where a domain owner would authorize an impression to be served on their domain. Thus giving publishers the power they deserve.

    • Andrew Casale

      What's worse is over and above dilution, may find itself on a blacklist because of a false measure of fraud connected to traffic that it is not even generating. As crazy as that sounds, most blacklisting is automatic, and an algorithm wouldn't know better.

      That's a really interesting thought. There could be a registry, perhaps maintained by the IAB, where publishers declare their domains, and authorized payeeIDs. Would be a very significant step forward.

  3. Justin Kennedy

    Interesting idea Andrew. Can you share what steps Casale has taken to require this of their supply sources?


Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>