A Little About Me
Before I dive in, let me note that I'm a software architect. I've been designing systems and writing code for almost 30 years (no, I'm not that old, I started in junior high school - if you want to get serious, I've been a professional developer since about 1990). The design of secure systems is something I know more than a little about. I'm not above admitting that in my youth I was what you'd call a hacker. Seen War Games or Hackers? It's not like that, but you get the idea. So when I see systems that have flaws, I tend to geek out on them. When those flaws affect me directly, I geek out even more. This issue has become the fingernails-on-the-chalkboard of my geek cred. I'll own that. Let me also start by saying that I met my girlfriend on Match.com, so I have no gripe with the idea of online dating and Match's business in general. Indeed, I'm a shareholder. But getting that out of the way, I need to blog about a problem the site had when I was active, and appears to still have. And I have to comment on the absolute lack of concern the site's administration seems to have regarding the problem, to the point of appearing to actively ignore it. So... what's got me all frothy?
The problem I have is with the vast number of fake accounts and fake activity, and how Match profits from this and, thus, has no incentive to remedy the situation even in the face of obvious steps that could be taken. Let's dive in. When one first signs up at Match, the activity and interactions begin. Presuming you've actually gone to the trouble to create a reasonable profile and filled out the demographics, you will begin to show up in the searches that others do. Once you start looking at other profiles and liking their photos or stating that you're interested by clicking on the checkmark of your "daily matches," you will start to interact with others. Unfortunately, many of these interactions come from fake accounts. Why fake accounts? Simple - those looking for love are vulnerable. Strike up a conversation with someone and you have a motivated target that is much more liable to fall for whatever pitch you're throwing. This avenue has a much higher success rate for the scammer than does simple spam. So if you're looking to profess love and then ask for money ("I need $500 for a plane ticket to come see you!"), plea hardship ("I'd love to come to the United States but I need $750 for a visa"), or even make a few bucks peddling porn ("I have sexy pictures, but they're on a site that requires you pay $20 to prove you're an adult."), you've got a much higher chance of success on a dating site. Scammers know this, so they make tons of fake accounts and lure people in. It's a thing.
The Analysis and Solution
The source of my angst is that it's dead simple to spot these accounts both through their content as well as activity, and Match seems to make no effort to remove them short of customer complains. After this analysis, I'll show why this policy is actually a money-maker for them and then also allows them to state that they do their best based on complaints, a position that is somewhat disingenuous. So how easy is it to spot these fake accounts? Blindingly-so. First, let's take the easy attributes. Given a decent match on these, one could filter out fake accounts based on this alone (note that I consider fake females, since that's what I see):
- The age being picked lately is 29. While fake accounts use many ages, this one is picked most often.
- The profile has one paragraph. It is comprised of a few sentences, typically picked randomly from a list of about 30 as far as I can tell.
- The profile has one picture.
- The age range of the men the profile is looking for is typically in the early 30s to 50s. This clearly gets it in the right searches for its purpose.
- The requirements for the profile's match are never filled in except the height, which is set at the maximum range. I suspect this is because the bots only fill in the first field.
But it gets even easier when you actually pattern match on the written profile. As I pointed out, they're typically just one paragraph. Given that, one could find duplicate sentences and create candidate filters based on that alone. But the real kicker comes in that all of these fake accounts have the same sentence embedded, which is a call to email. The email is split up to apparently avoid a pattern match that doesn't exist (if it did, Match would be using it on the known patterns). In all cases, the emails look like "username g mail com" or some broken variant thereof. A simple regular expression match of the known patterns would have 100% of the fake accounts identified as they are created. Here's an actual example:
Unfortunately I am unable to read messages on this site so you can emal me at nnak06 a gmal and send me a wink so I know who I'm taking to.
So let's presume for sake of argument that Match decided to get serious and implemented a solution based on my above observations. As a developer, I can tell you that I could code this up in a weekend. That's not hyperbole. And that's not an idle note - Match? I'll come into your San Francisco offices any weekend you like and do it. Free. So let's imagine that Match did this and the fake account folk got wise. That means they'd have to have humans mixing it up, which is more work than they want to do. But let's further presume that they did. What then? Simple - Any account that doesn't fill out all the fields, or at least go through the clicks to choose a "decline to answer" with appropriate human-necessary interaction (use the ReCaptcha x/y algorithm, guys) can't send winks or likes until they do. They can do everything else. They can even receive interactions, so in the rare case that they're a real person, that creates more incentive to finish their profile or even pay for a subscription. One other clear solution would be to throttle notifications. Many times a member will receive an email telling them that they got a wink or a like, only to find, when clicking through, that the profile no longer exists. Match did, indeed, remove it after the abuse happened. But why wait until after? (I answer this, below). When the account sends a lot of winks and likes (and thus gets reported in a spike of activity), it is removed. So why not just throttle those notifications for a small period of time and trigger a warning when an account goes over a threshold. Watching the activity would clearly identify an automated system as opposed to a human looking at profiles and liking lots of them. If this pattern is seen, the account is suspended and flagged for further scrutiny.
The Smoking Gun: Top Spot
Another metric is sheer site activity. Match has a feature called "top spot" that artificially places a profile in the top search results. You pay for this, of course. I was curious when I was using Match last year, so I paid for a couple tries at it to see how it worked. Sure enough, the views on my profile went way up and, with that, so did the activity from fake accounts. One benefit of "top spot" is that it shows you who has viewed your profile in an interesting real-time timeline. The difference here is that whereas you usually see who has viewed you in a grid of accounts, in the case of "top spot," you see the timeline which includes duplicate views. So if someone clicks to view you and then does it again 30 seconds later, you see them twice. Sure enough, fake accounts come up ten, twenty or even thirty times in a few-minute span. Clearly it's automated, scraping the search results multiple times per second. When you pay for the top spot, you artificially show up at the top and these automated scripts pick you up each time. If I, as a customer, can see this, Match's code could see it even better. There is simply no way that Match cannot see, based on usage metrics, when automated scripts are being used. It's just not possible that they don't know that this goes on and could prevent it if they chose.
Yes, I wrote Match about this. I even went as far as to state, specifically, that I would like my mail sent to senior management and not handled by a customer service representative. Of course that was ignored and I got a canned response, including (apparently to pacify me?) an offer of free subscription time. As you can see, my concern was not addressed at all, but the hand-waving is pretty good:
I appreciate the time you've taken to contact Match about your general concerns with the site. Please be assured, Match.com does not send members misleading notifications, e-mails or winks professing romantic interest. We have too much respect for our members to ever compromise their trust. I can assure you that we are absolutely interested in pursuing any situation involving those who attempt to use our site in dishonest ways. We have a dedicated team that works diligently to identify and remove these kinds of members. Unfortunately, though, some of them still manage to get a few emails out, which is why we appreciate it so much when you take the time to let us know about the situations you see that we may not have caught. In the future, you're welcome to streamline your reports by using the "Report a Concern" link on the member's profile. This will send your report directly to our security team that can open a case immediately and take the right action. Unfortunately, privacy policies stop us from being able to share with you what actions we take, but this really is the fastest way to ensure that the situation is addressed appropriately. Thank you so much for what you are doing to help us in this area. For more information, feel free to review our Online Dating Safety Tips.
I didn't expect otherwise, frankly. For all the protestations to the contrary, Match doesn't really seem to care or listen to their paying customers.
So why, if this problem is so easy to solve, does it persist? The reason is likely clear - metrics and activity and, ultimately, paying subscribers. These fake accounts still increase the number of members. From a sheer numbers game, Match can say, "Hey, we remove them when we can, so don't worry about it." Indeed, I've gotten this response from them when I've brought it up. The point remains that these fake accounts artificially increase the membership numbers. But the real heft comes when you realize that these fake accounts are sending winks and likes and even emails. Why is this important if they're clearly fake? Because if you don't pay for Match, the notification you get tells you that "She is interested!" and asks you to subscribe (read: pay) to see who she is. You plunk down your $60 for three months of subscription and find that the love of your life is a fake. You complain. Match sends a canned response saying that they're removing fake accounts as they find them, and hey, check out these other profiles. But the bottom line is that you paid. They have your money and you're now a customer.
The fake accounts generate revenue for Match. It's that simple. They have no incentive to remove them, and thus, they never will.