
Attack of the Killer MBAs

The Financial Times reports on the increasing number of MBAs working in the non-profit sector:

In the past, executives seeking qualifications that would help them in the non-profit sector headed to policy schools or took programmes in education or non-profit management. “Now a lot more people are going the MBA route,” says Mel Ochoa, who graduated from the NYU Stern MBA programme in May and heads the marketing department of Achievement First, a charter school organisation in Connecticut and Brooklyn.

Mr Ochoa says this is because of the new requirements of non-profit organisations. “They’re changing their attitude towards the people they want on staff,” he says. “They want a lot of the skills you learn in business school, such as strategy and finance – and they want those applied to their non-profits.”

Full disclosure: I got my MBA from New York University’s part-time program, which I attended over a long 4 years while working at Fractured Atlas.  It was an incredibly valuable experience, and I use what I learned there every day.  I also recruited the Chairman of our Board of Directors from the ranks of my professors.

That training has undoubtedly helped me build and run Fractured Atlas in a way that’s atypical for the non-profit sector, and that often resembles a for-profit enterprise.  And, of course, most of our programs and services are, in turn, designed to help our members function more effectively as businesses.

These days, however, there’s some controversy in the non-profit sector over whether “acting like a business” is something we should be striving for or not.  For ages the mantra was that not-for-profit organizations needed to be “more businesslike” to increase their efficiency and effectiveness.  But in recent years there’s been a backlash against this notion, as chronicled by everyone from Don’t Tell the Donor, to Grantmakers in the Arts, to (sort of) Andrew Taylor.

To some critics, “acting like a business” conjures images of Enron, Halliburton, and perhaps now IndyMac or Countrywide.  Greed.  Excess.  Fiscal recklessness.  Lack of accountability.  I’d argue, however, that guys like Ken Lay and Angelo Mozilo aren’t acting very businesslike.  They’re acting like crony capitalists or even two-bit thugs.  And, to its credit, the capitalist marketplace eventually punishes such bad actors, albeit often after they’ve done a lot of harm.

So what does it look like when someone is acting businesslike?  I believe it comes down to a few key factors:

  1. Pick the right customer (and know who your real customer is)
  2. Make decisions based on unsentimental, dispassionate analysis
  3. Seek to build long-term value

Perhaps this is too reductionist and I’m sure I could refine or supplement these criteria if I gave it some more thought, but I’m satisfied that this is a decent starting point.  The good news is that any of these principles can be applied by any business - for-profit or not-for-profit, international conglomerate or self-employed dancer.  Taking this view not only doesn’t reduce a non-profit organization’s mission orientation, but can actually enhance its clarity of focus and capacity for action.

Let’s look at each factor and I’ll try to offer some insights into how a B-school schlub like me thinks about this stuff.

Picking the right customer and knowing who your real customer is

Any business has customers.  They’re (duh) the people who buy what you’re selling.  If you don’t have a customer, you don’t have a business.  If you can match the right product or service with the right customer, then you’ve got a great business.  Simple, right?

For most for-profit businesses this is very straightforward.  A widget-maker seeks out people who need widgets and tries to offer them at a price that is a) higher than the costs of production and distribution, and b) lower than the perceived value they will provide to the widget-needing-individual.  That sweet spot is the basis for any economic transaction.

Where this gets tricky is when the one paying for the widget isn’t the same one consuming the widget.  Consider the US health insurance system.  The patient consumes the service but the insurance company pays for it.  Doctors, therefore, provide services based on what the insurance company will pay for, rather than what the patient needs.  That’s because our inevitable tendency is to focus on the payer rather than the consumer.  This is a self-preservation instinct, since a business can’t exist without money to fund its activities.

Of course, this payer-consumer disconnect happens all the time in the non-profit world.  Traditionally, non-profits have gotten most of their funding from individual donors and/or institutional funders.  Those people are very rarely the ones being served by the non-profit’s work.  So how does the non-profit ensure that its focus remains on the constituency it’s supposed to serve, where it surely belongs?  Unfortunately, it often doesn’t.  Whether they admit it or not, the “real customers” that such organizations focus on are all too often the donors or funders who underwrite their operations.  Fulfilling a mission - creating great theatre, feeding the homeless, curing malaria - becomes a tactic for pursuing the true goal (at least subconsciously) of satisfying the people who write the checks.  As you can imagine, all sorts of dysfunctional crap comes out of organizations that fall into this trap.

So how does a non-profit keep itself pure and focused on the people who need its help?  I’d argue that, whenever possible, it should strive to align the funders and consumers of its programs.  The simplest way to accomplish that is by adopting an earned revenue model.  Fractured Atlas has a rule that we don’t start new programs or services unless they can be fundamentally self-sustaining based on earned revenue.  By relying on membership dues and program fees, we’re guaranteed instant (and potentially painful) feedback on whether our services are actually meeting the needs of the artists and arts organizations we serve.

But this doesn’t always work, because there are some mission-essential activities which are impossible to monetize through earned revenue.  For Fractured Atlas, this includes our advocacy work.  A homeless shelter or animal welfare group, meanwhile, would find it difficult or impossible to monetize any of their programs directly.  So does that mean we all need to steer clear of these activities and only do things where we can make a buck?  Of course not.  But it does mean that we need to be more cautious and intentional about aligning the interests and perspectives of our funders and consumers.

There are a couple of ways you can do that.  At Fractured Atlas we often conceptualize these situations as investments, the same way a for-profit might spend money on marketing or research and development.  You don’t expect to get anything back directly, but you do expect a positive return in the long-term through indirect channels.  A project like Place + Displaced provides us with an unprecedented depth of information about the way artists live and work in their communities, along with new insights into the challenges they face every day.  I don’t believe it diminishes the intrinsic mission-value of the project to say that it serves a secondary function of providing great market research into how we can better serve our constituency.

That kind of R&D / marketing model is a nice framework for artists and arts organizations.  It’s vital to be able to pursue creative or audience development opportunities even if they’re not readily grant-fundable.  (I’ll address this concept again when I talk about building long-term value.)

So what if there’s really just no way to monetize an important program through earned revenue, either in the short or long term?  Well, then you need to rely on contributed revenue and you’re stuck with separate funders and consumers of your service.  There are still practical steps you can take to ensure this doesn’t result in mission drift:

  1. Strive for autonomous program design by program staff (e.g., an artistic director or a program officer).  The front-line personnel at a non-profit are often better connected to the work it does or the people it serves than are the executives, whose focus by necessity is on the bottom line.
  2. When possible, develop explicit, quantifiable criteria for program success and share them with the program’s funders/donors.  That way everyone’s on the same page about what you’re trying to accomplish.
  3. Be as transparent as possible with both your constituency and your financial supporters.  It’ll help keep you honest and mitigate anyone’s concerns that their needs aren’t being considered.

Making decisions based on dispassionate, unsentimental analysis

I mentioned above that I use what I learned in business school every day.  That’s true, but the actual tools, concepts, and models that I learned weren’t the most valuable part of that experience.  The truly useful part was the simple exercise of thinking, talking, and writing about businessy problems in a rigorous manner three times a week for four years.  Before that my decision making was driven by instinct and emotion.  Today, instinct and emotion still play a part, but they’re balanced by a practiced ability to be coolly rational and unsentimental about organizational problems.

When people say “business is business” they’re talking about this kind of cool, impersonal attitude.  Usually there’s also an implied profit motive, but there doesn’t have to be.  You can be just as dispassionate about humanistic concerns.  The key is to apply an analytical framework or toolset that helps prevent biases (even unconscious ones) from clouding your perspective.

For financial analysis, my favorite tool is net present value calculation.  This tool from corporate finance is used to assign a risk-adjusted value, in today’s dollars, to a series of future cash flows.  It’s an excellent framework for assessing the long-term financial implications of a proposed project, or for comparing multiple competing projects to see which makes the most financial sense.  The non-profit arts sector is notorious for boondoggle capital projects that destabilize or even destroy otherwise great organizations.  The managers responsible for these quixotic messes may be relying on the generosity of donors or funders to bail them out when this happens.  But how much better it would be for the sector as a whole if we could get into the habit of making better decisions in the first place!

The inverse of this is the tendency of non-profits not to invest funds in a speculative project unless they can pass the expenses off to a third-party funder.  I was in a meeting not long ago in which we discussed a potential project that would cost roughly $100,000 to carry out, but which didn’t have any good funding prospects.  Conservative back of the envelope calculations suggested that doing the project might result in $120,000/year of earned revenue, more or less in perpetuity, without any additional costs.  Even assuming a high level of risk, that cash flow stream is worth perhaps $500,000 in present value terms.  In other words, deciding to undertake this project would be like trading $100,000 for $500,000.  Kind of no-brainer, huh?

But $100,000 is a lot of money for a small organization like Fractured Atlas, and the prospect of spending our own money in that way was pretty scary for most of the folks in the room.  The abstract fear associated with writing a six-digit check without any outside party taking the risk was overwhelming the logical appeal of the undertaking.  Non-profits, especially small ones, fall into this trap all the time.  In the long-run, being irrationally conservative is just as deadly as charging headlong into an ill-advised capital project.  Not to take on the above project would be like turning down a no-strings-attached donation of $400,000 which could be used to support or expand any of our programs and services.

I believe there’s an appropriate analytical framework for almost any category of organizational decision making.  They needn’t all come from fancy-pants financial models either.  Sometimes what you need is an ad hoc model based on your own internal, mission-based logic.

Permit me another example from Fractured Atlas.  We’re an unusually broad-based arts service organization.  Most of our peers focus on either a specific geographic region, a particular artistic discipline, or a narrow category of service.  By contrast, we’re national, multi-disciplinary, and customer-centric (i.e. rather than program or mission-centric).  That’s dangerous, because it imposes no discipline or boundaries in the program-development process.  And frankly I’m a lousy leader for such an organization, because my own instinct is always to try to do anything and everything under the sun.

Over the years we’ve developed an internal decision-tree to address this issue.  When an opportunity crops up for a new program or the expansion of an existing service, we ask a few key questions to assess whether it’s something we should do:

  1. Can it be delivered nationally or is it limited by geography?
  2. Is it relevant to artists from many different disciplines?
  3. Is it scalable enough to reach a large audience?
  4. Is anyone else in the field doing this?  If so, is there reason to believe our approach will be significantly superior/different to justify the redundancy?
  5. Do we have (or can we acquire) the capacity and know-how to do the work in a super high quality way?

Generally speaking, if the answer to any of those questions is “No” then we don’t do it.  When we first started using this tool, we actually cut out about half of the programs and services we were offering at the time, since they didn’t meet our criteria.  We got some complaints from our members, but we became a much more focused, “lean-and-mean” organization.  And it turned out that cutting the fat actually helped position us for a period of explosive growth over the ensuing years.

Building long-term value

Perhaps surprisingly, non-profits are often better at building long-term value than for-profits, especially publicly traded companies.  The stock market is obsessed with quarterly earnings reports and publicly traded companies are obsessed with their stock prices.  Lots of stupid decisions have been made because of those misguided short-term incentives.  But non-profits don’t have stock, which should free us up to worry about the long-term, right?  Sometimes it does indeed work that way, though not as often as it should.

Let’s consider three common traps:

Trap #1: Fear of investing in revenue-positive, mission-relevant opportunities if they can’t be funded by contributed income.

I’ve already talked about this one a little bit so I won’t belabor the point.  But this is a major pet peeve of mine so I’m having a hard time dropping the issue entirely.  I’ve had countless conversations with my counterparts at other arts service organizations in which I’ve proposed some kind of joint project.  Even when I can demonstrate the compelling positive financial return from the undertaking, I am, more often than not, met with an unwillingness to proceed unless I can bring grant funding to the table that covers their initial costs.  When that third party funder fails to materialize, we effectively flush lots of potential long-term value down the proverbial toilet.  It’s a terrible cliche, but sometimes you really do have to “spend money to make money”.

Trap #2: The superficial allure of a balanced budget.

The conventional wisdom is that non-profits should have balanced budgets.  That means they should plan for revenue and expenses to be as nearly equal as possible over the course of a fiscal year.  The ostensible reasoning here is that non-profits are mission-based, not profit-based.  A surplus would indicate that grant funds aren’t being fully spent or that program fees have been set higher than they should be.  A deficit would suggest poor financial planning and possible organizational instability.

The conventional wisdom couldn’t be more wrong, and it’s a shame that so many non-profit leaders (and worse, their funders) take this view.  I don’t think I can say it any better than non-profit consultant Jeanne Bell:

A potentially harmful habit practiced in many community nonprofits is presuming that a break-even budget is mandatory. Board members and staff may be under the influence of the false but persistent ‘nonprofits can’t make money’ myth as they develop the year’s income and expense plan…. Instead of “How can we make the budget balance?” the annual budgeting cycle should begin with the question, “What financial outcome does our organization want or need this year?” Different scenarios lead to different decisions about what the budget’s bottom line should look like:

1. We need to increase reserves or pay down debt: adopting a surplus budget. When the organization’s leaders decide that its cash and other reserves are lower than ideal, the organization can plan to generate more income than expenses, creating surplus funds that can be used in future years. A surplus may also be needed to provide funds for paying down debt or for easing cash flow….

2. We can’t gain ground now, but we can’t lose ground either: the break-even budget. Typically, organizations choose break-even budgets by default and the skin of their teeth. A first cut on the budget shows expenses much higher than revenue, so the staff then tries to figure out how to increase the revenue number (but still stay close to reality) and decrease the expenses (but not damage programs). The staff and the Finance Committee tack their way towards a break-even budget, and hope that their cautiously optimistic projections work out.

3. A…reason for a deficit budget is a decision to invest. For example, the organization may invest funds in strengthening its fundraising capacity, or in new programming. Leadership believes that resources from previous surplus years can be risked as investments in future programmatic or financial paybacks.

At Fractured Atlas we’ve had a couple of break-even budgets over the years, but most have projected either a surplus or a deficit.  In my experience these things are cyclical, especially for a growing organization.  When ramping up for a major expansion, we run a deficit as we make investments in infrastructure and capacity to fuel that growth.  As the expansion unfolds and those investments pay off, we shift to a surplus.  Sooner or later, it’s time for another ramp up.

It’s a bit of a rollercoaster, and I know for a fact that it makes some of our funders (and even some of our Board members) uncomfortable.  But this model has helped us create enormous long-term value.  Ten years ago our annual budget was $7,500.  Five years ago it was $100,000.  Today it is $4.2 million.  You can’t grow like that unless you invest in your own organization, and that means deficits.  Likewise, surpluses are how you build reserves to invest in future growth.

Trap #3: Treating funders like investors (the wrong kind, that is)

We’re often told to think of funders as the non-profit equivalent of investors.  It’s not a bad analogy.  Like investors, funders finance your activities and measure the return on that investment.  The return is in mission fulfillment, not financial gain, but it’s the same basic relationship.  And just as a dissatisfied investor will sell his stock, so a dissatisfied funder may pull her support.

Believe it or not, it’s actually a good thing when funders don’t simply write a check and say “have fun, see ya’ later!”  When a funder takes a serious interest in your work, enough to pay close attention to the results you’re getting and the progress you’re making, then that makes him a potentially invaluable partner.  Such allies provide money, yes, but they can also provide advice, connections, and other intangible resources.

But the kind of interest they take - the type of investor they resemble - is very important.

I mentioned before that the stock market is notoriously obsessed with quarterly earnings reports.  There are many reasons for that, but in part it’s because most shareholders aren’t really interested in the underlying business of the companies they invest in.  They need a very simple proxy for a company’s financial health and the quarterly earnings per share figure is the best they can find.  If it’s lower than they’d hoped, they sell the stock.  If it’s higher, perhaps they’ll buy more.

Because they live and die by their quarterly earnings, publicly traded companies make enormous efforts to “manage” those earnings.  Transactions might be timed specifically so that they fall into one quarter or another.  Accounting tricks are used to hide losses and exaggerate gains.

Many non-profits resort to similar shenanigans in an attempt to impress their financial supporters.  They bend over backwards to put a positive spin on program performance, sometimes to the point of de facto dishonesty.  Likewise, these organizations go to great lengths to hide their failures and shortfalls.

Then there’s private equity.  Private equity funds invest in non-public companies precisely because those companies don’t have to report their earnings quarterly and are therefore able to focus on long-term profit over short-term gains.  Private equity investors get to know the company’s management and study its business in depth.

Non-profits should cultivate “private equity-like” relationships with funders rather than relationships that resemble market investments.  Resist the temptation to keep your funders at arms-length and shield them from the ugly complexities of your operations.  Be honest and transparent about your failures as well as your successes.  Make sincere efforts to reveal and explain your organization’s internal logic.

Not all institutional funders or private donors want this kind of relationship, of course, but many do.  And keep in mind that I’m not for a minute suggesting that funders should be allowed to micromanage your program operations or policies.  The goal is for them to have a deep and accurate understanding of who you are and what you do, so that they’re in the best possible position to help you grow and develop as an organization.  Because that’s a great way to build long-term value and a strong organization.

The Appeal of Transparency (Even About Failure!)

I spent the first half of this week at the Fortune Tech Conference. Usually when I go to events like this they’re totally arts-centric, so it was (mostly) refreshing to be surrounded by folks with a completely different perspective. (Note to Andrew Taylor: thanks to everyone’s obsession with VC-funding and industry gossip, this conference was optimized around informal networking.  It’s not as hard as it sounds, and largely comes down to less programming in a smaller space.)

Yesterday morning I attended a breakfast session called “Is Philanthropy Dead?”  The panelists were Charles Best of DonorsChoose.org, Premal Shah of Kiva.org, and Dan Shine of AMD’s 50×15 Initiative. Despite the deliberately provocative title, the session spent relatively little time bashing the traditional philanthropic model. Instead, most of the conversation focused on the issue of transparency in fundraising.

Best and Shah both credit the transparency of their processes as a primary factor behind their success. The most compelling story came from Best, whose organization gives individual donors the opportunity to fund classroom projects in public schools.  DonorsChoose.org guarantees that donors will receive a packet of photographs and thank you letters from the grateful recipients (and facilitates that process behind the scenes).  Apparently this works as planned 98% of the time.  In the other 2% of cases, however, the teacher reneges on his responsibility to coordinate the thank you packet.  When this happens, DonorsChoose.org preemptively contacts the donor to inform her of the error and offers to “refund” the donation by crediting it towards another project.  Well, it turns out that these “we screwed up” phone calls are the most effective fundraising appeals they ever make, with a large number of donors declining the refund and offering to fund another project.

This experience is consistent with research into consumer behavior which suggests that the most loyal customers are those for whom something went wrong but the company quickly and effectively resolved the problem.  Unfortunately, most of us in the non-profit sector are terrified about admitting failure.  It’s as if the fact that people give us money to carry out our work creates such a solemn responsibility that 100% success is the only option.  This absurd mindset has several negative consequences.  First, fear of failure makes us risk-averse to a sometimes crippling degree.  Second, when failures occur despite our cautious hedging, we’re totally unwilling to speak candidly about the experience.  This prevents us from learning from our peers and advancing understanding in the overall sector.

Transparency is about more than owning up to failures, of course.  It means disclosing information about your organization’s processes, financial performance, and business model.  And, of course, it also means sharing information about your successes in a way that lets donors feel like respected collaborators.

This last category is where Kiva.org really excels.  Kiva.org gives individuals the ability to provide 0% interest microfinance loans to small business entrepreneurs in the developing world.  Lenders receive regular progress reports and - most of the time - get their money back upon the project’s completion.  Shah described the effect of this transparency as being almost addictive.  Many lenders check their loan portfolios daily, obsessively tracking the impact of their support.

It seems to me that arts organizations are particularly lousy at these kinds of transparency.  Part of it stems from a misguided desire to maintain the mystique of the creative process.  For the most part, though, I suspect we just don’t give it any thought.

So here’s my challenge to the field: what would this kind of transparency look like for an arts organization and how can we build it into our routine operations?

ALERT: HealthFlex Craziness

A number of our members have reported receiving disturbing emails, phone calls, or letters from Infinity Administrators over the past few days. Infinity Administrators is the company that provides the HealthFlex 2000, HealthFlex 365, and Dental Discount Plus plans which Fractured Atlas offered for several years. If you have received one of these communications, PLEASE talk to us before jumping to any conclusions.

Please be advised that there has been a severe misunderstanding between Infinity Administrators and Fractured Atlas, and it appears that things have gotten a bit messy. I’m very sorry that so many of you were dragged into this. We are working to correct the situation and you can expect further details soon.

In the meantime, I want to clear up a few facts:

1) You have never had to be a member of Fractured Atlas to enroll in any of these plans. Infinity offers all of them on an individual basis, just as any insurance company offers individual versions of their plans. HOWEVER,

2) The rates you’ve received as part of our group have always been significantly less than you’d receive on your own. For example, here are the rates that Infinity currently charges.

Note that HealthFlex + (which is identical to HealthFlex 2000) is $209/month for individuals. By comparison, Fractured Atlas members could enroll for $169/month.

HealthFlex DDS (which is identical to Dental Discount Plus) is $31.25/quarter as an individual. By comparison, enrolling through Fractured Atlas cost $28.00/quarter.

If Infinity has approached you with the same or lower rates as the ones you were paying through Fractured Atlas, that is a special offer they’re making and does not reflect anything that is publicly available.

3) Although we no longer offer these plans to our membership, we were proud to do so for 6 years. Our decision to remove the plans from our website and stop accepting new enrollments should not be interpreted as a criticism of Infinity or the plans themselves. It was simply time for us to move the healthcare program in a new direction, which we’re continuing to do.

Please contact us at support@fracturedatlas.org or (212) 277-8020 with questions.

Online Security Case Study: Donation Systems

Over the holiday weekend I got an email from Dianne, the Program Associate for our fiscal sponsorship program. Since I’m an evil slave driver of a boss, it’s not entirely unusual for me to receive weekend emails from my staff. This one, however, warranted an unusual amount of attention. Dianne had noticed a barrage of suspicious donations made through our website. They all came within about an hour, they were all for either $5 or $10, and they were all made on behalf of various sponsored projects. Each of the lucky projects began with the letter ‘A’ or with a character like a quotation mark that sorts to the very top of alphabetized lists.

This was a situation I’d encountered a few times before, albeit on a smaller scale. I first discovered the phenomenon about 6 years ago, shortly after Fractured Atlas first started accepting donations through our website. Here it is, in a nutshell:

When someone (a waiter, a hacker, whoever) has stolen a bunch of credit cards he needs some way to find out which ones are legit and which ones have already been canceled or reported stolen. From the thief’s perspective, the ideal testing mechanism:

  1. Is online and anonymous
  2. Is fast and easy (i.e. doesn’t require an elaborate shopping cart system)
  3. Allows for posting transactions of any arbitrary dollar amount

Charities that offer online donation systems fit the bill perfectly. It’s happened to us 2 or 3 times over the past 6 years. As far as I can tell, someone’s got a list of credit card numbers and they’re looking to run down the list as fast as possible. Based on this weekend’s performance, it’s possible to “test” about 50 stolen cards in 15 minutes using Fractured Atlas’s online donation form. It would probably take an hour to do that on Amazon.com, which is why they use us instead.

On a practical level, this is mainly an irritation rather than a real problem. After all, none of our security systems have been breached and none of our customers’ information has been stolen. We catch the issue quickly, refund all of the transactions, notify the relevant authorities, and apologize to the sponsored members for the inconvenience. Still, it’s a pain in the butt and a distraction for my staff.

In the spirit of transparency and in the hopes that this might be useful for other folks having the same experience, I’ll briefly describe our response and attempt to mitigate this exposure going forward. I’ll also try to update this post if and when we find out whether our tactics have worked. (If you’re not at least a little bit of a nerd, you may want to stop reading now.)

The very first course of action, of course, is exactly what I described above. Dianne refunded all of the transactions and notified all of the sponsees this morning. I notified our merchant account provider and our gateway processor to be on the lookout for any future transactions that match this pattern.

After that, I got my geek on. Our IT systems administrator and I started combing through server logs from the weekend to identify the IP addresses of the offending computers. Of the 250 bogus transactions, it’s safe to say few fit the profile of the average Fractured Atlas donor:

~50% were from Jakarta
~30% were from China
~20% were from a small town in the U.K.

There’s no way of knowing whether these were three different individuals or one culprit using various proxy servers. Either way, this is a slam dunk case for a more aggressive firewall policy. As of this afternoon we’ve blocked:

1) An entire ISP in Jakarta
2) An internet cafe in China
3) A small town in the U.K.

Is there some possibility that legitimate visitors to the site will get trapped in the net? Sure, but it’s not especially likely. Eventually we’ll probably scale back on the rules anyway; the important thing is to make this enough of a pain that the bad guys find some other website to use for their testing.

We’ve also tightened the address verification settings on our credit card processing system. The most interesting thing about this latest batch of transactions was that, in each and every case, the “donor” was able to provide an accurate CVC for the stolen card. It’s illegal for merchants to store those, which means that the credit cards themselves must have been physically stolen (i.e. as opposed to stolen from some online merchant’s database). Stricter address verification should help provide an additional line of defense. (Unfortunately, we’ve already seen a rise in legitimate transactions getting trapped in the filter because someone’s address doesn’t match perfectly, but this may be the price we have to pay, at least temporarily.)

And that brings me up to the moment. Hopefully this has been educational, or at least not mind-numbingly boring. Again, I’ll try to update this post if and when there are further developments.

To all of our sponsees who’ve been getting phony donation notices, I apologize for the inconvenience. I wish I could tell you that you’ve somehow become overnight fundraising superstars in Jakarta. Alas, for the moment, you should probably hold off on plans for any Indonesian bookings.

UPDATE (1/23/08): Zillions of members have had their legitimate billing information rejected by the new, tighter address verification scheme. I feared this might happen. It’s really hard to verify billing addresses in a reliable way, since “St.” and “Street” and “STREET” are all considered different and the credit card companies have no standardized format. We’ll try tinkering with the verification settings and see if we can find the right balance between fraud-protection and usability.
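The mismatch problem described above ("St." vs. "Street" vs. "STREET") is the usual reason strict address verification rejects honest donors. The following is an added example, written for this post and not Fractured Atlas’s own code, of normalizing a billing address before comparing it so that trivially different spellings compare equal, with a "strict" mode (full street line plus ZIP) beside a "lenient" mode (house number plus ZIP, the kind of less aggressive scheme the post later settles on). The suffix table, the US-only ZIP rule and the sample addresses are all constructed assumptions for the example.

```python
import re

# Constructed subset of common street-suffix and unit abbreviations.
# Every spelling maps to one canonical token so "Street", "St." and "STREET" agree.
SUFFIXES = {
    "street": "st", "st": "st",
    "avenue": "ave", "ave": "ave", "av": "ave",
    "boulevard": "blvd", "blvd": "blvd",
    "road": "rd", "rd": "rd",
    "drive": "dr", "dr": "dr",
    "lane": "ln", "ln": "ln",
    "court": "ct", "ct": "ct",
    "place": "pl", "pl": "pl",
}
UNITS = {"apartment": "apt", "apt": "apt", "suite": "ste", "ste": "ste", "unit": "unit"}


def normalize_street(addr: str) -> str:
    """Canonicalize one street line: casefold, treat '#' as 'apt', drop
    punctuation, collapse suffix/unit spellings, and collapse whitespace."""
    s = addr.casefold().replace("#", " apt ")
    s = re.sub(r"[^\w\s]", " ", s)          # periods, commas, etc. become spaces
    out = []
    for token in s.split():
        out.append(SUFFIXES.get(token, UNITS.get(token, token)))
    return " ".join(out)


def normalize_postal(zip_code: str) -> str:
    """Assumed US-only rule: keep the leading 5 digits, dropping ZIP+4 and spaces."""
    return re.sub(r"\D", "", zip_code)[:5]


def avs_match(entered: dict, on_file: dict, strict: bool) -> bool:
    """Compare an entered billing address against the one on file.

    strict=True : normalized street line and ZIP must both match.
    strict=False: only the house number and ZIP must match, which lets
                  'Apt 4' vs. no unit through while still catching a
                  completely different address."""
    e_street = normalize_street(entered["street"])
    f_street = normalize_street(on_file["street"])
    zip_ok = normalize_postal(entered["zip"]) == normalize_postal(on_file["zip"])
    if strict:
        return zip_ok and e_street == f_street
    e_num = e_street.split()[0] if e_street else ""
    f_num = f_street.split()[0] if f_street else ""
    return zip_ok and e_num.isdigit() and e_num == f_num


if __name__ == "__main__":
    on_file = {"street": "123 MAIN STREET", "zip": "10001-1234"}
    for entered in ({"street": "123 Main St.", "zip": "10001"},
                    {"street": "123 Main St #4", "zip": "10001"},
                    {"street": "456 Main St", "zip": "10001"}):
        print(entered["street"], "strict:", avs_match(entered, on_file, True),
              "lenient:", avs_match(entered, on_file, False))
```

The normalization is deliberately one-directional (everything maps to the short form) so the comparison never depends on which spelling the card issuer happened to store.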

UPDATE (2/21/08): Well, we managed to come up with a less aggressive address verification scheme that resulted in fewer failed membership dues rebills. For a few weeks there I thought we were home free. But then yesterday, the bastards were back with a vengeance…

Previously it appeared we were dealing with one (maybe 2-3 tops) individual credit card thieves, who were manually testing stolen cards with our donation processing system. Yesterday afternoon we were targeted by a far more sophisticated operation. Forensic analysis led to the inescapable conclusion that we were “attacked” by a botnet. This is much more difficult to defend against, since the zombie computers that were performing the test transactions were all over the world and coming from places that we couldn’t just block (e.g. Verizon DSL customers in NJ). They were also ruthlessly efficient. Each “bot” would test roughly one new card every 2-3 seconds. They appeared to have a scarily good database of stolen information, too, since even with address verification and card security code checks, they were successfully charging perhaps 1 of every 10 credit cards. This resulted in perhaps 50 “donations” for $0.25 each within a 20 minute period.

My systems administrator and I immediately fought back. We began monitoring server traffic in real-time. Each time a suspicious computer would start posting rapid-fire donation attempts, we’d block the IP address. Within 2 minutes, however, another bot with a different IP address would take over and resume the assault. It quickly became clear that this was not a fight we could win, at least not this way.

Last night at around 6pm, I took down the online donation page on the Fractured Atlas website. This page has been up and running for 7 years now, so this was a disappointing development. However it was a necessary temporary move while we developed a more sophisticated defense. Fortunately, I was able to put something together that I think will be pretty effective, and the donation page went back up around 8:45pm. On the remote chance that one of the bad guys is reading this, I won’t disclose all the gory details. Suffice it to say that our donation processing system now tracks the frequency of donation attempts in real-time and automatically blocks suspicious IP addresses.

This will almost certainly not be a 100% effective solution, but there’s no such thing as perfect security. The goal is to make it annoying enough to mess with you that the bad guys decide to bother someone else (some easier target) instead. Hopefully we’ve done that.
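Two passages above work from request logs: the weekend review that counted bogus submissions per IP, and the later real-time frequency tracking that blocks a suspicious IP automatically. Here is an added example covering both, written for this post and not the Fractured Atlas code (the author deliberately kept those details private). It parses constructed Apache-style access-log lines (documentation-range IPs), counts donation POSTs per IP, flags any IP that exceeds a threshold inside a sliding window, and, because a botnet that rotates addresses every couple of minutes escapes any per-IP rule, also measures the site-wide submission rate. The path /donate, the thresholds and the log lines are all assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed access-log lines (Apache combined format) standing in for real server logs.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2008:15:01:00 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [20/Feb/2008:15:01:02 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [20/Feb/2008:15:01:05 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [20/Feb/2008:15:01:07 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [20/Feb/2008:15:01:09 -0500] "GET /donate HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2008:15:02:31 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Feb/2008:15:03:10 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Feb/2008:15:03:12 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Feb/2008:15:03:15 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Feb/2008:15:03:17 -0500] "POST /donate HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into (epoch_seconds, ip, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return events


def donation_posts(events, path="/donate"):
    """Keep only requests that actually submit the form (POST to the assumed donation path)."""
    return [e for e in events if e[2] == "POST" and e[3] == path]


def attempts_per_ip(events):
    """After-the-fact view (the weekend log review): submissions per source IP."""
    return Counter(ip for _, ip, *_ in donation_posts(events))


def flag_by_velocity(events, window_s=60, threshold=3):
    """Real-time view: flag an IP as soon as it has more than `threshold`
    submissions inside any `window_s`-second sliding window.
    Returns {ip: epoch_seconds_when_flagged}."""
    recent = defaultdict(deque)      # ip -> submission times still inside the window
    flagged = {}
    for ts, ip, *_ in sorted(donation_posts(events)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def site_wide_velocity(events, window_s=60):
    """Botnet view: a source that changes IP every couple of minutes never trips a
    per-IP rule, so also watch the aggregate rate. Returns the peak number of
    submissions seen in any `window_s` window across all IPs."""
    q = deque()
    peak = 0
    for ts, *_ in sorted(donation_posts(events)):
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per IP:", attempts_per_ip(evts))
    print("flagged:", flag_by_velocity(evts))
    print("peak submissions per minute, all IPs:", site_wide_velocity(evts))
```

Feeding the same parser a live tail of the access log turns the after-the-fact counter into the real-time one; the site-wide rate is what lets a defender notice the rotating-bot case where each individual address stays under the per-IP limit.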

UPDATE (5/5/08): I alternate between hating these jerks and half respecting the challenge they’re throwing at me. The real-time fraud monitoring algorithm worked beautifully for a couple of months. Then in the last few days it started to break down. The bad guys must be using a botnet which uses an actual web browser to perform the bogus transactions (since they’re getting past our cookie and javascript based defenses) and which is able to switch to a new attacking machine every hour or so. They’re definitely not breaking through with the kind of frequency that they once did, but over the weekend about 5 phony donations passed through.

Today we put up a CAPTCHA. Trust me, I find these as annoying as you do, so I really resisted taking this step. Of all the options available to us at this point, however, this is almost surely the least annoying and the least likely to deter or frustrate legitimate donors. As always, I’ll keep you posted.

Truthiness and Consequences

My morning coffee-philanthropy-blog-graze yielded this post on the Donor Power Blog about the furor dusted up when Holden Karnofsky, the head of GiveWell (an online charity evaluator), committed the cardinal sin of posting an “anonymous” question on Metafilter’s boards about how to evaluate charitable orgs, then answering it with a plug of GiveWell’s services. He was ripped a new one for it, even though I’m sure it’s something that goes on more than anyone is aware.

If you maintain a blog or a discussion board, I suppose you can’t police every bogus post (nor would you want to waste your time on it) so the lesson for those who read them is do your own research, even on the organizations that profess to provide research. I don’t discount the hideousness or sad irony of a watchdog organization that preaches transparency while violating its own tenets. And I’m glad to see that the folks at Metafilter are savvy enough to check IP addresses against one another and examine other characteristics like user profiles and posting history, to detect bogus plugs.

My overall feelings about this are mixed: over the years I’ve developed a healthy cynicism about the veracity of anything on the web, and even a more fluid definition of what “truth” itself can mean. It’s still disappointing, though, to realize that the web – a tool with so much potential to empower donors and drive charitable giving – is still a venue for snowjobs and empty self-promotion.

I am curious to hear what others - within the philanthropy community and beyond - think of all this.
