Antifraud System tutorial for carding shops [part 1]

[Cartographer]

Introduction
It all started smiling found an article on the forum about fraud. The guy there was dismantling the Fraud Console from a 2014 video. In answers I saw that information was useful to many and it would be interesting to learn that now to be created in this Fraud system. Without hesitation, I found the site, after looking at the prices... 5000$ / month. A little expensive for me... But, I did not give up, finding a few workarounds, creating a site with registration and sale of music, as well as registering an account on a certain Charles from facebook. I got into the most cherished console... And also got a bunch of interesting PDF manuals.

But, I have the sales on site there is no. How else can you see the functionality, reaction of the fraud, etc. Long digging in the console, I found a tutorial, but training is not something you want to dig. A little more digging, I found so to speak Demo Version, which will add me fake purchases in my console.

I think that information is helpful at least a little to everyone.

All points to consider of course it is unrealistic, because there are a lot of them, but the most useful and interesting we will touch.

The article will be big enough, but patience Is your best friend today.


Panel

Going into our console, the first thing you need to choose in the panel, what we will work with.

Let's analyze all the points.



Viewing scores for

- Selection, fraud points what we will consider, for example: Payment Abuse( payment fraud), Promo Abuse (promo codes), Account Abuse( account fraud), Content Abuse (copyright / content fraud). This console has 4 types of Abuse (fraud checks). Today we will analyze the most interesting: Payment Abuse (Payment Fraud). That is, the fraud score for the payment / purchase of goods. Where do they come from, what does the system check, etc.

Explore

- here we will investigate our customers, who made what purchases, from what account and card. Today we will consider this part of the panel, because it is the most interesting for us.

Review

here you can build a queue (Queues). The queue can be built manually, either by Score (Fraud points), or by mail, or by Time Left (how long ago the order was made, for example: three minutes ago), by Route (route) it is Low-High Priority (Low - High priority / how quickly the user wants to receive the order), or by the payment status (Approve/Monitor/Block/Cancel, etc.), etc.



Automate

- here you can create a rule (script). This item we will analyze in more detail. He's interesting.

For example, if froda points > 60, then make a Cancel User Order (cancel the order). Naturally this is a simple example. Here you can see what decisions our system has made. The script can be configured to work with accounts, and to work with orders (orders) therefore, there is a choice of two tables: orders/accounts.

Here is an example of a more complex rule: if fraud points > 75 and Billing/shipping do not match and the Domain E-Mail = dot.com, then ban the account.

I. e. rule can be utterly any, it can contain together points and camping on D. Naturally have "steep" shops its grains antifrod system. But in fact, it is no different. It also spelled out the rules. Another example: If froda points > 60 and if froda points < 80 and Billing / shipping distance > 1000 km and BIN = 525477, then send the order for human verification.



There are also formulas, they are a filter, so as not to load the system much. If you have 1 000 000 orders a day and each will be checked by hundreds of rules, but do not forget that you do not use anti-fraud alone, and another 1000, and possibly 100 000 other shops. What do you think will happen?

The server of the company (anti-fraud company) would notably dipped and bought your anti-fraud for$ 5000, it began to blunt. Unpleasant situation... Digressed.

The formulas are quite simple, unlike the rules.

Here are examples: If the number of users with exactly the same device > 8, then ban the account. If this user has orders for the last hour > 5, then send his last order for verification. Send for verification-that is, the bot will check the order according to the created rules (scripts).

Thus, we filter orders. To all consecutive not tested on complex rules.

Questionable orders-to check the bot, creating a bunch of accounts-ban all accounts, etc.



Also, I talked about the table, here is the table of solutions bot formulas on orders:



It is of course also customized, you can add a graph, for example, how many users were banned because of orders.

Finally, let's look at the table of decisions of the bot after checking orders on our scripts:



Here you can see what type of fraud the bot checked for, whether or not the order passed, the description and so on.

Incorrect decisions, in our opinion, we can correct or remove altogether.

Back to the panel.

Analyze-here you can see the usual schedule for different events: Transactions/Order Creation/account Creation, etc. Select transactions for the last 30 days and sliders select a more accurate period on the chart. All orders are shown-blue, Bad / Rejected-red.



Developer-connect modules via API to Your website.

Account-account settings.

Explore

Let's move on to the most interesting.

Select risky orders (Risky Orders), then select the filter: Orders where Fraud > 60, we will consider the last week, sort by fraud points in descending order


Now the top shows us the most "dumb" order. Let's choose him and see why the system decided to give him 92 points frod out of 100.



Let's go quickly through the interface:

92-points fraud system.

fairy920 - login in the shop.

[email protected] -mail, as well, if the account is tied to several mails, you can see them all by clicking on the down arrow. Our "client" only has one mail.

Last activity 2 days ago-last activity 2 days ago.

Decision - the decision/conclusion. By clicking on this button, we can make a decision whether to skip or cancel the order



Let's choose, for example, Looks Bad.


On "Overview" Tab"
Top Payment Abuse Signals
- Here at us it is shown that most of all it was not pleasant to system for what it gave points of froda. This point us very strongly interested in, to him we will return later and will analyze his in all paints.



Custom Attributes-this panel is fully configurable by the user account.



For example, I want to see here only the bill / Ip address, delete everything, add the desired attribute and save.



Orders - the orders of our "client". Or rather all orders from the account fairy920.



You can consider each order in detail.



Each order can be either canceled or skipped. By clicking on the already familiar to us with you button.

Locations-Billing/Shipping/IP addresses.



Social Media - social networks. In this fraud system three: Facebook, LinkedIn and Google. You can manually try to find a person by mail. We are given links to this, unless of course the scan did not give results.



Identity - personal data found from orders, settings and other things.



Network tab"

Here we can look at the attributes that we have set that connects the account of our "client" with others.



I disabled all other attributes so that the page does not stretch much and chose, for example, the attribute IP address.

"Activity" Tab?

On this tab, you can see what the "customer" did in the store. And for what actions mostly routinely received frod lens.



Let's not be hasty and immediately reject the order, let's see what the criminal has made our "client". Let's start from the beginning - registration.



Our "client" gets 52 points of fraud for his E-Mail!

But, 52 is fine. This anti-fraud system, different colors represent different risks.

With flowers we will meet a little later, so remember them:

Gray is fine.

Yellow-Risky (Risky).

Red is a Very Risky (the Big risk).

Red - Extreme Risk (Extreme risk).

What's not to like in the mail? First, the domain itself. I have it blocked by ad-block. So open through Tor, get the next page



And even clicking on "Click here" produces 404. Of course, you can say, I randomized clients for the demo, so they have strange such mail. I do not think, because customers with good fraud have good mail, with domains. For example, here is one of the domains: darkwizard.com. Once even got caught domain yandex.com -on which, by the way, the anti-fraud system also swore. And this domain is marked in red.

In any case, even if the information is randomized, we will analyze what is.

That is the first reason-a strange domain.

The second reason - on this mail did not find any user in social networks.

The account it creates for a few seconds and not a minute pass!

Next ,the "client" gets to the page " Create an Account!"and closes our website. Nothing interesting, we go further.

Further ,the "client" gives the account 2 weeks to rest.



Goes on account 3 March in 10 hours morning. And also for a few hours fills Billing Address.

And know why he made pause in 2 weeks? Why didn't you fill it out? It's simple, this billing has one account before it was created, and in the same month! As well as its IP/Billing distance of 1,400 km. It's not an extreme risk, of course, but red (Very risky). And of course, for such he immediately gets 87 points anti-fraud system and is marked in red!At this stage, the account can be thrown out. For less 87 key froda he now not gets.But, our "client" is clearly not one of these.) We go further.

The "client" gives a week's rest.



After is beginning to thrash shop, that there is forces. And for 1 minute has time to make 4 orders and pay for them.

It is unclear why he was put in a billing address in the past week, then if it changed in each order. Points froda download for everywhere different billing and spike, and accordingly different Billing/Shipping Address Distance. Somewhere closer, somewhere further. And in 4 orders 8 different addresses. Interesting...



Before the first payment, he goes to the product description, for which he praises frod and reduces his points to 87. Then he makes two more payments. Fraud here is a little more, because even in the description was too lazy to go. Before the latter once again goes into the description, for which he does not receive additional points, they are as they were, this order, and remained. Plus, we are immediately notified of Extreme Risk, because in addition to everything, he also drove each order from different cards.



After the transaction, he updates each page checkout goes again to see the product description, but it will not help him and closes all tabs. We will finish with this tab.

If you specify mail with a corporate domain, it is easier, I think, to make your working site and fill it at a minimum. So he definitely was not in blacklist'e antipode. An example of the site was given above. Naturally, if these corporate mails will be chargebacks and there will be a lot of them, then the domain should be changed.

Top Payment Abuse Signals

Let's go back and now analyze the 55 main points (attributes) of payment verification. In Top Payment Abuse Signals, only 55 attributes are shown for everyone. But, do not forget, each account has its own custom panel, which he can customize for himself. And add at least all the attributes. This system has 181 attributes to check, but it is difficult to disassemble all the attributes at once. We will try to analyze them in the next article.


The icon "planet Earth" - means that the value of this attribute is in the blacklist.

Color exclamation mark mean rank of the risk. If there is no exclamation mark, the risk is neutral. That is, it does not give frod points.

By clicking on a specific attribute, we can see which accounts have the same attribute. Also description of attribute, on description of attribute I will to do read more.

Some attributes can only differ by time: last hour/day / month.

(?)- requires additions/clarifications.



Now all attributes, in order:

Email similarity to the billing name From 0 to 1. (from 0% to 100%) As far as the E-Mail address (without domain and digits) matches the billing name.

Unique billing last 4 (past hour)-number of different last 4 digits CC for the last hour. Our "client" beat with 4 different credit cards, that's the value of 4. That is, in fact, it is the number of different credit cards entered by the user in the last hour. That is, if you pay for four orders with one credit card, the value will be 1.

Unique billing addresses (past month) - number of different billing addresses. As you remember, in the beginning, our "client" for some reason drove the billing address, which he never used. So their 5.

Email domain - domain of the mail. (what comes after "@")

Number of users with the same shipping address - number of different users who use the shipping address as our "customer".

Estimated email address age-Estimated age of the "client"mail. Perhaps it is calculated by dictionaries or mail databases. For example, now the mail: [email protected] - is unlikely to be registered, it is likely ancient. But [email protected] to register easily.

Payment method card bin-BIN card. In this case, it is a Chinese bean, so it is in the "blacklist".

Unique billing BINs (past month)-number of different BINS on this account for the last month.

User location-Location of the "client" by IP.

Browser/OS System and a browser.



Host providing this user's email service-Host providing services for the "client"mail domain.

Shipping / billing address distance - Distance between bill and ship addresses.

Changes in payment methods in the last day - number of changed payment methods for the last day.

The IP organization - Attached to the IP Internet provider.

Network - the IP network.

Payment method payment gateway - payment Method.

Unique billing postal codes (past month)-number of unique billing postal codes for the last month.

Account age - account Age.

Unique billing BINs (past day) - the Number of different BINS for the last day.

Unique billing postal codes (past hour)-number of unique billing postal codes for the last hour.



Shipping address country - the country of receipt of the package.

Purchase amount in USD - the cost of the order in USD.

Number of users with the same billing address - number of different users who use the same billing address. 59 users use the same bill [Number of different users that share this billing address] (?)

Time since previous transaction - Time between the last transaction events.

Shipping name length - the number of characters in the recipient's name.

Unique billing addresses (past day) - number of different billing addresses for the last day.

Unique Billing Names (past month) - number of different billing names for the last month.

Timezone offset-the Difference between UTC time and "client" time, in minutes, is recognized through the browser.

Number of digits in the shipping address - number of digits in the shipping address.

IP address-IP from which the "client" came.



Unique billing names (past hour) - number of different billing names for the last day.

Mx records from email domain count - the number of MX Records on the email domain.

Credit Card BIN And Last4 - BIN and last 4 digits of CC.

Unique billing BINs (past hour) - number of different BINS on this account for the last hour.

Number of digits in the billing address - number of digits in the billing address.

Digit-Normalized email address - a lowercase email Address that replaces digits with a "# " sign.

API event without page view-the user received a" non-transaction " API event. But bypassed / not has passed Javascript antifroda.

Signup to transaction time - number of days between transaction and registration.

Browser fingerprint - unique identifier of the browser.



Unique Shipping Add in Orders (Month) - number of unique shipping addresses for the last month.

Billing last name in email-whether the last word of the billing address name is Displayed in the email address.

Latest name - the Last name.

Billing address is reshipper-whether the billing address is a known forwarding/forwarding address.

IP / credit card country match-Match countries IP/CC.

Shipping name fraction vowels - Which part of the characters in the name of the shipping address are vowels.

Transaction billing last 4-the Last 4 digits of the billing transaction.

IP connection type- [Connection of the IP block the user connected from](?)

Device fingerprint - a Unique fingerprint of the device from which the user connected.

Unique Billing Names in Orders (Month)- number of unique billing names in the last month.



Latest changed password - last changed password/whether the password was changed.

Ratio of digits to address length - the ratio of digits to all characters of the shipping address.



Everything written in this article, just my guesses, on the tips and different anti-fraud directories, I do not work in such systems, so if somewhere anything is wrong or does not converge, correct me, I will edit. When writing this article, my main profession helped me-a programmer. Special thanks to her.

What will be in the second part?

We will analyze, as well as today, the behavior of the user and his attributes with a lower rating antifroda (50~60).

Perhaps, sooner or later, I will write an article where I will sort all the attributes into categories and all these 181 attributes will paint.

Depending on whether you like this article, I will decide whether to write a sequel or not.

Thanks to everyone who read to the end

[kufei007]

like it

[iSmokedutchies]

Good stuff

[c0mrade1]

good work bro