#1 05-25-2020, 03:50 PM
London1826
Join Date: Aug 2019
Posts: 72

Payment fraud / anti-fraud shops (inside view) Part #1.

Introduction

It all started simply, I found an article on the forum about fraud. The guy there was disassembling the Fraud Console from a 2014 video. In the responses, I saw that many people found the information useful and would be interested to know what is going on in this Fraud system. Without thinking, I found the site, then looked at the prices... 5000$ / month. Too expensive for me... But I didn't give up, finding a few workarounds, creating a site with registration and sales of music, and registering an account for a certain Charles from facebook. I got into the most cherished console... And also got a lot of interesting PDF manuals.

But, I have no sales on the site. How else can I see the functionality, the reaction of fraud, etc. After a little digging in the console, I found a tutorial, but the tutorial is not something I want to dig for myself. After a little more searching, I found a Demo Version that will add fake purchases to my console.

I think the information will be useful at least a little bit for everyone.

Of course, it is impossible to consider all the points, because there are a lot of them, but we will touch on the most useful and interesting.

The article will be quite large, but patience is Your best friend today. = )

Panel

When you go to our console, the first thing you need to do is select what we will work with in the panel.

Let's look at all the points.



Viewing scores for

- Selection, fraud points which we will consider, for example: Payment Abuse (payment fraud), Promo Abuse (promo codes), Account Abuse (account fraud), Content Abuse (copyright/content fraud). This console has 4 types of Abuse (fraud checks). Today we will analyze the most interesting: Payment Abuse (Payment Fraud). That is, fraud points for payment / purchase of the product. Where they come from, what the system checks, and so on.

Explore

- here we will investigate our customers, who made what purchases, from what account and card. Today we will consider this part of the panel, because it is the most interesting for us.

Review

- Here you can build a queue (Queues). You can queue manually, either by Score (fraud points), or by mail, or by Time Left (how long ago the order was made, for example: three minutes ago), or by Route, which can be Low-High Priority (how fast the user wants to get the order), or by payment status (Approve/Monitor/Block/Cancel, etc.), etc.



Automate

- here you can create a rule (script). This item will be discussed in more detail. It's interesting.

For example, if the fraud score is > 60, then cancel the User Order. Naturally this is a simple example. Here you can see what solutions our system has made. The script can be configured both to work with accounts and to work with orders (orders), so there is a choice of two tables: orders/accounts.

Here is an example of a more complex rule: If fraud points > 75 and Billing/shipping do not match, and the e-Mail Domain = dot.com, then ban the account.

That is, a rule can be absolutely anything, it can contain a bunch of items, and so on. Naturally, "cool" shops have their own anti-fraud system. But in fact, it is no different. It also spelled out the rules. Another example: If fraud points > 60 and if fraud points < 80 and Billing / shipping distance > 1000 km and BIN = 525477, then send the order for human verification.



There are also formulas, they are a filter, so as not to load the system too much. If you have 1,000,000 orders a day and each will be checked by hundreds of rules, but do not forget that you are not the only one who uses anti-fraud, but another 1,000, and possibly 100,000 other shops. What do you think will happen?

The company's servers (anti-fraud companies) would have sagged significantly and your purchased anti-fraud for $ 5000 would have started to blunt. Unpleasant situation... Digressed.

The formulas are quite simple, unlike the rules.

Here are some examples: if the number of users with the same device is > 8, then ban the account. If this user has orders for the past hour > 5, then send their last order for verification. Send for verification - that is, the bot will check the order according to the created rules (scripts).

This way, we filter orders. So that everything in a row is not checked by complex rules.

Questionable orders - to check the bot, create a bunch of accounts-ban all accounts, etc.



Also, I was talking about tables; this is what the table of bot decisions for formulas for orders looks like:



It is naturally also customized, you can add a graph, for example, how many users were banned because of orders.

Finally, let's look at the table of bot decisions after checking orders using our scripts:



Here you can see what type of fraud the bot checked for, whether the order passed or failed, the description, and so on.

In our opinion, we can correct or delete incorrect decisions.

Back to the panel.

Analyze - here you can view the usual graph for different events: Transactions/Creation Of Orders/Creating accounts, etc. Select transactions for the last 30 days and use the sliders to select a more accurate period on the chart. All orders are shown - blue, Bad/Rejected - red.



Developer - connecting modules via the API to Your site.

Account - account settings.

Explore

Let's get to the most interesting part.

Select risky orders, then select the filter: Orders with Fraud > 60, consider the past week, sort by fraud points in descending order



Now at the top we are shown the most "weird" order. Let's select it and see why the system decided to give it 92 points of fraud out of 100.



Let's quickly go through the interface:

92 - fraud system points.

fairy920 - login in the shop.

[email protected] - mail, also, if you have several emails linked to your account, you can see them all by clicking on the down arrow. Our "client" only has one email address.

Last activity 2 days ago - last activity 2 days ago.

Decision - the decision/conclusion. By clicking this button, we can make a decision, skip or cancel the order



Let's choose, for example, Looks Bad.



"Overview" Tab
Top Payment Abuse Signals

- Here we show what the system didn't like the most, for which it gave fraud points. This point interests us very much, we will return to it later and analyze it in all its colors.



Custom Attributes - this panel is fully configured by the user of the account.



For example, I want to see only the bill/Ip distance here, delete everything, add the necessary attribute and save it.



Orders - orders of our "client". Or rather, all orders from the fairy920 account.



You can review each order in more detail.



Each order can be either canceled or skipped. By clicking on the button that we already know.

Locations - Billing/Shipping/IP addresses.



Social Media - social networks. There are three fraud systems in this system: Facebook, LinkedIn, and Google. You can manually try to find a person by mail. We are given links to this, if of course the scan did not give results.



Identity - personal data found from orders, settings, etc.



Network Tab

Here we can see what links our "client" account to others based on the attributes we set.



I disabled all other attributes so that the page is not stretched too much and chose, for example, the IP address attribute.

Activity Tab

On this tab, you can see what actions the "customer" did in the store. And for what actions mostly received fraud points.



Let's not rush and immediately reject the order, let's see what our "client" did that was criminal. Let's start from the beginning - registration.



Our "client" gets 52 points of fraud for their E-Mail!

But, 52 is normal. This anti-fraud system has different colors that indicate different risks.

We will meet with the colors a little later, so remember them:

Gray - normal.

Yellow - Risky.

Red - Very Risky (High risk).


Red - Extreme Risk.

What didn't you like about the post? First, the domain itself. I have it blocked by ad-block. So I open it via Tor and get the next page



And even clicking on "Click here" produces 404. Of course, you can say that I have randomized clients for the demo, so they have strange emails like this. I don't think so, because clients with good fraud have good mail with domains. For example, here is one of the domains: darkwizard.com. I even got a domain once yandex.com - which, by the way, the anti-fraud system also swore at. And this domain is marked in red.

In any case, even if the information is randomized, we will analyze what we have.

That is the first reason - a strange domain.

The second reason is that this email did not find any users in social networks.

He also creates an account within a few seconds and a minute does not pass!

Then the "client" goes to the "Create an Account!" page and closes our site. Nothing interesting, we go on.

Next, the "client" allows the account to rest for 2 weeks.



Goes to the account on March 3 at 10 am. It also fills in the Billing Address in a few hours.

Do you know why he took a break for 2 weeks? Why didn't you fill it out right away? Everything is simple, this billing account has already been created before, and in the same month! As well as its IP/Billing distance of 1,400 km. This is not an extreme risk, of course, but red (Very risky). And of course for this he immediately gets 87 anti-fraud points and is marked red! At this stage, the account can be discarded. For less than 87 points of fraud, he now will not get. But our "client" is clearly not one of them.) We go further.

"Client" gives a week's rest.



After begins to beat the shop, that there are forces. And it takes 1 minute to make 4 orders and pay for them.

It is unclear why he put up a billing address last week, if then he changed it in every order. Fraud points download because everywhere different billing and spike, and accordingly different Billing/Shipping Address Distance. Somewhere closer, somewhere further. And there are 8 different addresses in 4 orders. Interesting...



Before the first payment, he goes to the product description, for which he praises the fraud and reduces his points to 87. Then he makes two more payments. Fraud here already more, for even in the description was too lazy to go. Before the last one, he goes to the description again, for which he does not get additional points, as they were 90 for this order, and they remain. Plus, we are immediately notified of Extreme Risk, because in addition to everything, he also drove each order from different cards.



After transactions, it updates each page of checkout, goes to see the product description again, but this will not help it any more and closes all tabs. This is the end of this tab.

If you specify an email address with a corporate domain, it is easier, I think, to make your working site and fill it in at a minimum. So that it doesn't end up in the anti-fraud blacklist for sure. The site example was given above. Naturally, if these corporate emails will be chargebacks and there will be a lot of them, then the domain should be changed.

Top Payment Abuse Signals


Let's go back and now analyze the 55 main points (attributes) of payment verification. In Top Payment Abuse Signals, only 55 attributes are shown for everyone. But don't forget, each account has its own custom panel, which it can customize for itself. And add at least all the attributes to it. This system has 181 attributes to check, but it is difficult to parse all the attributes at once. We will try to analyze them in the next article.



"planet Earth" Icon - indicates that the value of this attribute is in the blacklist.

Colors of the exclamation mark - indicate the risk rank. If there is no exclamation mark, the risk is neutral. That is, it does not give fraud points.

By clicking on a specific attribute, we can see which accounts have the same attribute. Also a description of the attribute. I will use the attribute description to translate it.

Some attributes may differ only in time: for the last hour/day/month.

(?)- requires additions/explanations.



Now all the attributes, in order:

Email similarity to billing name - from 0 to 1. (from 0% to 100%) As far as the E-Mail address (without domain and digits) matches the billing name.

Unique billing last 4 (past hour) - the number of different last 4 digits of CC for the last hour. Our "client" beat with 4 different credit cards, that's the value of 4. That is, in fact, this is the number of different credit cards entered by the user in the last hour. That is, if you pay for four orders with one credit card, the value is equal to 1.

Unique billing addresses (past month) - number of different billing addresses. As you remember, in the beginning, our "client" for some reason entered the billing address, which he never used. So there are 5 of them.

Email domain - mail domain (what comes after "@").

Number of users with the same shipping address - the number of different users who use the delivery address as our "client".

Estimated email address age - the approximate age of the "client" mail. It may be calculated from dictionaries or mail databases. For example, now email: [email protected] - it is unlikely to register, it is most likely ancient. But [email protected] registration is easy.

Payment method card bin - the card's BIN. In this case, it is a Chinese bin, so it is in the "blacklist".

Unique billing BINs (past month) - the number of different BINs on this account over the past month.

User location - Location of the "client" by IP.

Browser/OS - System and browser.



Host providing this user's email service - Host providing services for the "client" mail domain.

Shipping/billing address distance - Distance between bill and ship addresses.

Changes in payment methods in the last day - the number of changed payment methods for the last day.

IP organization - IP-Linked Internet provider.

Network - IP network.

Payment method payment gateway - payment method.

Unique billing postal codes (past month) - number of unique billing postal codes for the last month.

Account age - account age.

Unique billing BINs (past day) - the number of different BINs for the last day.

Unique billing postal codes (past hour) - number of unique billing postal codes for the last hour.



Shipping address country - country of receipt of the package.

Purchase amount in USD - order cost in USD.

Number of users with the same billing address - number of different users who use the same billing address. 59 users use the same bill [Number of different users that share this billing address](?)

Time since previous transaction - Time between the last transaction events.

Shipping name length - the number of characters in the recipient's name.

Unique billing addresses (past day) - number of different billing addresses for the last day.

Unique Billing Names (past month) - number of different billing names for the last month.

Timezone offset - The difference between UTC time and the "client" time, in minutes, is found out through the browser.

Number of digits in the shipping address - number of digits in the shipping address.

IP address - the IP from which the "client" came in.



Unique billing names (past hour) - number of different billing names for the last day.

Mx records from email domain count - the number of MX records on the email domain.

Credit Card BIN And Last4 - BIN and the last 4 digits of CC.

Unique billing BINs (past hour) - the number of different BINs on this account for the last hour.

Number of digits in the billing address - number of digits in the billing address.

Digit-Normalized email address - lowercase email address that replaces digits with the "#" sign.

API event without page view - the user received a "non-transaction" API event. But the anti-fraud JavaScript was bypassed/failed.

Signup to transaction time - number of days between the transaction and registration.

Browser fingerprint - the unique ID of the browser.



Unique Shipping Add in Orders (Month) - number of unique shipping addresses for the last month.

Billing last name in email - whether the last word of the billing address name is displayed in the email address.

Latest name - last name.

Billing address is reshipper - whether the billing address is a known forwarding/intermediary address.

IP/credit card country match - country match IP / CC.

Shipping name fraction vowels - which part of the characters in the shipping address name are vowels.

Transaction billing last 4 - the last 4 digits of the billing transaction.

IP connection type - [Connection of the IP block the user connected from](?)

Device fingerprint - the unique fingerprint of the device that the user connected from.

Unique Billing Names in Orders (Month) - number of unique billing names for the last month.



Latest changed password - Last changed password/whether the password was changed.

Ratio of digits to address length - the ratio of digits to all characters of the shipping address.



Everything written in this article is just my guess, based on hints and various anti-fraud directories, I do not work in such systems, so if something is wrong or does not converge, correct me, I will edit it. When writing this article, my main profession - a programmer - helped me. Special thanks to her.)

What will happen in the second part?

We will analyze the user's behavior and attributes with a lower anti-fraud rating (50~60), just like today.

Perhaps, sooner or later, I will write an article where I will sort all the attributes by category and write all of these 181 attributes.

Depending on whether you like this article, I will decide whether to write a sequel or not.

Thank you to everyone who read to the end
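For readers on the merchant side, the two-stage screening the post describes (cheap "formulas" as a pre-filter, then scripted rules) can be modelled as below. This is an added example, not part of the original post and not the vendor's code: the thresholds, the `dot.com` domain and BIN 525477 come from the post, while the class and function names, the first-match rule ordering and the sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    score: int              # fraud score, 0-100
    email_domain: str
    card_bin: str
    bill_ship_match: bool   # billing and shipping address identical
    bill_ship_km: float     # billing/shipping distance
    users_on_device: int    # accounts seen with the same device
    orders_past_hour: int   # orders by this user in the last hour

def apply_formulas(o):
    """Stage 1: cheap counters. Returns an action, or None if nothing is flagged."""
    if o.users_on_device > 8:
        return "ban_account"
    if o.orders_past_hour > 5:
        return "verify"      # hand the order to the rule stage
    return None

# Stage 2: ordered rules, first match wins (the ordering is an assumption).
RULES = [
    ("ban_account", lambda o: o.score > 75 and not o.bill_ship_match
                              and o.email_domain == "dot.com"),
    ("manual_review", lambda o: 60 < o.score < 80 and o.bill_ship_km > 1000
                                and o.card_bin == "525477"),
    ("cancel_order", lambda o: o.score > 60),
]

def apply_rules(o):
    for action, predicate in RULES:
        if predicate(o):
            return action
    return "approve"

def screen(o):
    """Return (action, stage that made the decision)."""
    flagged = apply_formulas(o)
    if flagged is None:
        return ("approve", "formula")
    if flagged == "verify":
        return (apply_rules(o), "rules")
    return (flagged, "formula")

# Constructed sample orders (not real data).
SAMPLE = [
    Order("A", 12, "example.com", "411111", True, 0, 1, 1),
    Order("B", 40, "example.com", "411111", True, 0, 9, 1),
    Order("C", 70, "example.com", "525477", False, 1400, 1, 6),
    Order("D", 90, "dot.com", "411111", False, 300, 1, 6),
    Order("E", 65, "example.com", "411111", True, 5, 1, 6),
    Order("F", 30, "example.com", "411111", True, 5, 1, 7),
]

def screen_batch(orders):
    """Screen all orders; also count how many reached the expensive rule stage."""
    decisions = {o.order_id: screen(o) for o in orders}
    rule_runs = sum(1 for _, stage in decisions.values() if stage == "rules")
    return decisions, rule_runs

if __name__ == "__main__":
    results, runs = screen_batch(SAMPLE)
    for oid, decision in results.items():
        print(oid, decision)
    print("orders that reached the rule stage:", runs, "of", len(SAMPLE))
```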
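Several attributes from the list in the post are plain string and counting features that a merchant can compute from order data. The following is an added example, not part of the original post and not the vendor's implementation: function names are hypothetical, `difflib.SequenceMatcher` stands in for the unspecified similarity measure, the vowel fraction is taken over letters only, and the e-mail address, names, address and card events are constructed.

```python
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher

def _letters(text):
    """Lowercase and keep a-z only (drops digits, dots, spaces)."""
    return re.sub(r"[^a-z]", "", text.lower())

def digit_normalized_email(email):
    """Lowercase the address and replace every digit with '#'."""
    return re.sub(r"[0-9]", "#", email.lower())

def email_similarity_to_billing_name(email, billing_name):
    """0..1 similarity of the local part (no domain, no digits) to the name."""
    local, name = _letters(email.split("@", 1)[0]), _letters(billing_name)
    if not local or not name:
        return 0.0
    return SequenceMatcher(None, local, name).ratio()

def billing_last_name_in_email(email, billing_name):
    """True if the last word of the billing name occurs in the local part."""
    words = billing_name.split()
    last = _letters(words[-1]) if words else ""
    return bool(last) and last in _letters(email.split("@", 1)[0])

def vowel_fraction(name):
    """Share of letters in the name that are vowels (letters only: assumption)."""
    letters = _letters(name)
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def digit_ratio(address):
    """Ratio of digits to all characters of the address."""
    return sum(c.isdigit() for c in address) / len(address) if address else 0.0

def unique_in_window(events, now, window):
    """Distinct values among (timestamp, value) events inside the window."""
    return len({value for ts, value in events if now - window <= ts <= now})

# Constructed card events: one old payment, then four cards within a minute.
T0 = datetime(2020, 3, 10, 12, 0, 0)
CARD_EVENTS = [
    (T0 - timedelta(hours=2), "0001"),
    (T0, "1111"),
    (T0 + timedelta(seconds=15), "2222"),
    (T0 + timedelta(seconds=30), "3333"),
    (T0 + timedelta(seconds=45), "4444"),
]

def profile(email, billing_name, ship_name, ship_address, card_events, now):
    """Collect the features for one order into a dict."""
    return {
        "digit_normalized_email": digit_normalized_email(email),
        "email_similarity_to_billing_name":
            email_similarity_to_billing_name(email, billing_name),
        "billing_last_name_in_email":
            billing_last_name_in_email(email, billing_name),
        "shipping_name_fraction_vowels": vowel_fraction(ship_name),
        "ratio_of_digits_to_address_length": digit_ratio(ship_address),
        "unique_billing_last4_past_hour":
            unique_in_window(card_events, now, timedelta(hours=1)),
    }

if __name__ == "__main__":
    print(profile("fairy920@example.com", "Dana Kowalski", "Bob Lee",
                  "1234 Elm", CARD_EVENTS, T0 + timedelta(minutes=1)))
```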
#2 01-18-2021, 09:18 AM
jamesbolin
Join Date: Mar 2015
Posts: 12

NICE TUT
#3 01-24-2021, 10:05 AM
Z00mer
Join Date: Nov 2019
Posts: 6

useful thanks
#4 02-08-2021, 08:35 AM
biwin79462
Join Date: Jan 2021
Posts: 5

thanks
#5 02-04-2022, 08:30 PM
London1826
Join Date: Aug 2019
Posts: 72

thanks useful