How do anti-fraud systems calculate the risk score of a transaction?

Mutt

Carding is a type of fraud in which criminals use stolen credit or debit card data to make unauthorized transactions. Anti-fraud systems such as Stripe Radar and Adyen play a key role in preventing carding by analyzing transactions in real time and identifying suspicious activity. For educational purposes, I will go into detail about how such systems calculate the risk score of a transaction, with an emphasis on combating carding. The description includes key signals (GeoIP, Device Fingerprinting, user behavior, transaction history), machine learning (ML) mechanisms, data processing steps, and examples specific to carding. I will also explain how fraudsters try to bypass these systems and how anti-fraud systems adapt to such attempts.

1. Carding context

Carding involves using stolen card data (number, expiration date, CVV, owner's name) to make online purchases, withdraw cash or transfer funds. The main carding schemes are:
  • Direct carding: Purchasing goods or services with the stolen data.
  • Card testing: Making small transactions to check whether a card is still live before attempting larger purchases.
  • Chargeback fraud: The buyer purchases items and then disputes the charge as unauthorized ("friendly" or first-party fraud); the merchant loses both the goods and the payment.
  • Triangulation: Running a fake storefront that takes real customers' orders and card data, fulfilling those orders from a legitimate merchant with stolen cards, and using the harvested card data for further carding.

Anti-fraud systems such as Stripe Radar and Adyen are designed to detect such schemes by analyzing multiple signals and assigning a risk score to transactions.

2. Key signals to identify carding

Anti-fraud systems collect data from multiple sources to create a transaction profile and assess its risk. In the context of carding, special attention is paid to anomalies that indicate unauthorized use of the card. Let's look at the key signals:

GeoIP (geolocation by IP address)

  • What is analyzed:
    • The device's IP address is matched to its geographic location via GeoIP databases (e.g. MaxMind, IP2Location).
    • The IP location is checked to ensure it matches the region of the card issuer (country, city).
    • The use of anonymizers, VPN, proxy or Tor, which are often used by carders to hide their real location, is revealed.
    • The distance and time between transactions are analyzed: for example, it is physically impossible to make a transaction in Moscow and then 10 minutes later in New York.
  • Application in carding:
    • If the card was issued in Russia and the transaction comes from an IP in Nigeria (a country many merchants treat as high-risk for carding), the risk score rises sharply.
    • Using a VPN or proxy (for example, an IP belonging to a hosting provider's data center rather than a residential ISP) adds to the risk.
    • Example: A carder tries to buy electronics from a Thai IP with a US-issued card. The anti-fraud system detects the geographic mismatch and raises the risk score by 20-30% (an illustrative figure; a real model learns the contribution of each signal rather than adding a fixed percentage).
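The GeoIP checks listed above, written out as an added example (this is not code from the post, from Stripe or from Adyen). The lookup table stands in for a MaxMind-style GeoIP/ASN database and is constructed from RFC 5737 documentation prefixes with illustrative coordinates; the issuer country is assumed to come from a BIN lookup the merchant already performs, and the 1000 km/h impossible-travel threshold is an assumption. Timestamps are epoch seconds of the previous and current transaction on the same card.

```python
import ipaddress
import math
from typing import Optional

# Constructed GeoIP/ASN lookup table standing in for a MaxMind-style database.
# Prefixes are documentation ranges (RFC 5737); coordinates and labels are illustrative.
GEO_DB = {
    "203.0.113.0/24":  {"country": "US", "lat": 40.7128, "lon": -74.0060, "kind": "residential"},
    "198.51.100.0/24": {"country": "TH", "lat": 13.7563, "lon": 100.5018, "kind": "residential"},
    "192.0.2.0/24":    {"country": "RU", "lat": 55.7558, "lon": 37.6173,  "kind": "datacenter"},
}

# Assumed threshold: anything faster than this between two transactions is impossible travel
# (a commercial flight including airport time stays well under it).
MAX_PLAUSIBLE_KMH = 1000.0


def lookup_ip(ip: str) -> Optional[dict]:
    """Return the GEO_DB record covering ip, or None if the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    for prefix, info in GEO_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geoip_signals(ip: str, issuer_country: str,
                  prev_ip: Optional[str] = None, prev_ts: Optional[float] = None,
                  now_ts: Optional[float] = None) -> dict:
    """Derive the GeoIP features for one transaction: country mismatch against the
    issuer country (assumed to come from a BIN lookup), data-center/VPN exit, and
    impossible travel relative to the card's previous transaction."""
    signals = {"country_mismatch": False, "datacenter_ip": False,
               "impossible_travel": False, "speed_kmh": 0.0, "unknown_ip": False}
    info = lookup_ip(ip)
    if info is None:
        signals["unknown_ip"] = True   # no location: a weak anomaly, not a block on its own
        return signals
    signals["country_mismatch"] = info["country"] != issuer_country
    signals["datacenter_ip"] = info["kind"] != "residential"  # hosting/VPN exit, not an ISP
    prev = lookup_ip(prev_ip) if prev_ip else None
    if prev is not None and prev_ts is not None and now_ts is not None:
        km = haversine_km(prev["lat"], prev["lon"], info["lat"], info["lon"])
        hours = (now_ts - prev_ts) / 3600.0
        # Two transactions at the same instant from distant places are impossible too.
        speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
        signals["speed_kmh"] = round(speed, 1)
        signals["impossible_travel"] = speed > MAX_PLAUSIBLE_KMH
    return signals


if __name__ == "__main__":
    # Russian-issued card: purchase from a Moscow data-center IP, then ten minutes later from New York.
    print(geoip_signals("203.0.113.9", "RU", prev_ip="192.0.2.5", prev_ts=0.0, now_ts=600.0))
    # US-issued card used from a Thai residential IP with no prior transaction on record.
    print(geoip_signals("198.51.100.7", "US"))
```

The Moscow-to-New-York pair comes out at roughly 45,000 km/h, far beyond the threshold, so the velocity check fires even though each IP on its own looks ordinary; the distance check is what catches account takeover when the carder's IP happens to match the issuer country.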

Device Fingerprinting

  • What is analyzed:
    • Unique device characteristics: operating system (Windows, macOS, Linux), browser version, screen resolution, installed plugins, fonts, time zone settings.
    • Advanced techniques such as Canvas Fingerprinting (rendering graphics to create a unique identifier) and WebGL Fingerprinting are used.
    • Traces of anti-detect browsers (for example, FraudFox or MultiLogin), which carders use to spoof device characteristics, are checked for.
  • Application in carding:
    • Carders often use one device to test many cards. If transactions with different cards are sent from one device within a short period, this points to carding.
    • A new device that is not linked to the account history increases the risk score.
    • Example: A carder uses a virtual machine with a spoofed fingerprint to make a purchase. The anti-fraud system notices that the fingerprint is internally inconsistent (for example, a Windows user agent reporting a macOS font set, or a WebGL renderer string that does not match the claimed hardware) and raises the risk by 15-25%.

User behavior

  • What is analyzed:
    • Patterns of interaction with the interface: speed of entering card data, cursor movement, number of clicks, time to fill out a form.
    • Transaction frequency and pattern: For example, a series of small transactions (card testing) or a large purchase in an unusual category.
    • Behavioural anomalies: for example, purchasing at night when the user is usually active during the day.
  • Application in carding:
    • Carders often use automated scripts (bots) to enter card data in bulk. Anti-fraud systems detect such activity by its non-human characteristics: data entered faster than a person can type, or no natural cursor movement at all.
    • If a user suddenly changes the category of purchases (for example, from groceries to expensive electronics), this is considered suspicious.
    • Example: A carder enters card data in 2 seconds (inhuman speed) and tries to buy an iPhone. The system detects the anomaly and adds 10-20% to the risk score.

Transaction History

  • What is analyzed:
    • History of transactions on a card or account: average amount, frequency, purchase categories, geographic distribution.
    • Checks if there have been any previous declined transactions or chargebacks on this card.
    • The current transaction is compared with the typical behavior of the cardholder.
  • Application in carding:
    • Carders often test stolen cards through small transactions (for example, $1-2). Anti-fraud systems record a series of such transactions as suspicious.
    • If the card was previously used in one region and category (for example, grocery stores in Moscow), and now jewelry is being purchased in another country, the risk score increases.
    • Example: A card normally used to pay for $5 subscriptions is suddenly used to buy a $1000 laptop. This adds 20-30% to the risk.

Additional signals

  • Card details: Cardholder name, shipping address and billing address are checked for consistency; the issuer's Address Verification Service (AVS) response for the billing address is one of the inputs. Discrepancies (e.g. shipping to a different city than the billing address) increase risk.
  • Transaction velocity: Carders often make many attempts in a short period (card testing). The system registers this as an anomaly.
  • External databases: Lists of compromised cards, fraudulent IP addresses or devices provided by third parties (e.g. the card networks Visa and Mastercard, or threat-intelligence feeds that monitor carder forums).
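The velocity signals from the Device Fingerprinting, Transaction History and Additional signals subsections (many cards from one device, a run of $1-2 attempts, repeated declines on one card, and the tested card returning later for a large purchase) as one sliding-window monitor. This is an added example, not code from the post or from any vendor; the event stream is constructed, card tokens stand for an HMAC of the PAN, and the window size and thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed event stream standing in for a merchant's authorization log.
# Fields: (epoch seconds, device fingerprint id, card token, amount in USD, issuer outcome).
# Card tokens stand for an HMAC of the PAN; a real pipeline never keys on the raw number.
EVENTS = [
    (0,    "dev-A", "card-1", 1.00,   "declined"),
    (20,   "dev-A", "card-2", 1.50,   "declined"),
    (30,   "dev-A", "card-1", 1.00,   "declined"),   # retry on the same card
    (45,   "dev-A", "card-3", 1.00,   "approved"),   # a live card found
    (70,   "dev-A", "card-4", 2.00,   "declined"),
    (95,   "dev-A", "card-5", 1.00,   "approved"),
    (3600, "dev-B", "card-9", 42.00,  "approved"),   # unrelated legitimate purchase
    (7200, "dev-A", "card-3", 800.00, "approved"),   # tested card comes back for a real purchase
]


class VelocityMonitor:
    """Sliding-window counters keyed by device fingerprint and by card token.
    Window and thresholds are assumed values for illustration."""

    def __init__(self, window_s=86400, small_amount=5.0,
                 max_cards_per_device=3, max_small_attempts=3, max_declines=2):
        self.window_s = window_s
        self.small_amount = small_amount
        self.max_cards_per_device = max_cards_per_device
        self.max_small_attempts = max_small_attempts
        self.max_declines = max_declines
        self.by_device = defaultdict(deque)   # device -> deque of (ts, card, amount)
        self.by_card = defaultdict(deque)     # card   -> deque of (ts, outcome)
        self.tested_cards = set()             # cards seen on a device that crossed the limit

    def _expire(self, dq, now):
        """Drop entries older than the window (deques are appended in time order)."""
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()

    def observe(self, ts, device, card, amount, outcome):
        """Record one authorization attempt and return the velocity flags it raises."""
        flags = {}
        # A card that was touched by a testing device earlier is suspect on every later use.
        if card in self.tested_cards:
            flags["previously_tested_card"] = True

        dq_dev = self.by_device[device]
        self._expire(dq_dev, ts)
        dq_dev.append((ts, card, amount))
        distinct_cards = len({c for _, c, _ in dq_dev})
        small_attempts = sum(1 for _, _, a in dq_dev if a <= self.small_amount)
        if small_attempts >= self.max_small_attempts:
            flags["card_testing_pattern"] = small_attempts
        if distinct_cards > self.max_cards_per_device:
            flags["device_card_velocity"] = distinct_cards
            # Retroactively mark every card this device touched in the window.
            self.tested_cards.update(c for _, c, _ in dq_dev)

        dq_card = self.by_card[card]
        self._expire(dq_card, ts)
        dq_card.append((ts, outcome))
        declines = sum(1 for _, o in dq_card if o == "declined")
        if declines >= self.max_declines:
            flags["repeated_declines"] = declines
        return flags


def scan(events, **kwargs):
    """Replay an event stream and return the flags raised for each event, in order."""
    monitor = VelocityMonitor(**kwargs)
    return [monitor.observe(*ev) for ev in events]


if __name__ == "__main__":
    for ev, flags in zip(EVENTS, scan(EVENTS)):
        print(ev[:3], flags or "-")
```

The last event is the one that matters commercially: the $800 purchase on card-3 looks clean in isolation (approved, residential-sized amount, one card), and only the device's earlier testing run links it to fraud. That is why the monitor remembers tested cards across the window instead of judging each authorization on its own.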

3. Risk score calculation process

Anti-fraud systems such as Stripe Radar and Adyen use sophisticated machine learning algorithms to calculate a risk score that reflects the likelihood that a transaction is related to carding. The process involves the following steps:

3.1 Data collection

  • The system collects all available signals at the time of the transaction:
    • GeoIP: IP address, country, region, connection type (residential, data center, VPN).
    • Device Fingerprinting: device characteristics, browser, unique fingerprint.
    • Behavior: timestamps, input patterns, transaction structure.
    • History: previous transactions, chargebacks, rejections.
  • Additionally, data from payment systems (Visa, Mastercard) and external lists of fraudulent entities are used.

3.2. Signal Processing (Feature Engineering)

  • The data is converted into numerical or categorical attributes (features), which are fed into the ML model. Examples of features:
    • GeoIP: Distance between current location and last transaction (in km), VPN usage (yes/no).
    • Device Fingerprinting: Number of unique devices in the last 24 hours, browser settings changes.
    • Behavior: Time to fill out the form (in seconds), number of attempts to enter card data.
    • History: Average transaction amount per month, number of rejected transactions.
  • For carding, the most informative features are those that capture anomalies, such as a sudden jump in the transaction amount or the appearance of a new device.

3.3. Application of Machine Learning Models

  • Model training:
    • ML algorithms are trained on historical data, including billions of transactions, labeled as "fraudulent" and "legitimate".
    • Algorithms used include gradient boosting (XGBoost, LightGBM), neural networks, Bayesian networks, and ensemble methods.
    • Stripe Radar, for example, uses an ensemble of models to analyze over 1,000 parameters in 0.1 seconds.
  • Model types:
    • Classification: Determines whether a transaction is fraudulent (yes/no).
    • Regression / probability output: The model's fraud probability is rescaled to a numeric risk score (0–1000 in this description).
    • Anomaly Detection: Detect deviations from normal behavior (e.g. Isolation Forest or Autoencoders algorithms).
  • Features in carding:
    • The models are trained to recognize carding patterns such as card testing (multiple small transactions) or the use of stolen data in high-risk categories (electronics, jewelry).
    • Adyen uses adaptive models that update in real time to identify new carding patterns.

3.4. Applying rules

  • Anti-fraud systems use a combination of strict and dynamic rules:
    • Hard rules: For example, blocking transactions from IP addresses associated with carding forums or cards recently added to blacklists.
    • Dynamic rules: Based on ML, e.g. blocking high-risk transactions in certain categories (electronics, digital goods).
    • Example: Stripe Radar allows businesses to set up rules such as "block transactions from IPs in a specific country if the amount exceeds $50".

3.5. Assigning a risk score

  • The ML model combines all the features. In the simplified picture used here, each signal gets a weight (for example, 0.3 for a GeoIP anomaly and 0.2 for a new device); in a real gradient-boosted or neural model the contribution of each feature is learned and depends on the other features, so there is no fixed per-signal weight.
  • With that simplification, the risk score is a weighted sum:
    • Example formula (simplified):
      Risk_score = (0.3 * GeoIP_anomaly) + (0.2 * Device_anomaly) + (0.2 * Behavior_anomaly) + (0.3 * History_anomaly), with each anomaly term in the range 0–1.
  • In this description the score is normalized to the range 0–1000 (vendors use their own scales; Stripe Radar, for instance, exposes a 0–99 risk score), where:
    • 0–200: Low risk (approval).
    • 201–600: Medium risk (additional verification, e.g. 3D Secure).
    • 601–1000: High risk (block or manual review).

3.6. Decision Making

  • Green Zone (Low Risk): The transaction is approved automatically.
  • Yellow zone (medium risk): Additional authentication is requested (3D Secure, biometrics, SMS code).
  • Red Zone (High Risk): The transaction is blocked or sent for manual review.
  • In the context of carding, most suspicious transactions fall into the yellow or red zone, as they contain multiple anomalies.

4. How anti-fraud systems combat carding

4.1 Identifying typical carding patterns

  • Card testing: Carders make small transactions ($1-2) to check whether a card is live. Anti-fraud systems count such attempts per card, device and IP and rate-limit or block further attempts after a few of them.
  • High-risk categories: Carders often choose electronics, digital goods, or gift cards. Systems increase the risk score for these transactions.
  • Multi-accounting: Carders create multiple accounts from one device. Anti-fraud systems use Device Fingerprinting to detect such schemes.
  • Chargeback Risk: If a card is associated with previous chargebacks, it is marked as high risk.

4.2 Using 3D Secure

  • The 3D Secure protocol (historically Verified by Visa and Mastercard SecureCode, now Visa Secure and Mastercard Identity Check under EMV 3-D Secure 2) has the issuer authenticate the cardholder with a second factor (for example, a one-time code sent by SMS, or approval in the banking app with biometrics).
  • Carders usually do not control the cardholder's phone or banking app, so 3D Secure is an effective barrier; a successfully authenticated transaction also shifts liability for a fraud chargeback from the merchant to the issuer.
  • Stripe Radar and Adyen dynamically request 3D Secure for moderate-risk transactions instead of challenging every customer.

4.3. Blacklists and global databases

  • Anti-fraud systems integrate with databases such as lists of stolen cards from Visa and Mastercard or blacklists of IP addresses.
  • Example: If a card appears on a compromised-card list (reported by the issuer or compiled from monitored carding forums), the system declines the transaction automatically.

4.4. Adaptation to new schemes

  • Carders are constantly developing new methods, such as using anti-detection browsers or purchasing "clean" IP addresses.
  • Anti-fraud systems use self-learning models that update in real time, analyzing new fraud patterns.
  • Adyen, for example, uses RevenueProtect technology to track global carding trends.

5. How carders try to bypass anti-fraud systems

Carders use a variety of techniques to bypass anti-fraud systems, and understanding these methods helps us understand how systems adapt:
  • Anti-detect browsers: Tools such as FraudFox or MultiLogin spoof device and browser characteristics to create a "clean" digital fingerprint.
    • Countermeasures: Anti-fraud systems detect unnatural parameters (for example, lack of standard fonts or non-standard WebGL settings).
  • Using VPN and Proxies: Carders mask the IP address to match the region of the card.
    • Countermeasures: Systems check whether the IP address is residential or belongs to a data center and use VPN/proxy databases.
  • Behavior Emulation: Carders can imitate the behavior of a legitimate user by slowly filling out forms or using scripts to emulate cursor movements.
    • Countermeasures: Anti-fraud systems analyze micropatterns (such as unnatural movement precision) to identify bots.
  • Purchasing "clean" data: Carders buy fullz (full identity packages: card data plus address, phone number and sometimes purchase history) so that the details they enter match the cardholder's.
    • Countermeasures: Systems compare data with the historical profile and identify inconsistencies (e.g. new delivery address).

6. Example of calculating risk score in the context of carding

Let's consider a scenario where a carder tries to buy a smartphone for $800 with a stolen card:
  • GeoIP: IP address from Vietnam, while the card is issued in Russia. This adds 30% to the risk score.
  • Device Fingerprinting: Device is a virtual machine with an anti-detect browser, not linked to the account history. Adds 25% to the risk.
  • Behavior: Card data entered in 1.5 seconds, without cursor movement (bot). Adds 20% to risk.
  • Transaction history: The card was previously used for small transactions ($1-2), and the current purchase is for $800. Adds 25% to the risk.
  • Final risk score: around 900 out of 1000 (high risk). The contributions above are illustrative and not simply additive; a real model saturates near the top of the scale once several strong anomalies coincide. The transaction lands in the red zone and is blocked or sent for manual review; a merchant that would rather not lose the sale outright can instead force a 3D Secure challenge, which the carder is unlikely to pass.
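The pipeline from sections 3.2 to 3.6 (feature engineering, hard rules, the weighted-sum score, normalization to 0–1000 and the decision zones) run end to end on the section 6 scenario, as an added example that is not code from the post, from Stripe or from Adyen. The weights are the ones in the section 3.5 formula; the per-signal partial contributions, the 4-second typing threshold and the field names of the `Transaction` record are assumptions made for illustration. It goes slightly beyond the post's single scenario by also scoring a constructed routine purchase and a constructed travelling cardholder on a new laptop, the false-positive case of section 8, which lands in the 3D Secure zone rather than being blocked.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    """Raw signals for one authorization attempt (field names are assumptions)."""
    amount: float
    ip_country: str
    issuer_country: str         # from a BIN lookup
    ip_is_datacenter: bool      # hosting/VPN exit instead of a residential ISP
    device_known: bool          # fingerprint seen before on this account
    antidetect_traces: bool     # inconsistent fingerprint, e.g. Windows UA with macOS fonts
    form_fill_seconds: float
    cursor_events: int
    prior_avg_amount: float     # average of the card's previous transactions
    prior_small_test_txns: int  # recent $1-2 transactions on the card
    card_blacklisted: bool = False


# Signal weights as in the simplified formula of section 3.5.
WEIGHTS = {"geoip": 0.3, "device": 0.2, "behavior": 0.2, "history": 0.3}
MIN_HUMAN_FILL_SECONDS = 4.0   # assumed: faster than this means pasted or scripted entry
SMALL_TEST_THRESHOLD = 3       # assumed: this many recent $1-2 transactions counts as testing


def extract_features(t: Transaction) -> dict:
    """Feature engineering (3.2): map raw signals to per-signal anomaly scores in [0, 1].
    The partial contributions are assumed values chosen for illustration."""
    geo = (0.7 if t.ip_country != t.issuer_country else 0.0) + (0.3 if t.ip_is_datacenter else 0.0)
    dev = (0.5 if not t.device_known else 0.0) + (0.5 if t.antidetect_traces else 0.0)
    beh = (0.5 if t.form_fill_seconds < MIN_HUMAN_FILL_SECONDS else 0.0) + (0.5 if t.cursor_events == 0 else 0.0)
    hist = 0.0
    if t.prior_avg_amount > 0:
        # Ratio of this amount to the card's usual amount, saturating at 100x.
        hist += min(t.amount / t.prior_avg_amount / 100.0, 0.6)
    if t.prior_small_test_txns >= SMALL_TEST_THRESHOLD:
        hist += 0.4
    return {"geoip": min(geo, 1.0), "device": min(dev, 1.0),
            "behavior": min(beh, 1.0), "history": min(hist, 1.0)}


def hard_rules(t: Transaction):
    """Hard rules (3.4) short-circuit the model; return the reason or None."""
    if t.card_blacklisted:
        return "card on compromised-card list"
    return None


def risk_score(features: dict) -> int:
    """Weighted sum (3.5) rescaled to the 0-1000 range used in this write-up."""
    return round(1000 * sum(WEIGHTS[k] * features[k] for k in WEIGHTS))


def decide(t: Transaction) -> dict:
    """Decision zones (3.6): green approves, yellow challenges, red blocks."""
    reason = hard_rules(t)
    if reason:
        return {"score": 1000, "zone": "red", "action": "block: " + reason, "features": {}}
    features = extract_features(t)
    score = risk_score(features)
    if score <= 200:
        zone, action = "green", "approve"
    elif score <= 600:
        zone, action = "yellow", "challenge with 3D Secure"
    else:
        zone, action = "red", "block or manual review"
    return {"score": score, "zone": zone, "action": action, "features": features}


# Section 6 scenario: $800 smartphone, Vietnamese IP on a Russian-issued card, anti-detect VM,
# card data entered in 1.5 s without cursor movement, card previously used only for $1-2 tests.
SCENARIO_CARDER = Transaction(800.0, "VN", "RU", False, False, True, 1.5, 0, 1.5, 5)
# Constructed comparison cases (not from the post): a routine purchase, and a cardholder
# travelling with a new laptop, the false-positive case of section 8.
SCENARIO_LEGIT = Transaction(60.0, "US", "US", False, True, False, 25.0, 140, 55.0, 0)
SCENARIO_TRAVELLER = Transaction(120.0, "FR", "US", False, False, False, 18.0, 90, 100.0, 0)

if __name__ == "__main__":
    for name, tx in [("carder", SCENARIO_CARDER), ("legit", SCENARIO_LEGIT), ("traveller", SCENARIO_TRAVELLER)]:
        d = decide(tx)
        print(f"{name:9s} score={d['score']:4d} zone={d['zone']:6s} -> {d['action']}")
```

With these weights the section 6 scenario scores 910 and is blocked, the routine purchase scores a few points and is approved, and the traveller scores about 314: enough for a 3D Secure challenge, which a genuine cardholder passes and a carder does not. That middle band is where the yellow zone earns its keep, since a pure block/allow decision would either lose the traveller's sale or let the carder through.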

7. Features of Stripe Radar and Adyen in the fight against carding

Stripe Radar

  • Technologies: Uses ML to analyze over 1000 parameters including GeoIP, Device Fingerprinting and behavioral signals.
  • Flexibility: Businesses can set rules, such as blocking transactions from certain countries or when using new devices.
  • Chargeback protection: Radar predicts the likelihood of a chargeback, helping prevent losses from carding.
  • Speed: Analysis in 0.1 seconds, which is critical to prevent quick attacks from carders.

Adyen (RevenueProtect)

  • Cross-channel analysis: Considers transactions across different channels (online, offline, mobile apps) to create a holistic profile.
  • Global Database: Uses billions of transaction data to identify carding patterns.
  • Dynamic Adaptation: Models are updated in real time to respond to new patterns such as mass card testing.
  • 3D Secure Support: Automatically applies 3D Secure to suspicious transactions.

8. Problems and limitations

  • False Positives: Legitimate users using a VPN or a new device may be falsely flagged as carders.
  • Sophisticated evasion: Advanced carders use elaborate schemes (for example, buying "clean" residential IPs or emulating human behavior), which forces constant retraining of the models.
  • Verification Delays: Manual verification or 3D Secure may slow down the process for legitimate users.
  • Evolution of carding: New methods, such as the use of cryptocurrencies or social attacks, complicate the task of anti-fraud systems.

9. Conclusion

Anti-fraud systems like Stripe Radar and Adyen effectively combat carding by analyzing multiple signals (GeoIP, Device Fingerprinting, behavior, transaction history) and using machine learning to calculate a risk score. They identify anomalies typical for carding, such as card testing, VPN use, or unnatural behavior, and apply measures (blocking, 3D Secure, manual verification) to prevent fraud. Despite carders’ attempts to bypass the systems using anti-detect browsers and other techniques, anti-fraud systems adapt by updating models and using global databases. This process demonstrates the complex interaction of technology, data, and algorithms aimed at protecting businesses and customers from financial losses.

If you have additional questions or want to delve into a specific aspect (e.g. ML math or code examples), let me know!
 