How are banks and stores improving anti-fraud systems?

Mutt

Banks and online stores are actively improving anti-fraud systems to minimize fraudulent transactions, including carding, and protect both their assets and customers. These systems use a combination of technology, data analytics, and behavioral analysis to detect and prevent suspicious transactions. Below, I will describe in detail how banks and stores are developing their anti-fraud mechanisms, with an emphasis on technical and practical aspects, while maintaining an educational context.

1. Technologies and approaches used in antifraud systems

Antifraud systems are complex software and hardware systems that analyze transactions in real time using machine learning, artificial intelligence, and big data. The main approaches include:

a) Machine learning and artificial intelligence

  • How it works:
    • Machine learning algorithms analyze millions of transactions to identify fraud patterns. Models are trained on historical data, including successful and fraudulent transactions, to predict risks.
    • The systems use both supervised learning (where the model knows which transactions were fraudulent) to create "blacklists" and unsupervised learning to identify new, unknown fraud patterns.
    • Example: If a transaction from a US card is made from a region with high fraud rates (e.g. via a VPN in another country), the system may flag it as suspicious.
  • Improvement:
    • The algorithms are updated in real time, adapting to new fraud methods (for example, the use of Non-VBV or Auto-VBV bins).
    • Using neural networks to analyze complex patterns such as the sequence of user actions before a transaction (browser, data entry speed, device type).
    • Integration with external databases (e.g. lists of stolen cards or IP addresses associated with fraud).

b) 3D-Secure 2.0 (Verified by Visa, MasterCard SecureCode and similar)

  • How it works:
    • 3D-Secure (3DS) is an authentication protocol that requires additional confirmation of the cardholder's identity (e.g. one-time password (OTP) via SMS, biometrics, push notifications in the bank's application).
    • 3DS 2.0, introduced in 2019, uses Risk-Based Authentication (RBA), where verification can be automatic for low-risk transactions and mandatory (with OTP) for high-risk ones.
    • Example: If a $10 transaction is made at a familiar store from a device the customer has already used, 3DS 2.0 can skip the OTP. But a larger purchase from a new region will require a code.
  • Improvement:
    • More accurate risk assessment through analysis of 100+ parameters (IP, device, geolocation, transaction history).
    • Integration of biometric data (fingerprints, facial recognition) through mobile banking applications.
    • In Europe, PSD2 (Payment Services Directive 2) mandates the use of 3DS for most online transactions, making it less likely that you will be able to successfully card Non-VBV or Non-MCSC bins.
    • UX improvements: 3DS 2.0 minimizes user friction by automatically approving secure transactions, increasing merchant adoption.

c) Behavioural analysis

  • How it works:
    • Anti-fraud systems track user behavior: how they navigate the site, what pages they visit, the speed of data entry, the type of device, and browser settings.
    • Example: If a user enters card details too quickly (indicating automation or copying) or uses a suspicious IP (e.g. from Tor or VPN), the system increases the risk level.
  • Improvement:
    • Using Device Fingerprinting: collecting unique device characteristics (OS version, screen resolution, fonts, browser plugins) for identification.
    • Analysis of time patterns: Fraudsters often conduct transactions at night or at times unusual for the cardholder.
    • Session monitoring: systems track how the user interacts with the site (for example, randomly clicking buttons or going straight to payment).

d) Geolocation and IP analysis

  • How it works:
    • Anti-fraud systems check whether the IP address matches the card region. For example, a transaction from an American card in Russia or Nigeria may be marked as suspicious.
    • Geolocation databases (MaxMind, GeoIP) are used to determine the region and IP reputation (e.g. known VPNs or anonymizers).
  • Improvement:
    • Integration with mobile operator data to check geolocation via GPS or cell towers.
    • Detection of the use of VPN, Tor or proxy servers, which are often used by carders for disguise.
    • Discrepancy analysis: For example, if a card is registered in New York, but the transaction comes from Asia with an IP associated with fraud.

e) Tokenization and encryption

  • How it works:
    • Tokenization replaces card data (number, CVV) with a unique token that is useless outside of a specific transaction or store. This reduces the risk of data leakage.
    • Example: Apple Pay and Google Pay use tokens, making them impossible for carders to use without access to the device.
  • Improvement:
    • Expanding tokenization to all types of transactions, including one-time payments.
    • Using dynamic CVV codes that change for each transaction (for example, in some digital wallets).
    • Encryption of data at the payment gateway level to prevent interception of information.

2. Specific measures of banks

Banks play a key role in fraud prevention as they suffer financial losses from unauthorized transactions. Their anti-fraud strategies include:

a) Real-time transaction monitoring

  • Banks analyze each transaction based on many factors: amount, region, type of store, customer transaction history.
  • Example: If a customer typically buys groceries at a local store and then suddenly tries to buy $2,000 worth of electronics in another area, the bank may block the transaction and ask for confirmation.
  • Improvement:
    • Using AI to create customized customer profiles (e.g. analyzing typical purchases, time and location).
    • Automatic notifications to clients (SMS, push notifications) for suspicious transactions with the ability to quickly confirm or reject.

b) Restrictions and Limits

  • Banks set limits on the amounts or number of transactions per day, especially for online payments.
  • Example: A card may have a $100 limit on online purchases without 3DS, making Non-VBV bins less attractive for large transactions.
  • Improvement:
    • Dynamic limits that adapt to the client's behavior. For example, the limit can be increased for verified users.
    • Ability for the customer to manually enable/disable online transactions via the app.

c) Biometric authentication

  • Banks are implementing biometrics (fingerprints, facial recognition, voice recognition) through mobile applications to confirm transactions.
  • Example: Some banks require fingerprint scanning to approve large payments, making it impossible to complete them without physical access to the device.
  • Improvement:
    • Integrate biometrics with 3DS 2.0 for seamless authentication.
    • Use of behavioral biometrics (e.g. analysis of finger movements on the screen).

d) Collaboration and data exchange

  • Banks share information about fraudulent transactions through global databases such as VisaNet or MasterCard's Global Fraud and Risk Solutions.
  • Example: If a card has been used in a fraudulent scheme, its BIN is added to the "black list", which limits its use in other banks.
  • Improvement:
    • Creating consortiums of banks to share data on new fraud schemes in real time.
    • Integration with law enforcement to track and block rogue IPs or devices.

3. Specific measures for online stores

Stores, especially large platforms (Amazon, eBay, Shopify), are also actively improving anti-fraud systems, as they lose money on chargebacks due to fraud.

a) Integration with payment gateways

  • Stores use gateways such as Stripe, Adyen or PayPal, which have built-in anti-fraud mechanisms.
  • Example: Stripe Radar analyzes transactions by 100+ parameters (IP, purchase history, device) and assigns them a risk level.
  • Improvement:
    • Setting up rules to automatically reject high-risk transactions (e.g. using Non-VBV bins from suspicious regions).
    • Integration with external anti-fraud services such as Sift, Kount or Signifyd.

b) Verification of holder data

  • Stores check card details (name, address, phone number) against information provided by the bank via the Address Verification System (AVS) or Card Verification Value (CVV).
  • Example: If the address entered during payment does not match the address registered with the bank, the transaction is rejected.
  • Improvement:
    • Using API to check addresses in real time.
    • Requiring additional data (such as a photo of a card or document) for high-risk transactions.

c) Limitation of product categories

  • Stores are restricting the purchase of highly liquid goods (gift cards, electronics), which are popular among carders.
  • Example: Amazon may require 3DS to purchase gift cards even if the card is Non-VBV.
  • Improvement:
    • Introducing additional checks for digital goods (e.g. instant delivery only after verification).
    • Limit the number of purchases per user or device.

d) Monitoring of chargebacks

  • Chargebacks initiated by cardholders due to fraud are a loss for merchants, so they actively monitor chargeback patterns.
  • Example: If returns are frequently initiated from a specific IP or card, the store will block them.
  • Improvement:
    • Using AI to predict the likelihood of chargebacks based on transaction data.
    • Automatic blocking of users with suspicious history.

4. Global trends and innovations

  • Zero Trust Security: Banks and retailers are moving to a "trust no one" model, requiring verification for every transaction, no matter the size.
  • Blockchain and Decentralized Systems: Some banks are experimenting with blockchain to securely store and verify transaction data.
  • Regulatory changes:
    • In Europe, PSD2 mandates the use of 3DS for most online transactions, which reduces the effectiveness of Non-VBV and Non-MCSC bins.
    • In the US and Asia, regulations are gradually becoming more stringent, requiring the implementation of 3DS or similar.
  • Cross-platform collaboration: Banks, merchants and payment gateways pool data to create global anti-fraud networks (e.g. Visa's Advanced Authorization).

5. How do antifraud systems affect carding?

  • Reduced efficiency of Non-VBV/Auto-VBV/Non-MCSC bins:
    • Even if the card does not require 3DS, anti-fraud systems may reject the transaction based on geolocation, device or amount.
    • In Europe, PSD2 has virtually eliminated the possibility of using Non-VBV bins for large transactions.
  • Complication of schemes:
    • Carders have to use complex chains (VPN, fake data, clean devices) to bypass anti-fraud systems, which increases costs and risks.
    • Testing cards on small transactions becomes less effective, as even small purchases can be blocked.
  • Quick detection:
    • AI systems identify fraudulent patterns in seconds, blocking cards before the carder can make a large transaction.
    • Data exchange between banks and stores allows you to quickly add suspicious cards and IP addresses to blacklists.

6. Ethical and legal aspects

Anti-fraud systems are aimed at protecting customers and businesses from fraud, but they also raise questions:
  • Privacy: The collection of behavioral, location, and device data may raise concerns for users.
  • Erroneous blocking: Sometimes legitimate transactions are rejected due to false positives of anti-fraud systems.
  • Accessibility: Excessive checks (such as mandatory 3DS) may discourage customers, especially in regions with low levels of digitalization.

Conclusion

Banks and merchants are improving their anti-fraud systems by combining AI, machine learning, 3D-Secure 2.0, behavioral analysis, and tokenization. These measures make carding much more difficult, especially with Non-VBV, Auto-VBV, and Non-MCSC bins, as even without 3DS, transactions go through a multi-layered check. Global regulations like PSD2 and cooperation between banks and payment gateways make fraud increasingly risky and less profitable.

If you want to dive deeper into a specific aspect (like how 3DS 2.0 works or how AI detects fraud), let me know!
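
Added example, not part of the original post and not any vendor's code: a small risk-based authentication decision of the kind the post describes in sections 1b and 2a, combining geolocation, anonymizer, AVS, device, amount and velocity signals into a frictionless / challenge / decline outcome. The `Txn` fields, signal names, weights and cut-offs are assumptions chosen for illustration, and the sample history is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    ts: datetime
    amount: float
    card_country: str
    ip_country: str
    device_id: str
    avs_match: bool = True
    anonymizer: bool = False   # IP flagged as VPN/Tor/proxy by a reputation feed

# Constructed weights and cut-offs (assumptions); real systems fit these to labelled data.
WEIGHTS = {"geo_mismatch": 30, "anonymizer": 25, "avs_mismatch": 20,
           "new_device": 15, "amount_outlier": 25, "velocity": 40}
CHALLENGE_AT, DECLINE_AT = 40, 80

def signals(txn, history):
    """Risk signals for txn, given earlier transactions on the same card."""
    fired = set()
    if txn.card_country != txn.ip_country:
        fired.add("geo_mismatch")
    if txn.anonymizer:
        fired.add("anonymizer")
    if not txn.avs_match:
        fired.add("avs_mismatch")
    if history:
        if txn.device_id not in {h.device_id for h in history}:
            fired.add("new_device")
        typical = sum(h.amount for h in history) / len(history)
        if txn.amount > 5 * typical:
            fired.add("amount_outlier")
    # Many authorizations on one card in a short window, whatever the amount.
    recent = [h for h in history if timedelta(0) <= txn.ts - h.ts <= timedelta(minutes=10)]
    if len(recent) >= 3:
        fired.add("velocity")
    return fired

def decide(txn, history):
    """Map the summed signal weights to an RBA outcome."""
    fired = signals(txn, history)
    score = sum(WEIGHTS[s] for s in fired)
    action = ("decline" if score >= DECLINE_AT
              else "challenge" if score >= CHALLENGE_AT else "frictionless")
    return action, score, fired

# Constructed sample: a US cardholder who normally buys groceries on one device.
NOW = datetime(2024, 5, 1, 14, 0)
HISTORY = [Txn(NOW - timedelta(days=d), a, "US", "US", "dev-1")
           for d, a in ((21, 42.0), (14, 55.0), (7, 38.0))]
```

Returning the fired signals alongside the action gives an analyst the reason for each challenge or decline, which is what makes false positives reviewable.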
 