How do anti-fraud systems (e.g. Kount, Sift, Riskified) work? (Algorithms, machine learning, user behavior analysis)

Anti-fraud systems like Kount, Sift, and Riskified play a key role in combating carding, a type of fraud in which criminals use stolen credit card data to make unauthorized transactions. For educational purposes, I will go into detail about how these systems work in the context of carding, including algorithms, machine learning, user behavior analysis, and specific protection mechanisms.

1. What is carding and why is it difficult to detect?

Carding is a fraudulent scheme in which criminals use stolen card data (number, CVV, owner's name, expiration date) to purchase goods or services, most often in online stores. The main difficulties in combating carding are:
  • Disguise as legitimate users: Fraudsters use proxies, VPNs and device emulation to imitate the behavior of real buyers.
  • Scale and automation: Carders often use bots to conduct mass card testing or make transactions.
  • Attack speed: Transactions are carried out quickly, which requires an immediate response from anti-fraud systems.
  • Evolution of methods: Fraudsters are adapting by using new technologies such as virtual machines or stolen accounts.

Anti-fraud systems address these issues through a multi-layered approach that includes data collection, analysis, modeling and real-time decision making.

2. Collecting data to combat carding

Antifraud systems collect and analyze data to identify signs of carding. The data is divided into several categories:

a) Transactional data

  • Transaction characteristics: Amount, currency, time, type of product (e.g. electronics are a common target for carders).
  • Transaction patterns: Multiple payment attempts with different cards, small test transactions (card testing), unusually high amount.
  • Transaction History: Compare the current transaction with the user's purchase history (if the account exists).

b) Device Fingerprinting

  • Device identifiers: Hardware characteristics (device type, screen resolution, fonts, browser plugins).
  • Network data: IP address, VPN/proxy usage, IP reputation (e.g. whether it is blacklisted).
  • Anomalies: Frequent change of devices, use of emulators or virtual machines.

c) Behavioral data

  • Interaction patterns: How a user navigates a site, click rate, time between actions, page sequence.
  • Behavioral biometrics: Typing speed, mouse movements, touch gestures on mobile devices.
  • Behavioral anomalies: For example, a user suddenly buys an expensive product, although previously they only bought cheap ones.

d) Contextual data

  • Geolocation: Matching the location of the IP address, device, and delivery. For example, a transaction from Nigeria with a card registered in the US raises suspicions.
  • Data reputation: Checking the email, phone number or address against fraud databases (for example, an email like test123@gmail.com is often used by carders).
  • Social Connections: Analyze relationships between devices, accounts, and transactions through relationship graphs.

e) External sources

  • Blacklists: Databases of stolen cards, suspicious IPs, devices or emails.
  • Shared networks: Platforms like Kount use global data networks (such as the Identity Trust Global Network) that aggregate information from thousands of businesses to identify repeating fraud patterns.

3. Algorithms and methods of analysis

Anti-fraud systems use a combination of rules, machine learning and behavioral analysis to detect carding.

a) Rule-based approach

Rules are pre-set conditions that signal potential fraud. Examples in the context of carding:
  • Multiple transaction attempts: When multiple transactions are made from the same device or IP address in a short period of time using different cards.
  • Geolocation mismatch: For example, the IP address is from one country, but the card is registered in another.
  • High-Risk Items: Buying electronics, gift cards, or digital items that can be easily resold.
  • Test transactions: Small amounts (e.g. $1) used to check the validity of a card.

The rules can be:
  • Static: Manually set by experts (e.g. "reject transactions over $1000 from certain countries").
  • Dynamic: Automatically updated based on new data and patterns.

Disadvantage: The rules are vulnerable to new types of attacks as carders adapt to bypass known patterns.

b) Machine learning (ML)

Machine learning allows systems to identify complex patterns and adapt to new types of carding. The following approaches are used:

i) Supervised Learning

  • Training data: Historical transactions labeled as either "fraudulent" or "legitimate".
  • Algorithms:
    • Logistic regression for estimating the probability of fraud.
    • Decision trees and ensembles (Random Forest, Gradient Boosting, XGBoost, LightGBM) for handling complex dependencies.
    • Neural networks for analyzing large amounts of data.
  • Example: The model is trained on data where fraudulent transactions are associated with VPN usage, fast payment attempts, and geolocation mismatches. The model produces a risk score (e.g. 85/100) indicating the likelihood of carding.

ii) Unsupervised Learning

  • Used to detect anomalies when labels are missing.
  • Methods:
    • Clustering (k-means, DBSCAN): Groups transactions by similar characteristics. Anomalous clusters (e.g. transactions with unusual time or device) are marked as suspicious.
    • Autoencoders: Neural networks that detect deviations from normal behavior.
  • Example: The system notices that the device makes purchases from multiple accounts in a short period of time, which is not typical for legitimate users.

iii) Deep Learning

  • Used to analyze complex sequences, such as time series of user actions.
  • Example: Recurrent neural networks (RNN) or transformers analyze the sequence of clicks and transitions on the site. If the carder uses a bot, the system may notice unnaturally fast or monotonous actions.

iv) Risk scoring

  • ML models assign a risk score (from 0 to 100) to each transaction.
  • Actions based on the score:
    • Low Risk (<20): Transaction is approved.
    • Medium risk (20–60): Additional verification is requested (e.g. 3D-Secure or OTP).
    • High Risk (>60): Transaction is rejected or sent for manual review.

c) Analysis of user behavior

  • Profiling: Systems create a profile of user behavior based on the history of their actions (e.g. average purchase amount, preferred product categories, time of purchase).
  • Anomalies: Any deviation from the profile raises suspicion. For example:
    • A user who usually buys clothes for $50 suddenly orders a laptop for $2000.
    • The device connects via Tor or VPN, which was not the case before.
  • Behavioral biometrics: Analysis of mouse movements, typing speed, device tilt angle. Carders using bots often give themselves away through mechanical actions.
  • Connection graphs: Anti-fraud systems build graphs that link devices, IP addresses, emails, and cards. If one device is linked to multiple cards or accounts, this may indicate carding.

d) Real time and automation

  • Anti-fraud systems process data in milliseconds so as not to slow down the payment process.
  • Technologies such as Apache Kafka for streaming data processing and Redis for fast access to blacklists are used.

4. Specific mechanisms of protection against carding

Antifraud systems use the following technologies to combat carding:

a) Device Fingerprinting

  • Creates a unique "fingerprint" of the device based on hundreds of parameters (browser, fonts, screen resolution, HTTP headers).
  • If one device is linked to multiple cards or accounts, this indicates carding.
  • Example: Kount uses Persona technology, which tracks devices through their unique characteristics.

b) Geolocation check

  • Comparison of the IP address, card data and shipping address.
  • Example: If the card is registered in the USA, the IP is from Russia, and the delivery is indicated to Nigeria, the transaction is marked as suspicious.

c) Velocity Checks

  • Transaction frequency analysis:
    • Multiple payment attempts with different cards in a short period of time.
    • Test transactions for small amounts (card testing).
  • Example: Sift may block a device if it makes more than 5 transactions per minute.

d) Reputation databases

  • Checking email, IP, phone number or card in fraudsters' databases.
  • Example: Riskified uses global data to identify cards previously associated with chargebacks.

e) 3D-Secure and additional verification

  • If the risk score is high, the system may request additional authentication (for example, a code from an SMS or push notification).
  • This reduces the likelihood of successful carding, since the fraudster usually does not have access to the card owner's phone.

f) Analysis of connection graphs

  • Systems build graphs that link devices, accounts, cards, and IP addresses.
  • Example: If one IP address is associated with hundreds of transactions with different cards, this indicates an organized carding scheme.

5. Features of specific systems

Each system has unique features adapted to combat carding:

a) Kount

  • Identity Trust Global Network: Combines data from thousands of businesses to identify repeating fraud patterns.
  • AI-driven approach: Uses ML to adapt to new types of attacks.
  • Integration: Easily integrates with payment gateways (Stripe, PayPal) and e-commerce platforms (Shopify, Magento).
  • Anti-carding example: Kount may block a transaction if the device has previously been associated with test transactions.

b) Sift

  • Digital Trust & Safety: Focused on minimizing false positives to avoid alienating legitimate customers.
  • Adaptive ML: Models are trained on business-specific data, which improves accuracy.
  • Carding protection example: Sift analyzes user behavior in real time and blocks the account if it suddenly starts using new cards.

c) Riskified

  • Chargeback Guarantee: Riskified takes the financial risk if a fraudulent transaction goes through (chargeback guarantee).
  • E-commerce focus: Specializes in online stores where carding is most common.
  • Anti-carding example: Riskified uses connection graphs to identify networks of carders using the same devices or IPs.

6. Problems and challenges in the fight against carding

  • False Positives: Rules that are too strict may reject legitimate transactions, which reduces conversion. For example, a user traveling abroad may be flagged as a carder due to a change in IP.
  • Carder adaptation: Fraudsters use complex schemes such as:
    • Account Takeover (ATO): Hacking accounts to disguise themselves as legitimate users.
    • Synthetic Identities: Creating fake profiles built from real data.
    • Card Testing: Testing cards with small amounts to bypass limits.
  • Balancing UX and security: Complex checks (such as CAPTCHA or 3D-Secure) can be annoying for users.
  • Privacy: Data collection must comply with laws (GDPR, CCPA), which limits the amount of information collected.
  • Scale: Carders can attack thousands of stores at once, requiring global databases and coordination.

7. Example of a carding scenario and the system's response

Scenario:
  • A scammer uses a stolen card to buy a $1,000 iPhone.
  • They connect via a VPN to hide their real location.
  • They use a new account with the email test123@gmail.com.
  • Before this, they make a test transaction of $1.

Anti-fraud system reaction:
  1. Data collection: The system records IP (linked to VPN), device (new, no history), email (suspicious), amount ($1000, high risk).
  2. Rules: The "geolocation mismatch" rule (IP from Russia, card from the USA) and the "test transaction" rule are triggered.
  3. ML analysis: The model assigns a risk score of 92/100 based on anomalous behavior and IP reputation.
  4. Relationship graphs: The system notices that the IP has previously been used for other suspicious transactions.
  5. Decision: The transaction is rejected, the account is blocked, and the data is added to the blacklist.

8. The future of anti-fraud systems in the context of carding

  • Improving ML: More complex models (e.g. transformers) for sequence and context analysis.
  • Biometrics: Increased use of behavioral biometrics (e.g. gait analysis via a phone's accelerometer).
  • Blockchain: Using decentralized databases to share fraud data between businesses.
  • Regulation: Increased privacy requirements (GDPR, CCPA) are forcing systems to optimize data collection.

9. Conclusion

Anti-fraud systems such as Kount, Sift and Riskified effectively combat carding thanks to a multi-layered approach:
  • Data collection (transactions, devices, behavior, geolocation).
  • Algorithms (rules, ML, anomaly analysis).
  • Technologies (Device Fingerprinting, relationship graphs, risk scoring).
  • Real time and adaptation to new threats.

They minimize risks by analyzing hundreds of parameters and identifying anomalies typical for carding (test transactions, geolocation mismatches, suspicious devices). However, success depends on the balance between security and user experience, as well as the ability to adapt to new fraudster tactics.

If you want to go deeper into a specific aspect (for example, setting up rules, ML algorithms, or code samples for data analysis), write and I will continue!
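The rule-based checks of section 3(a), the velocity check of section 4(c) and the score bands of section 3(iv), replayed on the section 7 scenario as an added example; this is not code from Kount, Sift or Riskified, and the rule weights, the 60-second window, the card-count limit and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumed velocity window
MAX_CARDS_PER_DEVICE = 2   # assumed: distinct cards per device inside the window
TEST_AMOUNT_LIMIT = 2.00   # assumed: "card testing" amounts at or below this
HIGH_RISK_CATEGORIES = {"electronics", "gift_card", "digital"}
WEIGHTS = {"geo_mismatch": 25, "vpn_or_proxy": 10, "test_transaction": 20,
           "follows_test_transaction": 25, "card_velocity": 45, "high_risk_item": 15}

class RiskScorer:
    def __init__(self):
        self.by_device = defaultdict(deque)  # device -> (ts, card) seen in window
        self.test_seen = set()               # devices that made a test-size purchase
    def score(self, tx):
        """Return (score 0-100, names of triggered rules) for one transaction."""
        q = self.by_device[tx["device"]]
        q.append((tx["ts"], tx["card"]))
        while tx["ts"] - q[0][0] > WINDOW_SECONDS:   # expire entries outside window
            q.popleft()
        hits = []
        if tx["ip_country"] != tx["card_country"]:
            hits.append("geo_mismatch")
        if tx["vpn"]:
            hits.append("vpn_or_proxy")
        if tx["amount"] <= TEST_AMOUNT_LIMIT:
            self.test_seen.add(tx["device"])
            hits.append("test_transaction")
        elif tx["device"] in self.test_seen:
            hits.append("follows_test_transaction")
        if len({card for _, card in q}) > MAX_CARDS_PER_DEVICE:
            hits.append("card_velocity")
        if tx["category"] in HIGH_RISK_CATEGORIES and tx["amount"] >= 500:
            hits.append("high_risk_item")
        return min(100, sum(WEIGHTS[h] for h in hits)), hits
    def decide(self, tx):
        score, hits = self.score(tx)
        # Bands from the post: <20 approve, 20-60 step-up (3D-Secure/OTP), >60 reject
        action = "approve" if score < 20 else "step_up" if score <= 60 else "reject"
        return {"action": action, "score": score, "reasons": hits}

def run_scenario():
    """Constructed transactions: the $1 test, then the $1000 iPhone, then a regular buyer."""
    carder = {"device": "dev-A", "card": "card-1", "ip_country": "RU",
              "card_country": "US", "vpn": True}
    shopper = {"device": "dev-B", "card": "card-9", "ip_country": "US",
               "card_country": "US", "vpn": False}
    txs = [dict(carder, ts=0, amount=1.00, category="digital"),
           dict(carder, ts=30, amount=1000.0, category="electronics"),
           dict(shopper, ts=40, amount=50.0, category="clothing")]
    scorer = RiskScorer()
    return [scorer.decide(tx) for tx in txs]
```

Note that the $1 test already lands in the step-up band, so the later $1000 purchase is rejected because the device is remembered as having tested a card, not because of the amount alone.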
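The connection graphs of sections 3(c) and 4(f), linking devices, IPs, emails and cards and flagging a device or IP tied to too many cards, as an added example that is not any vendor's code; the transaction records and the card-count threshold are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_CARDS_PER_NODE = 2   # assumed: a device or IP tied to more cards than this is suspicious

def build_graph(txs):
    """Link every device, IP, email and card that appear together in a transaction."""
    adj = defaultdict(set)
    for tx in txs:
        nodes = [(kind, tx[kind]) for kind in ("device", "ip", "email", "card")]
        for a in nodes:
            adj[a].update(b for b in nodes if b != a)
    return adj

def components(adj):
    """Connected components by BFS; each is a set of (kind, value) nodes."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node not in comp:
                comp.add(node)
                queue.extend(adj[node] - comp)
        seen |= comp
        comps.append(comp)
    return comps

def analyze(txs):
    """Return (flagged, rings): devices/IPs with too many cards, and for each
    component containing a flagged node the full list of cards it links."""
    adj = build_graph(txs)
    flagged = {}
    for node, nbrs in adj.items():
        if node[0] in ("device", "ip"):
            n_cards = sum(1 for kind, _ in nbrs if kind == "card")
            if n_cards > MAX_CARDS_PER_NODE:
                flagged[node] = n_cards
    rings = [sorted(v for k, v in comp if k == "card")
             for comp in components(adj) if comp & set(flagged)]
    return flagged, rings

def sample_transactions():
    """Constructed data: one device cycling through cards behind a shared IP,
    a second device on that IP, and two unrelated ordinary customers."""
    ring_ip = "203.0.113.5"
    return [{"device": "dev-A", "ip": ring_ip, "email": f"acct{i}@example.com", "card": f"card-{i}"}
            for i in (1, 2, 3)] + [
            {"device": "dev-B", "ip": ring_ip, "email": "acct4@example.com", "card": "card-4"},
            {"device": "dev-L", "ip": "198.51.100.7", "email": "alice@example.com", "card": "card-9"},
            {"device": "dev-M", "ip": "198.51.100.8", "email": "bob@example.com", "card": "card-10"}]
```

The second device, dev-B, touches only one card and would pass a per-device check on its own; it is caught only because the graph joins it to the flagged IP and the rest of the ring.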