How not to set up anti-fraud rules based on user geography

Tomcat

Recently I needed to top up my Elecsnet wallet from an Alfa-Bank card, a standard procedure that I have completed successfully several times already. As usual, after logging into the wallet and entering the card details, instead of the usual success message I received the following error:

Oops: "Anti-black list"! I had forgotten that this time I was abroad.

I spent some time trying to pay, without success. Out of desperation I even tried the operation through Tor, which of course did not help (I didn't want to spend time working out how to restrict Tor's exit nodes to a particular country in its settings), but at least on a couple of attempts I got a second, more interesting error with the following text:

“User IP address country does not match BIN country”

So this time the Elecsnet anti-fraud system's complaint was that the country of my foreign provider's IP address did not match the country of the card issuer.
The sad thing is that the error message leaves me, the user, no choice but to try again or abandon the operation. The window on the screen doesn't even contain any recommendations or links: where to go, whom to write to, what to do so that everything works. And it will certainly stump users who don't know English, since everything in the window is in Russian and only the error message itself is in English.

Actually, why is all this so bad?

From the above errors we can draw conclusions about how Elecsnet's anti-fraud rules are structured (at least those that apply to card top-up operations):
  • There is a list of allowed countries, most likely Russia and the CIS countries. Top-up operations are allowed only from IP addresses in these countries; all others are prohibited.
  • Another rule checks whether the user's IP geography matches the issuer's country. There are several possibilities here: it is likely that Russia and the CIS are treated as one geographical space (that is, you can top up from Ukraine with a Russian card, although I have not checked this).
  • It is worse if the logic is stricter: the user's country must coincide with the issuer's country, full stop. But then why did I get the second error rather than the "anti-black list" complaint? The suspicion arises that at that moment the Tor exit node's IP address happened to be from an allowed country, which nevertheless was not Russia (the card's issuing country). Alarm!

The result is a system of a few simple anti-fraud rules which, I think, are equally effective at fighting fraud and at making life difficult for ordinary users like me. It is a case study in what not to do.

Now let's talk about how it could (and should) be done correctly.
  • First of all, I am not a new Elecsnet client. More precisely, I have already used this same card several times to top up this same wallet. So my payment behaviour pattern is very simple and transparent: about once a month I top up my wallet from the same card. To assume that a fraudster would now use my stolen card to top up my wallet is rather strange. Hence the first correct step: remember both the card and the operations performed with it, and apply a strict policy only when a new card appears in the system (one about which nothing is known and which is being seen for the first time). If a card performs the same standard action (here, topping up the wallet) for the fifth time in a row, then most likely it is the cardholder doing it, and at that point the anti-fraud policy should be relaxed and the specific operation allowed regardless of the geographical location of both the user and the card issuer. Another option is to start from the wallet and remember the payment history from the wallet's point of view (where it is topped up from, where it pays or transfers to, and so on).
  • It is also worth remembering what a wallet actually is in the Elecsnet system. The wallet number is essentially its owner's phone number, and to access the wallet you authenticate with the pair phone number + password issued at registration. Elecsnet is also very good at sending SMS for any action in the system; in my case I receive an SMS both when topping up the wallet and when paying from it. So for a transaction that Elecsnet considers suspicious, what would it cost to simply request confirmation via SMS? This is a common, standard practice used in many payment systems (enhanced or two-factor authorization, as in Yandex.Money) and in banks (the most obvious example is 3-D Secure): at the moment of the transaction the user receives an SMS with a code, enters it on the payment operator's page and thereby confirms the transaction. What's more, the Elecsnet user provides a phone number at registration, and that number is the wallet number, so all that remains is to send the user an SMS and wait for the transaction to be confirmed.
  • If the anti-fraud system has various blacklists (which is normal), then there must also be flexible logic for applying them, and that requires taking many factors into account beyond the blacklist itself. The head-on approach (forbid everything for this person, allow everything for everyone else) is inconvenient, inflexible and ruins the lives of ordinary users at the first opportunity.
  • And finally, if the anti-fraud rules have fired and prohibited the operation, then of course it is not necessary to tell the user exactly why (remember, this might be a fraudster). But you absolutely must tell him how to solve the problem, since this is precisely what matters to an honest user who has been caught by the anti-fraud system: where to write or call, which simple settings to change, and so on, all in plain language. In my case the ideal message would be something like: "Sorry! The operation did not go through. We don't recognise you; you are probably trying to top up your wallet differently than usual. We will now send you a code via SMS; enter it in the box below so that we can make sure it is really you."

At a minimum, these simple steps could greatly reduce the number of innocent clients who were imprudent enough to travel abroad and, purely as a result of their geographical movement, lost the ability to use the service.

If we go further down the path of improving anti-fraud rules, we can add more complex logic: for example, take into account the speed of the user's movement between countries (payments from different countries a day apart are far more plausible than five minutes apart), count the number of attempts to complete a transaction (including across different cards, which prevents enumeration of card numbers), detect the use of proxy servers or anonymizers, and so on.
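As an added illustration (not Elecsnet's code and not part of the original post), the following Python sketch combines the four recommendations above with the velocity, attempt-count and anonymizer checks from this paragraph in one rule evaluator. It assumes tokenised card references, an issuer-country lookup by BIN, a per-wallet event history, and the threshold constants shown; the allow-list and all sample data are constructed for the example. A known card doing its usual thing is allowed regardless of geography; a new card or an anomaly gets an SMS step-up rather than a dead end; only a burst of attempts across cards is refused outright, and the user-facing text never reveals which rule fired.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy parameters for this illustration; they are not Elecsnet's thresholds.
ALLOWED_IP_COUNTRIES = {"RU", "BY", "KZ", "AM", "KG"}  # stands in for "Russia and the CIS"
KNOWN_CARD_MIN_TOPUPS = 3        # a card is "known" to a wallet after this many successful top-ups
MAX_ATTEMPTS_PER_HOUR = 5        # per wallet, across all cards: blunts card-number enumeration
MIN_HOURS_BETWEEN_COUNTRIES = 6  # two countries closer together than this is implausible travel

# User-facing texts say what to do next and never name the rule that fired.
MSG_STEP_UP = ("Sorry, we don't recognise this top-up. We have sent a code by SMS to your "
               "wallet phone number; enter it below so we can confirm it is you.")
MSG_DENY = ("Sorry, the operation could not be completed right now. Please contact support "
            "(<support contact placeholder>) and quote your wallet number.")


@dataclass
class Event:
    when: datetime
    card: str        # tokenised card reference, never the PAN
    ip_country: str  # ISO country of the client IP at the time
    success: bool


@dataclass
class TopUpRequest:
    wallet: str
    card: str
    bin_country: str   # issuer country looked up from the BIN
    ip_country: str
    via_anonymizer: bool
    when: datetime


@dataclass
class Decision:
    action: str                                        # "ALLOW", "STEP_UP_SMS" or "DENY"
    user_message: str                                  # shown to the user
    reasons: List[str] = field(default_factory=list)   # internal log only


def evaluate(req: TopUpRequest, history: List[Event]) -> Decision:
    """Score one top-up against the wallet's own payment history."""
    reasons: List[str] = []

    # 1. Attempt cap over all cards: a burst of attempts looks like enumeration, not a traveller.
    recent = [e for e in history if timedelta(0) <= req.when - e.when <= timedelta(hours=1)]
    if len(recent) >= MAX_ATTEMPTS_PER_HOUR:
        return Decision("DENY", MSG_DENY, ["attempt cap exceeded across cards in the last hour"])

    # 2. Implausible travel: last success came from another country only minutes ago.
    successes = sorted((e for e in history if e.success), key=lambda e: e.when)
    if successes:
        last = successes[-1]
        gap = req.when - last.when
        if last.ip_country != req.ip_country and gap < timedelta(hours=MIN_HOURS_BETWEEN_COUNTRIES):
            reasons.append(f"implausible travel {last.ip_country}->{req.ip_country} within {gap}")

    # 3. Geography rules apply strictly only to a card this wallet does not yet know.
    known_card = sum(1 for e in successes if e.card == req.card) >= KNOWN_CARD_MIN_TOPUPS
    if not known_card:
        if req.ip_country not in ALLOWED_IP_COUNTRIES:
            reasons.append("new card: IP country outside allow-list")
        if req.ip_country != req.bin_country:
            reasons.append("new card: IP country does not match BIN country")

    # 4. Anonymizer use is a signal, not a verdict: ask the phone-number owner to confirm.
    if req.via_anonymizer:
        reasons.append("request arrived via proxy/anonymizer")

    if reasons:
        return Decision("STEP_UP_SMS", MSG_STEP_UP, reasons)
    return Decision("ALLOW", "", reasons)


# Constructed sample data mirroring the post: four monthly top-ups from Moscow with one card.
T0 = datetime(2014, 6, 1, 12, 0)
AUTHOR_HISTORY = [Event(T0 - timedelta(days=30 * n), "tok_alfa", "RU", True) for n in (4, 3, 2, 1)]


def run_scenarios() -> Dict[str, Decision]:
    """Evaluate the situations described in the post plus two abuse cases."""
    same_card_abroad = TopUpRequest("w1", "tok_alfa", "RU", "DE", False, T0)
    same_card_via_tor = TopUpRequest("w1", "tok_alfa", "RU", "DE", True, T0)
    new_card_abroad = TopUpRequest("w1", "tok_new", "RU", "DE", False, T0)
    burst = [Event(T0 - timedelta(minutes=m), f"tok_{m}", "RU", False) for m in range(1, 6)]
    just_in_moscow = AUTHOR_HISTORY + [Event(T0 - timedelta(minutes=5), "tok_alfa", "RU", True)]
    return {
        "known_card_abroad": evaluate(same_card_abroad, AUTHOR_HISTORY),
        "known_card_via_tor": evaluate(same_card_via_tor, AUTHOR_HISTORY),
        "new_card_abroad": evaluate(new_card_abroad, AUTHOR_HISTORY),
        "enumeration_burst": evaluate(TopUpRequest("w1", "tok_x", "RU", "RU", False, T0),
                                      AUTHOR_HISTORY + burst),
        "five_minutes_after_moscow": evaluate(same_card_abroad, just_in_moscow),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:28} {d.action:12} {d.reasons}")
```

Running the script prints one line per scenario: the author's own case (known card, abroad) is allowed; the same card via Tor, a new card abroad, and a top-up five minutes after a successful one from Moscow are sent to SMS confirmation; only the burst of five attempts with different cards in one hour is refused. The `reasons` list is for the fraud team's logs; the user only ever sees `user_message`.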

It is also worth adding that when I performed further actions with the wallet, Elecsnet's anti-fraud did not interfere at all: after I topped up the account with the help of a friend in Russia (I had to give him step-by-step instructions over Skype), I was easily able to withdraw money from my own wallet to an account at another Russian bank while still abroad. This also raises questions. From the point of view of anti-fraud policy it is important to stop not only suspicious attempts to use bank cards but also atypical manipulation of the funds in the wallet itself, above all in the risky payment directions, in particular withdrawal of funds (which is the ultimate goal of any fraudster, and the sooner the better!). The only justification I can see is the small amount of the operation (a few thousand rubles).

As a result, my chain of actions was as follows:
  • While in Moscow, I top up my wallet from a bank card several times over a period of months: no problems.
  • Now I top up the wallet from the same Russian card from abroad: several attempts, and each time the top-up is blocked by the anti-fraud rules.
  • I try to do the same thing via Tor (obviously the IP address could easily be from a country other than the original one): the same result, the operation is impossible.
  • I ask a friend in Moscow for help and send him detailed instructions via Skype: finally the operation goes through and the wallet is topped up.
  • Immediately afterwards I withdraw money from the wallet to a card of another Russian bank, while geographically still in the same place abroad from which I was not allowed to top up the wallet. No questions asked; the operation succeeds and the money is withdrawn.

The moral of this story: people move around the world, and for their financial services this should not be a source of problems such as blocked bank cards, an inability to top up an electronic wallet, or an inability to pay for one's own Moscow mobile phone while in another hemisphere.

Fight fraud correctly!