The first rule of antifraud is not to tell anyone about antifraud

Professional
Actually, that rule is nonsense. But it's clear why it exists. Among security people it is believed that antifraud should be a super-secret thing behind seven seals with a couple of hungry Cerberuses next to it, so that nobody at all can peek through a crack and find out how this antifraud works or what is inside. This adds importance to the security guards, and gives the antifraud mechanism itself an illusory protection.

Security through obscurity does not work. If you google news along the lines of "A client of bank X was hacked and Y rubles were stolen", you will always find some. Almost every day (almost, because they don't always write about it).
The implementations of all known encryption protocols are open and available for study. All cryptographic and mathematical algorithms are also described, and in great detail. That is: sit down, stock up on coffee or energy drinks, study all of it and try to break it yourself.

Therefore, a system that is considered secure only because people do not know how it works is not secure at all. The more open such a system is, the faster the caustic community will point its critical finger at every flaw in the implementation. And that is what allows those flaws to be fixed.
I work precisely in the paradigm of open protocols and systems, and in this post I want to talk about how a standard antifraud is built, about our work at RBK.money, why the future belongs to OpenSource, and how all this could work in an ideal world.

Which we can bring closer.

Antifraud under the hood

Let's start with the simplest examples. Antifraud is a combination of two machines. The first works according to rules that you know and understand. The second is a black box in which magic happens, which even a canister of energy drink and a volume of Nietzsche will not help you comprehend.

That is, in the first machine we have a set of rules written by a person. The rules look pretty simple and just describe a certain set of actions that should make the system flag fraud. For example, if a card suddenly makes 10 payments per minute, that is a pretty strong reason to be on your guard. Or if a transaction on the card took place in St. Petersburg, and 5 minutes ago the owner withdrew cash with it in Moscow, something is strange here too.
I repeat, I am speaking very figuratively, because this behavior can also occur in a perfectly normal situation. For example, Amazon likes to charge not for your entire order of 15 items at once, but for each item separately. And at different times; that is normal. And in the case of a geographic mismatch, the card owner may be in Moscow while in St. Petersburg his mother buys something with the same card via Apple Pay. Yes, the cards say they must not be handed to third parties and all that, but life is usually a little more complicated.

About the second box. It is a large piece of machine learning, and here it is no longer so easy to show on your fingers, as a simple structure, how it arrives at its conclusions.
From this basis you can derive the criteria for a good antifraud.

Three pillars

The first is the interface for writing rules. Convenient, beautiful and understandable. More on this below.
The second is a special language for writing these rules.
The third is fast processing of the written rules.

Why fast? Because speed really matters here. Antifraud as an entity sits inline in the payment flow, and there are two approaches to this placement.

1) Bypass
Here the priority is the speed of payments. Business usually decides in this situation that it must not lose on speed, so if the antifraud suddenly takes a long time to think, analyze and generally slows the process down a bit, never mind: ignore the antifraud's verdict and just make the payment.

2) Risk minimization
Here the business realizes that the antifraud was not put into the system for nothing, and listens to its verdict. If there is a suspicion of fraud, the business slows down, sorts out the situation, and only then makes the payment. Or doesn't.

Therefore the antifraud must be fast, as fast as possible, and at the same time adequately configured.
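As an added illustration (not code from the post or from Fraudbusters) of the two placements above, here is a small Python model of an inline antifraud call with a time budget: in bypass mode a verdict that arrives too late is ignored and the payment goes through, in risk-minimization mode the payment is held for an operator. The Mode and Decision names, the 50 ms budget and the toy check function are assumptions.

```python
# Added example (not RBK.money's or Fraudbusters' code): how an inline antifraud
# behaves in the two placements described above when the check is slow.
# The Mode/Decision names, the 50 ms budget and the toy check are assumptions.
import concurrent.futures
import time
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    BYPASS = "bypass"            # 1) payment speed first: a late verdict is ignored
    MINIMIZE_RISK = "minimize"   # 2) a late verdict holds the payment for review


@dataclass
class Decision:
    action: str      # "accept", "reject" or "hold"
    reason: str
    elapsed_ms: float


def toy_antifraud_check(payment: dict, delay_s: float) -> str:
    """Constructed stand-in for the antifraud service: sleeps to simulate latency,
    then rejects only implausibly large amounts. A real deployment would call
    the antifraud API here."""
    time.sleep(delay_s)
    return "reject" if payment["amount"] > 100_000 else "accept"


def authorize(payment: dict, mode: Mode, delay_s: float, budget_s: float = 0.05) -> Decision:
    """Ask the antifraud for a verdict but wait at most `budget_s`.
    A verdict that arrives in time is honoured in both modes; what differs
    is what happens when the budget is exhausted."""
    start = time.monotonic()
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(toy_antifraud_check, payment, delay_s)
    try:
        verdict = fut.result(timeout=budget_s)
    except concurrent.futures.TimeoutError:
        # Do not wait for the worker: the payment path must not block on it.
        pool.shutdown(wait=False)
        elapsed = (time.monotonic() - start) * 1000
        if mode is Mode.BYPASS:
            return Decision("accept", "antifraud exceeded its time budget; bypass mode pays anyway", elapsed)
        return Decision("hold", "antifraud exceeded its time budget; payment held for an operator", elapsed)
    pool.shutdown(wait=True)
    elapsed = (time.monotonic() - start) * 1000
    if verdict == "reject":
        return Decision("reject", "antifraud verdict: reject", elapsed)
    return Decision("accept", "antifraud verdict: accept", elapsed)


if __name__ == "__main__":
    slow = {"id": "p1", "amount": 500}      # constructed payment
    for mode in Mode:
        d = authorize(slow, mode, delay_s=0.2)
        print(mode.value, d.action, f"{d.elapsed_ms:.0f} ms", d.reason)
```

The elapsed_ms field is there to show that the bypass path must not wait for the slow worker. A real service would also log every bypassed payment, so that a run of them is visible in monitoring rather than silently accepted.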

Inside the antifraud itself there are actually quite simple columnar things; most of the tasks are data aggregation. Here is what goes into the system:
  • ip
  • fingerprint
  • BIN (bank identification number)
  • Merchant ID
  • card token

And there is a task of this kind: in a sliding window, count the payments currently in flight that carry a specific value. For example, see right now what is being charged from a certain fingerprint. Or check the payments currently going through on a specific card. This helps the work a lot.
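To make the aggregation concrete, here is an added Python example (not Fraudbusters' code) of sliding-window counters keyed by the dimensions listed above, with the two rules from the earlier paragraph evaluated on top of them: card velocity (10 payments in a minute) and impossible travel (St. Petersburg 5 minutes after Moscow). It also shows one way to keep the Amazon case from tripping the velocity rule, by giving merchants known to split orders a higher limit; that exemption, the field names, thresholds and sample payments are all assumptions.

```python
# Added example, not Fraudbusters' code: sliding-window counters keyed by the
# dimensions listed above (ip, fingerprint, BIN, merchant id, card token), plus the
# two rules from the earlier paragraph (card velocity and impossible travel).
# Field names, thresholds, the trusted-merchant exemption and the sample
# payments are all assumptions made for this example.
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt

KEYS = ("ip", "fingerprint", "bin", "merchant_id", "card_token")


class WindowCounters:
    """For each (dimension, value) keep the (timestamp, amount) pairs seen in the
    last `window_s` seconds; entries fall out of the window as time moves on."""

    def __init__(self, window_s: int):
        self.window_s = window_s
        self.events = defaultdict(deque)

    def add(self, p: dict) -> None:
        for key in KEYS:
            self.events[(key, p[key])].append((p["ts"], p["amount"]))

    def stats(self, key: str, value, now: float) -> tuple[int, float]:
        """Count and sum of payments with this value inside the window ending at `now`."""
        dq = self.events[(key, value)]
        while dq and dq[0][0] < now - self.window_s:
            dq.popleft()
        return len(dq), sum(a for _, a in dq)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, used for the travel-speed check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class RuleEngine:
    def __init__(self, window_s=60, max_per_card=10, max_per_fingerprint=20,
                 max_speed_kmh=900.0, trusted_merchants=frozenset()):
        self.counters = WindowCounters(window_s)
        self.max_per_card = max_per_card
        self.max_per_fingerprint = max_per_fingerprint
        self.max_speed_kmh = max_speed_kmh
        # Assumption: merchants known to split one order into many charges
        # (the Amazon case above) get a three times higher per-card limit.
        self.trusted_merchants = trusted_merchants
        self.last_seen = {}  # card_token -> (ts, lat, lon)

    def evaluate(self, p: dict) -> list[str]:
        """Return the names of the rules this payment trips (empty = nothing odd).
        The decision (block, review, accept) is left to policy, because every
        rule here also has a legitimate explanation."""
        now = p["ts"]
        reasons = []
        limit = self.max_per_card * (3 if p["merchant_id"] in self.trusted_merchants else 1)
        n_card, _ = self.counters.stats("card_token", p["card_token"], now)
        if n_card + 1 >= limit:
            reasons.append("card_velocity")
        n_fp, _ = self.counters.stats("fingerprint", p["fingerprint"], now)
        if n_fp + 1 >= self.max_per_fingerprint:
            reasons.append("fingerprint_velocity")
        prev = self.last_seen.get(p["card_token"])
        if prev is not None:
            prev_ts, prev_lat, prev_lon = prev
            dist = haversine_km(prev_lat, prev_lon, p["lat"], p["lon"])
            hours = (now - prev_ts) / 3600
            if hours > 0 and dist / hours > self.max_speed_kmh:
                reasons.append("impossible_travel")
        self.counters.add(p)
        self.last_seen[p["card_token"]] = (now, p["lat"], p["lon"])
        return reasons


def payment(ts, card, merchant, lat, lon, amount=100.0, ip="203.0.113.7",
            fingerprint="fp-1", bin_="400000"):
    """Constructed payment record (RFC 5737 documentation IP, placeholder BIN)."""
    return {"ts": ts, "card_token": card, "merchant_id": merchant, "lat": lat,
            "lon": lon, "amount": amount, "ip": ip, "fingerprint": fingerprint,
            "bin": bin_}


MOSCOW, SPB = (55.75, 37.62), (59.93, 30.32)

if __name__ == "__main__":
    engine = RuleEngine(trusted_merchants=frozenset({"amazon"}))
    print(engine.evaluate(payment(0, "card-A", "atm", *MOSCOW)))    # []
    print(engine.evaluate(payment(300, "card-A", "shop", *SPB)))    # ['impossible_travel']
```

The engine only reports which rules fired; whether a flagged payment is blocked, reviewed or accepted is a policy decision, because, as the post says, each of these patterns also has an innocent explanation.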

By the way, it is important to understand that antifraud is not a thing in itself. It cannot be good or bad; it is a tool that needs tuning. And if the antifraud works badly, it's not because the antifraud is bad: it is badly set up, the wrong rules have been entered, or a bunch of important things have not yet been taken into account.
And getting it right is important for business. Not only because all the clients will run away from a bank whose antifraud is worthless, but because the industry is highly regulated here. If too many fraudulent chargebacks come to the bank, that is grounds for fines and additional checks. And if things get really sad, it will simply be disconnected from the payment system.
And rightly so. If you handle other people's money, people trust you, and you are not able to protect them, then why are you in the market? Go open a tire shop, for example.

Therefore you either have a well-tuned antifraud, or none at all, because you were kicked out of the market and no longer need one.

Our own

When we were writing our antifraud, we looked at all of this, checked the performance, and in the end installed ClickHouse.

It works like this. We have a payment system that is actively used. Accordingly, a large number of events are generated. We merge all these events in a single stream into ClickHouse, where they are aggregated and processed. And processed quickly.
Some time ago we had a vendor antifraud. Quite a decent solution in itself, it worked by subscription and did not cause any particular inconvenience. But once we had worked out the criteria for a correct antifraud, we started writing our own. It took us two months in total; the external API was described with Swagger. When we finished, we started testing: at first almost all the traffic went to the old one and a small part to the new one. Just in case something happened there.

Nothing did. We actively debugged it and used it at the start as an additional recommendation. And the other day we moved everything onto it completely; it is noticeably faster than the old one, it evaluates all the rules quickly, in general the flight is normal. But the old one is still kept as a spare wheel.
Antifraud is a great breeding ground for the power of machine learning. After all, at the input there is a base (the payments themselves), there is a dataset, and there is a model that is easily described by the fraud cases already known. That is, you can simply take the old flow of payments and label it for the model: look, here there was fraud, here it is, and here. In general, everything is there for full-fledged training of a neural network; take it and use it.
We have not yet made a cozy interface, since we are still at the stage of debugging the protocol and the rules (we have 200+ of them, and we write new ones every day). The system is managed with brisk curl commands straight from the console. And here the main task of the antifraud agent (yes, there is such a specially trained person who does exactly this) is to sit, carefully watch the traffic, receive chargebacks due to fraud, and adjust the rules. As you can see, the robots have not yet managed to push the meat bags out of their jobs completely.

In general, the new one is good now. But not really great yet. We want to add a dry run: that's when you write a rule and then run a specific payment through it with the question "What would happen to this payment if this rule applied to it". This will significantly boost its capabilities.
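Here is an added Python sketch (not from the post or from Fraudbusters) of the dry run idea: a candidate rule is evaluated against one specific payment with the question "what would happen to it?", and replayed over historical payments that already carry a chargeback label, so the agent can see how many chargebacks it would have caught and how many honest customers it would have blocked before switching it on. The predicate-style rules, the Payment fields and the sample history are constructed for this example.

```python
# Added example, not from the post: a "dry run" of candidate rules. A rule is
# evaluated against one payment ("what would happen to it?") and against the
# labelled history of past payments and chargebacks, without touching live
# decisions. The rule DSL (plain Python predicates), the Payment fields and the
# sample history are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Payment:
    id: str
    amount: float
    country: str
    merchant: str
    chargeback: bool   # True = this payment later came back as fraud


Rule = Callable[[Payment], bool]


@dataclass
class DryRunReport:
    rule: str
    would_block: list[str] = field(default_factory=list)
    true_positives: int = 0   # blocked, and really was a chargeback
    false_positives: int = 0  # blocked, but was an honest customer
    missed: int = 0           # chargeback the rule would not have caught

    @property
    def precision(self) -> float:
        hit = self.true_positives + self.false_positives
        return self.true_positives / hit if hit else 0.0

    @property
    def recall(self) -> float:
        fraud = self.true_positives + self.missed
        return self.true_positives / fraud if fraud else 0.0


def dry_run_payment(p: Payment, rules: dict[str, Rule]) -> dict[str, bool]:
    """Which of the candidate rules would fire on this one payment."""
    return {name: rule(p) for name, rule in rules.items()}


def backtest(name: str, rule: Rule, history: list[Payment]) -> DryRunReport:
    """Replay the rule over labelled history and count what it would have done."""
    report = DryRunReport(rule=name)
    for p in history:
        fired = rule(p)
        if fired:
            report.would_block.append(p.id)
        if fired and p.chargeback:
            report.true_positives += 1
        elif fired:
            report.false_positives += 1
        elif p.chargeback:
            report.missed += 1
    return report


# Constructed history: amounts in rubles, chargeback flag from the bank's feed.
HISTORY = [
    Payment("p1", 100, "RU", "shop", False),
    Payment("p2", 80_000, "US", "electronics", True),
    Payment("p3", 60_000, "DE", "electronics", True),
    Payment("p4", 70_000, "RU", "car_service", False),
    Payment("p5", 55_000, "US", "travel", False),
    Payment("p6", 200, "TR", "shop", True),
    Payment("p7", 90_000, "US", "electronics", True),
    Payment("p8", 300, "RU", "shop", False),
]

CANDIDATES: dict[str, Rule] = {
    "big_foreign": lambda p: p.amount > 50_000 and p.country != "RU",
    "foreign_electronics": lambda p: p.merchant == "electronics" and p.country != "RU",
}

if __name__ == "__main__":
    for name, rule in CANDIDATES.items():
        r = backtest(name, rule, HISTORY)
        print(f"{name}: blocks {r.would_block}, precision={r.precision:.2f}, recall={r.recall:.2f}")
    print(dry_run_payment(HISTORY[4], CANDIDATES))
```

Run this way, a rule's precision and recall on the bank's own chargeback feed are known before it touches live traffic, which is what makes tuning a growing rule set safe.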
I also want to build modeling interfaces. You know, like in the movies, when the brave FBI guys are tracking a fugitive by his credit card: look, here he refueled with the card, bought coffee over there, and took cash in that city. And all of it linked to a map and other data, with beautiful visualization. It's a matter of time.

Ideal system

When we finish our antifraud, it will be great. But the ideal, as usual, is not so easy to achieve.
The ideal, in my view, is built on absolute OpenSource. That is, an open-source antifraud in an open-source language with a convenient exchange of rules.
Let's take such an ideal DDoS protection system as an example.

Imagine that all the current operators got so fed up with the DDoSers that they united and began to use a single shared database of offenders. If a DDoS starts against the resource of some small operator, it quickly looks at who is behind it and adds the attacker's IPs to the blacklist. Blacklist updates are distributed through a single system, and everything related to this attack is blocked at the level of client connections.

The question of trust and reliability of such a system is solved by a blockchain.
You can work with banks the same way. There is a common list of antifraud patterns, shared across all banks. For example, the green bank got hit, its specialists reacted and added a new set of rules to the list, the list was updated, and that's it: a specific attack using this mechanic no longer works. Neither at the green bank, nor at any other brightly colored one.

The system is distributed, we have a blockchain, it cannot be hacked. OK, if you imagine that the antifraud itself was hacked at one bank, that is still that bank's problem. Because only the list of rules is shared between us, and the antifraud engines themselves are different at each bank.
As it really is now: banks are very conservative structures. Very. At the moment they have a small mailing list; a letter arrives to certain specialists saying, look, here is a drop's card, here are its parameters. But it is a newsletter. You can forget about efficiency and engagement right away. Still better than nothing at all, yes.

So banks are unlikely to pull off such an ideal story. Fintech is quite capable of it: payment systems and startups.
Machine learning combined with OpenSource is the future of antifraud. Whoever learns to work well with it will be able to hit a good jackpot: the industry is huge, there are billions in it. But there is no perfect solution yet.

And since there isn't one, there are good opportunities to enter the market.


What we offer

And we offer you a ready-made antifraud. It is already open source and completely free. Without any pitfalls: I am ready right now to give all the sources of our antifraud to anyone who wants them and to help with its integration into any payment system.

A common open-source solution lets you jointly exchange expertise and exchange protection rules.
Not to mention the community, which together can finish the engine and build new things that we either did not think of or did not have time for.
This moves the level of protection onto a completely new plane. Many participants in the payment industry are now developing their own solutions, and even more are buying ready-made ones from the market.

Don't buy. Our solution will win any tender, at least in terms of cost: it's hard to compete with an open-source solution.
Let's develop it together. The repositories are open, you have the sources right now. A community is always better than doing something alone.

A presentation of Fraudbusters as a standalone product, with build and integration manuals, will be the topic of the next article and is coming soon.

Antifraud: what is it?

Mikhail Apostolov, head of the SOC product line at Softline, and Mikhail Avsenev, head of the infrastructure support department at Infosecurity, a subsidiary of Softline Group, talked about systems for the automated detection of fraudulent actions and about interesting facts related to their use or absence.

Softline direct: Tell us an interesting story about antifraud and protection against fraud. There is an opinion that only banks need antifraud...
Mikhail Avsenev: There is such an opinion. But I'll tell you a story about, attention, a network of gas stations! At first glance, what connection could there be? But most such businesses have a loyalty program or so-called cashback. In a large network of gas stations, whose name I will not mention for obvious reasons, at one of the gas stations the operator ran all payments through her personal card with cashback. That is, she physically took money from clients and ran it through her own account, receiving the cashback. The scheme was uncovered like this: over a day we looked at all the operations, and it turned out that practically a whole tank of gasoline had been bought with this one card. It is in such situations that an antifraud is needed, which will show or even freeze such transactions.
Here's another example: cheating schemes on various game servers. For example, as happened with the company CCP, the developer of the space multiplayer strategy EVE Online. A player obtained some not very expensive resource, an artifact, let's call it a "twig", then went to trade on the in-game exchange, where he artificially raised its price, received cosmic profits in the literal and figurative sense, and brought down the entire game economy. As a result, the service was almost on the verge of shutting down.
Mikhail Apostolov: Antifraud is needed not only by banks, but even by gas stations and online game developers. It is relevant anywhere online trade relations arise and money transfers take place.
Mikhail Avsenev: By the way, about banks! Financial scammers come up with very interesting schemes. For example, the so-called "white plastic" is produced. This is when clones of legitimate cards are created, which then start quickly buying goods in online stores, as a rule created by the same scammers. Do you often check the SMS messages from your bank with information on transactions and your account? For many, SMS notification is not even enabled. In such cases, the client will not be able to block the card in time and will very quickly lose all the money.
We live in the age of information technology, so the news that someone has succeeded spreads very quickly. Some weaker group creates a fraudulent scheme, then sells this scheme to a stronger group that has more resources. Therefore the risks can range from 1,000 rubles up to several million, which can be lost literally within a few hours.
Mikhail Apostolov: In such cases, the losses invariably amount to large sums that cannot be compared with the cost of an antifraud such as the Fraud Detection System from Infosecurity.

Softline direct: Could you tell us which current threats the Fraud Detection System service can save you from?
Mikhail Avsenev: Last year, targeted attacks were the most popular. Not some typical viruses, but a pre-prepared penetration into the network. In such attacks, cybercriminals spend several months finding out the infrastructure and the information exchange protocols, and only then proceed to the attack. Even with this kind of penetration, the fraudsters have been in the network for a long time, so they can prepare automation tools and withdraw money quickly. Our antifraud detects these threats very quickly and automatically. A human operator may miss something, not pay attention to suspicious transactions, or fail to react in time.
Thanks to the built-in profiling mechanisms, the Fraud Detection System automatically detects such attacks, money withdrawals, and atypical user behavior. For example, a person made transactions mainly from Moscow, then suddenly turned up in Vladivostok, and then again in Moscow. Identifying such anomalies lets the operator see suspicious transactions and prevent the withdrawal of money. The attack may take place, but the money will not be lost.
Scammers also direct their attacks at payment gateways. Specially prepared documents are formed and sent to the payment system. Our antifraud allows you to control the legitimacy of the payment.

Softline direct: Which nodes inside a bank are the favorite targets of fraudsters? What do hackers most often choose?
Mikhail Avsenev: Hackers are mainly interested in those network nodes that contain information about payments and customers, or give direct access to the payment gateways themselves. First of all, this is the AWS KBR. Then there are the Cyberplay payment systems, Cyberpay with RAPIDA and other ABS payment systems, information about customers and their accounts, everything that can be of value. This also includes personal and passport data, information about contracts, and materials that can be used for competitive intelligence.
Mikhail Apostolov: I would like to note that among the services of the Infosecurity company there is monitoring of the information space, which helps to identify potential or already realized "leaks" of such information.

Softline direct: Now I would like to talk about the fight against fraud in retail and insurance. How exactly is antifraud useful in this area?
Mikhail Avsenev: In retail, our Fraud Detection System is useful for detecting abuse of loyalty programs. At the very beginning of this interview I already talked about fraud in a gas station network, but any bonus points for purchases can also be of interest to dishonest people.
Insurance is another interesting topic, as it has a lot of fraudulent schemes. For example, an insurance agent takes several policies and does not register them in the accounting system. Then he tells the client about a super discount and sells the policy for less. If the client has an insured event, he will first inform the insurance agent about it. The agent registers the corresponding policy retroactively, while the rest remain unregistered, and in the end he gets a huge real benefit.
Mikhail Apostolov: To summarize this block: wherever there are transactions, there is potentially a threat of fraud, so organizations that value their name and the fault tolerance of their systems need antifraud.

Softline direct: How does the Fraud Detection System work?
Mikhail Avsenev: The basic element of antifraud is a transaction that enters the processing system. This system includes several filters.
The first filter is the black and white lists. The white list contains information on transactions that the system accepts without fail. The black list contains information about fraudsters and their accounts, as well as signs that allow fraudulent transactions to be identified.
After the black and white lists have done their work, the transaction enters the rules system, which reveals uncharacteristic parameters. Let me give you an example: a person always paid a certain amount for utilities, and suddenly the payment increased tenfold. Our system will detect this thanks to the built-in rules engine. Another example of uncharacteristic behavior is a person who starts withdrawing money very abruptly. If his usual limit was, say, 70 thousand rubles a month, and at one point he cashes out one and a half million, this is a reason to contact him and find out whether it is really he who is withdrawing money from his account.
Another example is when one account sends payments to several places with the same amount at once. The transfer of small amounts of money to many different accounts can also be a sign of fraud. Such operations raise suspicion in the antifraud system. They are recorded, processed and passed to the operator, who receives data on who is conducting the transactions, to which accounts, and what the purpose of the payment is. This helps in making a decision.
If the transaction has passed the white and black lists as well as the rules mechanism, and the system could not decide whether the transaction was legitimate, then such a controversial case is forwarded to the operator. The operator then finds out whether the transaction is really legitimate and whether it can be allowed through.

Softline direct: Who writes the rules you refer to? Where do they come from?
Mikhail Avsenev: Training of the solution is based on historical data. We load the system with information about the transactions carried out over a year or six months, and begin to train it to identify fraudulent activity. This allows the operator to be unloaded and ensures the smallest number of manual transaction reviews (about 1%).
The Fraud Detection System integrates with almost any database system, including NoSQL.

Softline direct: Is the Fraud Detection System a cloud solution, or does it need to be installed locally?
Mikhail Avsenev: There are both options. If a client wants to use a cloud architecture, then we place at the customer's site only a connector to the antifraud, which is connected to its internal structure and transmits data for investigation. All the work, rules and computing power needed for the antifraud are located on our site. For the client, this means a reduction in the cost of detecting fraud. But if the client wishes, we can place the entire infrastructure with him. In those cases, for example, when the customer does not want to send us his data, we can deploy all the necessary infrastructure on his site. Of course, information is sent to our cloud via a secure channel: SSL encryption over a VPN. The client can be sure that the data will not leak anywhere.

Softline direct: If the customer wants to host everything himself, how will the antifraud work?
Mikhail Avsenev: If a customer hosts the solution on his own premises, he receives the antifraud core along with the rules, black and white lists, a web interface for the operators who will confirm or deny transactions, and a communication channel through which we monitor our system and send updates.

Softline direct: To finish the conversation, let's summarize: what are the key features of the Fraud Detection System? How does it differ from other antifraud solutions?
Mikhail Avsenev: First, there are two modes of operation. We can work inline, in which the antifraud system itself automatically blocks transactions, or in parallel. In the latter case, the antifraud detects suspicious transactions and informs the operator about them, but the transaction is still performed, with the ability to recall it later, which does not disrupt the functioning of the business.
Our second feature is the large number of sources from which we collect data: Microsoft SQL Server, PostgreSQL, MySQL, Oracle, DB2, MQ, REST API.
In addition, we have, let's call it, a "gentleman's set" of rules. The client receives this set by default when installing the solution. Then we adapt the system to the nuances of the particular customer. The rules are flexibly configurable, which allows the number of false positives to be reduced. As a result, the burden on operators is reduced and they can pay more attention to the really important things.
The possibility of training to reduce the number of false positives should also be noted. Thanks to this, our clients receive a system that automatically analyzes more than 98% of transactions. Only a little more than 1% remains for manual processing.
Mikhail Apostolov: The Infosecurity company has been on the market for a sufficient amount of time. The Fraud Detection System is used in the IT systems of very large clients. We can confidently assert that the main and key feature of the solution is the fast processing of a large number of transactions.

Softline direct: How is the solution developing now?
Mikhail Avsenev: Product development is moving towards non-relational databases (NoSQL), since we use such databases not only in the antifraud solution, but also in our SOC. This allows multiple transactions to be executed in parallel and further increases the speed of the antifraud and its fault tolerance. A distributed database is a much more reliable solution than a single-server one.
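As an added example (not Infosecurity's code, and not part of the interview), here is a Python model of the filter order Mikhail Avsenev describes: white list, then black list, then the rules engine, with anything the rules cannot clear queued for an operator. Two of the rules from the interview are included: a payment ten times the customer's usual amount for that purpose, and the same amount fanned out to many different accounts from one payer. The account names, thresholds and sample transactions are constructed; the 10x ratio and the fan-out limit of five are assumptions.

```python
# Added example, not Infosecurity's code: the filter order described above
# (white list, black list, rules engine, escalation to an operator) with two of
# the rules from the interview: a payment ten times the customer's usual amount,
# and the same amount fanned out to many different accounts. The account names,
# thresholds and sample transactions are constructed for this example.
from collections import defaultdict
from statistics import median

WHITELIST = {"acct-payroll-01"}   # constructed: accepted without further checks
BLACKLIST = {"acct-mule-77"}      # constructed: known fraudster accounts


class FdsPipeline:
    def __init__(self, history: list[dict], ratio=10, fanout_limit=5):
        # Baseline per (payer, purpose): the median of past amounts.
        grouped = defaultdict(list)
        for tx in history:
            grouped[(tx["payer"], tx["purpose"])].append(tx["amount"])
        self.baseline = {k: median(v) for k, v in grouped.items()}
        self.ratio = ratio
        self.fanout_limit = fanout_limit
        self.transfers = defaultdict(list)   # payer -> [(amount, payee), ...]
        self.operator_queue = []
        self.seen = 0

    def check(self, tx: dict) -> tuple[str, list[str]]:
        self.seen += 1
        # 1. White list: accepted without fail.
        if tx["payer"] in WHITELIST:
            return "accept", ["whitelist"]
        # 2. Black list: known fraudster accounts on either side.
        if tx["payer"] in BLACKLIST or tx["payee"] in BLACKLIST:
            return "reject", ["blacklist"]
        # 3. Rules engine: uncharacteristic parameters.
        reasons = []
        usual = self.baseline.get((tx["payer"], tx["purpose"]))
        if usual and tx["amount"] >= self.ratio * usual:
            reasons.append(f"amount_{self.ratio}x_usual")
        self.transfers[tx["payer"]].append((tx["amount"], tx["payee"]))
        same_amount_payees = {payee for amt, payee in self.transfers[tx["payer"]]
                              if amt == tx["amount"]}
        if len(same_amount_payees) >= self.fanout_limit:
            reasons.append("same_amount_fanout")
        # 4. Anything the rules could not clear goes to the operator.
        if reasons:
            self.operator_queue.append((tx, reasons))
            return "review", reasons
        return "accept", []

    def manual_share(self) -> float:
        """Fraction of transactions that ended up with an operator."""
        return len(self.operator_queue) / self.seen if self.seen else 0.0


# Constructed: four months of one customer's utility payments.
HISTORY = [{"payer": "acct-ivanov", "payee": "utility-co", "purpose": "utilities", "amount": a}
           for a in (3000, 3100, 2900, 3050)]

SAMPLE_TXS = [
    {"payer": "acct-payroll-01", "payee": "acct-ivanov", "purpose": "salary", "amount": 90000},
    {"payer": "acct-ivanov", "payee": "acct-mule-77", "purpose": "transfer", "amount": 5000},
    {"payer": "acct-ivanov", "payee": "utility-co", "purpose": "utilities", "amount": 3200},
    {"payer": "acct-ivanov", "payee": "utility-co", "purpose": "utilities", "amount": 31000},
] + [{"payer": "acct-petrov", "payee": f"acct-new-{i}", "purpose": "transfer", "amount": 9999}
     for i in range(5)]


def run(pipeline: FdsPipeline, txs: list[dict]) -> list[str]:
    """Feed transactions through the pipeline and return the action for each."""
    return [pipeline.check(tx)[0] for tx in txs]


if __name__ == "__main__":
    fds = FdsPipeline(HISTORY)
    for tx, action in zip(SAMPLE_TXS, run(fds, SAMPLE_TXS)):
        print(action, tx["payer"], "->", tx["payee"], tx["amount"])
    print(f"manual review share: {fds.manual_share():.0%}")
```

The manual_share figure corresponds to the roughly 1% the interview quotes: everything the lists and rules settle never reaches a person, so tightening rules without raising false positives is what keeps that share small.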