For a deeper understanding and educational purposes, we will look at how behavioral metrics help detect carding (fraud using stolen payment card data), including analysis of data entry speed, geolocation, user sessions, and additional aspects. I will describe each metric, its meaning, technical details, examples of anomalies, and approaches to implementing the analysis to ensure a thorough understanding of the topic.
What is carding and why are behavioral metrics important?
Carding is a type of fraud in which criminals use stolen credit or debit card data to make unauthorized transactions, purchase goods or services, or test cards for subsequent sale. Fraudsters aim to maximize profit while minimizing the likelihood of detection, so their actions often differ from the behavior of legitimate users.
Behavioral metrics are data that reflect a user's actions on a site, in an application, or during a transaction. They help identify anomalies that indicate fraud: carders (fraudsters who engage in carding) use automated tools, proxies and stolen data, or act in a hurry, which creates recognizable patterns. Analysis of these metrics allows fraud detection systems to classify transactions in real time as suspicious or safe.
1. Data entry speed
Why is this important?
The speed at which data is entered (card number, CVV, cardholder name, address) can indicate automation or data prepared in advance, both typical of carders. Legitimate users usually type manually, with natural delays, typos and corrections, while fraudsters often use scripts or copy-paste from a list of stolen cards.
What to analyze?
- Keystroke dynamics: Legitimate users have variable keystroke times (e.g. 100-300ms), while automated scripts may enter data in 10-50ms.
- Total time to fill out the form: A normal user spends 5-15 seconds to enter card details, while a script can do it in 1-2 seconds.
- Copy-paste: Detected by missing keypress events or text appearing instantly in the field.
- Input errors: Legitimate users make typos (for example, a mistyped card number) and correct them, while carders usually submit error-free data, since they paste values from a list that has already been checked.
Examples of anomalies:
- A 16-digit card number entered in 0.5 seconds.
- No pauses between filling in fields (card number, CVV, expiration date).
- Repeated typing patterns (e.g. same amount of time between keystrokes across sessions).
Technical implementation:
- Data collection: Use JavaScript to record keydown, keyup, input and paste events with timestamps on the checkout page and send them with the form; because these timings are produced by the client, treat them as one signal among several rather than as proof on their own.
- Tools: Behavioral Biometrics (e.g. BioCatch, SecuredTouch) analyze input dynamics to create a profile of the user's behavior.
- Analysis: Comparison with the distribution of input times observed for legitimate users (e.g. using statistical models or ML algorithms).
- Example of an alert: If form completion time is < 2 seconds or copy-paste is detected, the transaction is marked as suspicious.
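The checks above, as an added example in Python (not code from this page): it assumes the checkout page ships, for each field, the keydown timestamps, the field length after every input event and a flag for a paste event. The traces at the bottom are constructed; the thresholds (80 ms median interval, 0.25 coefficient of variation) are illustrative.

```python
"""Keystroke-dynamics signals for one checkout field (e.g. the card number).

Added example, not code from the original page. It assumes the checkout page
ships, per field, the keydown timestamps, the field length after each input
event and whether a paste event fired; the traces used below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class FieldTrace:
    keydowns: tuple          # client timestamps (ms) of keydown events
    inputs: tuple            # (timestamp_ms, field_length) after each input event
    pasted: bool = False     # a paste event fired on the field


def trace_from_intervals(intervals_ms, start_ms=0):
    """Build a trace for a field typed one character per keystroke."""
    times = [start_ms]
    for gap in intervals_ms:
        times.append(times[-1] + gap)
    return FieldTrace(keydowns=tuple(times),
                      inputs=tuple((t, i + 1) for i, t in enumerate(times)))


def keystroke_signals(trace, min_human_ms=80, cv_floor=0.25):
    """Return timing and paste signals for one field.

    bulk_insert: the field grew by more than one character in a single input
    event, which happens on paste, browser autofill and scripted value
    injection (no keydown at all).
    too_fast: median inter-key interval below min_human_ms.
    too_regular: coefficient of variation of the intervals below cv_floor,
    i.e. machine-like uniform timing between keys.
    """
    intervals = [b - a for a, b in zip(trace.keydowns, trace.keydowns[1:])]
    bulk_insert, prev_len = False, 0
    for _, length in trace.inputs:
        if length - prev_len > 1:
            bulk_insert = True
        prev_len = length
    med = cv = None
    if len(intervals) >= 3:
        med = median(intervals)
        avg = mean(intervals)
        cv = pstdev(intervals) / avg if avg > 0 else 0.0
    fill_ms = trace.inputs[-1][0] - trace.inputs[0][0] if len(trace.inputs) > 1 else 0
    return {
        "pasted": trace.pasted,
        "bulk_insert": bulk_insert,
        "keystrokes": len(trace.keydowns),
        "median_interval_ms": med,
        "interval_cv": cv,
        "fill_ms": fill_ms,
        "too_fast": med is not None and med < min_human_ms,
        "too_regular": cv is not None and cv < cv_floor,
    }


def classify_field(trace):
    s = keystroke_signals(trace)
    if s["pasted"] or s["bulk_insert"]:
        return "pasted_or_injected"
    if s["too_fast"] or s["too_regular"]:
        return "scripted_typing"
    return "human_typing"


# Constructed traces for a 16-digit card number.
HUMAN = trace_from_intervals([180, 240, 150, 310, 110, 170, 260, 190,
                              350, 330, 140, 210, 280, 120, 250])
SCRIPT = trace_from_intervals([20] * 15)                   # uniform 20 ms per key
PASTE = FieldTrace(keydowns=(0,), inputs=((30, 16),), pasted=True)  # Ctrl+V, 16 chars at once
INJECTED = FieldTrace(keydowns=(), inputs=((0, 16),))      # value set by script, no keys

if __name__ == "__main__":
    for name, trace in (("human", HUMAN), ("script", SCRIPT),
                        ("paste", PASTE), ("injected", INJECTED)):
        print(name, classify_field(trace), keystroke_signals(trace)["fill_ms"])
```

Browser autofill and password managers also produce a bulk insert, so `pasted_or_injected` on its own should raise the risk score, not reject the transaction; the timing signals carry more weight when the customer actually typed.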
2. Geolocation
Why is this important?
Geolocation data helps identify discrepancies between the location implied by the card's billing address, the shipping address and the IP address. Carders often connect through proxies or VPNs and use cards stolen from cardholders in other countries, which creates anomalies.
What to analyze?
- IP Geolocation: Comparison of the user's IP address with geographic map data (country, city, region).
- Address mismatch: Differences between the billing address (the one registered with the card issuer), the shipping address and the IP geolocation.
- Frequent geolocation changes: Multiple transaction attempts from different IP addresses within a short period of time (e.g. changing countries within an hour).
- Use of anonymizers: Detecting VPNs, proxies or Tor exit nodes from HTTP headers, the ASN (Autonomous System Number) of the IP address, or reputation databases such as MaxMind.
Examples of anomalies:
- The IP address is from Russia, and the card's billing address is from the USA.
- Transactions from one device, but from IP addresses from different countries within 10 minutes.
- Using public VPN servers (e.g. IP associated with NordVPN or ProtonVPN).
Technical implementation:
- Data collection: Obtain the client IP address on the server; behind a CDN or reverse proxy, read the address your own edge appended to X-Forwarded-For, and never trust that header on a direct connection, since any client can set it. Match the address against geolocation databases (MaxMind GeoIP, IP2Location).
- Tools: Fraud Detection systems (Sift, Kount, Signifyd) integrate geolocation data for real-time analysis.
- Analysis: Checking the distance between geolocations (e.g. using the Haversine formula to calculate the distance between coordinates) or flagging high-risk transactions (e.g. IPs from "risky" countries).
- Example of a red flag: Transaction from Nigeria with a card registered in Canada or use of a known proxy server.
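The geolocation checks of this section, as an added Python example (not the page's code): safe extraction of the client IP behind a CDN, a Haversine distance, billing/shipping/IP mismatches, an anonymizer ASN check, and an impossible-travel check against the customer's previous transaction. The GeoIP table, the trusted CDN range (100.64.0.0/10), the ASNs and the country centroids are constructed stand-ins for a MaxMind or IP2Location lookup.

```python
"""Geolocation consistency checks for a card transaction.

Added example, not code from the original page. The GeoIP/ASN lookup is a
constructed in-memory table standing in for a MaxMind GeoIP2 or IP2Location
query; the CDN range, ASNs and coordinates below are made up for the demo.
"""
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table: network -> (country, lat, lon, asn)
GEOIP = {
    ip_network("203.0.113.0/24"): ("NL", 52.37, 4.90, "AS64500"),
    ip_network("198.51.100.0/24"): ("US", 40.71, -74.01, "AS64501"),
    ip_network("192.0.2.0/24"): ("NG", 6.52, 3.38, "AS64502"),
}
ANONYMIZER_ASNS = {"AS64500"}                    # constructed VPN/proxy/hosting ASNs
TRUSTED_PROXIES = [ip_network("100.64.0.0/10")]  # constructed range of our own CDN edges
# Coarse country centroids (constructed) for a billing-vs-IP distance estimate.
COUNTRY_CENTROIDS = {"US": (39.8, -98.6), "CA": (56.1, -106.3),
                     "RU": (61.5, 105.3), "NL": (52.1, 5.3), "NG": (9.1, 8.7)}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def client_ip(remote_addr, xff_header=None):
    """Resolve the connecting client's IP behind a CDN.

    X-Forwarded-For is client-controlled unless our own edge appended to it, so
    it is honoured only when the TCP peer is a trusted proxy, and then only the
    rightmost entry that is not itself a trusted proxy is used (the part a
    client cannot forge). Otherwise the TCP peer address is the client.
    """
    peer = ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES) or not xff_header:
        return str(peer)
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            addr = ip_address(entry)
        except ValueError:
            continue  # garbage injected upstream of our edge; ignore it
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)


def lookup_ip(ip):
    addr = ip_address(ip)
    for net, rec in GEOIP.items():
        if addr in net:
            return rec
    return None


def geo_signals(ip, billing_country, shipping_country, now_ts,
                previous=None, max_speed_kmh=900.0):
    """Geolocation signals for one transaction.

    previous: optional (ts, lat, lon) of the same device/customer's last
    transaction, used for an impossible-travel check (faster than an airliner).
    """
    rec = lookup_ip(ip)
    if rec is None:
        return {"ip_known": False}
    country, lat, lon, asn = rec
    centroid = COUNTRY_CENTROIDS.get(billing_country)
    sig = {
        "ip_known": True,
        "ip_country": country,
        "ip_billing_mismatch": country != billing_country,
        "shipping_billing_mismatch": shipping_country != billing_country,
        "anonymizer": asn in ANONYMIZER_ASNS,
        "km_from_billing_country": round(haversine_km(lat, lon, *centroid)) if centroid else None,
        "impossible_travel": False,
    }
    if previous is not None:
        prev_ts, prev_lat, prev_lon = previous
        hours = (now_ts - prev_ts) / 3600.0
        km = haversine_km(prev_lat, prev_lon, lat, lon)
        # ignore tiny moves (GeoIP jitter); flag if the implied speed is absurd
        sig["impossible_travel"] = km > 50 and (hours <= 0 or km / hours > max_speed_kmh)
    return sig


if __name__ == "__main__":
    ip = client_ip("100.64.1.1", "10.0.0.5, 203.0.113.10")   # CDN edge appended the real IP
    print(ip, geo_signals(ip, "US", "RU", now_ts=1000, previous=(400, 40.71, -74.01)))
```

The impossible-travel check needs the previous transaction's coordinates keyed by device fingerprint or customer account, not by IP; GeoIP city coordinates are only accurate to tens of kilometres, which is why small distances are ignored.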
3. User sessions
Why is this important?
Session analysis reveals behavior typical of carders, such as card testing, automated bots, or attempts to bypass security controls. Legitimate users tend to follow predictable patterns of navigation and interaction.
What to analyze?
- Session Length: Short sessions (less than 30 seconds) that lead directly to payment may indicate automation.
- Transaction frequency: Multiple payment attempts with different cards or details in one session.
- Failed transactions: Repeated transactions rejected by the bank (e.g. due to incorrect CVV or insufficient funds).
- Navigation patterns: No product catalog view, direct access to the checkout page, or abnormal transitions (e.g. via API rather than UI).
- Device Fingerprinting: Collecting device data (browser, OS, screen resolution, language) to identify new or suspicious devices.
Examples of anomalies:
- The user goes straight to the payment page without viewing any products.
- 10 payment attempts with different cards in 5 minutes.
- A session with a device that has no cookies or browsing history.
Technical implementation:
- Data collection: Use a JavaScript SDK (such as FingerprintJS) to create a unique device ID and track sessions via cookies or localStorage.
- Tools: Platforms like Forter, Riskified, or ThreatMetrix collect session data and analyze it in real time.
- Analysis: Building a graph of user behavior (e.g. sequence of pages, time on each) and comparing with normal patterns. Machine learning (e.g. Random Forest or neural networks) helps identify anomalies.
- Example of an alarm: A 10 second session with 5 payment attempts with different cards.
4. Additional behavioral metrics
4.1. Transaction frequency and time
- Why is it important? Carders often test cards with small transactions or make purchases at unusual times (for example, at night in the cardholder's time zone).
- Analysis: Check for timing patterns (e.g. transactions at 3am local card time) or abnormally high transaction frequency (more than 3 per minute).
- Example: 20 transactions of $1 to check the validity of cards.
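The session metrics of section 3 and the frequency/time-of-day metric of 4.1, combined in one added Python example (not the page's code). It assumes the checkout backend logs page views and payment attempts per session and that the payment processor returns a card token rather than the PAN; the two sessions at the bottom and the cardholder's UTC offset are constructed.

```python
"""Session-level card-testing signals.

Added example, not code from the original page. Events are what a checkout
backend would log per session; the two sessions at the bottom are constructed.
Card numbers never appear here, only the payment processor's token.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: float               # unix seconds (server clock)
    kind: str               # "page_view" or "payment_attempt"
    path: str = ""          # page_view: request path
    card_token: str = ""    # payment_attempt: tokenized card, not the PAN
    result: str = ""        # payment_attempt: "approved", "declined_cvv", "declined_nsf", ...
    amount: float = 0.0


CATALOG_PREFIXES = ("/category", "/product", "/search")


def session_signals(events, window_s=300, billing_utc_offset_h=0):
    """Aggregate one session into the metrics from sections 3 and 4.1.

    billing_utc_offset_h: the cardholder's UTC offset (derived from the billing
    address), so that 'night-time' is judged in the cardholder's time zone.
    """
    events = sorted(events, key=lambda e: e.ts)
    views = [e for e in events if e.kind == "page_view"]
    attempts = [e for e in events if e.kind == "payment_attempt"]
    first_checkout = next((v.ts for v in views if v.path.startswith("/checkout")), None)
    browsed = any(v.path.startswith(CATALOG_PREFIXES)
                  and (first_checkout is None or v.ts < first_checkout) for v in views)
    max_in_window = 0                       # most attempts inside any window_s span
    for i, a in enumerate(attempts):
        n = sum(1 for b in attempts[i:] if b.ts - a.ts <= window_s)
        max_in_window = max(max_in_window, n)
    local_hours = [(datetime.fromtimestamp(a.ts, timezone.utc)
                    + timedelta(hours=billing_utc_offset_h)).hour for a in attempts]
    return {
        "duration_s": events[-1].ts - events[0].ts if events else 0,
        "attempts": len(attempts),
        "distinct_cards": len({a.card_token for a in attempts}),
        "declines": sum(1 for a in attempts if a.result.startswith("declined")),
        "max_attempts_in_window": max_in_window,
        "micro_charges": sum(1 for a in attempts if 0 < a.amount <= 1.0),
        "browsed_before_checkout": browsed,
        "night_local_time": any(0 <= h < 5 for h in local_hours),
    }


def session_verdict(sig):
    """Return the rules that fired; an empty list means nothing suspicious."""
    reasons = []
    if sig["max_attempts_in_window"] > 3:
        reasons.append("velocity")
    if sig["distinct_cards"] >= 3:
        reasons.append("multiple_cards")
    if sig["declines"] >= 2:
        reasons.append("repeated_declines")
    if sig["micro_charges"] >= 3:
        reasons.append("micro_charges")
    if sig["attempts"] and not sig["browsed_before_checkout"]:
        reasons.append("direct_to_checkout")
    if sig["night_local_time"]:
        reasons.append("off_hours")
    return reasons


T0 = 1_700_035_200  # 2023-11-15 08:00:00 UTC; 03:00 for a cardholder at UTC-5
FRAUD_SESSION = [   # constructed: card testing with $1 charges, straight to checkout
    Event(T0, "page_view", path="/checkout"),
    Event(T0 + 20, "payment_attempt", card_token="tok_a", result="declined_cvv", amount=1.0),
    Event(T0 + 50, "payment_attempt", card_token="tok_b", result="declined_cvv", amount=1.0),
    Event(T0 + 80, "payment_attempt", card_token="tok_c", result="approved", amount=1.0),
    Event(T0 + 110, "payment_attempt", card_token="tok_d", result="declined_nsf", amount=1.0),
]
T1 = T0 + 36_000    # 18:00 UTC, 13:00 for the same cardholder
LEGIT_SESSION = [   # constructed: browse, cart, checkout, one approved payment
    Event(T1, "page_view", path="/category/phones"),
    Event(T1 + 60, "page_view", path="/product/phone-x"),
    Event(T1 + 120, "page_view", path="/cart"),
    Event(T1 + 180, "page_view", path="/checkout"),
    Event(T1 + 240, "payment_attempt", card_token="tok_e", result="approved", amount=999.0),
]

if __name__ == "__main__":
    for name, s in (("fraud", FRAUD_SESSION), ("legit", LEGIT_SESSION)):
        print(name, session_verdict(session_signals(s, billing_utc_offset_h=-5)))
```

Velocity counting per session is easy to evade by rotating sessions, so the same counters should also be kept per device fingerprint and per IP; the sliding window above is the building block for all three.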
4.2. Devices and browsers
- Why is it important? Fraudsters may use emulators, virtual machines, or outdated browsers to hide their identity.
- Analysis: Checking User-Agent, screen resolutions, fonts, plugins. For example, a non-standard screen resolution (e.g. 1x1) may indicate a bot.
- Example: Transaction from a browser that does not support WebGL, or from a device with no browsing history.
4.3. Buying patterns
- Why is it important? Carders often buy items that are easy to resell (electronics, gift cards) or make small test transactions.
- Analysis: Check product categories, transaction amounts and their frequency. For example, buying 5 gift cards for $50 in 10 minutes.
- Example: Order $2,000 worth of electronics with delivery to an address not associated with the card.
4.4. Mouse Movement and Navigation Analysis
- Why is it important? Bots do not imitate natural mouse movements or page scrolling, which distinguishes them from real users.
- Analysis: Tracking cursor trajectory, scroll speed, clicks. Legitimate users move the mouse smoothly, while bots act linearly or do not use the mouse at all.
- Example: No mouse movements on the page with the payment form.
4.5. Contextual Metrics
- Why is it important? A discrepancy between the user profile (age, gender, interests) and the card details or purchase may indicate fraud.
- Analysis: Comparison of demographic data (for example, the card is registered to a 60-year-old man, and the purchase is cosmetics for a young audience).
- Example: An email address created a minute before the transaction, or the use of a disposable email service (e.g. mailinator.com).
How is this implemented in Fraud Detection systems?
- Data collection:
- Client side: JavaScript SDKs (FingerprintJS, BioCatch) collect behavior, device and session data.
- Server side: Logging IP, HTTP headers, transactions via payment system API (Stripe, PayPal).
- External sources: Geolocation databases (MaxMind), IP reputation feeds, email and card blacklists.
- Analysis and modeling:
- Rules (Rule-based): For example, "if IP is from a risky country and input time < 2 seconds, then flag".
- Machine learning: Algorithms (Random Forest, Gradient Boosting, neural networks) are trained on historical data, creating profiles of normal and abnormal behavior.
- Scoring: Transactions are assigned a risk score (0-100), where a high score (e.g. >80) requires additional verification.
- Reaction:
- Automatic blocking: High risk transactions are rejected.
- Additional verification: Request 3D-Secure, SMS code or manual verification.
- Monitoring: Suspicious sessions are flagged for real-time analysis.
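The rules, scoring and reaction stages above, as an added Python example (not the page's code and not any vendor's engine). The feature names, rule weights and the 80-point step-up threshold are assumptions chosen for illustration; the features are what the keystroke, geolocation, session and device analyses would produce, and the constructed SCENARIO mirrors the carding scenario described below.

```python
"""Rule-based risk scoring that combines the behavioral metrics into one decision.

Added example, not the page's or any vendor's code. The feature names, rule
weights and thresholds are assumptions chosen for illustration; a real
deployment tunes them on historical, labelled transactions.
"""
from dataclasses import dataclass


@dataclass
class TxFeatures:
    """Flattened per-transaction features (assumed names) as produced by the
    keystroke, geolocation, session and device analyses."""
    pasted_card_number: bool = False
    fill_ms: int = 10_000            # time to fill the card form
    ip_country: str = ""
    billing_country: str = ""
    shipping_country: str = ""
    anonymizer: bool = False         # VPN/proxy/Tor ASN
    browsed_before_checkout: bool = True
    attempts_5min: int = 1           # payment attempts in the last 5 minutes
    new_device: bool = False         # fingerprint never seen for this customer
    product_category: str = ""
    local_hour: int = 12             # hour of day in the cardholder's time zone
    disposable_email: bool = False
    card_blocklisted: bool = False


RESALE_CATEGORIES = {"electronics", "gift_card"}

# (rule name, predicate, weight). Weights are assumed for the example.
RULES = [
    ("pasted_card", lambda f: f.pasted_card_number, 15),
    ("typed_too_fast", lambda f: not f.pasted_card_number and f.fill_ms < 2000, 10),
    ("ip_billing_mismatch", lambda f: f.ip_country != f.billing_country, 20),
    ("anonymizer", lambda f: f.anonymizer, 10),
    ("shipping_billing_mismatch", lambda f: f.shipping_country != f.billing_country, 15),
    ("direct_to_checkout", lambda f: not f.browsed_before_checkout, 10),
    ("velocity", lambda f: f.attempts_5min >= 3, 10),
    ("new_device", lambda f: f.new_device, 5),
    ("resale_category", lambda f: f.product_category in RESALE_CATEGORIES, 10),
    ("off_hours", lambda f: 0 <= f.local_hour < 5, 5),
    ("disposable_email", lambda f: f.disposable_email, 10),
]
# Rules that reject outright regardless of score.
HARD_BLOCK = [
    ("card_blocklisted", lambda f: f.card_blocklisted),
    ("card_testing_burst", lambda f: f.attempts_5min >= 10),
]
CHALLENGE_THRESHOLD = 80   # at or above: step-up (3-D Secure / SMS code / manual review)


def score_transaction(f):
    """Return the score (0-100), the action and the rules that fired."""
    fired = [(name, w) for name, pred, w in RULES if pred(f)]
    score = min(100, sum(w for _, w in fired))
    hard = [name for name, pred in HARD_BLOCK if pred(f)]
    if hard:
        action = "block"
    elif score >= CHALLENGE_THRESHOLD:
        action = "challenge_3ds"
    else:
        action = "approve"
    return {"score": score, "action": action,
            "rules": [name for name, _ in fired], "hard_rules": hard}


# Constructed features for the carding scenario (US card, NL VPN, RU delivery).
SCENARIO = TxFeatures(pasted_card_number=True, fill_ms=1000, ip_country="NL",
                      billing_country="US", shipping_country="RU", anonymizer=True,
                      browsed_before_checkout=False, attempts_5min=3,
                      new_device=True, product_category="electronics")
LEGIT = TxFeatures(ip_country="US", billing_country="US", shipping_country="US",
                   product_category="books")

if __name__ == "__main__":
    print(score_transaction(SCENARIO))   # score 95 -> challenge_3ds
    print(score_transaction(LEGIT))      # score 0 -> approve
```

Keeping every rule as a named predicate with its own weight is what makes the score explainable to the analyst who reviews a flagged order, and it is also what an ML model replaces or re-weights later: the features stay the same, only the weighting changes.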
An example of a carding scenario and how metrics help to identify it
Scenario: A fraudster uses a stolen US card to purchase an iPhone from a Russian site. He connects via VPN, copies the card details from a text file, and attempts to complete 3 transactions in 5 minutes.
Metrics that indicate fraud:
- Input speed: Card data entered in 1 second (copy-paste).
- Geolocation: IP from the Netherlands (VPN), billing address in the USA, delivery in Russia.
- Session: Direct transition to payment page, 3 attempts with different CVV, no catalog browsing.
- Device: New User-Agent with no browsing history, using an outdated browser.
- Pattern: Buying an expensive item (iPhone) with a high risk of resale.
System response: The transaction receives a risk score of 95/100, 3D-Secure is activated, after which the fraudster stops trying.
Recommendations for implementation
- Tools:
- Fraud Detection platforms: Sift, Kount, Signifyd, Forter.
- Behavioral biometrics: BioCatch, SecuredTouch for keystroke and mouse-movement analysis.
- Device Fingerprinting: FingerprintJS, ThreatMetrix.
- Geolocation: MaxMind GeoIP, IP2Location.
- Setting:
- Set rules to flag anomalies (e.g. >3 transactions in 5 minutes).
- Integrate payment system APIs to receive transaction status data.
- Tune ML models on historical data, including cases of confirmed carding.
- Training and updating:
- Update your models regularly as carders adapt to new security methods.
- A/B test your rules to minimize false positives.
- Legal aspects:
- Comply with data protection laws (GDPR, CCPA) when collecting behavioral metrics.
- Pseudonymize stored behavioral data and keep it separate from card data, so that a leak of the analytics store exposes as little as possible.
Conclusion
Behavioral metrics such as data entry speed, geolocation and session analysis are powerful tools for detecting carding. They reveal anomalies related to automation, location masking and suspicious patterns of behavior. Effective analysis requires the integration of modern tools (fraud detection platforms, behavioral biometrics) and machine learning, as well as constant updating of approaches to counter new fraud schemes.
If you want to go deeper into a specific aspect (e.g. setting up ML models or code samples for analysis), write and I will expand the answer!