
A deeper look at Connect – Ravelin's graph network for fraud link analysis

Connect helps merchants visualize their data to explore and discover hidden links that expose account takeover, multi-account, fraud rings... and stop them.


Industry-leading link analysis tool Connect is the graph network element of Ravelin that we use to identify significant yet hidden connections in our clients’ customer bases.

We've discussed the basics of graph network database Connect before. Today, it's time to dive into the history of how and why it exists, as well as look at some examples of how it's used.

Simply put, Connect uses link analysis on a merchant's data to show which customers are using the same cards, devices, IP addresses and more – expanding out to show more and more of a customer's network.

The images are often beautiful, so much so that we have framed them for clients to hang on their walls.

But these graph networks are not art; they are science. And as we have pushed and pushed at the applications and use cases for this approach to fraud detection, we have realized that we have built something not just unique but uniquely powerful in the world of fraud detection; powerful not just on its own – which it certainly can be – but also powerful in combination with Ravelin’s core machine learning fraud detection models.

Ravelin Connect: A sophisticated graph network tool for fraud detection

Ravelin has built a prediction engine that uses machine learning at its core to score transactions on their likelihood to be fraudulent. This works extremely well for scanning transactions that are actively progressing through a payment flow, comparing signals to previous experiences of fraud to produce a score.

But early on in our product development we realized that this only provides a partial picture of the fraud risk for a merchant. The network that a fraudster creates is just as relevant to making a fraud assessment as who they are or what they do or how they try to pay.

From the outset we determined that we would need a way that allowed us both to consume the network information provided by our clients and present it back to them in a way that made sense.

So we invested in a graph network tool to test this out. Initially, we anticipated using an open source tool or buying something off the shelf but quickly realized that latency, flexibility and other issues meant it would be more effective for Ravelin to build it ourselves. Doing this required some brilliant engineering, design and coding – something that the Ravelin Connect project has continuously benefited from over its lifecycle. Hence Connect was born and we trialed with some early customers.

The result? They loved it. Passionately. All the suspected ill behavior, fake accounts, and fraud rings were suddenly visible in rich technicolour. Whole networks of suspicious accounts could be closed in an instant. With our clients we located and ended accounts responsible for millions of dollars of fraud.

Wow.

But this was only the beginning.


Connect as a fraud investigation tool

Off-the-shelf graph networks will impressively but passively map connections in a database. But without any underlying data on the importance of these connections there is an a priori problem: basically, an analyst needs to know what they are looking for before they can find it.

This is actually still useful. Imagine the use case where an analyst is looking into suspicious transactions which were approved but Ravelin had nominated to be manually reviewed. Take David Riley in this example.


We can take a look at David’s profile and see a lot of contributors to his relatively high score of 64. In this case the Network contribution is 18 – meaning that the information we've gathered about his network added 18% to his likelihood of being a fraudster. This is part of Ravelin's explainable machine learning model scoring.


Let’s take a closer look at David’s network.


Oh dear. To use the technical terminology we use in Ravelin, David is "well at it".

If we zoom closer, we can see that David is sharing a phone number with “AR”. This is highly suspicious as AR has a chargeback so far.


Through a review prompt based on score, the analyst has uncovered a small network of fraudsters. In fact, this might be a single fraudster who's multi-accounting – one person creating multiple accounts from a single device.

However, what if the analyst had not been prompted by the suspicious score created by David Riley’s activity? How would fraud then be discovered?

Discovering networks

This is where we start to move from Ravelin’s ML models flagging fraudsters and highlighting their networks, to promoting networks that are likely to contain bad actors.

Note: For simplicity, we are considering fraudsters here to be accounts created to use stolen third party credentials. As we will see, Ravelin Connect can be used for a number of purposes better described as account security.

Let’s consider the Networks machine learning features first. We can look at either the fastest growing networks or the largest networks.

These are of interest because networks are grown by virtue of some shared attribute – be it a card, a device, a phone number or an email. There has to be a reason for those connections. Eliminating any obvious explanation, which would show limited links anyway (e.g. family members sharing a device), means we are left with usually suspicious reasons for the connections.

Let’s look at the network with 155 nodes for example.


Drilling in here, we can see a suspicious network grow. Initially, we see in this case a device with a single user.

But as we expand out, we see more connections as we stretch out from the core user.

We soon realize that there are 59 people connected within this network.

Note that nobody in this network has been reviewed as a fraudster, nor has any chargeback been associated with this network. So it is unlikely to have been prompted for investigation.

But it is very large, and highly suspicious. Why are so many people using a single device?

Searching on suspicious entities

So, we searched on a network that was promoted by its sheer size or the velocity with which it was growing.

But we are also likely to be interested in the nodes or entities themselves. In this case we are referring to the phone numbers, email addresses, devices, customers, or cards that might have unusually high counts in the network.


Let’s take a look at Cards. I click into the network where I see two cards. I again uncover a suspicious network. Why would two cards be significant?

Card details ("fullz") that are compromised in a data hack are sold more than one time on the dark web.

Therefore, they can be used unwittingly by different fraudsters – who will then find themselves connected in the same network, despite having no other connections and not working together. This might be what this network is showing us.


Confidence levels: Assessing the power of connections

How sure can we be that members of a network are indeed "at it"? The number of hops between nodes can be an indicator of the likelihood of an account being fraudulent.

For instance, if AC shares a device with BD, and BD is a confirmed fraudster, then you can be fairly certain that AC is too. But what about the person who shares a card with AC but has no connection to BD directly? In our experience just being in this network is not a good sign, but there are some plausible reasons why, and the rest of these people have technically not done anything wrong.

However, investigations into these networks are very valuable. The outcome of those investigations is usually that even a seemingly large number of hops still means the account is nefarious.


Networks as a feature: Contributing to the machine learning score

So far, we have been discussing largely the deterministic use of networks. That is to say, we determine by membership of a network that the user is a fraudster.

But how do we do this probabilistically? How do we determine that some network properties probably indicate a level of fraud risk? The great advantage of doing it this way is that the probabilistic attributes can be calculated numerically – they can be fed into an algorithm.


Perhaps an example will help.

David has a score of 64. If you look closely, 18 of that score was contributed by Network. Logically you might think that this is because of David’s specific network, which we looked at earlier.

But investigating a network as we did is difficult for a machine to do. What’s easy for a machine is to look at what a network looks like and how that compares to historical networks.

So David’s network has a bunch of nodes, some chargebacks, and some other properties that look like previously fraudulent networks, to some degree. Not enormously – it only scores 18, so it is unlikely to be enough on its own to prevent a transaction. But as a contribution to an overall score it is significant – accounting for 28% of the score in this particular example.

Even more use cases

This ability to extract network ML features from a graph network is unique to Ravelin and in many scenarios, it's also uniquely powerful.

What’s more, our Connect API offers the ability to extract those network features to feed into your own tools, rule systems or models if you wish. Passing in a customer’s details, you can retrieve features such as the number of hops to a chargeback or reviewed fraudster, the number of each type of node, and the count of connections each node type has.
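The features listed above, together with the hop counting from the confidence-levels section, can be computed with a breadth-first walk over a graph of customers and the attributes they share. The following is an added example, not Ravelin's code or the Connect API; the record layout, the function names and the convention of counting hops in edges are assumptions, and the data is constructed.

```python
from collections import Counter, defaultdict, deque

# Constructed sample data: (customer, attribute type, attribute value).
RECORDS = [
    ("AC", "device", "dev-1"), ("BD", "device", "dev-1"),
    ("AC", "card", "card-9"), ("EF", "card", "card-9"),
    ("EF", "phone", "ph-3"), ("GH", "phone", "ph-3"),
    ("ZZ", "email", "zz@example.com"),  # customer with no shared attribute
]
CHARGEBACKS = {"BD"}  # customers with a chargeback or reviewed as fraud

def build_graph(records):
    """Undirected graph linking each customer node to the attribute nodes it used."""
    graph = defaultdict(set)
    for customer, kind, value in records:
        c, a = ("customer", customer), (kind, value)
        graph[c].add(a)
        graph[a].add(c)
    return graph

def network_features(graph, customer, flagged):
    """Walk the customer's network breadth-first and return numeric features."""
    # Assumption: hops are counted in edges, so two customers who share
    # one device are 2 hops apart (customer -> device -> customer).
    start = ("customer", customer)
    dist = {start: 0}
    queue = deque([start])
    hops_to_flagged = None
    while queue:
        node = queue.popleft()
        if (hops_to_flagged is None and node != start
                and node[0] == "customer" and node[1] in flagged):
            hops_to_flagged = dist[node]  # BFS order: first hit is the nearest
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    link_counts = Counter()
    for node in dist:  # summed number of links per node type
        link_counts[node[0]] += len(graph[node])
    return {
        "hops_to_flagged": hops_to_flagged,  # None when no flagged customer is reachable
        "node_counts": dict(Counter(kind for kind, _ in dist)),
        "link_counts": dict(link_counts),
        "network_size": len(dist),
    }

GRAPH = build_graph(RECORDS)
```

In this sample, AC sits 2 hops from the chargeback on BD while GH sits 6 hops away in the same network, which is the distinction the confidence-levels discussion draws.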

Summing up

Ravelin Connect really is a powerful means to visualize and thus bring to life the stories that your data is there to tell you.

Perhaps the most exciting part is that our clients get to explore the connections in data that are often relevant but hard to see without a tool like Connect.

Our merchants' analysts are defining for themselves the boundaries of this product, by eagerly adopting it.
