How Ravelin detects online fraud networks

That fraudsters often collude is well-known. If a merchant has poor security, that information is shared at rapid speed; making a small problem very large indeed. And fraudsters will often operate across a number of merchants taking whatever goods they can, with as large a value as they can. Therefore having access to data across a number of merchants should be invaluable for detecting fraud: as you stop a fraudster for one merchant, you can stop them for all. Right?

Well, it is certainly a compelling idea but as someone who has built their own graph network not once but twice – at a merchant and now at Ravelin – I am not so sure a cross-merchant network is as useful as it appears at first pass - read more about this here.

Detecting a network using graph theory

For Ravelin, a network is made up of user accounts linked by shared characteristics. These links may have differing strengths, from the tentative (shared temporal behaviour), to the intermediate (shared locations, similar email patterns, shared ip addresses), to the strong (shared cards, shared devices).

How we use networks at Ravelin

We love networks and have developed networks as part of our fraud detection technologies from the outset. Used correctly and with consideration to the network’s limitations, graphing a network is an unequivocally powerful technique, melding the best of computer processing (linking millions of data points and displaying patterns), with human processing (visually detecting and judging meaningful patterns).

Once we have identified a clear network, we test each node in the network for fraudulent patterns. Many networks display collective fraudulent attributes distributed across many or several nodes – a clear indication of fraud. In such cases we move swiftly to disable or suspend that network, which may or may not be apparent to the members, depending on the strategy we deploy.

Some networks may appear to contain only a few fraudulent nodes, the rest appearing to be normal customers. In such cases we can put the entire network on an alert list and monitor the collective behaviour closely until the tolerance threshold is breached.

We have found on many occasions that networks of accounts linked by various characteristics (shared credit cards, shared locations, shared behaviour) are actually describing real groups of people who know each other in real life. This is not surprising – criminal activity is frequently social and credit card fraud even more so. We have uncovered networks of criminals in Toronto, London, Singapore, Dublin and elsewhere, in which credit card fraud was just a small part of the criminality – yet still detectable by this technique. It is always a thrill to discover a real group of people using data science!

Single-merchant networks – the most effective dataset

In uncovering these networks, the counterintuitive conclusion we have reached is that the best dataset is often a single merchant’s own network. The simple reason for this is that fraudsters often return to a merchant to exploit a weakness they’re now familiar with. Also the weakness itself is a pattern that we can quickly detect and stop as it is shared throughout a fraud network. So we can stop a repeat offender and we can stop fraudsters connected to that user. It’s the 21st century version of the aphorism that the thief always returns to the scene of the crime!

Why extending these techniques across merchants is problematic

You would think therefore that extending this capability across merchants should be incredibly effective. The truth is that it can be but there are significant caveats.

Firstly, it assumes that a fraudster with one merchant will be a fraudster with all others. This is possibly (although not completely) accurate for a certain type of criminal fraudster – the one who actively buys stolen card data to make online purchases. However is It is equally possible (and common), that some fraudsters conduct some business with stolen cards, while making legitimate purchases with their own. One may argue that such people should be denied all rights to online purchasing but this casts merchants and fraud providers into an uncomfortable position of labelling someone as a criminal even when they are not in the act of committing a crime.

A second, more troubling problem with this approach is that it can potentially lead to blacklisting the wrong person, i.e. the victim of the fraud, rather than the perpetrator. This can be mitigated to some extent by use of techniques such as device and behavioural fingerprinting. However you need to be very confident of having the right tools in place to detect this and even then, the risk of false positives is higher than many of our growth-focused clients would like to bear.

A third flaw in unfettered network effect fraud detection is that it is inadequate to address the complexities surrounding first-party (or “friendly”) fraud. This is an interesting mix of the two scenarios outlined above. Rather than mitigated by device fingerprinting, the problem is compounded by it, because there is no third party, and the fingerprinting describes the actual customer. Moreover, we are again cast in the role of ethical judge – should we block Customer A with Client X because Customer A charged back some transactions with Client Y, citing fraud?

Right tools, right place for the right result

In summary, network analysis is a fantastic technique that delivers results. However, it is not a panacea and across networks it has a very high potential for false positives and for weak connections to be mistaken for strong. It’s easier to recommend within a single merchant’s network where it provides astonishing insight into their data by matching the best of computing power with human insight, resulting in a fantastic fraud detection strategy.

To learn more about link analysis visit our insights page.