Are fraudsters really so closely connected?
Yes! Fraudsters are part of a complex underground community and are constantly talking and trading with each other. There are countless ‘how to’ tutorials for hacking and fraud on the dark web. Perhaps as is to be expected, though, it was recently revealed that many payment fraud guides are actually defrauding would-be fraudsters with incomplete information and out-of-date techniques.
Card details can easily be faked or blocked, so fraudsters buy card details in the thousands. This means you might see multiple credit cards being added to an account to make new orders. Or you could notice the same device being used to open lots of new accounts quickly, with slight variants of the same email address.
Fraudsters often alert each other to lucrative opportunities and cooperate with each other. We often see fraudsters post on forums inviting people to make requests for an order, with a prepared secure pick-up location address.
Imagine your online bookshop is being targeted by a group of fraudsters. You might see a sudden influx of new accounts making orders for a highly desirable new book. Looking closer, you see that they are all being shipped to a known hot-spot for dropping off illegal goods for distribution.
This exact scenario happened to one of our clients - our intelligence team noticed strange activity on multiple accounts shipping lots of the same item to the same place. With a little extra digging we found a forum where other fraudsters were advertising the stolen goods at heavily reduced prices in a nearby area.
How to spot a fraudy network
Networks growing bigger quickly
There are some cases of small networks of genuine users - a family sharing a device or a team using a corporate credit card. But these networks remain static and rarely grow any bigger, or if they do, it happens slowly. A fast-growing network is almost always due to fraud.
Lots of widely shared cards, devices or email addresses
It’s very rare for genuine customers to share a device, card or email address. We’ve seen fraud networks with over 800 accounts sharing a single payment method, and networks showing account takeover where over 10,000 customers appear to be sharing one single device.
Lots of chargebacks in the network
We allow our clients to disregard any genuine chargebacks when they upload their data to Ravelin Connect, so we use a chargeback node as an indicator of fraud. This means if there are any chargebacks in a network, all the network’s users are fraudsters.
How to stop fraudster networks using a graph database
Using Ravelin Connect, each customer is visible in full - including all the devices, addresses, payment methods and contact details associated with them.
We monitor each customer’s every connection and how close they are to a known fraudster or chargeback - in other words, how many edges, or degrees of separation, there are between them and fraud. In Connect, we call these degrees of separation the ‘hops’ to fraud.
We use two methods which complement each other - deterministic and probabilistic.
With the deterministic method, you can choose your business’ risk level based on the number of hops to fraud you’re comfortable accepting customer payments from. For example, you can choose to block payments from customers who have five or fewer hops to fraud. More risk-averse businesses may choose to block customers with a higher number of hops to fraud.
On its own, this method is very effective as it shows whether a fraudster has been caught reusing the same details, or is part of a larger network of compromised credit cards.
In the probabilistic method, the features of a network are fed into a machine learning model to predict how likely it is that the network is fraudulent. The model can assess the network before fraud happens, based on how similar it is to past fraudulent networks. Past networks are based on the individual business, which makes this a powerful customised tool.
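The deterministic hops-to-fraud check described above can be sketched as a breadth-first search over a graph of customers and the attributes they share. This is an added example, not Ravelin's code or Connect's API: the sample data is constructed, the function names are hypothetical, and it assumes customers, attributes and chargebacks are all nodes, with one hop equal to one edge.

```python
from collections import defaultdict, deque

# Constructed sample data: (customer, attribute_type, attribute_value).
# A "chargeback" row links the customer to a chargeback node.
LINKS = [
    ("cust_a", "chargeback", "cb_1"),
    ("cust_a", "device", "dev_1"),
    ("cust_b", "device", "dev_1"),
    ("cust_b", "card", "card_9"),
    ("cust_c", "card", "card_9"),
    ("cust_c", "email", "c@example.com"),
    ("cust_d", "email", "d@example.com"),  # shares nothing with anyone
]

def build_graph(links):
    """Undirected graph whose nodes are customers and the attributes they use."""
    graph = defaultdict(set)
    for customer, kind, value in links:
        cust_node, attr_node = ("customer", customer), (kind, value)
        graph[cust_node].add(attr_node)
        graph[attr_node].add(cust_node)
    return graph

def hops_to_fraud(graph):
    """Multi-source BFS from every chargeback node; returns {customer: hops}."""
    queue = deque(n for n in graph if n[0] == "chargeback")
    dist = {n: 0 for n in queue}
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    # Customers with no path to a chargeback node are absent from the result.
    return {n[1]: d for n, d in dist.items() if n[0] == "customer"}

def decide(links, max_blocked_hops):
    """Block customers at or within max_blocked_hops of a chargeback node."""
    hops = hops_to_fraud(build_graph(links))
    customers = {c for c, _, _ in links}
    return {c: "block" if hops.get(c, float("inf")) <= max_blocked_hops else "allow"
            for c in customers}

if __name__ == "__main__":
    print(hops_to_fraud(build_graph(LINKS)))
    print(decide(LINKS, max_blocked_hops=3))
```

Raising `max_blocked_hops` widens the blocked set, which matches the more risk-averse setting described above; unreachable customers such as `cust_d` are always allowed by this rule alone.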
A simple introduction to Connect, Ravelin's graph database
Ravelin’s graph database is called Connect. It allows you to create a graph of your customers using high-cardinality data points, such as emails, phone numbers, device IDs or payment methods. These are totally unique data points which are unlikely to change. When two customers share an attribute, they will be connected in the network.
Connect can be used to detect:
- Online payment fraud
- Account takeover (ATO)
- Voucher and promotions abuse
- Refunds abuse
- Fraudulent insurance claims
Data points shown in Connect
Depending on the use case, Connect can display the below data points in the network:
The graph can be enhanced to show additional information about customers including chargebacks or manual reviews. Connect also allows you to add a tag to customers (for example VIPs), and then search for customers with specific tags.
It’s also very easy to add new unique, sharable data points, dependent on your business case - just ask us.
Example genuine customer in Connect
This is a snapshot of a genuine customer network and the numerical data behind it. The network is five years old.
The network is relatively small - there is a connection between two users through a shared card, but there are no other users. It’s also important to note that both users have several devices they use independently, rather than having few shared devices.
Using Connect to detect fraud and negative activity
Connect can be used to detect a range of fraudulent and negative user activity - here are some examples.
Online payment fraud
With typical online payment fraud, or card-not-present (CNP) fraud, fraudsters create new accounts to appear as new customers and use stolen credit card details to make purchases.
Card details can easily be blocked, so fraudsters often buy hundreds or even thousands of card details.
We commonly see:
- Users adding multiple credit cards to an account to make new orders.
- One device being used to open lots of new accounts in a short space of time.
Often fraudsters will have used the same device or email in another account previously, and so when they open a new account it will be linked to their past activity.
A steady stream of data breaches and the widespread tendency for customers to reuse passwords have led to an increase in account takeover (ATO) activity.
You can use Connect to identify ATO networks through searching for:
- Multiple existing accounts being accessed from the same device
- Multiple existing accounts suddenly becoming linked by new details (address, phone number)
Connect allows you to see when an account joined a network, so that you can investigate genuine accounts and recover them for the customer quickly.
Merchants often offer vouchers, referral schemes or promotions to attract new customers, especially during expansion. Fraudsters, or even genuine customers, may abuse the voucher system by attempting to use the same voucher multiple times with new accounts.
Using Connect, we can assign each voucher an ID to enable you to:
- Set limits on the number of uses per voucher
- Configure how many vouchers within a set network distance count as abuse
- Apply different levels of control for different voucher types
Even though this activity is not strictly fraud, it’s important that merchants can stay in control, otherwise the cost of running promotional schemes may end up being wasted on people who are already users, instead of attracting new customers.
Similar to voucher abuse, refund abuse is not technically a form of fraud; however, there are still some serial offenders. Fraudsters or genuine customers can request refunds on most of their orders - sometimes up to 80%. In many cases, this means the merchant is losing money through the customer.
Connect allows you to:
- Tag customers abusing your refund policy
- At time of score, check each customer’s network for the tag (within a set distance)
- Offer different terms and conditions to protect yourself from abuse, or block users in refund abuse networks
A fake account network
Insurance firms can be vulnerable to claims abuse - for example car insurers. Customers either fake crashes or perform ‘crash for cash’ schemes and submit excessive claims. This activity is often repeated with the same actors, vehicles and locations involved.
Connect can help the insurance merchant to act on this by:
- Tagging customers with claims and checking a customer’s network for the tag (within a set distance)
- When a policy is requested, offer different terms and conditions, adapt the pricing, or investigate further before offering a quote