Ok some really dumb questions if you don't mind, but how "fraud detection" works has always been one of those areas I am interested in, but not enough to seek out a practitioner and pin them down - until now!
- Any idea what the total fraud vs genuine transactions ratio is? And how that breaks down across industries? I am assuming that SaaS services don't get as much of this - I mean would people buy bingo cards with a stolen card?
- How does fraud get monetised? Once I have downloaded my millions of credit card numbers from Tor (or stolen my friend's mother's wallet) I need to persuade a merchant to deliver me something - but it's always bugged me that they actually have to deliver it. To a physical address. That can presumably be traced. It all seems very low level.
(Quick story: years ago, call it the year 2000, I was in the UK version of BestBuy and the manager called up a service to verify that this 17-year-old kid could have a laptop. The manager asked: What's your name? Ok. Your address? Ok. Date of birth? March 1954? Really? You look a bit young for fifty. It just seems a poor way to commit crime.)
The question I am trying to ask is that turning credit card numbers into cash seems like a grind that FarmVille would be impressed by? Is it just lots of low level grunts in shops and online or is there something I am missing?
- What advantages do you get as a payment processor that a merchant does not have? And how is that better / worse than the card provider? I would assume there are people trying the same card in multiple different stores at the same time, so if you spot one attempt you stop them all, whereas individual merchants could not know. But Visa probably spots that I just paid for goods on two continents, which you can only spot if both merchants use you? Do you and Visa share data or do sequential checks and the like?
- How much do the "obvious" checks help - highly unlikely purchases (3 iPhones), timing or physical activity (I probably won't buy books on Amazon, clothes on boohoo and petrol in a garage in the same five minutes) versus the more ML / secret squirrel stuff?
We've found that fraud vs. genuine closely matches the percentage of assholes and psychopaths in the general population, somewhere ~1% to 2%. And just like in meat-space these people are the cause for increased prices and frustrating checkout experiences - i.e. payment holds and refusals.
The problem is said people can do so much damage to a profit margin as they tend to hit an online store hard and quickly, racking up huge potential reversal costs. For us, being in a specialized digital space makes this especially painful as the digital items can be "used" and are no longer resellable or recoverable, so inventory and real dollar value is lost.
Visa / MC has no real incentive to stop the fraud as the merchant in most cases is liable for the reversal - Visa / MC is just a facilitator that bends towards keeping the buyer happy (same with PayPal). 3DSecure was introduced over a decade ago to alleviate some fraud based on unauthorized / unknown but uptake has been anemic due to poor buyer experience.
As for converting a stolen card to profit, purchasing and delivering high ticket physical items online and reselling is one known method.
> - How does fraud get monetised? Once I have downloaded my millions of credit card numbers from Tor (or stolen my friend's mother's wallet) I need to persuade a merchant to deliver me something - but it's always bugged me that they actually have to deliver it. To a physical address. That can presumably be traced. It all seems very low level.
(Disclaimer: I work for a competitor to Stripe Radar)
This is actually really interesting. An important thing to remember about fraudsters is that they're mostly professionals. Every day they wake up thinking "how do I get around anti-fraud systems." Many are located in jurisdictions that have poor enforcement for cyber crimes, so they're not necessarily worried about official action. However, you're right that they do actually need to get the goods shipped without too many questions.
Two common strategies for this:
* You know all those "work from home for $100/hour" ads you see? Some are run by fraudsters who use those people as re-shippers. I.e., the website ships to some guy in the US, and that guy reships the good to the fraudster in Eastern Europe for a cut of the profit. If the fraudsters build up a nationwide network of reshippers, they'd be able to find one who lives close to the billing address of the card they're using.
* There's an even cleverer scam that goes like this: the fraudster creates a merchant account on eBay or similar. They then select high-value goods available on other websites, say BestBuy, and list them for sale at a substantial discount. Then, when an unwitting customer buys the good from their eBay store, the fraudster places an order from BestBuy using a stolen credit card and has it shipped to the buyer. They get the money from the buyer, the buyer gets the goods, and nobody's the wiser until the chargeback comes in to BestBuy a month later.
In the early days of ecommerce, we jokingly called it 'Toners for Taliban'. They would purchase goods with a stolen card from a company that ships fast. They'd have the item shipped to a rube who answered a "Make money fast! All you need is a computer and a mail box!" advertisement. Then, the rube would resell the item on eBay and send a cut back. The rube takes the fall, if any.
Detecting this fraud was pretty obvious when you actually had a chance to look. Someone with a billing address in Florida is shipping a video projector to an address in Arizona, from an IP address in Austria? And they always fill out the forms in ALL CAPS? And that same IP has placed orders on a dozen other accounts?
The problem back then was that humans didn't have the time to do that exercise, and ML wasn't up to snuff, yet. Things are obviously better, now. However, at the same time, the fraudsters are probably smarter, too.
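The checks listed in the comment above (billing vs. shipping mismatch, IP geography, ALL CAPS forms, one IP across many accounts) combined into a simple rule score. This is an added example, not code from any poster or from any vendor named in the thread; the order records, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict

FIELDS = ("id", "account", "name", "street", "bill_state", "ship_state",
          "bill_country", "ip", "ip_country")
# Constructed sample orders, not real data. ip_country stands in for a GeoIP
# lookup result; the IPs come from documentation ranges.
ROWS = [
    (1, "a1", "JOHN SMITH", "12 PALM AVE", "FL", "AZ", "US", "203.0.113.7", "AT"),
    (2, "a2", "MARY JONES", "88 OAK ST", "TX", "AZ", "US", "203.0.113.7", "AT"),
    (3, "a3", "PETER BROWN", "5 ELM RD", "NY", "AZ", "US", "203.0.113.7", "AT"),
    (4, "a4", "Alice Reed", "3 Main St", "OH", "CA", "US", "198.51.100.20", "US"),  # gift
    (5, "a5", "Bob Lee", "9 Hill Rd", "WA", "WA", "US", "198.51.100.99", "DE"),  # traveller
    (6, "a6", "Carol Diaz", "41 Lake Dr", "MN", "MN", "US", "198.51.100.31", "US"),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]


def is_all_caps(text):
    """True when every letter in the text is upper case (digits/spaces ignored)."""
    letters = [c for c in text if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)


def fired_rules(orders, ip_account_threshold=3):
    """Map order id -> list of heuristic names that fired for that order."""
    accounts_by_ip = defaultdict(set)
    for o in orders:  # first pass: distinct accounts seen behind each IP
        accounts_by_ip[o["ip"]].add(o["account"])
    result = {}
    for o in orders:
        fired = []
        if o["bill_state"] != o["ship_state"]:
            fired.append("bill_ship_mismatch")
        if o["ip_country"] != o["bill_country"]:
            fired.append("ip_country_mismatch")
        if is_all_caps(o["name"] + o["street"]):
            fired.append("all_caps_form")
        if len(accounts_by_ip[o["ip"]]) >= ip_account_threshold:
            fired.append("ip_shared_across_accounts")
        result[o["id"]] = fired
    return result


def review_queue(orders, min_rules=3):
    """Order ids where enough independent signals agree to merit manual review."""
    return sorted(i for i, f in fired_rules(orders).items() if len(f) >= min_rules)


if __name__ == "__main__":
    print(fired_rules(ORDERS), review_queue(ORDERS))
```

Orders 4 and 5 each trip a single rule (a gift shipped out of state, a customer travelling abroad), which is why the queue requires several signals to agree instead of blocking on any one.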
> how much do the "obvious" checks help - highly unlikely purchases (3 iphones) timing or physical activity (I probably won't buy books on amazon, clothes on boohoo and petrol in a garage in the same five minutes) versus the more ML / secret squirrel stuff?
ML solutions very often are just learning to codify these 'obvious' scenarios, and as a bonus sometimes less obvious ones.
You could sit in meetings for hours/days listing all the cases the fraud detection should catch, and you'll still end up missing lots. If you're Stripe, you have tons of data about fraudulent purchases that you can use to learn and codify these scenarios. Importantly, you can learn which scenarios are most prevalent in your system in particular: fraud at Stripe is very likely to look different than fraud at (say) Wells Fargo.
This raises another question I guess - how to tell the difference between a chargeback that was fraud and a chargeback that was "I don't like it"? I assume they get reasons for chargebacks?
> How does fraud get monetised? Once I have downloaded my millions of credit card numbers from Tor (or stolen my friend's mother's wallet) I need to persuade a merchant to deliver me something - but it's always bugged me that they actually have to deliver it. To a physical address. That can presumably be traced. It all seems very low level.
Easiest way is to ship stuff to some house, then grab the package off the front porch. Best if the house isn't actually inhabited. Yeah, there's some evidence left behind, but it's usually a dead-end.
> How does fraud get monetised? Once I have downloaded my millions of credit card numbers from Tor (or stolen my friend's mother's wallet) I need to persuade a merchant to deliver me something - but it's always bugged me that they actually have to deliver it. To a physical address. That can presumably be traced.
Once you get your hands on someone else's card info, you bust out by buying as many prepaid Visa cards and store gift cards as their limit allows before the card gets shut down. Then you use them or fence them for cash by selling them on Craigslist.
cheers