Monday, July 7, 2014

Why Focusing on Consumer Behavior Alone Leaves Fraud Detection Vacuums

Fraud detection systems ignore a major signal of attacking behavior because they waste precious cycles on processing consumer activity. I discussed that a bit in “Fraud Detection Methods Create too many False Positives”, and now want to look at the data resulting from behavior detection filters. I call the processing of that data “Evasion Detection Filters”. The results from evasion detection filters can be examined at leisure with batch processes.

The two processes, behavior detection and evasion detection filters, are closely related and influence each other, as illustrated in Diagram 16.

Diagram 16: Behavior Detection / Evasion Detection Filter Interaction

The concept is quite simple. Attackers hide their methodology as best they can until caught, and then they quickly abandon the newly discovered attack and seek another method. This abandonment leaves traces and, if handled properly, can set up natural defenses before a new type of attack begins. As the diagram suggests, the results of evasion detection filters allow the creation of new behavior detection filters.

An example of a BD/ED pair (behavior detection/evasion detection) is the old split purchase. A split purchase suggests that the payer and the payee collude to lower the price sent to an authorizer for approval, because the behavior prevents examination of the true price of the purchase. Fraud detectors augmented the original behavior (high-price purchase) with detection of the evasion, i.e. the split purchase. Once a payee realizes that split purchases receive processing scrutiny, and not wishing to stop the activity, the payee may well try another stratagem, such as delaying the initiation of the second purchase. The ED filter picks up the stratagem because analysts determined it a reasonable stratagem for the seller to pursue. Now, however, a behavior detection filter detects the behavior in real time.

Another good function of the ED filter is its ability to show when a BD has ceased to function effectively because of successful evasions of it. Once a BD is stale, fraud detectors need to remove it, because it wastes cycles without meaningful returns.
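
The split-purchase BD/ED pair and the stale-BD signal described above, sketched in Python as an added example (not code from the original post). The price threshold, both time windows, the function names and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 500.00                      # assumed price that draws authorizer scrutiny
BD_WINDOW = timedelta(minutes=10)   # assumed real-time split-purchase window
ED_WINDOW = timedelta(hours=24)     # assumed batch look-back for delayed splits

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: (payer, payee, amount, time)
TXNS = [
    ("p1", "shopA", 300.0, ts("2014-07-01 10:00")),
    ("p1", "shopA", 280.0, ts("2014-07-01 10:03")),  # classic split, 3 minutes apart
    ("p2", "shopB", 450.0, ts("2014-07-01 11:00")),
    ("p2", "shopB", 400.0, ts("2014-07-01 14:30")),  # delayed second purchase
    ("p3", "shopC", 120.0, ts("2014-07-01 09:00")),
    ("p3", "shopC", 90.0, ts("2014-07-01 18:00")),   # ordinary repeat customer
]

def split_purchases(txns, window, limit=LIMIT):
    """Map (payer, payee) -> widest gap between sub-limit purchases summing over limit."""
    by_pair = defaultdict(list)
    for payer, payee, amount, when in txns:
        if amount < limit:           # at or over the limit is the original BD's job
            by_pair[(payer, payee)].append((when, amount))
    hits = {}
    for pair, rows in by_pair.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            group = [(w, a) for w, a in rows[i:] if w - start <= window]
            if len(group) > 1 and sum(a for _, a in group) > limit:
                gap = group[-1][0] - start
                hits[pair] = max(gap, hits.get(pair, timedelta(0)))
    return hits

def evasion_report(txns):
    """Batch ED pass: splits the real-time BD missed, and the window a new BD needs."""
    bd_hits = split_purchases(txns, BD_WINDOW)
    ed_hits = split_purchases(txns, ED_WINDOW)
    evasions = {p: g for p, g in ed_hits.items() if p not in bd_hits}
    return {
        "bd_hits": sorted(bd_hits),
        "evasions": sorted(evasions),
        "proposed_bd_window": max(evasions.values(), default=BD_WINDOW),
        # share of all splits the BD no longer sees; a high value marks a stale BD
        "bd_miss_rate": len(evasions) / len(ed_hits) if ed_hits else 0.0,
    }
```

On the sample data the real-time window catches only the three-minute split, while the batch pass surfaces the delayed one and the 3.5-hour window a replacement BD filter would have to cover.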

Next Blog: Unusual Properties of Accelerating Payment Flow
