
Machine learning for fraud detection - krithix
https://stripe.com/blog/fraud-reporting
======
crashoverdrive
The reality is, computers are good at some things, humans are good at others
(Remember how much effort it took google to identify cats in youtube
thumbnails? Something any four year old can do?). Computers are good at
sifting through large amounts of data. Great. Humans are good at detecting
fraud. Combining them is best.

Peter Thiel writes about how fatal machine learning for fraud detection in his
book, "Zero to One".

At Paypal, Max Levchin assembled an elite team of mathematicians to study the
fraudulent transfers in detail. Then we took what we learned and wrote
software to automatically identify and cancel bogus transactions in real time.
But it quickly became clear that this approach wouldn't would either. After an
hour or two, the thieves would catch on and change their tactics. We were
dealing with an adaptive enemy and our software couldn't adapt in response.

The fraudsters adaptive evasions fooled our automatic detection algorithms,
but we found that they didn't fool our human analysts as easily. So max and
his engineers rewrote the software to take a hybrid approach: the computer
would flag the most suspicious transactions on a well designed user interface,
and human operators would make the final judgment as to their legitimacy.

~~~
Homunculiheaded
> computers are good at some things, humans are good at others

"You insist that there is something a machine cannot do. If you will tell me
precisely what it is that a machine cannot do, then I can always make a
machine that will do just that!"

\-- J. von Neumann

Computers will continue to get better at human things as we continue to get
better at understanding how human things work. Look at the recent advances in
deep learning. This is using only the most crude approximation of human
neurons we can identify and caption images with astounding results. Google
currently claims that anything that can be done in 0.1 of a second by a human,
they can do as well.

Fraud detection relies heavily on unsupervised learning, and for all of
history up until the last few years state of the art unsupervised learning was
usually SVD + clustering or some variation on that. The current state of the
art, things like deep belief networks, are able to achieve markedly superior
results.

Additionally this article seems to imply that they are collected labeled data
from customers which should help tremendously in modeling fraud. If even if
the labels are a small sample recent advances in semi-supervised learning
using deep neural nets is even greater than the advances in unsupervised
learning.

While I don't disagree that historically it has been wise to include a human
element in fraud detection, I don't believe there is any reason to assume that
trend will continue indefinitely into the future.

~~~
graycat
> Google currently claims that anything that can be done in 0.1 of a second by
> a human, they can do as well.

Okay, on a moonless night, overcast, with no lights, a lot of fog, 200 yards
away is .... Bingo, a pretty girl, 5' 4", 34, 19, 34, blond, _really_ sweet,
wants to be great as a wife and mommy, about 18! Yup, been doing that for
years! Try that Google! My advantage: I have a dedicated, autonomous,
peripheral processor just for that task!

~~~
GFK_of_xmaspast
You know, this is a really creepy thing to write.

------
tsax
I suffered from Amex's fraud detection algorithm recently when trying to book
a discount airfare. There was 1 ticket left, I tried paying for it, and Amex
blocked the charge, and by the time I tried it again (90 seconds or so), the
ticket was gone. I was on call with many service reps, and no one was able to
cover the differential between the cheapest new flight and the discount fare
that I missed due to the 'false positive' fraud block. Why should the customer
suffer penalties for false positives? Considering that fraudulent charges
themselves do not accrue liability for the customer, why should false
positives do so?

~~~
iakh
It seems worse than that. Now there will be 2 layers of possible false
positives - your card and your merchant's payment processor. I can understand
a merchant opting in to a sift science like service, but having it built into
the processor seems like a bad idea.

Stripe has no relationship with the end user, and should not. A legitimate
buyer can't possibly be expected to call into Stripe to verify a transaction
before or after a purchase attempt like they could to their own credit card or
bank.

~~~
crazypyro
Sure they can. A low false positive rate is almost a given. Low false positive
rates are acceptable everywhere else, even in medicine, and when the "cost" is
a minor inconvenience for perhaps millions in time/energy saved, its an
acceptable business choice, even for me as a consumer.

(You note that Stripe has no business with the consumer. Well, then, this
doesn't affect your relationship with Stripe, because there is none. It
affects your relationship with your card's fraud prevention, which has and
will always be there...)

~~~
tsax
I don't mind the false positive. It's just that people should be compensated
for it, especially if the rate is low. It's just good business sense. If the
bank can eat up actual fraud charges, why should it not eat false positives?

~~~
coderdude
It would probably be abused all the time and the claims would be for larger
amounts than the difference between two similar plane tickets. There would be
people claiming they had to buy a car for $2,000 more just because they missed
some kind of window where the price was cheaper (even though that doesn't make
sense). I don't think any bank would open themselves up to that kind of
liability. Even if they would, I think they'd cap it to a low amount that was
close to the cost of eating chargebacks.

~~~
tsax
It was an actual charge for a specific route (e.g. SFO - JFK). I couldn't
later claim that it was for SFO - YYZ.

------
IndianAstronaut
I had a chance to talk to a fraud detection statistician at a large tech
company. One major area of fraud is in very small scale fraud for minute
transactions that fly under the radar. A lot of traditional machine learning
and statistical techniques don't seem to work well for that. There is a lot of
digging through literature to find statistical and signal detection methods to
identify this sort of fraud.

------
ameister14
Immediately made me think of sift science.
[https://siftscience.com](https://siftscience.com)

------
jonawesomegreen
This seems similar to what PayPal was doing in 2002. Its possible or even
likely that PayPal's techniques have become stale over time, but they were
doing some very advanced fraud detection in their time[1][2].

A really interesting book that detailed how the development of PayPals anti-
fraud system came about (among other things) is Founders at Work[3].

[1] [http://www.businessweek.com/stories/2002-09-30/max-
levchin-o...](http://www.businessweek.com/stories/2002-09-30/max-levchin-
online-fraud-buster)

[2] [http://www.quora.com/What-were-the-early-achievements-
that-d...](http://www.quora.com/What-were-the-early-achievements-that-drove-
PayPals-awesome-fraud-detection-systems?share=1)

[3] [http://www.foundersatwork.com](http://www.foundersatwork.com)

~~~
pc
As far as I know, PayPal never had the part of this that I'm most excited
about -- straightforward UI and APIs for training the models over time. (Both
so that they can be globally better and also better-adapted to each specific
business.)

~~~
icelancer
Exactly. The lack of transparency and developer openness was a huge problem
for some of us. I really enjoy the steps forward Stripe makes in that regard
across all facets of the business, to say nothing of the other reasons which I
will stick with Stripe for a long time.

------
nsx147
these are the things that will set stripe apart from the incumbents

~~~
danielweber
How do you think Visa does fraud detection?

~~~
eps
Visa is on the receiving end of chargeback fees, they have no interest in
fraud detection.

For example, it's still not possible to report clearly compromised cards to
the issuing bank, Visa has no provisions for that. Pretty much tells you all
you want to know about their stance on the card fraud.

~~~
angryasian
I would not say they have no interest I would say these are two different
cases. If I'm out and about and my card gets declined , I'm going to be
extremely upset. At home on a computer if it gets declined .. eh I use another
one. Also I think its up to the issuing bank as well. I know if I'm going out
of the country I have to notify the issuing bank of the credit card I intend
on using.

