
Non-obvious indicators that a transaction might be fraudulent - teuobk
https://simility.com/device-recon-results/
======
cantrevealname
Being pegged as a fraud risk just because the user is concerned about privacy
rubs me the wrong way. Even if it is entirely legal and the statistical model
is valid.

Some years back, some law enforcement agency in the US (but I forgot which)
produced a highly-reliable indicator of drug mules on highways. The indicator
was black male, driving a late-model sedan, and traveling at exactly the speed
limit (when everyone else was traveling 10-15 mph over the limit). The police
were stopping and searching anyone who fit these indicators.

Putting aside the questions of racial profiling and whether the statistical
model was correct, do you think this is a good idea? I can't articulate my
feelings exactly, but I feel it's wrong.

~~~
cthor
If that is wrong, what is right?

Should the police instead do less efficient completely random searches? Should
the taxpayers hire more police officers to make up for this loss in
efficiency?

Should businesses accept losses from fraud to placate your feelings?

While it may not feel very good to be sending signals that associate you with
crime, that is a cost you have to accept of sending those signals.

In the case of police searches, I think attention would be better spent on
making them more humane, rather than less racist.

~~~
throwaway2048
I feel there is something deeply wrong with this sort of over-statistically/analytically focused thought chain; allow me to try to elaborate.

Many signals have absolutely nothing to do with wrongdoing whatsoever. Say
that hypothetically every drug dealer makes large cash deposits, and this is
marked in a database somewhere as a "very reliable indicator". Well, what about
taxi drivers? Street vendors? Other occupations that deal almost exclusively
in cash: should they also be suspected?

What happens if somebody otherwise innocent of anything in particular triggers
multiple "flags" like this? Do they deserve to be discriminated against?

What if the flags are stuff like being black, being poor, having a friend that
has been charged with a crime? What about living in the "wrong" neighbourhood?
How about the wrong genetic markers? How about a family history of mental
illness? What about if you don't own a cellphone? What if they are angry about
the government and have publicly protested? What if you accidentally like ISIS
on Facebook, or your friend does it as a joke? Are these acceptable "black
flags" too?

What about if one of your close friends trips one or more of these markers?
What if several do? Are you just as untrustworthy?

It gets much choppier when you introduce something like neural net learning
into the equation. It will form links between activity that are basically
impossible to decipher by a human at all. Should we accept these utterly
opaque judgments because "on average they are pretty reliable"? What about
the cases where they are 100% dead wrong? Should they just be considered
collateral damage?

A huge class of people could end up going through life denied basic services
like a bank account because of things ENTIRELY beyond their control, or even
understanding, all they know is they managed to piss off some equation
somewhere.

It gets better, because on average people with bad scores on one system
"reliably indicate" they will be bad faith in other contexts too...

Lots of businesses will accept this as an acceptable cost to keep fraud
rates/whatever down. I don't find it acceptable; it's almost the definition of
injustice, and has a grave potential to create a vast underclass of "poor
social credit score" people (being a member of which, even by association, will
assuredly be another hit against your scores).

How happy would you be if, via no fault of your own, you were deemed an
"unacceptable risk"?

So yes, it is inhuman, and wrong. I guess that's -100 Social Credits for me.

~~~
cft
This New Year's, I made a large liquor store purchase (about $600) in
Manhattan, not in my normal geographical area. The transaction was declined,
but all I had to do was to answer "yes" to a text that I got from the issuing
bank, and then swipe again. Was I "profiled"? Yes. Did Visa do a good job
protecting me and itself with my profiling? Yes. Try running a real business
with this purist approach. You will exceed the 1% chargeback threshold in the
first year, and your payment processor will either shut you down or will
require a huge collateral.

~~~
panic
Yeah, I think this is an appropriate way to do profiling. The declined
transaction was explicitly tied to something you did, so you understood why it
happened. The bank also provided an easy way out.

Where profiling becomes dangerous is when it's tied to something you are or
something you did in the past: it can be harder to identify _why_ you're being
profiled in these cases. Most of these cases aren't resolved through a single
text, either. Profiling is a useful tool, but we have to be careful to do it
in a humane way.

------
jedberg
Ugh. The author just gave away all the good tricks.

This is one area where security by obscurity actually works (well, worked,
depending on how many fraudsters read this).

Fraudsters are generally pretty dumb when it comes to technology, so even if a
lot of these seem obvious to the tech savvy HN audience, they weren't obvious
to the fraudsters till now.

The good news is that most of them don't read HN.

~~~
chipperyman573
The blog this was posted on was a company that deals with fraud detection. I'm
sure they thought about this and only posted things they already weight pretty
low in their algorithm as the evidence isn't too valuable.

------
danieltillett
My wife was seeing a lot of fraud with her business. She only takes payment
via PayPal. The fraudsters have been ordering via a local hacked computer with
a hacked PayPal account that matches. Everything looks 100% OK (physical
address matches, IP address matches, browser nice and normal, etc), but she
gets hit by a PayPal chargeback 3 to 4 weeks later for a "non authorised
payment". She now has to call each new customer to make sure that they are
real. Interestingly, when she posted that she would call all new customers the
fraud attempts went down to about 5% of the previous level.

------
recursive
What is meant by referrer "history"? As far as I know, referrer in http
headers can refer only to the one most recently visited resource.

Edit: And what's with this?

> There is another feature in browsers which is “Do Not Track”
> ([http://donottrack.us/](http://donottrack.us/)). For organic/real users the
> possible options are “Yes”, “No”, “Unspecified”;

The DNT http header has 2 values. "0" and "1".

~~~
cpeterso
There are a number of ways (some patched) for sites to guess at your browsing
history, such as the color of visited links or HSTS cache timing.

[https://zyan.scripts.mit.edu/blog/sniffly/](https://zyan.scripts.mit.edu/blog/sniffly/)

~~~
x0x0
I don't think people are doing anything sketchy.

They're asking did your browser go

    amazon.com -> search evo 850 -> evo 850 product page -> post "add to cart"

or did your browser do

    evo 850 product page -> post "add to cart"

or even

    post "add to cart"


those are sorted in decreasing order of naturalness. Obviously #2 can happen
if you got a link directing you to the product page, but it's still less
natural. You would often expect to see the referrer be an email domain or
similar.

------
scottm30
How do they know that fraudsters with fresh cookies and no referrer history
aren't just in private browser mode? Sounds like the server would view them as
the same in most cases.

~~~
ec109685
There are capabilities like local storage that are often disabled in private
browser mode.

~~~
ubernostrum
I've actually found a few online stores which now check for this and redirect
you to a "turn off private browsing to browse our site" message. It's
moderately annoying that they refuse to even let me see what they have for
sale until I agree to let them use my hard drive.

~~~
chopin
I wouldn't want to be customer of such a site.

Problem solved.

------
studentrob
This type of service seems like it would be really useful to smaller
merchants.

I remember reading awhile back on HN that smaller e-commerce shops were often
targeted by fraudsters. So, many use Amazon as a go-between when they'd prefer
to have their own site and payment processing.

Companies like this could empower competition of the services provided by
Amazon, eBay etc.

~~~
ntaylor
Fraud is an always-changing landscape and the only way to stay on top of it is
to rapidly and continuously adapt. Simility uses machine learning to derive
and apply models in real time, which is huge for any-sized business.

------
nodesocket
The no referrer and user-agent (non Mac) are certainly signals, but there are
some others that are interesting like caps lock on, geo-ip (obvious), and
screen-size.

------
jpeg_hero
Are all of these indicators available "over the wire" in browser
fingerprinting?

can you tell cpu from browser finger printing?

and cookie age? is he talking about cross-domain cookies from the ad networks?

~~~
gruez
>can you tell cpu from browser finger printing?

In the context they're talking about, yes! 32 on 64 bit (on Firefox at least)
will have WOW64 in the header, whereas 32 on 32 bit won't, and 64 bit on
64 bit will have Win64.

~~~
profmonocle
But isn't WoW64 for running 32-bit applications on a 64-bit version of
Windows? I don't think WoW64 exists on 32-bit Windows.

That'd make sense if they were running 32-bit Firefox on 64-bit Windows, but
the article says a 32-bit OS on a 64-bit CPU. You'd think that would just look
the same as a 32-bit OS on a 32-bit CPU in the headers, unless Firefox is
going out of its way to report a 32-bit OS on 64-bit hardware.

------
logicallee
I admire the research that went into collecting these signals, but I consider
it a poor idea to have published what could be used as a checklist. I believe
some of the kind of people (criminals, bad people: you should stop) who take
the technical actions listed certainly read Hacker News. Yet without exception
all of these are easy to modify, losing your hard-won signals. Better not to
mention what they are.

That said, perhaps they did not publish all of the signals they found.

------
statictype
Can a web server get a list of plugins installed by the client? That can't be
right, can it?

~~~
chipperyman573
Yup, it's part of the EFF browser fingerprinting

[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
voiper1
Whoa, thanks for that link!

I went to clean up the most revealing one: "HTTP_ACCEPT Headers" ... I turned
off least-used language in chrome://settings/languages

It was 1/1200, now it's 1/9... still says I'm unique, though.

------
DyslexicAtheist
about the #3 and DNT Null values ...

DNT wasn't proposed until 2009 (and implemented in 2010). So this would be
normal (DNT header not sent) on older OS versions. So it's the same reason as
the 32 bit OS on a 64 bit machine assuming people use IE coming with the
installation (or downloading an old browser that is still usable in 32bit).

~~~
nickcano
>or downloading an old browser that is still usable in 32bit

Are you implying newer browsers don't work with 32 bit? Chrome and Firefox run
as 32-bit and all IE versions still use a 32-bit renderer. These things are
true on 64-bit and 32-bit machines, at least on Windows.

------
cpr
I assume that the bigger guys like Stripe are already doing this? Is that a
valid assumption?

~~~
voiper1
Stripe says they do flag some charges fraudulent, but it isn't their main
business.

Here they mention some tips
[https://support.stripe.com/questions/avoiding-fraud-and-disputes](https://support.stripe.com/questions/avoiding-fraud-and-disputes)
and also point to SiftScience, Signifyd or Riskified.

SiftScience seems the most similar to Simility, and gives pricing online (free
lite version or full for 5-6 cents per order). Riskified and Signifyd actually
provide insurance (and then perhaps have a lower approval rating since they
actually take risk?)

I'm planning on trying SiftScience in the future.

------
cheez
They call it machine learning, so did they apply unsupervised learning to
determine these factors? How did they determine these factors were relevant?

~~~
nickcano
They could have used PCA[1] on their feature set and let a human come up with
these; they claim to use machine learning, not that this checklist was
generated as a result of machine learning.

Otherwise, maybe they have an algorithm that looked at resulting
classifications from learning and flagged inputs with the largest and most
consistent variance across classes.

[1][https://en.wikipedia.org/wiki/Principal_component_analysis](https://en.wikipedia.org/wiki/Principal_component_analysis)

~~~
cheez
I'm OK with a human being involved, I'm curious how they actually figured it
out.

------
gculliss
These were reliable indicators until they were disclosed here...

------
graycat
It appears that we have a special, powerful, valuable opportunity for how to
manipulate the data in the OP.

So, the OP has "7 Leading Fraud Indicators: From Fresh Cookies to Null
Values".

Suppose for those 7 indicators, 4 of them have just two possible values and
the other three have just 4 possible values or some such. Then for one
connection to the server from a Web browser, the 7 signals have jointly just

    2^4 * 4^3 = 1,024

possible values. That is, there are only n = 1,024 possible _cases_ of signal
data from a Web browser from a connection to the server. And apparently we
have good data on each of the cases.

Or, to be practical, if for some case we have no data at all, then we just
assume that the reason is that the probability of that case is so low that we
can ignore that case.

The central problem here is how to detect "fraudsters". For such detection,
necessarily there are two ways to be wrong: (1) a false alarm when we say that
a connection is from fraud when it is not and (2) a missed detection when we
say that a connection is not from fraud when it is.

Our mission, and we have to accept it, is essentially to find ways of
manipulating the large amount of relevant data so that (A) from the false
alarm (1), we can specify the highest probability of a false alarm f we are
willing to tolerate, (B) get that probability of a false alarm f in practice,
and (C) from the missed detections in (2), for that probability of a false
alarm f, get the lowest probability of a missed detection (2) we can.

Or, for the false alarms we are willing to tolerate, we want to manipulate the
data to get all the detections we can.

So, for some notation:

P -- probability

n -- positive integer, number of different possible cases of data from
connections, e.g., as above, n = 1,024

B -- event, connection is bad, fraud

G -- event, connection is good, not fraud

P(B) + P(G) = P(B OR G) = 1

C -- random variable, case of connection, i = 1, 2, ..., n.

So random variable C takes values in the set {1, 2, ..., n}.

p(i) = P(C = i)

b(i) = P(B | C = i) = P(B AND C = i)/P(C = i)

= P(B AND C = i)/p(i)

g(i) = P(G | C = i) = P(G AND C = i)/P(C = i)

= P(G AND C = i)/p(i)

B = U_i {B AND C = i}

P(B) = Sum_i P(B AND C = i)

= Sum_i p(i) P(B | C = i)

= Sum_i p(i) b(i)

P(G) = Sum_i p(i) g(i)

b(i) + g(i) = P(B | C = i) + P(G | C = i)

= P(B AND C = i)/P(C = i) + P(G AND C = i)/P(C = i)

= ( P(B AND C = i) + P(G AND C = i) )/P(C = i)

= P( (B AND C = i) OR (G AND C = i) )/P(C = i)

= P(C = i)/P(C = i) = 1

M -- event, a missed detection of a bad connection, fraud

D -- event, detection of a bad connection, fraud

F -- event, false alarm

 _Detection Rule:_

Suppose for some set I a subset of {1, 2, ..., n} we raise an alarm of a
detection of a bad connection, that is, fraud, when C in I.

With this detection rule, probability of a false alarm is

P(F) = Sum_{i in I} P(G AND C = i)

= Sum_{i in I} P(G | C = i) p(i)

= Sum_{i in I} g(i) p(i)

the probability of a detection is

P(D) = Sum_{i in I} P(B AND C = i)

= Sum_{i in I} P(B | C = i) p(i)

= Sum_{i in I} b(i) p(i)

and the probability of a missed detection is

P(M) = P(B AND C not in I)

= Sum_{j not in I} P(B AND C = j)

= Sum_{j not in I} P(B | C = j) p(j)

= Sum_j P(B | C = j) p(j)

- Sum_{i in I} p(B | C = i) p(i)

= Sum_j P(B | C = j) p(j) - P(D)

= Sum_j P(B AND C = j) - P(D)

= P(B) - P(D)

So, to minimize the probability of a missed detection P(M) we want to maximize
the probability of a detection P(D). We guessed this intuitively.

To maximize the probability of a detection P(D), suppose we have sorted our
data on the n cases so that the ratios b(i)/g(i) are in descending order, that
is, so that

b(1)/g(1) >= b(2)/g(2) >= ... >= b(n)/g(n)

Suppose we pick k in {1, 2, ..., n} and let I = {1, 2, ..., k}.

Then for our detection rule with this k and I, the probability of a false
alarm is

P(F) = Sum_{i in I} g(i) p(i)

So, note that here really we are just summing i = 1, 2, ..., k where, as just
above,

b(1)/g(1) >= b(2)/g(2) >= ... >= b(n)/g(n)

So, we just sort these ratios and then sum the products g(i) p(i) on i until
we get our selected probability of false alarms f.

As we will prove below, this is just the thing we should do.

If we pick k too large, then our probability of false alarms will be larger
than our selected value f. If we pick k too small, then our probability of
detection will be smaller than we want.

Also for our detection rule with this k and I, the probability of a detection,
what we want to maximize, is

P(D) = Sum_{i in I} b(i) p(i)

So, suppose we pick k just large enough that P(F) = f (or close enough for
government work).

Claim: With this selection of k and I, we get, as in (1), the probability of a
false alarm f we selected and, for that probability of a false alarm f, get
the probability of a detection P(D) the largest possible and, as in (2) the
probability of a missed detection the smallest possible.

To see this claim, we want to select x_1, x_2, ..., x_n to solve the
_operations research applied mathematics resource allocation optimization
problem_

Problem 1:

max z = P(D) = Sum_i x_i b(i) p(i)

subject to

P(F) = Sum_i x_i g(i) p(i) <= f

x_i = 0, 1

Yes, from the x_i, I = {i | x_i = 1}.

Problem 2:

Suppose for some L >= 0, x = (x_i) solves

max z = Sum_i x_i b(i) p(i)

- L ( Sum_i x_i g(i) p(i) - f )

subject to

x_i = 0, 1

Then since x = (x_i) solves Problem 2, we have that for any y = (y_i) that
satisfies the constraints of Problem 1, that is

Sum_i y_i g(i) p(i) <= f

and

y_i = 0, 1

we have that

Sum_i x_i b(i) p(i)

= Sum_i x_i b(i) p(i)

- L ( Sum_i x_i g(i) p(i) - f )

>= Sum_i y_i b(i) p(i)

- L ( Sum_i y_i g(i) p(i) - f )

>= Sum_i y_i b(i) p(i)

so that x = (x_i) solves Problem 1.

For more, in Problem 2, we have

max z = Sum_i x_i b(i) p(i)

- L ( Sum_i x_i g(i) p(i) - f )

= Sum_i ( x_i b(i) p(i) - L x_i g(i) p(i) )

- L f

= Sum_i ( x_i ( b(i) p(i) - L g(i) p(i) ) )

- L f

so that x_i = 1 if and only if

x_i ( b(i) p(i) - L g(i) p(i) ) >= 0

and

b(i)/g(i) >= L

So, the way to solve Problem 1 is to pick k = 1, 2, ..., n, set I = {1, 2,
..., k}, and set x_i = 1 for i in I and x_i = 0 otherwise so that

Sum_{i in I} x_i g(i) p(i) = f

In particular,

L = b(k)/g(l)

That is, intuitively, we are making investments in real estate, our
probability of a false alarm

P(F) = Sum_i x_i g(i) p(i) = f

is like money.

We get to invest the money in cases i = 1, 2, ..., n. For case i,

b(i)/g(i) = (b(i)p(i))/(g(i)p(i))

is our return on investment, that is, at investment i, the probability of
detection we get for the probability of false alarms we are willing to
tolerate.

So, we sort so that the ratios

b(1)/g(1) >= b(2)/g(2) >= ... >= b(n)/g(n)

and make investments in the order i = 1, 2, ... until we have spent all our
money.

Then, for the money we have spent, that is the best return on our investment
we can get.

Thanks to J. Lagrange, K. Pearson, J. Neyman, and H. Everett.
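The ratio-sorted rule derived above, as an added worked example (constructed here; it is not code from the comment, the article or Simility): the six cases and their p(i), b(i) are made up, probabilities are exact Fractions so the false-alarm budget f can be met exactly as the argument assumes, and a brute-force search over every subset I checks the optimality claim.

```python
"""Likelihood-ratio detection rule from the derivation above (added example).

A case i of joint signal data has p(i) = P(C = i) and b(i) = P(B | C = i);
g(i) = 1 - b(i). The rule alarms on a set I chosen to maximise
P(D) = sum b(i)p(i) subject to P(F) = sum g(i)p(i) <= f.
"""
from fractions import Fraction as Fr
from itertools import combinations
import math

# Constructed sample: six joint cases as (p(i), b(i)); the p(i) sum to 1.
CASES = {
    1: (Fr("0.50"), Fr("0.002")),   # the common, almost always good, case
    2: (Fr("0.30"), Fr("0.010")),
    3: (Fr("0.10"), Fr("0.050")),
    4: (Fr("0.06"), Fr("0.200")),
    5: (Fr("0.03"), Fr("0.600")),
    6: (Fr("0.01"), Fr("0.950")),   # rare case, almost always fraud
}


def likelihood_ratio(b):
    """b(i)/g(i); a case that is never good sorts ahead of everything."""
    g = 1 - b
    return math.inf if g == 0 else b / g


def optimal_detection_set(cases, f):
    """Greedy rule: sort by b(i)/g(i), spend the false-alarm budget f in order.

    f may be a Fraction or a decimal string. Returns (I, P(F), P(D), P(M)).
    The Lagrangian argument above assumes a prefix sum lands exactly on f; if
    f falls between prefix sums the budget is left partly unspent, and as a
    0/1 knapsack a non-prefix set can then beat the prefix.
    """
    budget = Fr(f)
    ranked = sorted(cases, key=lambda i: likelihood_ratio(cases[i][1]), reverse=True)
    alarm_set, p_false, p_detect = [], Fr(0), Fr(0)
    for i in ranked:
        p, b = cases[i]
        cost = (1 - b) * p            # g(i)p(i): false-alarm probability spent
        if p_false + cost > budget:   # next case would overspend: k is found
            break
        alarm_set.append(i)
        p_false += cost
        p_detect += b * p             # b(i)p(i): detection probability gained
    p_bad = sum(b * p for p, b in cases.values())        # P(B) = sum b(i)p(i)
    return alarm_set, p_false, p_detect, p_bad - p_detect  # P(M) = P(B) - P(D)


def brute_force_best_detection(cases, f):
    """Largest P(D) over every subset with P(F) <= f, to check the claim."""
    budget, best = Fr(f), Fr(0)
    for r in range(len(cases) + 1):
        for subset in combinations(cases, r):
            p_false = sum((1 - cases[i][1]) * cases[i][0] for i in subset)
            if p_false <= budget:
                best = max(best, sum(cases[i][1] * cases[i][0] for i in subset))
    return best


if __name__ == "__main__":
    for budget in ("0.0125", "0.0605"):
        chosen, pf, pd, pm = optimal_detection_set(CASES, budget)
        print(f"f={budget} I={chosen} P(F)={float(pf):.4f} P(D)={float(pd):.4f} "
              f"P(M)={float(pm):.4f} brute-force best P(D)="
              f"{float(brute_force_best_detection(CASES, budget)):.4f}")
```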

~~~
graycat
Errata:

Change

L = b(k)/g(l)

to

L = b(k)/g(k)

------
brightball
This would have been such a huge help to me a couple of years ago. Good read
and good looking service.

------
eveningcoffee
Or a big FY to privacy-conscious users. That does not mean these are not
strong indicators of possible fraud, but when applied fiercely they would really
hurt legitimate users.

------
danharaj
These are not useful statistics at all the way they're presented. Base rate
fallacy or something? Idk. There's issues.

~~~
Houshalter
I don't see why not. Any feature that correlates with fraud is useful. Some of
these correlate pretty strongly. And then combining multiple weak features can
rapidly increase the certainty that a user is or is not fraudulent.

~~~
danharaj
You can't tell how well these features correlate without knowing what the
population of non-fraudsters is that satisfy each feature.

~~~
Houshalter
Presumably they have that data. That's how they found these correlations.

~~~
throwaway2048
That is not something that should be presumed; this kind of error is super
common, especially with people that are otherwise not statistically well
grounded.

If 1% of transactions are fraudulent, and these indicators have only a 1%
false positive rate (which they have nowhere close to), and they will match the
fingerprint of every fraudulent transaction (which they won't), you get an
absolutely titanic overall false positive rate, somewhere around >50% false
positives.

This is not some trivial pedantic thing; it's a very important aspect of
statistical models that must be explicitly stated to be accounted for. It is
not enough to say "every Y has characteristic X" if no other information about
X is provided.

~~~
Houshalter
Yes I understand Bayes Rule. Nowhere in the article did they make any such
fallacy. They are just stating what features happen to be predictive of fraud.

Anyone actually using this would use a proper statistical model and real data,
not random figures they found on a blog. But this post does give useful advice
of what features to test.

In any case, if there is only a 50% chance that a user is a fraudster, it
still might be worth rejecting them.

Anyway, using your assumption of 1% fraud, and using all of the features
listed in the article (and presumably there would be other features too, but
let's just use the ones they talked about), I do the following calculation:

1% = 1:99 x 8:1 (32 bit OS) x 9:1 (fresh cookies) x ? (Null values doesn't
give a number, or suggests that 100% of null values are from fraudsters and
never appear organically, so I will exclude it) x 5:1 (referrer history) x
96:70 (Windows) x ? (Number for plugins not given, but it seems to be a low
correlation) x ? (No number given for incognito, but it's probably low.)

= 5:1 or 83% probability they are fraudulent, excluding the missing values,
which would raise it further.
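Both calculations in this sub-thread, as an added example (constructed here, not code from either commenter or from the article): the base-rate arithmetic for 1% prevalence with a 1% false-positive rate, and the odds form of Bayes' rule multiplying the article's figures, which assumes each N:1 figure is a likelihood ratio P(signal | fraud)/P(signal | not fraud) and that the signals are independent given the class.

```python
"""Base-rate and likelihood-ratio arithmetic for the fraud signals (added example)."""
from fractions import Fraction as Fr


def alarm_precision(prevalence, true_positive_rate, false_positive_rate):
    """P(fraud | alarm) from base rate, hit rate and false-positive rate.

    Bayes: P(B|alarm) = P(B)P(alarm|B) / (P(B)P(alarm|B) + P(G)P(alarm|G)).
    The complement, 1 - precision, is the share of alarms that are false.
    """
    hits = prevalence * true_positive_rate
    false_alarms = (1 - prevalence) * false_positive_rate
    return hits / (hits + false_alarms)


def posterior_from_likelihood_ratios(prior_odds, likelihood_ratios):
    """Odds form of Bayes' rule: posterior odds = prior odds * product of LRs.

    Assumes the signals are conditionally independent given the class (the
    naive-Bayes assumption); correlated signals such as "32-bit OS" and
    "Windows" would be double counted here. Returns (odds, probability).
    """
    odds = prior_odds
    for lr in likelihood_ratios:
        odds *= lr
    return odds, odds / (1 + odds)


# throwaway2048's scenario: 1% fraud, every fraud caught, 1% of good users flagged.
BASE_RATE_SCENARIO = dict(prevalence=Fr(1, 100),
                          true_positive_rate=Fr(1),
                          false_positive_rate=Fr(1, 100))

# Houshalter's chain: 1:99 prior, then 8:1, 9:1, 5:1 and 96:70 from the article.
PRIOR_ODDS = Fr(1, 99)
ARTICLE_RATIOS = [Fr(8), Fr(9), Fr(5), Fr(96, 70)]


if __name__ == "__main__":
    precision = alarm_precision(**BASE_RATE_SCENARIO)
    print(f"share of alarms that are real fraud: {float(precision):.1%}")
    print(f"share of alarms that are false:      {float(1 - precision):.1%}")
    odds, prob = posterior_from_likelihood_ratios(PRIOR_ODDS, ARTICLE_RATIOS)
    print(f"posterior odds {float(odds):.2f}:1, probability {float(prob):.1%}")
```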

