In fact, the rule is fig. But of course, why it works. Among security guards, it is believed that antifraud should be such a top-secret contraption for seven seals with a couple of hungry Cerberus nearby. So that no one could look into the gap and find out how this antifraud works and whatās inside. This adds importance to security guards, and the antifraud mechanism itself is given an illusory defense.
The principle of security through obscurity does not work. If you go google about the news in the context of āBank X client was hacked and stolen Y rubles,ā then such news will always be. Almost every day (almost - because they do not always write about it).
Implementations of all known encryption protocols are open and available for study. All cryptographic and mathematical algorithms are also described, and in great detail. That is, sit down, stock up on coffee or energy, study all this stuff and break it yourself slowly.
Therefore, a system that is considered secure only because people do not know how it works is never protected at all. But the more open such a system, the faster the corrosive community will point out all the jambs in the implementation with its critical finger. What will allow to eliminate these jambs.
I work precisely in the paradigm of openness of protocols and systems, and in this post I want to talk about the device of the standard antifraud, about our work at RBK.money, why the future is with OpenSource, and how all this can work in an ideal world.
Which we can bring closer.
Antifraud under the hood
Let's start with the simplest examples. Antifraud is a combination of two cars. The first works according to some rules that you know and which you understand. The second is a black box in which magic is created, which even the energy canister and Nietzscheās volume will not help to comprehend.
That is, in the first car, we have a set of rules written by man. The rules look pretty simple and only reflect a certain set of actions that should trigger the system to recognize fraud. For example, if 10 payments per minute suddenly occurred from such a card, this is not a weak reason to be wary. Or if the transaction on the card took place in St. Petersburg, and 5 minutes ago the owner used it to withdraw money in Moscow, then there is also something strange.
I repeat, I am now very figuratively, because such behavior can be in a normal situation. For example, Amazon loves to withdraw money not for your entire order from 15 positions, but for each position separately. And at different times, this is normal. And in the case of a geographical difference, the owner of the card may be in Moscow, and in St. Petersburg, his mother buys something on the same card at Apple Pay. Yes, they write on the cards that they should not be passed on to third parties and thatās all, but life is usually a little more complicated.
About the second box. There lies a large chunk of machine learning, and itās concrete to show with your fingers in a simple structure how itās related to what for the conclusions, itās not so simple.
And from this basis we can derive the criteria for a good antifraud.
Three whales
The first is the rule-writing interface. Comfortable, beautiful and clear. This will be a little lower.
Secondly, a special language for writing these rules.
Thirdly, quick processing of these written rules.
Why fast - because speed is really important here. Antifraud as an entity is put in the gap of the payment system. And there are two approaches to this implementation.
1) Bypass
Here, the priority is precisely the speed of payments. Business usually in such a situation makes decisions that it is not worth losing priority in speed, so if suddenly the antifraud thinks for a long time, analyze and generally slow down the process a little - do not care, we dance, ignore the antifraud readings and just make the payment.
2) Minimization of risks
In this situation, the business understands that antifraud, in general, was not just put into the system, and listens to its indications. If there is a suspicion of fraud, then the business slows down, they understand the situation, and only then the payment is made. Or not carried out.
Therefore, the antifraud should be fast, as fast as possible, and at the same time be adequately configured.
Inside the antifraud itself, in fact, quite simple column things, there are a lot of tasks for data aggregation. Look what is going on in the system:
- ip
- fingerprint
- BIN Bank
- Merchant ID
- card token
And there is a task of the kind of collapse in the window the now moving number of payments with a specific value. For example, see right now what is being done with a specific fingerprint. Or clarify the ongoing payments on a specific card. This helps a lot.
Yes, by the way, it is important to understand that antifraud is not a thing in itself. It may not be good or bad, it is a tool that requires tuning. And if the antifraud works badly, itās not because the antifraud is bad, itās badly tuned, they wrote the wrong rules or didnāt take into account a bunch of important things.
And setting it up right is important for the business. Not only because of the bank, where the antifraud is bad, all the customers will run away, but because the industry is heavily regulated here. If too many fraud chargebacks come to the bank, this is a reason for fines and additional checks. Well, if everything is sad, then disconnect nafig from the payment system.
And it is right. If you operate on other people's money, people trust you, and you are not able to protect them - why the hell are you in the market? Open a tire fitting, for example.
Therefore, you either have a well-tuned antifraud, or none at all, because you were thrown out of the market and you no longer need it.
Own shirt
When we wrote our antifraud, we looked at all this, checked the performance, and finally installed ClickHouse.
It works like this. We have a payment system that is actively used. Accordingly, a large number of events are generated. We merge all these events into a single stream in ClickHouse, where they are successfully aggregated and processed. And processed quickly.
Some time ago we had a vendor antifraud. It was quite a solution, it worked on a subscription basis, it did not cause any particular inconvenience. But when we deduced for ourselves the criteria for the right antifraud, we began to write our own. We wrote it for a total of two months, the external cookie is described by swagger. When they finished, they began to test, at first they started up almost all the traffic to the old one, and a small part to the new one. Well, what if something comes up there.
I didnāt. We actively debugged it, used it at the start as such an additional recommendation. And the other day, we completely dragged everything to him, he is noticeably faster than the old one, quickly fulfills all the rules, in general - the flight is normal. But the old one still lies like a spare.
Antifraud is a great place to take advantage of machine learning. Indeed, at the entrance there is a base (payments themselves), there is a certain dataset, there is a model that is easily described by the already known frauds. That is, you can simply take for the model and note on the old stream of payments - check it out, there was fraud, its at, at. In general, for a full-fledged training of the neural network, there is everything, take it and use it.
We have not yet made a comfortable interface, because while we are at the stage of debugging the protocol and rules (we have 200+ of them, we write new ones daily). The system is controlled by a peppy curl directly from the console. And here the main task of the antifrader is already (yes, there is such a specially trained person who does this) - to sit, look carefully at the traffic, receive chargebacks because of fraud, and adjust the rules. As you can see, the robots have not yet been able to completely push the leather bags off.
In general, the new one is good now. But so far not directly excellent-excellent. We want to push dry run there - this is when you wrote a rule, and then ran some specific payment through it with the note āWhat would happen to the payment if this rule applied to itā. This will significantly pump its capabilities.
And I also want to build modeling interfaces. Well, you know, in movies, when brave FBI sheep track a fugitive by credit card - yeah, look, here he refueled for a credit card, bought coffee there, and took cash in that city. And all this with reference to the map, other data, with beautiful visualization. A matter of time.
Perfect system
When we add our antifraud, it will be great. But the ideal, as usual, is not so easily achieved.
The ideal, as for me, is built on an absolute OpenSource. That is, open-source antifraud in open-source language and a convenient exchange of rules.
Let's take an example about a similar ideal DDoS protection system.
Imagine that all the current operators of the mother of the Dudoser got so hard that they came together and began to use a single database of assholes. If DDoS starts on the resource of a small operator, he quickly looks at which deer cannot sleep, adds IP villains to the blacklist. Blacklist update differs on a single system, and everything related to this attack is blocked at the client connection level.
The question of trust and reliability of such a system is decided by the blockchain.
You can work with banks in the same way. There is a general list of antifraud patterns, which diverges across all banks. They zafrodili, for example, a green bank, the specialists reacted and added a new set of rules to the list, the list was updated, and thatās all, a specific attack on this mechanism no longer works. Neither in a green jar, nor in other bright colors.
The system is distributed, but we have a blockchain, you canāt crack it. OK, if you imagine that the antifraud itself was hacked at one bank - this is still a bank problem. Because we have only a list of rules in common. And the antifraud engines themselves have their own banks.
As a matter of fact now. Banks are very conservative structures. Highly. Now they have a small mailing list, a letter comes to certain specialists, they say, check it out, and here is the drop card, here are the parameters. But this is a newsletter. You can generally forget about efficiency and engagement right away. But better than nothing at all, yes.
So banks are unlikely to master such an ideal story. Fintech can quite pull itself, namely payment systems and startups.
Machine learning, coupled with OpenSource, is the future of antifraud. those who learn to work well with this will be able to take a good jackpot - the industry is huge, there are billions. But there is no perfect solution yet.
And since it is not there - that is, good opportunities to enter the market.
What does RBKmoney offer?
And we offer you a ready-made antifraud. He is already in the open source and completely free. Without any pitfalls, right now I am ready to give all the sources of our antifraud to anyone who wants and help with its integration into any payment system.
A common open source solution allows you to jointly exchange expertise, share protection rules.
Not to mention the community, which together can finish the engine, do some new things about which we either did not think or did not have time to do.
This takes the level of protection to a whole new plane. Many participants in the payment industry are now developing their own solutions, and even more are buying some ready-made ones on the market.
Do not buy. Our solution will win any tender at least in cost - it is difficult to compete with an open source solution.
Let's work out together. Repositories are open, you have the source code now. The community is always better than doing something alone.
Introducing RBKmoney Fraudbusters as a standalone product, with assembly and integration manuals will be the topic of the next article and it will be soon.