Recently, I had to replenish my wallet in Eleksnet with an Alfa-Bank credit card, a standard procedure that I have already completed successfully several times. As usual, I logged in to the wallet and entered the card data, but instead of the usual success message I received the following error:

Oops. "Anti-black list"! I forgot that this time I am abroad.
I spent some time on unsuccessful attempts to pay, but alas. Out of desperation, I even tried to do this operation through Tor, but it certainly did not help (I did not want to spend time figuring out how to quickly restrict exit nodes to certain countries in the Tor settings). A couple of times, though, I got a second interesting error with the following text:
"User IP address country does not match BIN country"
That is, this time the Eleksnet antifraud system objected to a mismatch between the country of my foreign provider's IP address and the country of the card issuer.
The saddest thing is that the error message gives me, as a user, no choice but to retry the operation or abandon it. The window on the screen does not even contain any recommendations or references: where to go, whom to write to and what to do to make everything work. And it will surely finish off those users who do not know English, since everything in the window is written in Russian and only the error message itself is in English.
Actually, why is it all so bad?
From the above errors, it is possible to draw conclusions about the structure of the antifraud rules of Eleksnet (at least those that work on the card replenishment operation):
- There is a certain list of allowed countries, most likely it is Russia and the CIS countries. Accordingly, replenishment operations are allowed only from the IP addresses of these countries, all others are prohibited.
- Another rule checks that the geography of the user's IP matches the country of the issuer. There are options here: it is likely that a common geographical space has been defined for Russia and the CIS (that is, it is possible to replenish an account from Ukraine with a Russian card, although I did not check it).
- Worse, if the logic is stricter: the country of the user must coincide exactly with the country of the issuer and nothing else. Why, then, did I get the second error, while the antifraud did not complain about the anti-black list? Here the suspicion creeps in that at that moment the IP address of the Tor exit node may simply have been from an allowed country, but that country did not match Russia (the country of the card issuer). Help!
As a result, there is a system of several simple antifraud rules which, I think, both successfully fight fraud and complicate the lives of normal users like me. It is a textbook case of how not to do it.
Now, actually, how it was possible (and necessary) to do it right.
- First of all, I am not a new customer of Eleksnet. More precisely, I have already used the same card several times to replenish the same wallet. That is, my pattern of payment behavior is very simple and transparent: about once a month I replenish my wallet from the same card. It is somewhat strange to suppose that a fraudster would now replenish my wallet from my stolen card. Hence the first correct step: remember both the card and the operations made with it, and apply strict policies only when a new card appears in the system (that is, one about which nothing is known and which is being seen for the first time). If the card performs the same typical action (in this case, replenishing the wallet) for the fifth time in a row, then most likely it is the cardholder doing it, and the anti-fraud policy should be softened to allow that specific operation regardless of geographic location and card issuer. Another option is to start from the wallet and remember the history of payment behavior from the wallet's point of view (where it is replenished from, where it pays or transfers to, and so on).
- You also need to remember what a wallet in the Eleksnet system is. The wallet number is essentially the phone number of its owner, and to log in you specify the phone number plus the password issued during registration. Eleksnet is perfectly able to send SMS for any action in the system: in my case I receive an SMS both when replenishing the wallet and when paying with it. So why not, when Eleksnet considers an operation suspicious, simply request confirmation via SMS? This is common standard practice, used in a variety of payment systems (enhanced, or two-factor, authorization, as in Yandex.Money) and in banks (the most obvious example here is 3D Secure authorization): at the time of the operation the user receives an SMS with a code and enters it on the page of the payment operator, thereby confirming the transaction. What's more, the Eleksnet user provides a phone number at registration, and that number is the same as the wallet number, so all that remains is to send the SMS to the user and wait for the operation to be confirmed.
- If various blacklists are present in the antifraud system (this is normal), then there must also be flexible logic for using them, and that logic must take many factors into account in addition to the blacklist itself. The head-on approach (forbid everything to some, allow everything to others) is inconvenient, inflexible, and ruins the lives of ordinary users at the first opportunity.
- And finally, if the anti-fraud rules fired and blocked the operation, then of course it is not necessary to tell the user why this happened (remember that this could be a fraudster). But be sure to tell them how to solve the problem, since this is what matters to an honest user who has been caught by the antifraud: where to write or call, what simple settings to change and so on, and all of this in human language. In my case, the ideal option would be a message like: “Sorry! The operation failed. We do not recognize you; you are probably trying to replenish the wallet differently than usual. We will now send you a code via SMS. Enter it in the box below so that we can make sure that you are you.”
At a minimum, these simple steps could greatly reduce the number of innocent customers who were careless enough to go abroad and, purely as a result of their geographical movement, were unable to use the service.
If you go further along the path of improving antifraud rules, you can add more complex logic, for example: take into account the speed of the user's movement between countries (payments from different countries a day apart are much more plausible than five minutes apart), the number of attempts to perform an operation (including with different cards, thereby preventing the enumeration of card numbers), the use of proxy servers or anonymizers, and so on.
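An added example, not Eleksnet's code and not part of the original post: the two hard rules inferred from the error messages, beside a history-aware decision that lets habitual top-ups through, asks for an SMS code when a known wallet/card pair appears in an unusual context, and denies only an unknown card or repeated failures. The country list, thresholds and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed values: the page only guesses at "Russia and the CIS" and gives no thresholds.
ALLOWED_IP_COUNTRIES = {"RU", "BY", "KZ"}
TRUSTED_AFTER = 4          # earlier successful top-ups before a wallet/card pair is trusted
MAX_FAILED_ATTEMPTS = 5    # per wallet, to stop enumeration of card numbers
MIN_TRAVEL_MINUTES = 60    # a country change faster than this is implausible

@dataclass
class TopUp:
    wallet: str                 # wallet number, i.e. the owner's phone number
    card_token: str             # opaque token for the card, never the PAN
    bin_country: str            # issuer country derived from the BIN
    ip_country: str             # country from IP geolocation
    via_anonymizer: bool = False
    minutes_since_other_country: Optional[float] = None

def naive_decision(op: TopUp) -> str:
    """The two hard rules inferred from the error messages; the user gets no way out."""
    if op.ip_country not in ALLOWED_IP_COUNTRIES:
        return "DENY"   # "Anti-black list"
    if op.ip_country != op.bin_country:
        return "DENY"   # "User IP address country does not match BIN country"
    return "ALLOW"

def risk_based_decision(op: TopUp, history: dict, failed: dict) -> str:
    """history: (wallet, card_token) -> successful top-ups; failed: wallet -> failed attempts."""
    if failed.get(op.wallet, 0) >= MAX_FAILED_ATTEMPTS:
        return "DENY"
    prior = history.get((op.wallet, op.card_token), 0)
    moved = op.minutes_since_other_country
    too_fast = moved is not None and moved < MIN_TRAVEL_MINUTES
    anomalies = op.via_anonymizer or too_fast
    geo_ok = naive_decision(op) == "ALLOW"
    if prior == 0:
        # New card: strict geography applies. An SMS to the wallet phone would only
        # prove control of the wallet, not of the card.
        return "ALLOW" if geo_ok and not anomalies else "DENY"
    if prior >= TRUSTED_AFTER and not anomalies:
        return "ALLOW"          # habitual top-up: geography alone does not block it
    if geo_ok and not anomalies:
        return "ALLOW"
    return "STEP_UP_SMS"        # known pair, unusual context: confirm with a code
```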
Here it is important to add that Eleksnet's antifraud did not interfere with my further actions with the wallet: after I replenished my account with the help of a friend in Russia (I had to give him step-by-step instructions over Skype), I calmly managed to withdraw money from my wallet to an account at another Russian bank while still abroad. And this also raises questions. Indeed, from the point of view of antifraud policy it is important to stop not only suspicious attempts to use bank cards but also, perhaps, atypical manipulations with the funds in the wallet itself, above all in risky payment directions, in particular cash withdrawal (which is the ultimate goal of any fraudster, and the sooner the better!). I can explain all this only by the small amount of the operation (within a few thousand rubles).
As a result, the chain of my actions was as follows:
- From time to time I replenish my wallet from a bank card while in Moscow, several times in all: no problems.
- Now I try to replenish my wallet from the same Russian card from abroad: several attempts, and each time the replenishment is blocked by anti-fraud rules.
- I try to do the same through Tor (obviously, the country of the IP address could easily differ from the original one): the same thing, the operation is impossible.
- I ask a friend in Moscow for help and send him detailed instructions via Skype: finally the operation goes through and the wallet is replenished.
- Immediately after that, I withdraw money from my wallet to a card of another Russian bank while still physically abroad, in the same place from which I could not replenish my wallet. No questions asked, the operation succeeds and the money is withdrawn.
The moral of this story is this: people move around the world, but for their financial services this should not be a source of problems, such as blocking bank cards, the inability to replenish an electronic wallet or pay for their own Moscow mobile phone while in the other hemisphere.
Fight fraud right!