Hacker News
by aandon 3730 days ago
PM from a fraud detection company here. One thing I didn't see mentioned on this thread is Device ID, which is very common on fraud detection platforms. When a user comes to your website or mobile app, you have access to hundreds of signals from their device. Some, like IP address, are easy to spoof. Others, like whether the user has changed their phone alarm from the default settings, are often ignored by fraudsters but are surprisingly telling signals (fraudsters don't bother to change from default settings). We wrote an article on some interesting findings recently here: https://simility.com/device-recon-results/. A good device ID product can not only tell if the same fraudster is accessing your app repeatedly while pretending to be different users, it can detect risky user profiles when they land on your app, before they even make a payment.
4 comments

Just a thought: have you ever considered that by publishing such red flags for fraud, fraudsters will adopt these "organic" behaviors in order to appear more legitimate? I understand that the idea is to make illicit transactions more difficult and that adopting these "organic" behaviors is more difficult, but automated fraud tools (i.e., what most 'script-kiddies' use) also become more sophisticated over time. Regardless, I bet you don't publish ~all~ your fraud detection vectors for that exact reason.
I'd be surprised if all of the published vectors are genuine, too, for the same reason :)
> Device ID

It's incredibly easy to dupe and manipulate. If someone is determined enough, they can just edit the packet before it hits your server, or install another app/font/package/etc. to change the fingerprint. "Well, what about IMEI?" See reference to intercepting packets.

You can use Valve's browser fingerprinting library. It's good enough to detect basic guys who are jumping through proxies. Combine that with MaxMind's proxy detection service and it's a decent starting block.
Interesting... If you have a device ID running on your site, how do you tie a 'suspicious user' it flags with the orders made by that user? I read a bit about your product and it's not clear how a web shop like Candy Japan would integrate quick and dirty with this.
Normally, an order on your back-end is linked to our device ID with a session ID. However, our device ID can also accept user-generated data within fields on your website/mobile app. So if your customers enter their email address during your checkout process, that email will be tied to device ID and you can then look up suspicious orders by their email address.