How not to configure antifraud rules according to user geography

Recently, I needed to top up my wallet in Eleksnet with an Alfa-Bank credit card, a standard procedure that I have already done successfully several times. As usual, after logging in to the wallet and entering the card data, instead of the usual success message I received the following error:

Oops. "Anti-black list"! I forgot that this time I am abroad.

I spent some time on unsuccessful attempts to pay, but alas. In desperation, I even tried to do the operation through Tor, which of course didn't help (I didn't want to spend the time figuring out how to quickly restrict Tor's exit nodes to a specific country), but a couple of times I received a second interesting error with the following text:

"User IP address country does not match BIN country"

That is, this time the Eleksnet antifraud system was unhappy because the country of my foreign provider's IP address did not match the country of the card issuer.

The saddest thing is that the error message gives me as a user no choice except to retry the operation or abandon it. The window on the screen doesn't even contain any recommendations or links: where to go, whom to write to and what to do so that everything works. And it will certainly stump users who don't know English, because everything in the window is written in Russian except the error message itself, which is in English.

Actually, why is all this so bad?

From the errors above we can draw conclusions about how Eleksnet's antifraud rules are arranged (at least the ones that apply to top-ups from a card):

  • There is a list of allowed countries, most likely Russia and the CIS countries. Top-up operations are allowed only from IP addresses in those countries; all others are prohibited.
  • Another rule checks whether the geography of the user's IP matches the issuer's country. There are options here: most likely Russia and the CIS are treated as one common geographic space (that is, it would be possible to top up from Ukraine with a Russian card, although I didn't check this).
  • It is worse if the logic is stricter: the user's country must match the issuer's country, and nothing else is accepted. Why, then, did I get the second error while the antifraud did not complain about the "anti-black list"? The suspicion arises that at that moment the IP address of the Tor exit node happened to be in an allowed country, but that country did not match Russia (the card issuer). Help!

So there is a system of several simple antifraud rules which, I think, are equally successful at fighting fraud and at complicating the life of normal users like me. This is all about how not to do it.

Now, about how it could (and should) have been done right.

  • First of all, I am not a new Eleksnet client. More precisely, I have already used the same card several times to top up the same wallet. So my pattern of payment behaviour is very simple and transparent: about once a month I top up my wallet from the same card. To assume that a fraudster would now top up my wallet from my stolen card is rather strange. Hence the first correct step: remember the card and the operations on it, and apply a strict policy only when a new card appears in the system (one that nothing is known about and that is being recorded for the first time). If the card performs the same typical action (in this case, topping up the wallet) for the fifth time in a row, then most likely it is the cardholder doing it, and at this point the antifraud policy should be softened so that this particular operation is allowed regardless of the geographic location of either the user or the card issuer. Another option is to start from the wallet and keep the history of payment behaviour from the wallet's point of view (where it is topped up from, where it pays or transfers to, and so on).
  • You also need to remember what exactly a wallet is in the Eleksnet system. The wallet number is essentially the owner's phone number, and to log in you must give the pair phone number + password for accessing the wallet, issued at registration. But Eleksnet is perfectly capable of sending an SMS for any action in the system; in my case I receive an SMS when the wallet is topped up and when I pay from it. So what would it cost, for an operation that Eleksnet considers suspicious, simply to request its confirmation by SMS? This is common standard practice used in many payment systems (enhanced or two-factor authentication, for example in Yandex.Money) and in banks (the most obvious example here is 3-D Secure authorization): at the time of the transaction the user receives an SMS with a code, enters it on the payment operator's page and thereby confirms the transaction. Moreover, an Eleksnet user gives his phone number right at registration, and from then on that number is the number of the user's wallet, so all that remains is to send the user an SMS and wait for confirmation of the operation.
  • If the antifraud system contains various blacklists (which is normal), then there must also be flexible logic for using them, and for that many factors besides the blacklist itself have to be taken into account. The head-on approach (forbid everything for these, allow everything for the others) is clumsy, inflexible and spoils the life of ordinary users faster than anything else.
  • And finally, if the antifraud rules fired and forbade the operation, then of course the user need not be told why it happened (remember that it may really be fraud). But do tell him how to solve the problem! That is exactly what matters to an honest user who has fallen foul of the antifraud: where to write or call, what simple system settings to tighten up, and so on, all in human language. In my case, a message like: "Sorry! The operation did not go through. We don't recognise you; you are probably trying to top up your wallet differently than usual. We will now send you an SMS code; enter it in the box below so that we can make sure that you are you."
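The tiered policy described in these points, as an added example that is not Eleksnet's code and not from the original article: a card that has already topped up the wallet several times is allowed regardless of geography, an unknown card from an unusual location is challenged with an SMS code sent to the wallet's phone number rather than hard-denied, and the user-facing text says what to do next instead of which rule fired. The allowed-country set, the "known card" threshold, the blacklist entry, the wallet and card tokens are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed configuration for illustration, not Eleksnet's actual rules.
ALLOWED_COUNTRIES = {"RU", "BY", "KZ", "AM", "KG", "UA"}  # one geographic zone for top-ups
KNOWN_CARD_MIN_TOPUPS = 3                  # successful top-ups before a card counts as the wallet's own
BLOCKED_CARD_TOKENS = {"tok-reported-stolen"}  # constructed blacklist entry


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_SMS = "step_up_sms"  # ask for the code sent to the wallet's phone number
    DENY = "deny"


@dataclass(frozen=True)
class TopUp:
    wallet: str       # wallet id, which is the owner's phone number in this scheme
    card_token: str   # tokenised card reference; the raw PAN never enters the rule engine
    bin_country: str  # issuer country derived from the BIN
    ip_country: str   # country of the client's IP address
    amount: int       # rubles


@dataclass
class WalletHistory:
    # successful top-ups per card token: the "payment behaviour" the text says should be remembered
    topups_by_card: dict = field(default_factory=dict)

    def record_success(self, card_token: str) -> None:
        self.topups_by_card[card_token] = self.topups_by_card.get(card_token, 0) + 1

    def is_known_card(self, card_token: str) -> bool:
        return self.topups_by_card.get(card_token, 0) >= KNOWN_CARD_MIN_TOPUPS


def decide(op: TopUp, hist: WalletHistory) -> Decision:
    """History first; the geographic checks apply only to cards the wallet has not established."""
    if op.card_token in BLOCKED_CARD_TOKENS:
        return Decision.DENY            # hard blacklist hit, no softening
    if hist.is_known_card(op.card_token):
        return Decision.ALLOW           # the wallet's usual card doing its usual thing
    geo_mismatch = op.ip_country != op.bin_country
    outside_zone = op.ip_country not in ALLOWED_COUNTRIES
    if geo_mismatch or outside_zone:
        return Decision.STEP_UP_SMS     # unknown card plus odd geography: challenge, don't drop
    return Decision.ALLOW


def user_message(decision: Decision) -> str:
    """Tell the user what to do next, never which rule fired."""
    return {
        Decision.ALLOW: "Top-up accepted.",
        Decision.STEP_UP_SMS: ("We don't recognise this top-up. We have sent a code to your "
                               "wallet's phone number; enter it below to confirm."),
        Decision.DENY: ("The top-up could not be completed. Please contact support at "
                        "<support contact placeholder> to continue."),
    }[decision]


def replay_story() -> tuple:
    """The article's sequence: several top-ups from Moscow, then the same card from abroad.
    Returns the decision for the known card abroad and for a never-seen card abroad."""
    hist = WalletHistory()
    home = TopUp("79160000000", "tok-alfa", "RU", "RU", 3000)  # constructed wallet and token
    for _ in range(4):
        if decide(home, hist) is Decision.ALLOW:
            hist.record_success(home.card_token)
    abroad = TopUp("79160000000", "tok-alfa", "RU", "DE", 3000)
    new_card_abroad = TopUp("79160000000", "tok-other", "RU", "DE", 3000)
    return decide(abroad, hist), decide(new_card_abroad, hist)


if __name__ == "__main__":
    known, unknown = replay_story()
    print(known, "->", user_message(known))
    print(unknown, "->", user_message(unknown))
```

The order of checks is the point: the blacklist is consulted first because it is a hard signal, the wallet's own history second because it is the strongest evidence of legitimacy, and geography last, as a reason to ask for a second factor rather than to refuse.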

At a minimum, these simple steps could greatly reduce the number of innocently suffering customers who were reckless to go abroad, and only as a result of their geographical movement were deprived of the opportunity to use the service.

If we go further along the path of improving antifraud rules, we can add more complex logic, for example: take into account the speed at which the user moves between countries (payments from different countries a day apart are far more plausible than five minutes apart), take into account the number of attempts to complete the operation (including with different cards, thereby preventing card-number enumeration), the fact of proxy or anonymizer use, and so on.
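Two of the checks just listed, travel speed between countries and the number of distinct cards tried against one wallet, as an added example that is not from the original article or from any payment system: both run over a constructed attempt log with three wallets, one showing an implausible country switch, one showing the author's own pattern (same card, new country a day later) and one showing several cards failing within a few minutes. The thresholds, wallet names and card tokens are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not any payment system's real settings.
MIN_COUNTRY_SWITCH = timedelta(hours=6)  # a country change faster than this is implausible
ENUM_WINDOW = timedelta(minutes=10)      # sliding window for counting distinct cards per wallet
MAX_DISTINCT_CARDS = 3                   # more than this many cards in the window looks like enumeration


@dataclass(frozen=True)
class Attempt:
    wallet: str       # wallet id (the owner's phone number in this scheme)
    card_token: str   # tokenised card reference, never the PAN
    ip_country: str   # ISO country of the client IP
    at: datetime
    ok: bool          # whether the top-up succeeded


def _by_wallet(attempts, wallet):
    return sorted((a for a in attempts if a.wallet == wallet), key=lambda a: a.at)


def impossible_travel(attempts, wallet):
    """Return (from_country, to_country, gap) for every country change faster than MIN_COUNTRY_SWITCH."""
    seq = _by_wallet(attempts, wallet)
    return [
        (prev.ip_country, cur.ip_country, cur.at - prev.at)
        for prev, cur in zip(seq, seq[1:])
        if prev.ip_country != cur.ip_country and cur.at - prev.at < MIN_COUNTRY_SWITCH
    ]


def card_enumeration(attempts, wallet):
    """True if, within any ENUM_WINDOW, more than MAX_DISTINCT_CARDS different cards hit the wallet."""
    seq = _by_wallet(attempts, wallet)
    for i, cur in enumerate(seq):
        window_cards = {a.card_token for a in seq[: i + 1] if cur.at - a.at <= ENUM_WINDOW}
        if len(window_cards) > MAX_DISTINCT_CARDS:
            return True
    return False


# Constructed sample log.
T0 = datetime(2013, 5, 1, 10, 0)
SAMPLE = [
    # wallet-a: a top-up from Russia, then the same card from Germany five minutes later
    Attempt("wallet-a", "card-1", "RU", T0, True),
    Attempt("wallet-a", "card-1", "DE", T0 + timedelta(minutes=5), False),
    # wallet-b: the author's pattern, same card, new country a day later
    Attempt("wallet-b", "card-2", "RU", T0, True),
    Attempt("wallet-b", "card-2", "DE", T0 + timedelta(days=1), False),
    Attempt("wallet-b", "card-2", "DE", T0 + timedelta(days=1, minutes=3), False),
    # wallet-c: five different cards failing within three minutes
    *[
        Attempt("wallet-c", f"card-x{n}", "RU", T0 + timedelta(seconds=40 * n), False)
        for n in range(5)
    ],
]

if __name__ == "__main__":
    for w in ("wallet-a", "wallet-b", "wallet-c"):
        print(w, impossible_travel(SAMPLE, w), card_enumeration(SAMPLE, w))
```

Neither signal on its own needs to block: in a real engine they would feed the same decision as the history rule above, raising a step-up challenge for the wallet owner, with the enumeration case additionally rate-limited per wallet.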

It's important to add that when I took further actions with the wallet, Eleksnet's antifraud did not get in my way: after I topped up the account with the help of a friend in Russia (I had to give him step-by-step instructions over Skype), I was able to easily withdraw money from the wallet to an account at another Russian bank while still abroad. This also raises questions. From the point of view of antifraud policy it is important to stop not only suspicious attempts to use bank cards but also, possibly, atypical manipulations of the funds on the wallet itself, and above all in risky payment directions, in particular withdrawal of funds (which is the ultimate goal of any fraudster, and the faster the better!). I can only explain this by the small size of the operation (a few thousand rubles).

As a result, the chain of my actions was as follows:

  • Several times, while in Moscow, I topped up the wallet with the credit card - no problem.
  • Now I top up the wallet from the same Russian card from abroad - several attempts, and each time the top-up is blocked by the antifraud rules.
  • I try to do the same through Tor (where the IP address obviously may well be in a different country again) - the same thing, the operation is impossible.
  • I turn to a friend in Moscow for help and send him detailed instructions over Skype - finally the operation goes through and the wallet is topped up.
  • Immediately after that I withdraw money from the wallet to a card of another Russian bank, geographically still in the same place abroad from which I was not allowed to top up the wallet. No questions asked, the operation succeeded and the money was withdrawn.

The moral of this story is this: people move around the world, but for their financial services this should not be a source of problems, such as blocking bank cards, the inability to replenish an electronic wallet or pay for their own Moscow mobile phone while in another hemisphere.

Fight fraud correctly!
