decision camp 2013 - ouyang ming - paypal - stopping fraud early
DESCRIPTION
PayPal discusses challenges related to payment fraud, and the technology they use to stop it fasterTRANSCRIPT
© 2013 Sparkling Logic, Inc. company confidential
Stopping Fraud EarlyOuyang MingDistinguished Scientist
Interviewed by
Carole-Ann MatignonCo-Founder & CEO
Sparkling Logic
© 2013 Sparkling Logic, Inc. company confidential
How big of a problem is Fraud at PayPal?
• PayPal attempts• 50% invalid browser finger print• Fraudsters are probing PayPal system
• Losses upticks whenever we have tech issues: for bigger issues, the loss could easily double or triple
© 2013 Sparkling Logic, Inc. company confidential
What are the different type of risks?
• Account taken over: online world
• ID theft: more a credit issue, real world
• CC risk
• ACH risk: stolen vs. credit
© 2013 Sparkling Logic, Inc. company confidential
Where are the “fraudsters” coming from?
• Phishing
• Malware, spyware and botnet
• Data/security breach• Shared passwords: 40k out of 200k matched w/ PP
• Unintentional issues: recycled emails
• Underground market
© 2013 Sparkling Logic, Inc. company confidential
How do you identify Fraud?
• Customer claims
• Merchant reports
• Agents review
• CC charge back
• ACH returns
• Loss monitoring
© 2013 Sparkling Logic, Inc. company confidential
How do you stop Fraud?
• Manual review vs. data driven
• Data• Point-in-Time notion
• Decision Management tools• SAS• Knowledge Seeker• Sparkling Logic SMARTS BluePen
© 2013 Sparkling Logic, Inc. company confidential
What does a Flash Fraud rule look like?
definitions
set '__is_WH' to boolean to string( ( CtrlActions number of actions "180" + CtrlActions number of actions "181" + CtrlActions number of actions "182" ) is more than 0 ) ;
set '__true_cc_idi' to all of the following conditions are true :
- _VAR value of variable ( "IS_CAM_ATTEMPT" ) equals "1"
- _VAR value of variable ( "IS_CAM_PLUS" ) equals "1"
- _VAR value of variable ( "MODEL_SEGMENT_CAM" ) to integer is more than 0 , ;
set '__attempt_amt' to Transaction USD amount USD amount ;
set '__cam2013_score' to iif ( _VAR value of variable ( "CAMNNMODEL_SCORE2" ) is not empty ? True _VAR value of variable ( "CAMNNMODEL_SCORE2" ) : False "0" ) to decimal ;
set '__p_value' to iif ( __cam2013_score is at least 1 ? True "0.54" : False iif ( __cam2013_score is less than 0.03 ? True "0" : False decimal number to string( __cam2013_score * __cam2013_score * __cam2013_score * 0.5841 - __cam2013_score * __cam2013_score * 0.305 + __cam2013_score * 0.2333 + 0.0032 ) ) ) to decimal ;
set '__sim_qp_scr' to __p_value * __attempt_amt * 100 * 10 ;
if
__true_cc_idi
and _VAR value of variable ( "CAMNNMODEL_SCORE2" ) is not empty
and integer to string( User account number ) right 6 chars left 2 chars to integer is between 80 and 99
and none of the following conditions are true :
- Transaction is dcc
- Transaction is virtual terminal
- Transaction is hss ,
and none of the following conditions are true :
- Transaction is eBay customized end of auction
- Transaction is eBay express payment
- Transaction is eBay immediate payment
- Transaction is eBay marketplace payment
- Transaction is eBay motors deposit ,
and none of the following conditions are true :
- FundingActions number of actions "98" is more than 0 and __is_WH equals "0"
- FundingActions number of actions "29" is more than 0 and __is_WH equals "0"
- FundingActions number of actions "16" is more than 0 and __is_WH equals "0" ,
and any of the following conditions is true :
- _VAR value of variable ( "CAMNNMODEL_SCORE2" ) to decimal is at least 0.03 and __attempt_amt is at least 250
- _VAR value of variable ( "CAMNNMODEL_SCORE2" ) to decimal is at least 0.1 and __attempt_amt is at least 150 and less than 250
- _VAR value of variable ( "CAMNNMODEL_SCORE2" ) to decimal is at least 0.3 and __attempt_amt is at least 100 and less than 150
- _VAR value of variable ( "CAMNNMODEL_SCORE2" ) to decimal is at least 0.4 and __attempt_amt is at least 50 and less than 100
- _VAR value of variable ( "CAMNNMODEL_SCORE2" ) to decimal is at least 0.7 and __attempt_amt is at least 25 and less than 50
- _VAR value of variable ( "CAMNNMODEL_SCORE2" ) to decimal is at least 0.8 and __attempt_amt is at least 0 and less than 25 ,
and __sim_qp_scr is at least 40,000
and none of the following conditions are true :
- 'User counterparty' has ALF ( alf_digital_content ) active on account
- 'User counterparty' has ALF ( alf_digital_content_olg ) active on account
- _RADD Misc 03 exists with keys ( "ARS_TRUE_INDUSTRY" , "ARS_TRUE_INDUSTRY" , "ARS_TRUE_INDUSTRY" , integer to string( 'User counterparty' account number ) )
and _RADD Misc 03 string variable "CAT" with keys ( "ARS_TRUE_INDUSTRY" , "ARS_TRUE_INDUSTRY" , "ARS_TRUE_INDUSTRY" , integer to string( 'User counterparty' account number ) ) equals "gaming"
- _RADD Misc 03 exists with keys ( "ARS_DG_SELLER_LIST" , "ARS_DG_SELLER_LIST" , "ARS_DG_SELLER_LIST" , integer to string( 'User counterparty' account number ) )
and _RADD Misc 03 integer variable "IS_DG" with keys ( "ARS_DG_SELLER_LIST" , "ARS_DG_SELLER_LIST" , "ARS_DG_SELLER_LIST" , integer to string( 'User counterparty' account number ) ) equals 1 ,
then
the BREFundingActions flag hold the current transaction of User ;
© 2013 Sparkling Logic, Inc. company confidential
How big is the solution?
• Events through rules engine: over 110 million requests/day
• Machines we have for rules engine: 360 boxes
© 2013 Sparkling Logic, Inc. company confidential
How do you know how well you do?
• Business Metrics and Business Objectives• Hit rate / Catch rate• Financial objectives
© 2013 Sparkling Logic, Inc. company confidential
How do you track performance over time?
• Flash Fraud is an Endless Game• Technology evolvement: proxy, VPN, Remote Desktop • Interactive game: you change, they change accordingly
• Control Groups
© 2013 Sparkling Logic, Inc. company confidential
Let’s end with an anecdote…