Fraud, How do we handle it ?

This post is for Day 24 of Merpay Advent Calendar 2022, brought to you by codechaitu from Merpay TnS Team.

Handling millions of user transactions and providing the best service is a tough job because of the fraudulent activities.So today let’s see how in merpay we handle fraud situations and how we are working towards fraud prevention.

Let’s understand what fraud is, Wikipedia says “fraud is intentional deception to secure unfair or unlawful gain”. In simple words, using different ways to access private or unauthorized information in illegal ways. Knowing these types of activities happen, we are taking our best effort in minimizing the fraud.

Hello there, I am Chaitu, currently working for Trust and Safety of mercari/merpay users. I would like to discuss what measures we are taking to help customers to have a trusted environment about their transactions.

I was curious when I knew about this topic and wanted to understand more about it. I know you are also excited about it. Without further ado, let’s dig deeper together. For fraud prevention we use multiple different approaches, let’s understand them one-by-one.

With backend implementation approaches

While there are multiple methods implemented internally with a set of rules to check each transaction is legitimate or not. Out of all them, two features I liked the most are

Anshin Shiharai [あんしん支払い]

Let’s take a situation to understand how

1. A user wants to login, input ID and password to a phishing site.
2. Attacker fetches and puts them in the actual mercari app.
3. Authentication SMS is sent to mercari user.
4. The attacker fetches the code entered on the phishing site and inputs it to the mercari website.
5. Now the attacker gained unauthorized access.

Now with the あんしん支払い feature, backend will update the purchase limit of the user to 0yen [0 円].

But if an attacker wants to purchase some items with stolen credentials, the safe payment limit needs to be increased. For that another SMS authentication is needed, which is difficult.

If you want to learn more about this feature, here it is.

Using 3DS SDK

If a user is using a credit card for purchasing an item, for an extra layer of protection from fraud transaction, we use 3DS SDK with the app. The 3DS means 3 dimensional security which enhances each online transaction with user authorization using either PIN or password or OTP.

This will only be enabled only if the transaction looks suspicious. The flow of user transactions if found suspicious would be processed based on the risk type of the transaction.

With Machine Learning [ ML ] approach

Carefully checking each transaction manually is hard and time taking, so make it easier and quicker, few ML related techniques are employed, in them,

Handling chargeback fraud

Chargeback fraud is bank-initiated refund for a purchase when the card owner claims a transaction is unauthorized. Let’s understand from a example situation,

1. A credit card is stolen from a person.
2. Purchases are made from mercari using the stolen card.
3. Cardholder knew about the unauthorized transaction and contacted the bank.
4. Bank works with mercari to refund the money to the cardholder.

In the above process, the best place to stop fraud is in step-2 [ before buying things on mercari with a stolen credit card ].

The ML team uses a classification approach in figuring out the transaction is a normal or a chargeback transaction. Internally we use the per buyer transaction window algorithm to obtain important features to detect chargeback transactions which is implemented with Google AI platform and Airflow.

With Security approach

When backend and ML teams are trying to protect the user within the mercari/merpay environment, the security team is extending its support in protecting the user from risks outside the mercari/merpay environment.
One such risk to users is from Phishing sites, these sites look-alike actual mercari/merpay system, but can be identified with URL. Let’s see an example below, a phishing site created a UI which almost looks like a mercari login screen.

According to APWG’s recent report, phishing attacks climbed to a new record high in 2022 in the world. The same trend followed in Japan too when checked with the council of anti-phishing japan’s report.

Security team is trying to detect and take down phishing sites even before the user knows about it.

What as an end user should you take care of ?

While I am getting some notes about fraud prevention, I got some suggestions to general public,

1. To avoid phishing, don’t trust links in email. Use your app or bookmark an official website.
2. Flag an item or report if it is suspicious in the app.

Acknowledgements:

I would like to thank everyone who supported me for providing information about fraud prevention topics and answered my questions patiently.