Fang Yu on machine learning and the evolving nature of fraud

In this episode, O’Reilly’s Jenn Webb talks with Fang Yu, cofounder and CTO of DataVisor. They discuss sniffing out fraudulent sleeper cells, incubation in money transfer fraud, and adopting a more proactive stance against fraud.

Here are some highlights:

Catching fraudsters while they sleep

Today’s attackers are not using single accounts to conduct fraud; if they have a single account, the fraud they can conduct is very limited. What they usually do is construct an army of fraud accounts and then orchestrate either mass registration or account takeovers. Each of the individual accounts will then conduct small-scale fraud. They can do spamming, phishing, and all different types of malicious activity. But because they use many coordinated individual accounts, the attacks are massive in scale. To detect these, we take what is called an unsupervised machine learning approach. We do not look at individual users anymore—we take a holistic view of all the users and their correlations and linkage, and we use graph analysis and clustering techniques to identify these fraud rings. We can identity them even while they are sleeping. Hence, we call them ‘sleeper cells.’

Distinguishing bad from good is increasingly difficult

The biggest threat we are facing right now is that fraudsters have almost unlimited resources and are equipped with advanced technologies. They can access cloud resources in a data center, for example, and they have underground markets with access to people specialized in creating new accounts, getting stolen credit cards, and taking over users’ existing accounts. In addition, they often have significantly more information than normal users would possess. For example, they can get credit reports and know exactly where a user lived three years ago, five years ago, and where they worked. The information they gather is very accurate, and that makes it easy for fraudsters to effectively impersonate a legitimate person. Accordingly, when online service providers see a request come in online, it’s very hard for them to distinguish whether it is coming from a real user or a fraudster.

Incubation in money transfer attacks

When fraudsters set up different accounts for money transfers, they frequently start by testing small transactions. In the very beginning, it’s all legitimate. They send small amounts to different users, and they use legitimate banking information, so there is no charge back. After that, they incubate for weeks or longer. After that incubation period, they use these accounts to conduct much larger transactions, because they’d already established the reputation for these accounts. Then, they begin conducting fraudulent transactions.

That’s one of the typical trends we see in our analysis. More than a quarter of fraudster accounts incubate, and many incubate a long time—more than 30 days before they start attacking. More than 11% attack after incubating more than 100 days. We saw one extreme case of a group of accounts that aged for more than three years before they started attacking.

Moving from reactive to proactive detection

At DataVisor, we do not want a point solution that only catches what attackers are already doing. That’s a cat and mouse game. We want to stay ahead of the game and know when fraudsters start doing something, or even anticipate when they’ll start before they do anything. We use data analytics to look at the behavior of attackers along with normal users, and extract fraudulent activities. Attackers have a lot of advanced techniques right now. They can go through two-factor authentication, and they have access to data centers. So, we use the latest technologies to defend against them and then to view the systems that they cannot invade—because, in the end, by looking at the attackers’ behavior, we can create a system that can detect and preempt fraud.