Iaroslav Polianskii is the senior data scientist in the compromised accounts and scam prevention team at Wise, where he develops and implements new fraud protection solutions. Prior to this, Iaroslav developed cyber security products, including platforms for identifying threats and conducting OSINT (open source intelligence). He’s also managed the development of a grant project funded by the Cybersecurity Agency of Singapore.
Luca Traverso is the lead data scientist of the Servicing function at Wise. He holds a PhD in Applied Mathematics from Cardiff University, and has 20 years’ experience developing complex numerical models for various applications. At Wise, he oversees machine learning development across domains including fraud prevention and detection.
In our latest post, Iaroslav Polianskii and Luca Traverso from the Forex company Wise discuss their approach to fraud protection. How does Wise ensure enhanced security for all international transactions without impacting the experience of genuine customers? The solution is an advanced, multi-level system that transcends traditional fraud detection methods:
Our vision at Wise is to create a world where money moves without borders – instant, convenient, transparent, and eventually free. We strive to make it as easy as possible for people and businesses around the world to use our products, so they can swiftly move and manage money internationally. However, we also understand that our platform’s size makes it a target for payment fraud and cybercrime. Every fraudulent transaction or action we prevent contributes to our mission by ensuring a positive experience for all involved. At the same time, we place emphasis on balancing this against the negative impact of our preventative measures on genuine customers. To combat fraud within our platform, we have developed an advanced, multi-level system designed to prevent and detect malicious activities. Additionally, we have implemented a comprehensive system of different controls for risk management, which effectively mitigates direct losses, costs, and frictions for genuine customers.
Online payment fraud is a challenging problem to solve, involving a significant class imbalance (i.e. a data set with skewed class proportions). It’s a highly dynamic environment where bad actors constantly adapt and complicate their methods of attack. Above all, a fraud protection system needs to be accurate, fast, and scalable for scoring large volumes of events. It needs to balance blocking and limiting fraudulent behaviour and minimising false positives that impact the experience of genuine customers.
On the way to creating such systems, data science has emerged as an indispensable asset, empowering analysts, product managers, engineers, designers, and operation agents in their collaborative efforts to combat fraudulent activities. The need for robust fraud protection mechanisms has never been more important. This article explores the typical approaches to fraud protection in the online payments domain, and how these can be extended to tackle the growing challenges of a connected and digital world.
Fraud is often broken down into distinct typologies, including chargeback fraud, account takeover, and others. This segmentation serves a dual purpose: it not only enhances the precision in monitoring, but also aids in the development of countermeasures against them. The fraud volume is influenced by factors such as seasonal peaks during holidays or sales, the activity level of fraud groups, or the advent of new tools like stealers or phishing kits. However, even within the same typology, different fraud schemes can be applied. In essence, these schemes are descriptions of the specific steps required to successfully carry out an attack.
Fraudulent schemes can be broken down into tactics, similar to those in the MITRE ATT&CK® matrix, which together form a chain of attack. Examples of these tactics include interaction with the victim, gaining access to an account, withdrawal and laundering of funds, and other actions (see Figure 1). In turn, each of the tactics can be implemented using one or more techniques. The set of tactics and the type of techniques used can vary depending on the fraud typology (for example, the steps involved during the execution of remittance fraud are generally different from those followed during a scam or an account takeover). Fraud protection systems aim to identify the weak points in the chain of attack and implement controls that disrupt (or significantly complicate) the execution of the attack. Well-developed fraud protection systems allow the identification of the intersection of tactics across different typologies, as this enables the development of controls that mitigate multiple fraud schemes at the same time.
At each stage of a chain of attack, protection systems implement solutions that can be divided into two main levels: a prevention stage and a detection stage. The goal of the prevention stage is to develop technical measures and solutions that reduce the range of attack vectors (for instance, using a two-factor authentication (2FA) at login instead of a single password authentication). This security method requires two forms of identification to access an account or system, providing an extra layer of protection beyond a password. Typically, priority is given to these measures, as they prevent the occurrence of fraud and eliminate the task of having to detect it as well as dealing with its consequences.
The goal of the detection stage is to identify fraudulent activity as it occurs. Transactional analysis forms the core of fraud detection systems for payments. While rule-based systems are still widely used by financial institutions for the detection task, in recent years the industry has seen the emergence of detection systems based on sophisticated machine learning (ML) models. Rule-based systems (i.e. static rules) are based on a predefined set of business rules that compose a risk score for each payment carried out on the platform. Conversely, ML systems analyse vast amounts of data in real-time, including transaction history, user behaviour, and other significant factors to compose a risk score and identify patterns and anomalies that may indicate suspicious activity. Based on this data and calculated risk scores, a fraud protection system generates alerts to carry out further investigations or take actions such as suspending transactions or requesting additional authentication.
Both rule-based and ML-based systems have advantages and disadvantages. Rule-based detection can be implemented quickly and easily. However, rules target specific patterns and thus can be circumvented by bad actors and become outdated as the bad actors’ strategy evolves. Governance and maintenance of rules can also be challenging, especially when a large number are developed over an extensive period of time. In contrast, ML-based systems generalise well to new and emerging patterns as they learn continuously from a vast amount of data. On the other hand, ML model development can be labour-intensive, as it requires collecting and preparing vast amounts of data, and training and deploying new models. Some of these limitations in ML systems can be overcome by automating some or all of the steps involved in a model development cycle. Figure 2 provides an example of transaction analysis architecture used at Wise.
Models (primarily supervised learning) are developed for specific fraud typologies and product offerings; model scores are used in combination with transaction segments (a sequence of payment characteristics) as well as static rules to provide an effective and scalable transaction monitoring system.
While the above described system is typical in the industry, at Wise we are moving towards the development of a multi-stage, comprehensive fraud protection system that allows for the implementation of preventative and detection methods. The system enables adding controls at different steps in a chain of attack in a way that different fraud schemes can be neutralised. The system makes use of rules, machine learning and a combination of both, thus combining the advantages and strengths of the state-of-the-art technologies currently employed across the industry.
Most often, transactions are the last step in the chain, and this is where transaction analysis typically takes place. The team at Wise has worked towards enabling preventative and detective controls at various pre-transactional stages. Adding targeted frictions and providing protection at each stage of the chain ensures that bad actors are not successful at scaling their attacks, which in turn makes the overall return on investment of attacks unprofitable for the perpetrators, leading to an overall reduction of fraud in the system. Wise’s system assesses customers’ risk at several stages (see Figure 3 below), which include (but are not limited to) transaction monitoring, the signup process, verification (Know Your Customer, KYC) and behaviour analysis at several interactions with our platform during login sessions. At each stage, based on the customer’s actions, we can obtain an estimate of the associated risk (this can increase or decrease based on the customer actions and data points considered) and, based on these assessments, enact certain controls such as providing or limiting access to certain product features and services.
The comprehensive pre-transaction monitoring system at Wise consists of several models at different stages of the customer lifecycle. These include the onboarding model, computer vision models for KYC processes, device identification and session analysis.
The onboarding model serves as the first stage in preventing fraud from infiltrating the platform. As already noted, it’s more important to prevent fraud from entering the platform than to fight it later. However, it’s also important to remember that at the onboarding stage, we don’t have much information about the customer. Among the information that’s used at this stage are device information and network connection data. Although this allows for detection of only the simplest fraud patterns, this model serves as a good initial filter. Such capabilities increase the cost of conducting attacks, as it requires additional expenses for bad actors to complicate and automate their processes.
After the initial onboarding, verification models (KYC) come into play. For the most part, the solution is built around the analysis and verification of uploaded documents. The task is inherently complex due to the global nature of operations. For example, Wise allows customers to send money to more than 50 countries across the world, serving over 10 million customers. Each country can have its own unique document types and languages, making the processing and understanding of these documents a significant challenge. Documents first need to be verified, then data extracted and checked. Additionally, models for document processing can be specialised to identify fake documents generated through artificial intelligence, a growing risk and concern in the payment industry.
The primary purpose of a device identity model is to authenticate devices in order to address various applied tasks, for example fraud prevention or detection. It’s important to distinguish between device identification and device fingerprinting. Typically, identification involves comparing the ID of a device with previously seen ones, as well as verifying the application for originality. A device fingerprint, on the other hand, is created by considering various device parameters such as hardware identifiers, the operating system version, the browser version installed on the device, and other system and hardware characteristics. The main challenge in creating a digital fingerprint is to strike a balance between the uniqueness of the fingerprint and the frequency of changes in the parameters used to create it. Device fingerprints are used to monitor user behaviour to detect anomalies, for example in scenarios of unauthorised access to customer accounts (i.e. account takeovers). Fingerprinting is a fundamental method of fraud detection that allows users to be linked through their use of the same devices.
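The uniqueness-versus-stability trade-off can be seen in a small added example (not Wise's code). The attribute names, the split into stable and volatile parameters, and the sample devices are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Assumed split: attributes that rarely change vs. ones that change on routine updates.
STABLE = ("platform", "hardware_model", "screen", "timezone")
VOLATILE = ("os_version", "browser_version")

def fingerprint(device, attrs=STABLE):
    """Truncated SHA-256 over the chosen attributes, taken in a fixed order."""
    material = "|".join(f"{a}={device.get(a, '')}" for a in attrs)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def linked_accounts(observations, attrs=STABLE):
    """Group accounts by fingerprint; keep only groups of two or more accounts."""
    seen = defaultdict(set)
    for account, device in observations:
        seen[fingerprint(device, attrs)].add(account)
    return sorted(sorted(accts) for accts in seen.values() if len(accts) > 1)

# Constructed sample data: one laptop before and after a browser update, plus a phone.
LAPTOP = {"platform": "Win32", "hardware_model": "x86_64", "screen": "1920x1080",
          "timezone": "Europe/London", "os_version": "10.0", "browser_version": "120"}
LAPTOP_UPDATED = {**LAPTOP, "browser_version": "121"}
PHONE = {"platform": "iPhone", "hardware_model": "arm64", "screen": "1170x2532",
         "timezone": "Asia/Singapore", "os_version": "17.2", "browser_version": "17"}
OBSERVATIONS = [("acct-1", LAPTOP), ("acct-2", LAPTOP_UPDATED), ("acct-3", PHONE)]

if __name__ == "__main__":
    # Stable attributes only: the two laptop accounts stay linked across the update.
    print("stable only:", linked_accounts(OBSERVATIONS))
    # Adding volatile attributes makes the fingerprint more unique but breaks the link.
    print("stable + volatile:", linked_accounts(OBSERVATIONS, STABLE + VOLATILE))
```

The opposite failure also exists: with too few attributes, two different physical devices of the same model and configuration share a fingerprint and unrelated accounts are linked.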
Session analysis, the process of analysing a series of customer application interactions, provides the ability to detect malicious activity before the actual execution of fraud, such as accessing compromised user accounts or transferring proceeds of fraud to other accounts (also known as money muling). This involves detecting suspicious sessions based on a defined sequence of events, identifying typical bad actors’ patterns and behaviour, and recognising signs of device emulators, malware, or remote access tools. It also involves building an individual behavioural user profile. Typical scenarios involving anomalous behaviour identifiable through session analysis are the transfer of account ownership from one customer to another, and account compromise. The first scenario is often organised with one team of bad actors specialising in creating verified fake accounts, while another focuses on executing the fraud schemes. At the time of change of ownership, the account often undergoes ‘configuration’ changes (such as changing the password, phone number, email, etc.) and execution of a test payment (for testing purposes). In the second scenario, when a customer account is compromised, the unauthorised access to the account is usually achieved through a new device, followed by a change in account security settings to restrict access for the genuine owner. Session analysis helps in identifying anomalous and sudden changes in account data and sequences of events, thereby allowing appropriate controls and safeguards to be triggered.
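The two scenarios described above can be expressed as sequence checks over session events. This is an added sketch, not Wise's implementation; the event names, the 30-minute correlation window, the test-payment ceiling, and the sample sessions are assumptions.

```python
from datetime import datetime, timedelta

# Event types treated as account 'configuration' changes (names are assumptions).
CONFIG_CHANGES = {"password_change", "phone_change", "email_change"}
WINDOW = timedelta(minutes=30)   # assumed correlation window
TEST_PAYMENT_MAX = 5.00          # assumed ceiling for a 'test' payment

def analyse_session(events, known_devices):
    """Return the set of risk signals raised by one account's session events."""
    signals = set()
    new_device_at = None
    changes = []  # (timestamp, type) of configuration changes seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "login" and ev["device"] not in known_devices:
            new_device_at = ev["ts"]
            signals.add("new_device")
        elif kind in CONFIG_CHANGES:
            changes.append((ev["ts"], kind))
            # Compromise scenario: new device, then security settings are changed.
            if new_device_at is not None and ev["ts"] - new_device_at <= WINDOW:
                signals.add("takeover_pattern")
        elif kind == "payment" and ev["amount"] <= TEST_PAYMENT_MAX:
            # Ownership-transfer scenario: several config changes, then a test payment.
            recent = {k for t, k in changes if ev["ts"] - t <= WINDOW}
            if len(recent) >= 2:
                signals.add("ownership_transfer_pattern")
    return signals

def _ev(minute, kind, **extra):
    """Build one constructed sample event, `minute` minutes after a fixed start."""
    return {"ts": datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minute),
            "type": kind, **extra}

# Constructed sample sessions for an account whose only known device is 'd-old'.
SUSPICIOUS = [_ev(0, "login", device="d-new"), _ev(3, "password_change"),
              _ev(5, "phone_change"), _ev(9, "payment", amount=1.00)]
BENIGN = [_ev(0, "login", device="d-old"), _ev(2, "password_change"),
          _ev(10, "payment", amount=250.00)]

if __name__ == "__main__":
    print(sorted(analyse_session(SUSPICIOUS, {"d-old"})))
    print(sorted(analyse_session(BENIGN, {"d-old"})))
```

In production such signals would feed a risk estimate that triggers a control rather than act as a verdict on their own, since genuine customers also change phones and passwords.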
As Wise operates in a diverse range of markets and offers a variety of services to its customers, it needs a fraud protection system that is both versatile and market-specific. This system must efficiently incorporate new solutions, which can range from machine learning models to rules-based approaches or a combination thereof, through streamlined and automated processes. Moreover, it is crucial for the system to scale effectively, managing and supporting numerous models and rules concurrently while maintaining specific service-level agreements.
To achieve these goals, the team at Wise has invested considerable resources into the development of sophisticated internal tools and automation of processes to enhance operational efficiency. This includes the development of tools designed to streamline the collection of transactional data from fraud investigations, which are crucial for the ongoing development and refinement of machine learning models. Additionally, the team has created advanced tools to facilitate the intricate and demanding task of feature engineering. This process involves the collection of new data points and generation of aggregations on streaming data with the objective to enhance the overall prevention and detection intelligence. Furthermore, the team has implemented scalable data pipelines to automate the collection and update of large datasets essential for model training, ensuring that the data remains current at all times. Automation extends to the periodic retraining of models, guaranteeing that the latest versions are always prepared for deployment in a production environment, thereby enhancing the efficiency and reliability of model deployment and evaluation processes.
Furthermore, Wise places a strong emphasis on the governance and assessment of the models and rules, recognising the importance of these elements in maintaining a complex system’s integrity. To this end, every model’s retraining is logged, capturing not only the standard machine learning metrics, but also the specific datasets employed in the model’s creation. This approach ensures the reproducibility of models at any future point. Continuous monitoring of the models and rules once deployed in production is critical to aligning actual performance with the expectations set during testing phases and to promptly identify any deviations in the performance. Additionally, the system includes mechanisms for the ongoing surveillance of the quality of features and data points that underpin the models. This includes monitoring within data gathering pipelines to detect any shifts in data distribution or potential anomalies, thereby safeguarding the integrity and effectiveness of the machine learning models in a dynamic and evolving environment.
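One common way to monitor a feature for shifts in data distribution is the Population Stability Index (PSI), shown here as an added example; the article does not say which metric Wise uses. The thresholds are a widely used rule of thumb and the transaction-amount samples are constructed.

```python
import math
import random

def psi(reference, current, bins=10, eps=1e-4):
    """Population Stability Index between two samples of one numeric feature."""
    ref_sorted = sorted(reference)
    # Bin edges are quantiles of the reference sample, so each bin holds ~1/bins of it.
    edges = [ref_sorted[int(len(ref_sorted) * i / bins)] for i in range(1, bins)]

    def shares(sample):
        counts = [0] * bins
        for x in sample:
            counts[sum(x > e for e in edges)] += 1  # index of the bin x falls into
        # Clamp empty bins to eps so the logarithm below stays finite.
        return [max(c / len(sample), eps) for c in counts]

    p, q = shares(reference), shares(current)
    return sum((qi - pi) * math.log(qi / pi) for pi, qi in zip(p, q))

def drift_status(value, watch=0.1, alert=0.25):
    """Map a PSI value to a monitoring state (thresholds are assumptions to tune)."""
    if value < watch:
        return "stable"
    return "watch" if value < alert else "alert"

# Constructed sample data: transaction amounts at training time and in two later
# windows, one drawn from the same distribution and one with a shifted scale.
_rng = random.Random(7)
REFERENCE = [_rng.lognormvariate(3.0, 1.0) for _ in range(5000)]
SAME = [_rng.lognormvariate(3.0, 1.0) for _ in range(5000)]
SHIFTED = [_rng.lognormvariate(4.0, 1.0) for _ in range(5000)]

if __name__ == "__main__":
    for name, window in (("same", SAME), ("shifted", SHIFTED)):
        value = psi(REFERENCE, window)
        print(f"{name}: PSI={value:.3f} -> {drift_status(value)}")
```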
Fraud detection and prevention is a dynamic and evolving field. Traditional methods of fraud detection, such as transactional analysis with rule-based systems and machine learning models, remain essential but are now being extended. By focusing on prevention through pre-transactional monitoring with onboarding models, device identification, and session analysis, the chain of fraudulent activities can be disrupted before it reaches the transaction stage. Furthermore, the creation of such systems needs to be supported by internal tooling and automation to make processes streamlined, reduce manual workload, and enhance the efficiency and accuracy of fraud detection systems. A comprehensive fraud protection system combining robust traditional methods with innovative strategies and automation, such as the one developed at Wise, is critical for mitigating risks and maintaining trust in the increasingly digital financial landscape.
We extend our deepest gratitude to the entire Wise team – data scientists, analysts, engineers, agents and managers – whose dedication and experience enable Wise to provide a safe and reliable service to its customers.