
That's exactly it. It's important to look at a whole bunch of factors. For example, fraudsters tend to go directly to the payments page, whereas good users will browse around the site before making a purchase. There are tons of little signals like that which allow you to distinguish legitimate users from the fraudsters.

We don't do things like two-factor auth -- in general, we believe in minimizing friction. It's a better user experience, and if you can prevent fraud without burdening the user, why not?

We have more information with some examples of signals our system uses here: https://siftscience.com/large-scale-machine-learning




Isn't the first rule of fraud detection not to talk about rules you use to detect fraud? ;)


A long time ago we decreased fraud by a significant amount simply by putting a little message on our payment form that we detected fraud. Stolen numbers and identities are really valuable to fraudsters; they tend to prey on merchants they think they can get it by.


It is. If you spill the beans that you are checking for staying on site and browsing before buying, it'll take a week till there's a tool for simulating that.


There is no security through obscurity, only illusions of it.


Will people please stop saying that in this context?

Merchant-side fraud prevention schemes are not security. They are heuristics for reducing the number of bad transactions that the vendor has to handle.

Algorithms should be air-tight. Yes, the best way to ensure that they are is to make them public. Heuristics by definition are not airtight. The best way to get utility from them is to keep their nature hidden from parties trying to abuse the system.


It's analysing behaviour for patterns. If you let out what patterns you're looking for then those patterns change.


Wouldn't the patterns change after the fraudsters realize they are not working?


I'm not saying something like that will hold forever. It might take 2 months to figure out that sites check for that, and 2 weeks (/days) to code it up. If you make the information on your heuristic public, those 2 months just drop out straight.


It's a trap.


Maybe you could add the predictable human irrationalities as an input signal. For example, decision paralysis: I'd expect legit customers to take a bit longer on pages that require a decision. Or the way people react to discounts: a fraudster wouldn't care, but a legit customer would be happier and thus a little bit less focused.


Re: the first point... no one can go directly to the payment page, don't you have to have something to purchase first? And if, as a user, I've been to the site before, I might select one item and then go directly to payment.


The idea behind machine learning is that no single data point does the changing. It's about modelling you with a computer and determining if the model matches current models of fraudsters. If you do go directly to the payment page, you use Tor for your browsing, you auto-delete cookies, and whatever else they check for, you become more clearly likely to be committing fraud. This does not mean, still, that you are committing fraud, only that you probably ought to be inquired about.

It's the same thing with, say, shoplifting. If you own a thrift store, and you see someone come in with a heavy coat, you might think nothing of it. But if that person acts suspiciously and holds his hands in his pockets, you may inquire as to whether that person is shoplifting. Of course, people do walk around suspiciously with hands in the pockets of big coats who are not shoplifting, but false positives like that are removed when the human element steps in at the last stage.


To play devil's advocate, if I click through x pages while preparing to defraud your website, I'm okay according to (one of) your metrics?

That doesn't seem very defensible.


That's only one of several signals they are tracking. There's also what you're ordering, where you're coming from, whether you have a history on the site or not. Each one of those gets a pair of scores (likely_fraud, likely_legit), and the decision is made on the balance of probabilities at the time of purchase.

And remember that the goal isn't to absolutely eliminate fraud, it's to reduce it to the point where it has negligible impact on profitability.


On that note, changing the form to require more information as your estimated risk goes up seems to be the ideal compromise.

Except that enables people to gain information about your fraud detection system.
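The per-signal (likely_fraud, likely_legit) scoring described a few comments up, combined with the risk-tiered friction suggested just above, as an added illustration that is not part of this thread or of Sift Science's system; the signal names, likelihood values and base rate are constructed for the example, and a real deployment would learn them from labelled transactions.

```python
import math

# Constructed, illustrative per-signal likelihoods as (P(obs | fraud), P(obs | legit)).
# These are made-up numbers for the example, not learned or published values.
SIGNAL_LIKELIHOODS = {
    "went_straight_to_payment": {True: (0.60, 0.10), False: (0.40, 0.90)},
    "has_order_history":        {True: (0.05, 0.50), False: (0.95, 0.50)},
    "geo_matches_billing":      {True: (0.30, 0.90), False: (0.70, 0.10)},
    "high_value_resellable":    {True: (0.50, 0.15), False: (0.50, 0.85)},
}


def fraud_probability(observed: dict, prior_fraud: float = 0.02) -> float:
    """Naive-Bayes combination of the observed signals.

    Each signal contributes a (likely_fraud, likely_legit) pair; the pairs are
    multiplied with the base rate and normalised into a posterior probability.
    Signals that were not observed are simply left out, so a single signal
    (e.g. going straight to the payment page) never decides on its own.
    """
    log_fraud = math.log(prior_fraud)
    log_legit = math.log(1.0 - prior_fraud)
    for name, value in observed.items():
        p_fraud, p_legit = SIGNAL_LIKELIHOODS[name][value]
        log_fraud += math.log(p_fraud)
        log_legit += math.log(p_legit)
    # Work in log space and convert back at the end to avoid underflow.
    return 1.0 / (1.0 + math.exp(log_legit - log_fraud))


def decide(observed: dict, step_up_at: float = 0.20, hold_at: float = 0.80) -> str:
    """Tiered response: low risk passes with no added friction, medium risk
    gets step-up verification, high risk is held for a human to look at."""
    p = fraud_probability(observed)
    if p >= hold_at:
        return "hold_for_review"
    if p >= step_up_at:
        return "step_up_verification"
    return "approve"


if __name__ == "__main__":
    # Constructed sample sessions: a returning customer who knows what they
    # want, and a session that trips most of the signals at once.
    returning = {"went_straight_to_payment": True, "has_order_history": True,
                 "geo_matches_billing": True, "high_value_resellable": False}
    risky = {"went_straight_to_payment": True, "has_order_history": False,
             "geo_matches_billing": False, "high_value_resellable": True}
    for label, session in (("returning", returning), ("risky", risky)):
        print(label, round(fraud_probability(session), 4), decide(session))
```

Note that the returning customer who goes straight to checkout is still approved: the other signals outweigh that one, which is the point made above about no single data point deciding.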





