How the Tech Behind Google Analytics Helps Detect Fraud
Riskified’s web beacon gathers data about the shopper’s device and their shopping behavior.
It’s hard to imagine what the internet would look like without Google Analytics. It’s a powerful tool for eCommerce retailers to understand the efficacy of their online marketing campaigns, learn about their online customer base and optimize their various shopping pages.
The technology that makes this customer tracking possible is both simple and ingenious. When you register with Google Analytics, you give permission to Google to embed a small snippet of javascript – called a web beacon – on each page of your website. When a shopper visits your site this beacon transmits data to Google.
But it turns out that this web beacon is good for more than just analytics.
How can a web beacon help identify fraud?
Like the analytics beacons, Riskified’s web beacon gathers data about the shopper’s device and their shopping behavior. But instead of using this information to increase marketing efficiency or streamline the checkout process, Riskified uses it to help differentiate between legitimate and fraudulent purchases.
Before we get into the advantages of having a beacon, it’s worth saying a word about digital privacy. Our business is built on a foundation of trust–merchants trust us with the details of their customers, and we take that very seriously. You can read more about our digital security here. Now onto the fun stuff:
Have we seen a device before?
There are two ways that device fingerprinting – learning about the user’s device – can help us make a decision on whether to approve or decline an order. One is if we’re able to identify the device, and link it to previous orders placed by the same phone, computer or tablet. If this device was previously used to place a fraudulent order, there’s a very high chance this new order is also fraud and vice versa. Second, even if we’ve never seen a device before there are certain device characteristics which in and of themselves offer clues to the legitimacy of an order.
There are many device traits that Riskified’s web beacon gathers to help us link the device to one we’ve seen before. Browser type and device model are good places to start, but not nearly enough on their own. The name given to the device by the owner, often something like ‘George’s MacBook,’ is another valuable piece of information that can help confirm a good order, or corroborate suspicions of fraud. Last year Riskified succeeded in uncovering a fraudster based mainly upon the fact that all of his orders were placed using the same device, called ‘Kevin’s iPhone.’
Fraudsters are generally shrewd enough to make sure they change the name of their device between fraud attempts. But Riskified measures dozens of other more obscure attributes, to establish a comprehensive device profile, for example, color depth of device, or combinations of plugins installed on a browser. These, and other data points are incredibly useful when allowing us to determine if we’ve seen a shopper before.
Device traits tell a story
Our web beacon is able to tell us about social media and email accounts installed on the device. These are good examples of the sort of data that helps us analyze an order, even when we’re not able to link it to a previous transaction. A mismatch between the email on the phone and the one the shopper entered when placing the order is something that needs to be explained. On the flip side, a Facebook name and email name that match the credit card name is a very strong indication of legitimacy.
Certain combinations of plugins installed on browsers also alert us to a strong possibility of fraud. There are forums on the darkweb – sort of fraudster tutorials – where they recommend installing very specific plugins for identity concealment. There are plenty of real customers who use these plugins for privacy reasons, so by no means do we recommend auto-declining customers using them – but these orders probably deserve a closer look.
Other settings on the device are most useful when looked at in conjunction with each other. Riskified’s web beacon gathers information on physical location (as determined by IP address), languages installed on the device, and the time zone the device is set to. A South Korean IP address, plus a Korean keyboard, and a time zone consistent with Korean local time is the start of a pretty legitimate order story. But a South Korean IP with only a Russian keyboard and a Moscow time zone is a mismatch that could be a Russian traveling in Korea, or a fraudster located in Russia using a proxy IP address.
This brings us to perhaps the most critical data that our web beacon is able to provide us about a shopper’s device: the nature of their internet connection. One aspect of this is proxy detection. By measuring ping duration, we attempt to figure out if a shopper is using a proxy to disguise their true location. Our models consider proxy use to be an indication of risk – we’re only able to approved 40% of orders using proxy, compared to over 97% otherwise.
Are they shopping like a fraudster or a real customer?
Like Google, Riskified’s beacon collects information about which webpages users are visiting, and for how long. Our behavioral analytics have found that certain pages are more indicative of safe shopping; fraudsters rarely bother to spend time on pages about returns policies or shipping prices.
Real customers also tend to shop around a lot more. They’re far more likely to go back and forth between item pages in order to compare prices of merchandise. Real customers might leave the site to go check the price of the same item with a different merchant, and may even visit your site a couple of times over the span of a week before buying, while they mull it over. Fraudsters on the other hand usually go straight for the goods, and check out. They’re not using their own money, so there’s little need to shop around. And much like thieves in the physical world, online fraudsters simply want to get in and out as quickly as they can.
Our beacon also collects page reference data, meaning we know which page was viewed prior to arrival at the merchant’s site. Sometimes this data can betray a fraudster. We once had a shopper place a large order with one of our partners using a U.S. credit card and U.S. IP address. Thanks to the beacon we could see that they’d arrived at the merchant’s site via Google Indonesia. More than likely, this meant that this shopper was located in Indonesia, but using a proxy to pretend to be in the U.S.
How do we put it all together?
Riskified’s web beacon collects dozens of data points about every shopper’s device and behavior. These, along with hundreds of other order details, are funneled into our machine learning algorithms, to analyze complex patterns and decide whether the order is legitimate, or fraudulent.
As an oversimplified example of this, our algorithms may determine that visiting an item page on a merchant’s site for seven minutes, followed by researching shipping options for over three minutes, is a sign of order legitimacy only if the shopper is located in a different country than the merchant and will have to pay international shipping fees. For a more thorough explanation of machine learning, and how it can be used to detect fraud, check out our post on the topic.
I hope this was a helpful primer on Riskified’s beacon technology, and how it helps us in the fraud detection process. For more information about our solution please visit www.riskified.com, or contact us at [email protected].