DataDome

How to Prevent Carding, Card Cracking, & API Abuse on Your Payment API

Online businesses use Application Programming Interfaces (APIs) to easily execute actions online, such as triggering a payment. APIs are meticulously organized and extremely useful, which is why fraudsters and bad bots target them frequently. 

Another reason payment APIs are highly targeted by cybercriminals is their significant ROI potential. Not only can attackers sell the outputs to a third party, but they can leverage a legitimate application’s API pathways to conduct more fraudulent activity. 

Therefore, in order to keep your online business safe against carding, card cracking, and API abuse, you must protect your APIs as carefully as you protect your websites and mobile apps.

The Role of APIs in Payment Processing

APIs enable all kinds of devices and applications to exchange information via all types of communication protocols, helping developers create great user experiences easily and efficiently. Companies that leverage APIs grow revenue faster, create integrated offers with partners more often, and deliver new products and services quicker than competitors that don’t use APIs.

How APIs Facilitate Convenient Payment Transactions

Payment APIs allow online enterprises to easily integrate payment processing functionality into applications, websites, and other digital platforms. APIs enable web and mobile apps to accept and send payments quickly and accurately by acting as an intermediary between businesses and their payment processors that handle their transactions. 

Payment APIs can accommodate various forms of online payments, including debit card, credit card, bank transfer, Automated Clearing House (ACH), and through payment gateways like Apple Pay, PayPal, and Google Pay. Perhaps most importantly, whether your business is e-commerce, B2C, or B2B, payment APIs help provide a seamless checkout experience for your customers.

The Risks of API Exposure to External Threats

Unfortunately, along with the easy integration and payment convenience offered by APIs comes the potential exposure of an application and its data, greatly expanding your attack surface for fraudsters to target. Because APIs are used for communication and data transfer, an insecure API can expose sensitive customer or corporate data, causing revenue loss and damage to your brand reputation.

Many of the most infamous data breaches in recent history have been the result of API vulnerabilities, including the 2018 Facebook breach that exposed 50 million users’ personal data and cost the company millions of dollars. And API attacks are not going away. Gartner has predicted that API attacks will become the most frequent attack vector causing data breaches for enterprise web applications.

Why do fraudsters target payment APIs?

Fraudsters, attackers, and other malicious bot operators love APIs for their easy access to stable, structured information. In fact, customer data shows that 70% of traffic on some of the most targeted APIs is generated by bots.

But for many businesses, the benefits of APIs outweigh the security risks, leading to more mobile apps using APIs by the day to interact with back-end services and information.

How Bad Bots Approach API Attacks

Very few good bots will ever have any interest in your APIs, so most bots that try to access your APIs are bad bots. Bot operators have a few common techniques for conducting API attacks and abuse. They can:

  • Reverse-engineer the API.
  • Run the app with an emulator.
  • Use automation software and a mobile farm.

Our article on how to protect mobile apps from bad bots provides more detail on each approach.

What are carding, card cracking, & card not present fraud?

Card not present (CNP) fraud, carding, and card cracking are subsets of credit card fraud, the most common type of identity theft, which has increased sharply in recent years. Here is a quick summary of the different types of credit card fraud discussed:

  • CNP fraud is a type of credit card fraud where the cybercriminal has the card number, cardholder name, cardholder address, and three-digit CVV security code. Often, the fraudster buys a list of credit card and CVV numbers, and then matches them up to the personal data (e.g. home address) necessary to use the card without actually having physical possession of the card.
  • Carding attacks (OAT-001) involve cybercriminals using bots to test the validity of stolen card data, often with small transactions to avoid drawing attention. 
  • Card cracking (OAT-010; aka “card testing”) is a type of brute force attack that involves using bots to guess missing values for stolen credit or debit card data on an e-commerce platform’s payment interface (or payment API).

As security.org reports, the number of credit card fraud victims in America reached 151 million in 2022, increasing the percentage of cardholders who have been credit card fraud victims to 65%, up from 58% in 2021. As the frequency and cost of credit card fraud continue increasing, so does the widespread usage of payment APIs for online business, and so should your API security.

The Cost of Card Fraud on Your Payment API

In the first half of 2022, Americans lost a record $3.56 billion to online fraud, and the Federal Trade Commission received 800,000 fraud complaints, with 27% of cases incurring a financial loss. Attackers everywhere want a piece of the action, and payment APIs seem like an easy target.

87% of consumers are unwilling to do business with a company if they have concerns about its security, even though individual cardholders face limited liability for credit card fraud. The majority of credit card fraud costs fall on the merchant or bank to cover.

Cost of Payment Processing for Failed Payments

Many enterprises are charged an authorization fee of $0.15 – $0.25 for every transaction, including declines and voids. Failed and declined payments can add up over time, costing as much as $375k per year, and can even result in your payment processor threatening to cut you off.

The volume of failed payments started to creep up, to such an extent that our payment processor warned us that we needed to do something or the service could be cut off. So we blocked traffic from countries we don’t serve, added lots of different Fastly rules, and so on—and then the attacks skyrocketed.

– Vincent Cerone, Senior Manager of Development at KISS USA

PCI DSS Compliance Penalties

The Payment Card Industry Data Security Standard (PCI DSS) is a standard for businesses that handle card payments.

The 12 PCI DSS requirements include an obligation to protect cardholder data and to “address new threats and vulnerabilities on an ongoing basis.” Generally speaking, fines for non-compliance may range from $5,000 to $100,000 per month.

The negative financial impacts of malicious bot attacks and API abuse can range from immediate to delayed and be both severe and long-lasting. That’s why most enterprise leaders agree that finding the right bot protection saves you money in the long run.

How is protecting payment APIs different from protecting websites?

API protection from malicious bots and fraudsters is very different from website protection because the inputs are different, requiring specific algorithms to recognize intruders. API protection needs to be able to collect and analyze multiple sensors and events. But there are few API protection tools currently available, and most are not very sophisticated. 

For example, WAFs (Web Application Firewalls) and API gateways are powerless to protect APIs from advanced bots that use the correct API keys, authentication, and protocols. If a bot knows how to forge attributes like server-side fingerprints, and those are the only signals available to your API protection tool, then your API would be blind to advanced threats. 

More signals of different types, collected and processed by your API protection, mean greater accuracy and a better capability of detecting sophisticated threats. The result? An all-around more secure payment API.

2 Sides to Detecting Payment API Attacks on Mobile Apps

To detect all kinds of unauthorized API access, effective bot and online fraud protection must rely on a combination of client-side and server-side integrations.

  1. A server-side module installed on your API.
  2. A client-side module seamlessly integrated into your mobile application via SDKs (ideally, extremely lightweight SDKs). 

Note: Most anti-bot and anti-fraud experts know that a client-side module is essential for collecting device properties and behavioral data, and for displaying a CAPTCHA (but only if the visitor’s API call is blocked by the server-side module).

An obfuscated implementation can make reverse-engineering your protection code difficult enough that fraudsters decide the target is not worth the effort.

Defending Single-Page Apps From Payment API Attacks

The typical implementation of a single-page app sends the browser an empty “shell” of an HTML page without content. Then, the content is dynamically loaded on demand via AJAX requests, presented on the client side via a JavaScript (JS) framework such as Angular, React, or Vue.

Because they rely so heavily on AJAX calls, single-page apps are trickier to defend from bots than multi-page sites.

When a single-page app makes an AJAX call, the JavaScript framework expects a very specific response from the API—specific, but unique for every implementation. There is no standard. When a request is blocked, the API will not send back the response the single-page app was expecting, and the application will be unable to correctly interpret the unexpected response.

Some bot protection vendors hard block any suspicious request from a single-page app to your API, without showing so much as a CAPTCHA. When that happens, real (human) visitors can be denied access, while your business is left in the dark with no feedback loop, no view of false positives, and no way to assess the accuracy of your protection.

The result? Unidentified damage to your user experience.

Unacceptable. To keep customers today, businesses must refuse to compromise the user experience for effective security.

A unique solution is DataDome’s JS tag that monitors every AJAX call to any URL and displays a CAPTCHA in front of a single-page app (again, only when an API call is blocked by the server-side module). The JS tag has been tested and successfully deployed on the major JavaScript frameworks, including Angular, React and Vue.

Further Considerations for Payment API Protection

Strong Authentication Mechanisms

Two-factor authentication (2FA) and multi-factor authentication (MFA) are commonly used by online platforms to confirm users’ claimed identity using one of the following:

  • Information they know (that is not common/public knowledge), such as answers to security questions, one-time passwords (OTPs), or codes sent via SMS or email to the contact information on the account. 
  • A proprietary object they possess, such as a dongle, token, or card you have provided that can be recognized by your system.
  • A unique physical characteristic, such as their fingerprint, face ID, or iris scan.

Data Encryption & Secure Transmission

SSL/TLS encryption is critical in modern cybersecurity. Both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) data encryption work together to secure an internet connection and protect data in transit from being intercepted by malicious actors. 

SSL/TLS encryption creates an encrypted tunnel between two points on a network—typically a web server and the end user’s browser. The encryption scrambles data as it moves through the tunnel, preventing fraudsters from intercepting and accessing sensitive data.

Monitoring & Anomaly Detection

  • Real-Time Request/Transaction Monitoring 

As both fraud and fraud detection continue to evolve with advances in artificial intelligence (AI), data science, and machine learning (ML), effective fraud detection requires real-time threat monitoring at the edge.

Note that rules-based systems cannot adapt quickly enough to stop new threats, and siloed detection mechanisms offer no feedback loop to ensure accuracy or inform future attack prevention (or to safeguard your user experience). Adaptive ML technology monitored 24/7 by human experts is the best solution to secure payment APIs now and in the future.

  • Identifying Suspicious Activities

An important part of monitoring your payment API’s security is anomaly detection, which involves identifying data points that should not normally occur in your system for further analysis. Anomaly detection in transactional data is essential for detecting fraudulent transactions and other types of attacks on your websites, apps, and APIs.
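The card-testing patterns described earlier (carding and card cracking: many distinct cards, small amounts, mostly declined) are exactly the kind of transactional anomaly this section refers to. The following is an added example, not DataDome code; it scores each client IP over a sliding five-minute window of constructed payment-API log lines, with thresholds that are assumptions for illustration.

```python
"""Carding / card-testing detector over constructed payment-API log lines.

Added example (not DataDome's product code). Each source IP is scored on
the signals the article describes: many distinct card numbers, small
amounts and a high decline ratio inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, card token, amount, result.
# Card values are tokenised stand-ins, never real card numbers.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.7 card_a1 1.00 declined
2024-01-05T10:00:02Z 203.0.113.7 card_b2 1.00 declined
2024-01-05T10:00:03Z 203.0.113.7 card_c3 1.00 approved
2024-01-05T10:00:04Z 203.0.113.7 card_d4 0.50 declined
2024-01-05T10:00:05Z 203.0.113.7 card_e5 1.00 declined
2024-01-05T10:00:06Z 203.0.113.7 card_f6 1.00 declined
2024-01-05T10:00:30Z 198.51.100.9 card_zz 59.99 approved
2024-01-05T10:05:12Z 198.51.100.9 card_zz 59.99 approved
"""

WINDOW = timedelta(minutes=5)   # thresholds below are illustrative assumptions
MIN_ATTEMPTS = 5                # fewer attempts than this is never flagged
DISTINCT_CARD_RATIO = 0.8       # card cracking rotates through many cards
DECLINE_RATIO = 0.5             # guessed card data is mostly rejected
SMALL_AMOUNT = 5.00             # carding tests use tiny authorisations


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, ip, card, amount, result = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     ip, card, float(amount), result))
    return rows


def flag_sources(rows):
    """Return {ip: reasons} for sources whose window looks like card testing."""
    by_ip = defaultdict(list)
    for row in sorted(rows):
        by_ip[row[1]].append(row)
    flagged = {}
    for ip, events in by_ip.items():
        for i, (start, *_) in enumerate(events):   # sliding window per source
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            if len(window) < MIN_ATTEMPTS:
                continue
            reasons = []
            if len({e[2] for e in window}) / len(window) >= DISTINCT_CARD_RATIO:
                reasons.append("many distinct cards")
            if sum(e[4] == "declined" for e in window) / len(window) >= DECLINE_RATIO:
                reasons.append("high decline ratio")
            if all(e[3] <= SMALL_AMOUNT for e in window):
                reasons.append("small test amounts")
            if len(reasons) >= 2:          # require two independent signals
                flagged[ip] = reasons
                break
    return flagged
```

In production these flags would feed a review queue or a step-up challenge rather than an outright block, so that false positives remain visible.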

Ensuring Smooth Performance & Fair Usage

API rate limiting and API throttling are two ways of supporting your payment API’s optimal performance, fair usage, and security.

  • Rate limiting is a way of controlling the number of requests sent to your API to help prevent the API from getting overwhelmed and keep things running smoothly. If too many requests are made, the API can reject the excess request, respond with an error message, or delay its response.
  • API throttling is a technique used to control the number of API requests by temporarily blocking clients that exceed the allowed request rate, preventing them from making any further requests for a certain period of time. Throttling is more aggressive than rate limiting.
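The distinction between the two drawn above, as an added example that is not DataDome's code: both modes share a per-client sliding window, but rate limiting only refuses the excess request and admits the client again once the window drains, whereas throttling bans the client for a penalty period. The limit, window and penalty values are assumptions for illustration.

```python
"""Rate limiting vs. throttling for a payment endpoint (added example, not
DataDome's product code). Both keep a sliding window of request times per
client key; they differ in what happens once the limit is exceeded.
"""
from collections import deque

LIMIT = 5        # requests allowed per WINDOW per client key (assumed)
WINDOW = 10.0    # seconds (assumed)
PENALTY = 60.0   # throttling: ban the client this long after an excess (assumed)


class PaymentLimiter:
    def __init__(self, throttle=False):
        self.throttle = throttle
        self.history = {}        # client key -> deque of recent request times
        self.blocked_until = {}  # client key -> time the throttle ban ends

    def check(self, key, now):
        """Return 'allow', 'reject' (rate limited) or 'throttled' (banned)."""
        if now < self.blocked_until.get(key, 0.0):
            return "throttled"
        times = self.history.setdefault(key, deque())
        while times and now - times[0] >= WINDOW:   # drop expired entries
            times.popleft()
        if len(times) < LIMIT:
            times.append(now)
            return "allow"
        if self.throttle:
            self.blocked_until[key] = now + PENALTY  # block every further call
            return "throttled"
        return "reject"                              # refuse only this request


def simulate(throttle):
    """Constructed burst: 7 requests in 0.6 s, one more 2 s later, one at 12 s."""
    limiter = PaymentLimiter(throttle)
    t = 100.0
    decisions = [limiter.check("client-A", t + i * 0.1) for i in range(7)]
    decisions.append(limiter.check("client-A", t + 2.0))
    decisions.append(limiter.check("client-A", t + 12.0))  # window has drained
    return decisions
```

The last request shows the difference: the rate-limited client is admitted again after the window drains, while the throttled client stays blocked for the full penalty.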

Fraud Detection & Prevention

  • AI-Based Fraud Detection

The right AI-based fraud detection solution will use a variety of signals and data sources to ensure protection beyond your payment API, securing all your endpoints across the customer journey on your websites, apps, and APIs on autopilot. The key is finding a provider with the right combination of ML detection models with constant monitoring by threat research experts.

  • Address Verification Services (AVS)

AVS tools aim to verify, correct, and standardize residential and corporate addresses, as well as other physical identifying data to help limit fraud and chargebacks. AVS is often provided to merchants by credit card processors and issuing banks. AVS does not guarantee fraud prevention, and can sometimes generate false declines or partial declines.

Conclusion: How to Begin Preventing Payment API Abuse

Learning the ins and outs of payment APIs, API abuse, and fraud attacks on APIs is a great step toward strengthening your API security. If you want to learn more details about API protection, DataDome has several resources available:

If you are ready to dive into your traffic to see which types of bot and fraud attacks are targeting your websites, apps, and APIs, you can start a Vulnerability Scan of DataDome to access your real-time dashboard now. We also welcome you to contact us any time with questions and feedback.
