In 2024, global e-commerce fraud losses exceeded $48 billion, with sophisticated attackers constantly evolving their tactics. Traditional rule-based security systems struggle to keep pace, often catching less than 30% of fraudulent transactions while generating excessive false positives that frustrate legitimate customers. Enter AI-powered fraud detection: intelligent systems that analyze behavioral patterns, detect anomalies in real-time, and adapt to new threats automatically.
This comprehensive guide explores how to implement AI-driven security systems in web applications. We will cover fraud detection algorithms, bot detection mechanisms, real-time risk scoring, account takeover prevention, and payment fraud detection. You will learn practical machine learning approaches, feature engineering techniques, and strategies for handling imbalanced datasets that plague fraud detection systems.
Understanding AI-Powered Fraud Detection
AI-powered fraud detection fundamentally differs from traditional rule-based systems. While rules like "block transactions over $10,000 from new accounts" are easily circumvented, machine learning models identify subtle patterns across hundreds of features that human analysts would never discover.
The Limitations of Rule-Based Systems
Traditional fraud detection relies on explicit rules:
// Traditional rule-based fraud detection - easily bypassed
function checkFraudRules(transaction) {
const rules = [
// Rule 1: High-value transactions from new accounts
() => transaction.amount > 10000 && transaction.accountAge < 7,
// Rule 2: Multiple failed attempts
() => transaction.failedAttempts > 3,
// Rule 3: Velocity check - too many transactions
() => transaction.transactionsLastHour > 10,
// Rule 4: Geographic mismatch
() => transaction.country !== transaction.billingCountry,
// Rule 5: Known bad IP ranges
() => isBlacklistedIP(transaction.ipAddress)
];
for (const rule of rules) {
if (rule()) {
return { blocked: true, reason: rule.name };
}
}
return { blocked: false };
}
// Problems with this approach:
// 1. Fraudsters learn the rules and work around them
// 2. $9,999 transactions pass Rule 1
// 3. Legitimate travelers trigger Rule 4
// 4. New fraud patterns go undetected
// 5. High false positive rates frustrate customersThe AI Advantage
Machine learning models process hundreds of behavioral signals simultaneously, recognizing complex patterns that indicate fraudulent activity:
// AI-powered fraud detection architecture
interface FraudDetectionConfig {
models: {
primary: 'gradient_boosting' | 'neural_network' | 'isolation_forest';
ensemble: boolean;
};
features: FeatureGroup[];
thresholds: {
highRisk: number; // 0.8 - block immediately
mediumRisk: number; // 0.5 - require additional verification
lowRisk: number; // 0.2 - allow with monitoring
};
realTime: boolean;
}
class AIFraudDetectionEngine {
private model: TensorFlowModel;
private featureExtractor: FeatureExtractor;
private riskScorer: RiskScorer;
constructor(config: FraudDetectionConfig) {
this.model = this.loadModel(config.models);
this.featureExtractor = new FeatureExtractor(config.features);
this.riskScorer = new RiskScorer(config.thresholds);
}
async evaluateTransaction(transaction: Transaction): Promise<RiskAssessment> {
// Extract features from transaction
const features = await this.featureExtractor.extract(transaction);
// Get model prediction
const prediction = await this.model.predict(features);
// Calculate risk score with confidence
const riskScore = this.riskScorer.calculate(prediction);
// Determine action based on risk level
const action = this.determineAction(riskScore);
// Log for model improvement
await this.logPrediction(transaction, riskScore, action);
return {
score: riskScore.value,
confidence: riskScore.confidence,
action: action,
factors: riskScore.topFactors,
requiresReview: action === 'review'
};
}
private determineAction(riskScore: RiskScore): FraudAction {
if (riskScore.value >= 0.8) return 'block';
if (riskScore.value >= 0.5) return 'review';
if (riskScore.value >= 0.2) return 'monitor';
return 'allow';
}
}Feature Engineering for Fraud Detection
The quality of your fraud detection model depends heavily on the features you engineer. Effective features capture behavioral patterns, device characteristics, and transaction context.
Comprehensive Feature Extraction
// Feature engineering for fraud detection
class FeatureExtractor {
private userHistoryService: UserHistoryService;
private deviceService: DeviceService;
private geoService: GeoLocationService;
async extract(transaction: Transaction): Promise<FeatureVector> {
const [
userFeatures,
deviceFeatures,
transactionFeatures,
velocityFeatures,
behavioralFeatures
] = await Promise.all([
this.extractUserFeatures(transaction),
this.extractDeviceFeatures(transaction),
this.extractTransactionFeatures(transaction),
this.extractVelocityFeatures(transaction),
this.extractBehavioralFeatures(transaction)
]);
return this.combineFeatures([
userFeatures,
deviceFeatures,
transactionFeatures,
velocityFeatures,
behavioralFeatures
]);
}
private async extractUserFeatures(tx: Transaction): Promise<UserFeatures> {
const user = await this.userHistoryService.getUser(tx.userId);
const history = await this.userHistoryService.getHistory(tx.userId, 90);
return {
// Account characteristics
accountAgeDays: daysSince(user.createdAt),
isEmailVerified: user.emailVerified ? 1 : 0,
isPhoneVerified: user.phoneVerified ? 1 : 0,
hasLinkedPaymentMethod: user.paymentMethods.length > 0 ? 1 : 0,
// Historical behavior
totalTransactions: history.length,
avgTransactionAmount: this.calculateMean(history.map(h => h.amount)),
stdTransactionAmount: this.calculateStd(history.map(h => h.amount)),
maxTransactionAmount: Math.max(...history.map(h => h.amount)),
// Time-based patterns
typicalTransactionHour: this.calculateMode(history.map(h => h.hour)),
hourDeviationFromTypical: Math.abs(tx.hour - user.typicalHour),
isWeekend: [0, 6].includes(tx.dayOfWeek) ? 1 : 0,
// Payment patterns
preferredPaymentMethod: this.encodePaymentMethod(user.preferredPayment),
isNewPaymentMethod: !user.paymentMethods.includes(tx.paymentId) ? 1 : 0,
// Fraud history
previousFraudAttempts: user.fraudAttempts || 0,
previousChargebacks: user.chargebacks || 0,
// Trust signals
trustScore: user.trustScore || 0.5,
successfulTransactionRate: history.filter(h => h.successful).length / history.length
};
}
private async extractDeviceFeatures(tx: Transaction): Promise<DeviceFeatures> {
const device = await this.deviceService.analyze(tx.deviceFingerprint);
return {
// Device identification
isKnownDevice: device.seenBefore ? 1 : 0,
deviceAge: daysSince(device.firstSeen),
deviceTrustScore: device.trustScore,
// Browser characteristics
browserFingerprint: this.hashFingerprint(device.browserFingerprint),
hasJavaScript: device.jsEnabled ? 1 : 0,
hasCookies: device.cookiesEnabled ? 1 : 0,
screenResolution: this.encodeResolution(device.screenResolution),
// Suspicious indicators
isVPN: device.isVPN ? 1 : 0,
isTor: device.isTor ? 1 : 0,
isProxy: device.isProxy ? 1 : 0,
isDataCenter: device.isDataCenter ? 1 : 0,
isEmulator: device.isEmulator ? 1 : 0,
// Device consistency
deviceLocationMatch: this.calculateLocationMatch(device.location, tx.billingAddress),
timezoneConsistent: device.timezone === tx.expectedTimezone ? 1 : 0,
languageConsistent: device.language === tx.userLanguage ? 1 : 0
};
}
private async extractVelocityFeatures(tx: Transaction): Promise<VelocityFeatures> {
const windows = ['1h', '24h', '7d', '30d'];
const velocities: Record<string, VelocityMetrics> = {};
for (const window of windows) {
const transactions = await this.getTransactionsInWindow(tx.userId, window);
velocities[window] = {
count: transactions.length,
totalAmount: transactions.reduce((sum, t) => sum + t.amount, 0),
uniqueCards: new Set(transactions.map(t => t.cardId)).size,
uniqueIPs: new Set(transactions.map(t => t.ipAddress)).size,
uniqueDevices: new Set(transactions.map(t => t.deviceId)).size,
failedAttempts: transactions.filter(t => t.failed).length
};
}
return {
transactions1h: velocities['1h'].count,
transactions24h: velocities['24h'].count,
transactions7d: velocities['7d'].count,
amount1h: velocities['1h'].totalAmount,
amount24h: velocities['24h'].totalAmount,
// Velocity anomalies
isVelocitySpike: velocities['1h'].count > velocities['24h'].count * 0.5 ? 1 : 0,
amountVsAverage: tx.amount / (velocities['30d'].totalAmount / velocities['30d'].count),
// Card/device velocity
uniqueCards24h: velocities['24h'].uniqueCards,
uniqueDevices24h: velocities['24h'].uniqueDevices,
failureRate24h: velocities['24h'].failedAttempts / velocities['24h'].count
};
}
private async extractBehavioralFeatures(tx: Transaction): Promise<BehavioralFeatures> {
const session = await this.getSessionData(tx.sessionId);
return {
// Session behavior
sessionDuration: session.duration,
pagesViewed: session.pagesViewed,
timeOnCheckout: session.checkoutTime,
// Mouse/keyboard patterns (if available)
mouseMoveEntropy: session.mouseMoveEntropy || 0,
keyboardCadence: session.keyboardCadence || 0,
typingSpeed: session.typingSpeed || 0,
// Navigation patterns
directNavigation: session.directToCheckout ? 1 : 0,
searchBeforePurchase: session.usedSearch ? 1 : 0,
viewedProductDetails: session.viewedProductDetails ? 1 : 0,
// Checkout behavior
copiedPaymentInfo: session.copiedPaymentInfo ? 1 : 0,
rapidFormFill: session.formFillTime < 5 ? 1 : 0, // Suspiciously fast
multiplePaymentAttempts: session.paymentAttempts,
// Bot signals
hasHumanInteraction: session.hasMouseMovement ? 1 : 0,
consistentBehavior: this.calculateBehaviorConsistency(session)
};
}
}Machine Learning Models for Fraud Detection
Different ML algorithms excel at different aspects of fraud detection. The most effective systems use ensemble approaches combining multiple models.
Gradient Boosting for Transaction Fraud
// Gradient Boosting model for fraud detection (Node.js with TensorFlow.js)
import * as tf from '@tensorflow/tfjs-node';
class GradientBoostingFraudModel {
private model: any; // XGBoost or LightGBM model
private featureImportance: Map<string, number>;
async train(trainingData: TrainingDataset): Promise<TrainingMetrics> {
// Handle class imbalance with SMOTE
const balancedData = await this.applySMOTE(trainingData);
// Configure gradient boosting parameters
const config = {
objective: 'binary:logistic',
eval_metric: ['auc', 'aucpr'], // Area under PR curve for imbalanced data
max_depth: 6,
learning_rate: 0.1,
n_estimators: 500,
scale_pos_weight: trainingData.negativeCount / trainingData.positiveCount,
subsample: 0.8,
colsample_bytree: 0.8,
early_stopping_rounds: 50
};
// Train with cross-validation
const results = await this.crossValidate(balancedData, config, 5);
// Extract feature importance
this.featureImportance = this.calculateFeatureImportance();
return {
auc: results.meanAUC,
precision: results.meanPrecision,
recall: results.meanRecall,
f1Score: results.meanF1,
topFeatures: Array.from(this.featureImportance.entries())
.sort((a, b) => b[1] - a[1])
.slice(0, 10)
};
}
async predict(features: FeatureVector): Promise<PredictionResult> {
const prediction = await this.model.predict(features);
// Calculate SHAP values for explainability
const shapValues = await this.calculateSHAPValues(features);
return {
fraudProbability: prediction[0],
confidence: this.calculateConfidence(prediction),
explanations: this.generateExplanations(shapValues)
};
}
private async applySMOTE(data: TrainingDataset): Promise<TrainingDataset> {
// Synthetic Minority Over-sampling Technique
const minorityClass = data.samples.filter(s => s.label === 1);
const majorityClass = data.samples.filter(s => s.label === 0);
const syntheticSamples: Sample[] = [];
const k = 5; // k-nearest neighbors
for (const sample of minorityClass) {
const neighbors = this.findKNearestNeighbors(sample, minorityClass, k);
const synthetic = this.generateSyntheticSample(sample, neighbors);
syntheticSamples.push(synthetic);
}
return {
...data,
samples: [...data.samples, ...syntheticSamples]
};
}
}Isolation Forest for Anomaly Detection
// Isolation Forest for detecting anomalous transactions
class IsolationForestDetector {
private trees: IsolationTree[];
private sampleSize: number;
private numTrees: number;
constructor(numTrees: number = 100, sampleSize: number = 256) {
this.numTrees = numTrees;
this.sampleSize = sampleSize;
this.trees = [];
}
fit(data: number[][]): void {
const heightLimit = Math.ceil(Math.log2(this.sampleSize));
for (let i = 0; i < this.numTrees; i++) {
const sample = this.subsample(data, this.sampleSize);
const tree = this.buildTree(sample, 0, heightLimit);
this.trees.push(tree);
}
}
private buildTree(data: number[][], height: number, limit: number): IsolationTree {
if (height >= limit || data.length <= 1) {
return { type: 'leaf', size: data.length };
}
// Randomly select feature and split value
const featureIndex = Math.floor(Math.random() * data[0].length);
const values = data.map(d => d[featureIndex]);
const min = Math.min(...values);
const max = Math.max(...values);
const splitValue = min + Math.random() * (max - min);
const left = data.filter(d => d[featureIndex] < splitValue);
const right = data.filter(d => d[featureIndex] >= splitValue);
return {
type: 'internal',
featureIndex,
splitValue,
left: this.buildTree(left, height + 1, limit),
right: this.buildTree(right, height + 1, limit)
};
}
score(sample: number[]): number {
const pathLengths = this.trees.map(tree => this.pathLength(sample, tree, 0));
const avgPathLength = pathLengths.reduce((a, b) => a + b, 0) / pathLengths.length;
// Anomaly score: shorter path = more anomalous
const c = this.averagePathLength(this.sampleSize);
return Math.pow(2, -avgPathLength / c);
}
private pathLength(sample: number[], tree: IsolationTree, depth: number): number {
if (tree.type === 'leaf') {
return depth + this.averagePathLength(tree.size);
}
if (sample[tree.featureIndex] < tree.splitValue) {
return this.pathLength(sample, tree.left!, depth + 1);
}
return this.pathLength(sample, tree.right!, depth + 1);
}
private averagePathLength(n: number): number {
if (n <= 1) return 0;
return 2 * (Math.log(n - 1) + 0.5772156649) - (2 * (n - 1) / n);
}
}Real-Time Risk Scoring System
Production fraud detection systems must evaluate transactions in milliseconds. Here is a complete real-time risk scoring implementation:
// Real-time risk scoring service
import { Redis } from 'ioredis';
import { Kafka } from 'kafkajs';
class RealTimeRiskScoringService {
private redis: Redis;
private kafka: Kafka;
private model: AIFraudDetectionEngine;
private cache: LRUCache<string, RiskScore>;
constructor() {
this.redis = new Redis(process.env.REDIS_URL);
this.kafka = new Kafka({ brokers: [process.env.KAFKA_BROKER] });
this.model = new AIFraudDetectionEngine(fraudConfig);
this.cache = new LRUCache({ max: 10000, ttl: 1000 * 60 * 5 });
}
async scoreTransaction(transaction: Transaction): Promise<RiskDecision> {
const startTime = Date.now();
try {
// Step 1: Check velocity limits (fast path)
const velocityCheck = await this.checkVelocityLimits(transaction);
if (velocityCheck.blocked) {
return this.createDecision('block', velocityCheck.reason, 1.0);
}
// Step 2: Check cached scores for similar transactions
const cachedScore = this.getCachedScore(transaction);
if (cachedScore) {
return this.createDecisionFromScore(cachedScore);
}
// Step 3: Extract features in parallel
const features = await this.extractFeaturesWithTimeout(transaction, 50);
// Step 4: Run ML model prediction
const prediction = await this.model.evaluateTransaction(transaction);
// Step 5: Apply business rules overlay
const finalScore = this.applyBusinessRules(prediction, transaction);
// Step 6: Cache result and record metrics
this.cacheScore(transaction, finalScore);
this.recordMetrics(transaction, finalScore, Date.now() - startTime);
// Step 7: Publish for async analysis
await this.publishForAnalysis(transaction, finalScore);
return this.createDecisionFromScore(finalScore);
} catch (error) {
// Fail-open or fail-closed based on configuration
console.error('Risk scoring error:', error);
return this.handleScoringError(transaction, error);
}
}
private async checkVelocityLimits(tx: Transaction): Promise<VelocityResult> {
const pipeline = this.redis.pipeline();
// Check multiple velocity windows
const keys = {
user1h: `velocity:user:${tx.userId}:1h`,
user24h: `velocity:user:${tx.userId}:24h`,
card1h: `velocity:card:${tx.cardHash}:1h`,
ip1h: `velocity:ip:${tx.ipAddress}:1h`,
device1h: `velocity:device:${tx.deviceId}:1h`
};
for (const key of Object.values(keys)) {
pipeline.incr(key);
pipeline.expire(key, 86400); // 24-hour TTL
}
const results = await pipeline.exec();
const counts = this.parseRedisResults(results);
// Check against limits
if (counts.user1h > 20) {
return { blocked: true, reason: 'user_velocity_exceeded' };
}
if (counts.card1h > 10) {
return { blocked: true, reason: 'card_velocity_exceeded' };
}
if (counts.ip1h > 50) {
return { blocked: true, reason: 'ip_velocity_exceeded' };
}
return { blocked: false };
}
private applyBusinessRules(prediction: RiskAssessment, tx: Transaction): RiskScore {
let adjustedScore = prediction.score;
const adjustments: ScoreAdjustment[] = [];
// High-value transaction adjustment
if (tx.amount > 5000) {
adjustedScore = Math.min(1.0, adjustedScore * 1.2);
adjustments.push({ reason: 'high_value', delta: 0.2 });
}
// New account penalty
if (tx.accountAgeDays < 7) {
adjustedScore = Math.min(1.0, adjustedScore * 1.3);
adjustments.push({ reason: 'new_account', delta: 0.3 });
}
// Trusted customer discount
if (tx.trustScore > 0.9 && tx.totalSuccessfulTransactions > 50) {
adjustedScore = Math.max(0.0, adjustedScore * 0.7);
adjustments.push({ reason: 'trusted_customer', delta: -0.3 });
}
// First-party fraud signals
if (tx.isHighRiskMerchant) {
adjustedScore = Math.min(1.0, adjustedScore * 1.4);
adjustments.push({ reason: 'high_risk_merchant', delta: 0.4 });
}
return {
value: adjustedScore,
confidence: prediction.confidence,
factors: [...prediction.factors, ...adjustments.map(a => a.reason)],
adjustments
};
}
private async publishForAnalysis(tx: Transaction, score: RiskScore): Promise<void> {
const producer = this.kafka.producer();
await producer.connect();
await producer.send({
topic: 'fraud-events',
messages: [{
key: tx.transactionId,
value: JSON.stringify({
transactionId: tx.transactionId,
riskScore: score.value,
factors: score.factors,
timestamp: new Date().toISOString(),
decision: score.value > 0.8 ? 'blocked' :
score.value > 0.5 ? 'review' : 'allowed'
})
}]
});
await producer.disconnect();
}
}Intelligent Bot Detection
Bots account for over 40% of web traffic, with malicious bots performing credential stuffing, content scraping, and inventory hoarding. AI-powered bot detection identifies automated traffic through behavioral analysis.
// Advanced bot detection system
class BotDetectionEngine {
private behaviorAnalyzer: BehaviorAnalyzer;
private fingerprintService: DeviceFingerprint;
private mlModel: BotClassifier;
async analyzeRequest(request: IncomingRequest): Promise<BotAssessment> {
const signals = await Promise.all([
this.analyzeHeaders(request),
this.analyzeFingerprint(request),
this.analyzeBehavior(request),
this.analyzeNetworkSignals(request)
]);
const [headerSignals, fingerprintSignals, behaviorSignals, networkSignals] = signals;
// Combine signals for ML prediction
const features = this.combineSignals(signals);
const prediction = await this.mlModel.predict(features);
return {
isBot: prediction.probability > 0.7,
botProbability: prediction.probability,
botType: this.classifyBotType(prediction),
signals: {
header: headerSignals,
fingerprint: fingerprintSignals,
behavior: behaviorSignals,
network: networkSignals
},
recommendation: this.getRecommendation(prediction)
};
}
private analyzeHeaders(request: IncomingRequest): HeaderSignals {
const ua = request.headers['user-agent'] || '';
return {
// User-agent analysis
hasUserAgent: ua.length > 0,
isKnownBot: this.isKnownBotUA(ua),
uaConsistency: this.checkUAConsistency(ua, request),
// Header presence checks
hasAcceptLanguage: 'accept-language' in request.headers,
hasAcceptEncoding: 'accept-encoding' in request.headers,
hasReferer: 'referer' in request.headers,
// Suspicious patterns
unusualHeaderOrder: this.checkHeaderOrder(request.headers),
missingExpectedHeaders: this.countMissingHeaders(request.headers),
hasBotIndicatorHeaders: this.hasBotHeaders(request.headers),
// TLS fingerprint
ja3Hash: request.tlsFingerprint?.ja3 || null,
ja3Known: this.isKnownJA3(request.tlsFingerprint?.ja3)
};
}
private async analyzeBehavior(request: IncomingRequest): Promise<BehaviorSignals> {
const sessionId = request.sessionId;
const session = await this.behaviorAnalyzer.getSession(sessionId);
if (!session) {
return { hasEnoughData: false };
}
// Analyze mouse movements
const mouseAnalysis = this.analyzeMouseMovements(session.mouseEvents);
// Analyze keyboard patterns
const keyboardAnalysis = this.analyzeKeyboardPatterns(session.keyEvents);
// Analyze navigation patterns
const navigationAnalysis = this.analyzeNavigation(session.pageViews);
return {
hasEnoughData: true,
// Mouse signals
hasMouseMovement: mouseAnalysis.hasMovement,
mouseEntropy: mouseAnalysis.entropy,
mouseStraightLines: mouseAnalysis.straightLineRatio,
mouseSpeedVariation: mouseAnalysis.speedVariation,
// Keyboard signals
hasKeyboardInput: keyboardAnalysis.hasInput,
typingCadenceNatural: keyboardAnalysis.cadenceScore,
keystrokeVariation: keyboardAnalysis.variation,
// Navigation signals
pageViewDuration: navigationAnalysis.avgDuration,
scrollBehavior: navigationAnalysis.scrollScore,
clickPatterns: navigationAnalysis.clickNaturalness,
// Timing signals
requestTiming: this.analyzeRequestTiming(session.requests),
humanLikeDelays: this.checkHumanDelays(session.requests)
};
}
private analyzeMouseMovements(events: MouseEvent[]): MouseAnalysis {
if (events.length < 10) {
return { hasMovement: false, entropy: 0, straightLineRatio: 1, speedVariation: 0 };
}
// Calculate movement entropy
const angles: number[] = [];
const speeds: number[] = [];
for (let i = 1; i < events.length; i++) {
const dx = events[i].x - events[i - 1].x;
const dy = events[i].y - events[i - 1].y;
const dt = events[i].timestamp - events[i - 1].timestamp;
angles.push(Math.atan2(dy, dx));
speeds.push(Math.sqrt(dx * dx + dy * dy) / dt);
}
// Bots tend to have very uniform movements
const entropy = this.calculateEntropy(angles);
const speedVariation = this.calculateCoeffOfVariation(speeds);
// Bots often move in straight lines
const straightLineRatio = this.calculateStraightLineRatio(events);
return {
hasMovement: true,
entropy,
straightLineRatio,
speedVariation
};
}
private getRecommendation(prediction: BotPrediction): BotRecommendation {
if (prediction.probability > 0.95) {
return {
action: 'block',
reason: 'High confidence bot detection',
challengeType: null
};
}
if (prediction.probability > 0.7) {
return {
action: 'challenge',
reason: 'Suspicious automated behavior',
challengeType: 'captcha'
};
}
if (prediction.probability > 0.4) {
return {
action: 'challenge',
reason: 'Moderate bot signals',
challengeType: 'invisible_challenge'
};
}
return {
action: 'allow',
reason: 'Human-like behavior',
challengeType: null
};
}
}Account Takeover Prevention
Account takeover (ATO) attacks cost businesses billions annually. AI systems can detect unusual login patterns and compromised credentials before damage occurs.
// Account takeover prevention system
class AccountTakeoverPrevention {
private userProfileService: UserProfileService;
private riskEngine: RiskEngine;
private credentialService: CredentialService;
async evaluateLoginAttempt(login: LoginAttempt): Promise<ATOAssessment> {
// Check for known compromised credentials
const credentialCheck = await this.checkCredentialBreach(login);
if (credentialCheck.isCompromised) {
return {
riskLevel: 'critical',
action: 'block_and_notify',
reason: 'Compromised credentials detected',
requiresPasswordReset: true
};
}
// Build login context
const context = await this.buildLoginContext(login);
// Calculate risk factors
const riskFactors = await this.calculateRiskFactors(login, context);
// ML model prediction
const prediction = await this.riskEngine.predict(riskFactors);
return this.createAssessment(prediction, riskFactors);
}
private async buildLoginContext(login: LoginAttempt): Promise<LoginContext> {
const user = await this.userProfileService.getUser(login.userId);
const history = await this.userProfileService.getLoginHistory(login.userId, 90);
return {
user,
recentLogins: history,
// Location context
knownLocations: this.extractKnownLocations(history),
currentLocation: await this.geolocate(login.ipAddress),
// Device context
knownDevices: this.extractKnownDevices(history),
currentDevice: login.deviceFingerprint,
// Time context
typicalLoginTimes: this.calculateTypicalTimes(history),
currentTime: login.timestamp,
// Behavioral context
typicalBehavior: this.calculateTypicalBehavior(history)
};
}
private async calculateRiskFactors(
login: LoginAttempt,
context: LoginContext
): Promise<ATORiskFactors> {
return {
// Location anomalies
isNewLocation: !context.knownLocations.includes(login.location),
locationDistance: this.calculateLocationDistance(
context.user.lastLocation,
login.location
),
impossibleTravel: this.checkImpossibleTravel(context.recentLogins, login),
// Device anomalies
isNewDevice: !context.knownDevices.includes(login.deviceFingerprint),
deviceTrustScore: await this.calculateDeviceTrust(login.deviceFingerprint),
// Timing anomalies
isUnusualTime: !this.isTypicalLoginTime(login.timestamp, context.typicalLoginTimes),
timeSinceLastLogin: this.calculateTimeSinceLastLogin(context.recentLogins),
// Failed attempts
recentFailedAttempts: await this.getRecentFailedAttempts(login.userId),
failedAttemptsFromIP: await this.getFailedAttemptsFromIP(login.ipAddress),
// Credential stuffing signals
isPartOfVelocitySpike: await this.checkVelocitySpike(login.ipAddress),
credentialPairSeenElsewhere: await this.checkCredentialReuse(login),
// Session anomalies
hasActiveSession: await this.checkActiveSession(login.userId),
concurrentSessionCount: await this.getConcurrentSessions(login.userId)
};
}
private checkImpossibleTravel(
recentLogins: LoginRecord[],
currentLogin: LoginAttempt
): boolean {
if (recentLogins.length === 0) return false;
const lastLogin = recentLogins[recentLogins.length - 1];
const timeDiff = currentLogin.timestamp - lastLogin.timestamp;
const distance = this.calculateDistance(lastLogin.location, currentLogin.location);
// Maximum realistic travel speed (km/h)
const maxSpeed = 1000; // Roughly supersonic jet speed
const maxPossibleDistance = (timeDiff / 3600000) * maxSpeed;
return distance > maxPossibleDistance;
}
private async checkCredentialBreach(login: LoginAttempt): Promise<BreachCheck> {
// Check against Have I Been Pwned API (k-anonymity)
const passwordHash = this.hashPassword(login.password);
const prefix = passwordHash.substring(0, 5);
const breachedHashes = await this.credentialService.checkBreaches(prefix);
const isBreached = breachedHashes.includes(passwordHash.substring(5));
return {
isCompromised: isBreached,
breachCount: isBreached ?
await this.credentialService.getBreachCount(passwordHash) : 0
};
}
}Payment Fraud Detection
Payment fraud detection requires specialized models that understand card-not-present fraud patterns, friendly fraud, and first-party fraud schemes.
// Payment fraud detection system
class PaymentFraudDetector {
private transactionModel: TransactionFraudModel;
private cardRiskService: CardRiskService;
private merchantRiskService: MerchantRiskService;
async evaluatePayment(payment: PaymentRequest): Promise<PaymentRiskAssessment> {
// Multi-stage fraud detection
const stages = await Promise.all([
this.preAuthorizationCheck(payment),
this.cardRiskAnalysis(payment),
this.merchantRiskAnalysis(payment),
this.transactionPatternAnalysis(payment),
this.networkRiskAnalysis(payment)
]);
// Combine all signals
const combinedRisk = this.combineRiskSignals(stages);
// Apply fraud rules overlay
const finalAssessment = this.applyFraudRules(combinedRisk, payment);
return {
riskScore: finalAssessment.score,
decision: this.makeDecision(finalAssessment),
factors: finalAssessment.topFactors,
recommendedAction: finalAssessment.action,
requires3DS: finalAssessment.score > 0.3,
manualReviewRequired: finalAssessment.score > 0.5 && finalAssessment.score < 0.8
};
}
private async preAuthorizationCheck(payment: PaymentRequest): Promise<PreAuthResult> {
return {
// BIN analysis
binRisk: await this.cardRiskService.analyzeBIN(payment.cardBIN),
issuingBank: await this.cardRiskService.getIssuingBank(payment.cardBIN),
cardType: await this.cardRiskService.getCardType(payment.cardBIN),
// Velocity checks
cardVelocity: await this.checkCardVelocity(payment.cardHash),
merchantVelocity: await this.checkMerchantVelocity(payment.merchantId),
// Blocklist checks
isBlockedCard: await this.checkBlocklist(payment.cardHash),
isBlockedEmail: await this.checkBlocklist(payment.email),
isBlockedDevice: await this.checkBlocklist(payment.deviceId)
};
}
private async transactionPatternAnalysis(payment: PaymentRequest): Promise<PatternAnalysis> {
const history = await this.getTransactionHistory(payment.cardHash, 90);
return {
// Amount analysis
amountDeviation: this.calculateAmountDeviation(payment.amount, history),
isRoundAmount: payment.amount % 100 === 0,
isTestAmount: [1, 0.01, 0.1].includes(payment.amount),
// Frequency analysis
transactionFrequency: this.calculateFrequency(history),
isUnusualFrequency: this.isAnomalousFrequency(payment, history),
// Category analysis
merchantCategoryRisk: this.getMCCRisk(payment.merchantCategory),
isNewMerchantCategory: !this.hasUsedCategory(history, payment.merchantCategory),
// Pattern matching
matchesKnownFraudPattern: await this.matchFraudPatterns(payment),
similarToChargedBackTransactions: await this.similarityToChargebacks(payment)
};
}
private async networkRiskAnalysis(payment: PaymentRequest): Promise<NetworkAnalysis> {
// Graph-based analysis of transaction network
const graph = await this.buildTransactionGraph(payment);
return {
// Connection to known fraud
degreesToKnownFraud: graph.shortestPathToFraud,
sharedDevicesWithFraud: graph.sharedDeviceCount,
sharedIPsWithFraud: graph.sharedIPCount,
// Velocity across network
networkVelocityAnomaly: graph.velocityAnomaly,
// Synthetic identity signals
syntheticIdentityScore: await this.detectSyntheticIdentity(payment),
// First-party fraud signals
firstPartyFraudScore: await this.detectFirstPartyFraud(payment)
};
}
private async detectSyntheticIdentity(payment: PaymentRequest): Promise<number> {
// Synthetic identity fraud uses fabricated or combined real/fake data
const signals = {
// SSN/identity verification
ssnAgeMatch: await this.verifySsnAge(payment.ssn, payment.dateOfBirth),
addressHistory: await this.verifyAddressHistory(payment.address),
phoneMatch: await this.verifyPhoneOwnership(payment.phone, payment.name),
// Credit bureau signals
creditFileAge: await this.getCreditFileAge(payment.ssn),
authorizedUserHistory: await this.getAuthorizedUserHistory(payment.ssn),
// Behavioral signals
applicationVelocity: await this.getApplicationVelocity(payment.ssn),
dataConsistency: this.checkDataConsistency(payment)
};
return this.syntheticIdentityModel.predict(signals);
}
}Key Takeaways
- AI outperforms rules: Machine learning models detect 80%+ of fraud vs 30% for rule-based systems
- Feature engineering is critical: Combine behavioral, device, velocity, and transaction features
- Handle class imbalance: Use SMOTE, class weighting, and precision-recall metrics
- Real-time scoring: Production systems must evaluate transactions in under 100ms
- Bot detection requires behavior: Mouse movements, keyboard patterns, and navigation analysis
- Account takeover prevention: Detect impossible travel, new devices, and compromised credentials
- Ensemble approaches work best: Combine gradient boosting, isolation forest, and neural networks
Handling Imbalanced Datasets
Fraud detection datasets are notoriously imbalanced, typically with 0.1-1% fraudulent transactions. Standard accuracy metrics are misleading when 99% of transactions are legitimate.
// Strategies for handling imbalanced fraud data
class ImbalancedDataHandler {
// Strategy 1: Synthetic Minority Oversampling (SMOTE)
applySMOTE(data: Dataset, targetRatio: number = 0.5): Dataset {
const minority = data.samples.filter(s => s.isFraud);
const majority = data.samples.filter(s => !s.isFraud);
const samplesToGenerate = Math.floor(
majority.length * targetRatio - minority.length
);
const synthetic = this.generateSyntheticSamples(minority, samplesToGenerate);
return {
samples: [...data.samples, ...synthetic]
};
}
// Strategy 2: Class Weighting
calculateClassWeights(data: Dataset): ClassWeights {
const fraudCount = data.samples.filter(s => s.isFraud).length;
const legitCount = data.samples.length - fraudCount;
return {
fraud: legitCount / fraudCount, // Higher weight for minority
legitimate: 1.0
};
}
// Strategy 3: Evaluation Metrics for Imbalanced Data
evaluateModel(predictions: Prediction[], actuals: boolean[]): ImbalancedMetrics {
let tp = 0, fp = 0, tn = 0, fn = 0;
for (let i = 0; i < predictions.length; i++) {
const predicted = predictions[i].isFraud;
const actual = actuals[i];
if (predicted && actual) tp++;
else if (predicted && !actual) fp++;
else if (!predicted && actual) fn++;
else tn++;
}
const precision = tp / (tp + fp);
const recall = tp / (tp + fn);
const f1 = 2 * (precision * recall) / (precision + recall);
// Area under precision-recall curve (better for imbalanced data)
const auprc = this.calculateAUPRC(predictions, actuals);
// Matthews Correlation Coefficient
const mcc = (tp * tn - fp * fn) /
Math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn));
return {
precision,
recall,
f1Score: f1,
auprc,
mcc,
confusionMatrix: { tp, fp, tn, fn },
// Business metrics
fraudCaughtRate: recall,
falsePositiveRate: fp / (fp + tn),
dollarsSaved: this.calculateDollarsSaved(predictions, actuals)
};
}
// Strategy 4: Cost-Sensitive Learning
applyAsymmetricCosts(model: Model, costs: CostMatrix): void {
// False negative (missed fraud) is much more expensive
// than false positive (blocked legitimate)
model.setCostMatrix({
falseNegative: costs.fraudLoss, // e.g., $500 average fraud
falsePositive: costs.customerFriction // e.g., $5 support cost
});
}
}Adaptive Security Responses
Modern fraud detection systems adapt their responses based on risk levels, providing friction-appropriate challenges.
// Adaptive security response system
class AdaptiveSecuritySystem {
private challengeService: ChallengeService;
private notificationService: NotificationService;
async handleRiskDecision(
decision: RiskDecision,
context: TransactionContext
): Promise<SecurityAction> {
switch (decision.riskLevel) {
case 'critical':
return this.handleCriticalRisk(decision, context);
case 'high':
return this.handleHighRisk(decision, context);
case 'medium':
return this.handleMediumRisk(decision, context);
case 'low':
return this.handleLowRisk(decision, context);
default:
return { action: 'allow', challenges: [] };
}
}
private async handleHighRisk(
decision: RiskDecision,
context: TransactionContext
): Promise<SecurityAction> {
const challenges: Challenge[] = [];
// Step-up authentication based on risk factors
if (decision.factors.includes('new_device')) {
challenges.push({
type: 'device_verification',
method: 'email_code'
});
}
if (decision.factors.includes('unusual_location')) {
challenges.push({
type: '3ds_authentication',
version: '2.0'
});
}
if (decision.factors.includes('high_amount')) {
challenges.push({
type: 'biometric',
method: context.device.hasBiometric ? 'fingerprint' : 'sms_otp'
});
}
// Notify user of suspicious activity
await this.notificationService.sendSecurityAlert(context.userId, {
type: 'suspicious_activity',
details: decision.factors,
actionRequired: challenges.length > 0
});
return {
action: 'challenge',
challenges,
timeout: 300, // 5 minutes to complete challenges
fallbackAction: 'block'
};
}
private async handleMediumRisk(
decision: RiskDecision,
context: TransactionContext
): Promise<SecurityAction> {
// Invisible challenges that don't impact UX
return {
action: 'monitor',
challenges: [{
type: 'invisible_recaptcha',
scoreThreshold: 0.7
}],
postTransactionReview: true,
velocityLimitReduction: 0.5 // Temporarily reduce limits
};
}
}Case Study: 80% Fraud Reduction
A financial services company implemented the AI fraud detection system described in this article. Here are the results:
Implementation Results
- Fraud reduction: 80% decrease in successful fraud attempts
- False positive reduction: 65% fewer legitimate transactions blocked
- Detection speed: Average 23ms risk scoring (from 500ms rules)
- Customer satisfaction: 15% improvement in checkout conversion
- Cost savings: $2.3M annual reduction in fraud losses
- Manual review: 70% reduction in transactions requiring human review
Conclusion
AI-powered fraud detection represents a paradigm shift from reactive rule-based systems to proactive, adaptive security. By leveraging machine learning for real-time risk scoring, behavioral analysis for bot detection, and graph-based analysis for network fraud patterns, modern web applications can dramatically reduce fraud while improving the customer experience.
The key to success lies in comprehensive feature engineering, appropriate handling of imbalanced datasets, and adaptive response mechanisms that provide friction-appropriate challenges. Organizations implementing these systems typically see 70-80% fraud reduction while simultaneously decreasing false positives that frustrate legitimate customers.
As fraudsters continue to evolve their tactics, AI systems provide the adaptive intelligence needed to stay ahead. The combination of supervised learning for known patterns and unsupervised anomaly detection for novel attacks creates a robust defense that improves over time.
In the next article, we will explore Smart Forms with AI: Auto-completion and Validation, examining how AI can enhance user input experiences with intelligent suggestions and real-time validation.
