
Building a fraud prevention component using Symfony

Tags: security, microservices, symfony, automation, SymfonyCon
22 January 2025
Moritz Schuh
Senior Product Engineer


For a quick read-through of the main takeaways, keep scrolling for our distilled write-up. We utilized ChatGPT to enhance the grammar and syntax.

Building a Robust Abuse Prevention System with Risk Scoring

In today’s digital landscape, preventing abuse and fraud is critical to protect both businesses and their customers. In a recent presentation, Moritz, a Product Engineer at Platform.sh, walked through the journey of designing and implementing a sophisticated abuse prevention system, weaving together real-world scenarios with technical insights. Let’s break down the key elements of his talk and explore how risk scoring can effectively mitigate fraud.

From Public Transport Fare Fraud to Digital Risk Management

Moritz began by sharing a compelling story about how public transport systems once faced widespread abuse. The anecdote centered on an individual, "Claus," who was unknowingly charged thousands of dollars for bus tickets because his bank account details had ended up on a list used for automated purchases. This real-world case study highlights how repeated fraudulent use of a registered account can lead to significant financial damage, loss of trust in the company, lawsuits, and systemic breakdown if left unchecked.

The scenario underscores a critical lesson: if preventive measures aren’t integrated early, the consequences can spiral out of control. While Moritz’s example was specific to public transportation, the principles of account abuse, payment fraud, and the cat-and-mouse game between fraudsters and system defenders are universal.

Identifying Risks and Potential Abuses

The talk then pivoted to the various kinds of risks associated with registered user accounts:

Automated Account Creation: Fraudsters can create multiple accounts using variations of a single email address. With little to no identity verification, these accounts can be used to access free resources or test payment methods.

Abuse of Free Resources: Just like getting free samples at a supermarket, users might exploit free trials or resources repeatedly, draining company resources without consent.

Payment Abuse: Testing stolen credit cards, card cashing (using a stolen card across multiple accounts), and vulnerable payment methods are critical threats. Fraudsters may even exploit prepaid or digital cards that can be quickly generated and discarded to avoid detection.

Balancing Security Measures and User Experience

Introducing stricter verification—like rejecting sign-ups from free email providers, demanding passport scans, or requiring video calls—might seem like a straightforward solution. However, such measures can alienate legitimate users and create friction. The goal is to balance necessary precautions with a seamless customer experience. Strategies discussed include:

Duplicate Detection: Normalize email addresses (removing dots, plus-sign suffixes, etc.) so that variant spellings of one mailbox map to a single key, which makes multiple account creations detectable.

Limiting Free Resource Access: Put thresholds on how much free resource a new or unverified user can access until a trustworthy history is built.

Phone Verification & Support Vetting: Trigger additional verification steps (SMS, WhatsApp) selectively, based on the user's risk profile.

Credit Card Requirements: For certain free resources, requiring credit card details can introduce a layer of risk assessment, although it’s not foolproof due to prepaid and disposable cards.
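As an added illustration of the duplicate-detection strategy (this is example code, not the component from the talk or Platform.sh's own code), the following PHP class canonicalises addresses and groups sign-ups that collapse onto one mailbox. It goes slightly beyond the text by being provider-aware: dots are only dropped for providers known to ignore them, and `googlemail.com` is folded onto `gmail.com`. Those provider rules, the treatment of `+tag` as a sub-address, and the sample sign-ups are all assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the talk: canonicalise an e-mail address so
// that trivially different spellings of the same mailbox produce one key.
final class EmailNormalizer
{
    // Provider aliases collapsed onto one canonical domain (assumed list).
    private const DOMAIN_ALIASES = [
        'googlemail.com' => 'gmail.com',
    ];

    // Domains whose mailboxes ignore dots in the local part (assumed list).
    private const DOT_INSENSITIVE_DOMAINS = ['gmail.com'];

    /** Returns the canonical key, or null if the input is not a plausible address. */
    public static function normalize(string $email): ?string
    {
        $email = strtolower(trim($email));
        $at = strrpos($email, '@');
        if ($at === false || $at === 0 || $at === strlen($email) - 1) {
            return null;
        }
        $local = substr($email, 0, $at);
        $domain = substr($email, $at + 1);
        $domain = self::DOMAIN_ALIASES[$domain] ?? $domain;

        // Drop a "+tag" sub-address: "claus+trial7@..." and "claus@..." are one mailbox.
        $plus = strpos($local, '+');
        if ($plus !== false) {
            $local = substr($local, 0, $plus);
        }
        // Only providers that ignore dots get them stripped; elsewhere dots are significant.
        if (in_array($domain, self::DOT_INSENSITIVE_DOMAINS, true)) {
            $local = str_replace('.', '', $local);
        }
        if ($local === '') {
            return null;
        }

        return $local . '@' . $domain;
    }

    /**
     * Group sign-up addresses by canonical key and return only the groups
     * with more than one member, i.e. the probable duplicate accounts.
     *
     * @param string[] $emails
     * @return array<string, string[]>
     */
    public static function findDuplicates(array $emails): array
    {
        $groups = [];
        foreach ($emails as $email) {
            $key = self::normalize($email);
            if ($key === null) {
                continue;   // unparsable input is skipped, not silently grouped
            }
            $groups[$key][] = $email;
        }

        return array_filter($groups, static fn(array $members): bool => count($members) > 1);
    }
}

// Constructed sample sign-ups (not real accounts).
$signups = [
    'Claus.Example@gmail.com',
    'clausexample+free1@googlemail.com',
    'c.l.a.u.s.example@gmail.com',
    'claus.example@example.org',   // different provider: dots are significant here
    'clausexample@example.org',
    'not-an-address',
];

foreach (EmailNormalizer::findDuplicates($signups) as $key => $members) {
    printf("%s <- %d sign-ups: %s\n", $key, count($members), implode(', ', $members));
}
```

Run with `php normalize.php`; the three Gmail variants collapse onto one key, while the two `example.org` addresses stay separate because that provider is not in the dot-insensitive list. Whether a plus-suffix should count as the same mailbox is a policy choice: it catches the cheapest form of duplicate sign-up, but legitimate users also use sub-addresses, so the match is best fed into a risk score rather than used as an outright block.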

Crafting a Risk Scoring System

The heart of Moritz’s presentation was the introduction of a comprehensive risk scoring system. Instead of rigid rules that can create false positives or block legitimate users, a dynamic risk score helps systems make nuanced decisions. Key components that feed into this score include:

Email Risk Assessment: Checking for disposable email providers, unusual patterns, or recently created domains.

IP Risk Scoring: Evaluating the risk associated with an IP address, such as its origin (data center vs. residential), geolocation accuracy, and historical abuse patterns.

Payment History & Patterns: Leveraging data from payment providers that includes successful transactions, disputes, and early fraud warnings to adjust trustworthiness.

Duplicate Account Detection: Recognizing duplicate patterns across accounts and using that data to adjust risk.

Moritz explained how these factors are mathematically integrated into a neural network model. This model continuously learns and adjusts scores to mitigate false positives while still catching malicious behaviors. It ensures that legitimate users face minimal friction, while suspicious activities trigger additional verification steps or limitations.
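To make the scoring idea concrete, here is an added example (not the neural-network model described in the talk and not Platform.sh code) of a transparent additive score over the four signal groups above, with thresholds that map the score onto an allow / verify / block decision. Every weight, threshold, signal name and sample profile is an assumption chosen for illustration; the code needs PHP 8.1 or later for enums and readonly promoted properties.

```php
<?php
declare(strict_types=1);

// Added example, not the model from the talk: an additive score over the
// email, IP, payment-history and duplicate-account signals. All weights and
// thresholds below are assumptions chosen for illustration.

enum RiskDecision: string
{
    case Allow = 'allow';
    case Verify = 'verify';   // trigger SMS / support vetting
    case Block = 'block';
}

final class RiskSignals
{
    public function __construct(
        public readonly bool $disposableEmailDomain = false,
        public readonly ?int $emailDomainAgeDays = null,  // null: unknown
        public readonly bool $ipIsDatacenter = false,
        public readonly int $ipAbuseReports = 0,
        public readonly int $successfulPayments = 0,
        public readonly int $disputes = 0,
        public readonly bool $earlyFraudWarning = false,
        public readonly int $duplicateAccounts = 0,
        public readonly ?string $staffLabel = null,       // 'verified' | 'abuse' | null
    ) {}
}

final class RiskScorer
{
    public const VERIFY_THRESHOLD = 40;   // assumed
    public const BLOCK_THRESHOLD = 75;    // assumed

    /** @return array{score: int, reasons: string[]} */
    public function score(RiskSignals $s): array
    {
        // Staff-confirmed ground truth overrides every automated signal.
        if ($s->staffLabel === 'verified') {
            return ['score' => 0, 'reasons' => ['verified by staff']];
        }
        if ($s->staffLabel === 'abuse') {
            return ['score' => 100, 'reasons' => ['abuse confirmed by staff']];
        }

        $score = 0;
        $reasons = [];
        $add = function (int $points, string $reason) use (&$score, &$reasons): void {
            $score += $points;
            $reasons[] = $reason;
        };

        // Email signals.
        if ($s->disposableEmailDomain) {
            $add(35, 'disposable email domain');
        }
        if ($s->emailDomainAgeDays !== null && $s->emailDomainAgeDays < 30) {
            $add(15, 'email domain younger than 30 days');
        }
        // IP signals: datacenter origin and prior abuse reports (capped).
        if ($s->ipIsDatacenter) {
            $add(20, 'datacenter IP');
        }
        if ($s->ipAbuseReports > 0) {
            $add(min(30, 10 * $s->ipAbuseReports), "{$s->ipAbuseReports} prior abuse report(s) for IP");
        }
        // Payment history: successful charges earn trust (capped), disputes and
        // early fraud warnings from the provider cost it sharply.
        $score -= min(30, 5 * $s->successfulPayments);
        if ($s->disputes > 0) {
            $add(25 * $s->disputes, "{$s->disputes} payment dispute(s)");
        }
        if ($s->earlyFraudWarning) {
            $add(40, 'early fraud warning from payment provider');
        }
        // Duplicate accounts found by e-mail normalisation (capped).
        if ($s->duplicateAccounts > 0) {
            $add(min(40, 20 * $s->duplicateAccounts), "{$s->duplicateAccounts} duplicate account(s)");
        }

        return ['score' => max(0, min(100, $score)), 'reasons' => $reasons];
    }

    public function decide(int $score): RiskDecision
    {
        return match (true) {
            $score >= self::BLOCK_THRESHOLD => RiskDecision::Block,
            $score >= self::VERIFY_THRESHOLD => RiskDecision::Verify,
            default => RiskDecision::Allow,
        };
    }
}

// Constructed sample profiles, not real accounts.
$scorer = new RiskScorer();
$profiles = [
    'established customer' => new RiskSignals(successfulPayments: 12),
    'fresh trial, DC IP'   => new RiskSignals(emailDomainAgeDays: 3, ipIsDatacenter: true, ipAbuseReports: 1),
    'card-testing pattern' => new RiskSignals(disposableEmailDomain: true, ipAbuseReports: 2,
                                              earlyFraudWarning: true, duplicateAccounts: 3),
];
foreach ($profiles as $label => $signals) {
    $result = $scorer->score($signals);
    printf("%-22s score=%3d decision=%-6s reasons: %s\n", $label, $result['score'],
        $scorer->decide($result['score'])->value, implode('; ', $result['reasons']) ?: 'none');
}
```

Two design points carry over to any scorer, learned or hand-weighted: the returned `reasons` list is what lets a support agent audit why an account was challenged, and the three-way decision (rather than a binary block) is what keeps friction off low-risk users while still routing the middle band to phone verification or support vetting. Caps on the per-signal contribution stop a single noisy feed (for example one IP blocklist) from dominating the score on its own.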

Implementing the Solution with Microservices

To bring this idea to life, the team built a microservice using Symfony. The advantages were clear: quick prototyping, easy integration with existing infrastructure (like Upsun), and the ability to expose a RESTful API. This microservice acts as a passive component that other systems query for risk scores during critical decision points, such as account creation, payment processing, and resource allocation.

The architecture involves endpoints for:

  • Feeding in staff-confirmed data (like verified accounts or confirmed abuses).
  • Webhooks from payment providers to gather risk data in real time.
  • Integration with external blocklists for IPs and emails.
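An added sketch of what those endpoints can look like in a Symfony controller (example code, not Platform.sh's service; it assumes Symfony 6.4 or later for the `Routing\Attribute\Route` namespace and PHP 8.1). The `RiskStore` interface, the route paths, the `ROLE_SUPPORT` role, the `app.payment_webhook_secret` parameter and the `X-Webhook-Signature` header are all assumptions. The detail worth noticing is the HMAC check on the webhook: the payment-history input is the one signal that lowers a score, so an unauthenticated webhook would let anyone who can reach the URL feed the service fake successful payments.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

// Added example, not Platform.sh code. RiskStore is an assumed application
// service; it is declared inline here only so the controller is self-describing,
// in a real project it lives in its own file with a concrete implementation.
interface RiskStore
{
    /** @return array{score: int, decision: string, reasons: string[]} */
    public function scoreFor(string $accountId): array;
    public function recordStaffLabel(string $accountId, string $label, string $agent): void;
    public function recordPaymentEvent(string $accountId, string $eventType, array $payload): void;
    public function addToBlocklist(string $kind, string $value, string $source): void;
}

#[Route('/api/v1')]
final class RiskController extends AbstractController
{
    public function __construct(private readonly RiskStore $store) {}

    // Passive lookup queried at account creation, checkout and resource allocation.
    // Assumed to be reachable only from internal services (network policy or service token).
    #[Route('/risk/{accountId}', methods: ['GET'])]
    public function lookup(string $accountId): JsonResponse
    {
        return $this->json($this->store->scoreFor($accountId));
    }

    // Staff-confirmed ground truth, body: {"label": "verified"} or {"label": "abuse"}.
    #[Route('/risk/{accountId}/label', methods: ['POST'])]
    public function label(string $accountId, Request $request): JsonResponse
    {
        $this->denyAccessUnlessGranted('ROLE_SUPPORT');   // only vetted staff may relabel
        $label = $request->toArray()['label'] ?? '';      // toArray() rejects malformed JSON
        if (!in_array($label, ['verified', 'abuse'], true)) {
            return $this->json(['error' => 'label must be "verified" or "abuse"'], Response::HTTP_BAD_REQUEST);
        }
        $agent = $this->getUser()?->getUserIdentifier() ?? 'unknown';
        $this->store->recordStaffLabel($accountId, $label, $agent);

        return $this->json(['status' => 'recorded']);
    }

    // Payment-provider webhook. Header name and signing scheme are assumptions;
    // real providers document their own, but the shape is the same: HMAC over the
    // raw body with a shared secret, compared in constant time.
    #[Route('/webhooks/payment', methods: ['POST'])]
    public function paymentWebhook(Request $request): JsonResponse
    {
        $secret = (string) $this->getParameter('app.payment_webhook_secret');
        $expected = hash_hmac('sha256', $request->getContent(), $secret);
        $given = (string) $request->headers->get('X-Webhook-Signature', '');
        if (!hash_equals($expected, $given)) {
            return $this->json(['error' => 'invalid signature'], Response::HTTP_UNAUTHORIZED);
        }
        $event = $request->toArray();
        $this->store->recordPaymentEvent(
            (string) ($event['account_id'] ?? ''),
            (string) ($event['type'] ?? ''),   // e.g. payment succeeded, dispute opened, early fraud warning
            $event,
        );

        return $this->json(['status' => 'accepted'], Response::HTTP_ACCEPTED);
    }

    // Import an external blocklist feed (one IP or e-mail domain per line, '#' comments allowed).
    #[Route('/blocklists/{kind}', methods: ['PUT'], requirements: ['kind' => 'ip|email-domain'])]
    public function importBlocklist(string $kind, Request $request): JsonResponse
    {
        $this->denyAccessUnlessGranted('ROLE_SUPPORT');
        $count = 0;
        foreach (preg_split('/\R/', trim($request->getContent())) as $line) {
            $value = trim($line);
            if ($value === '' || str_starts_with($value, '#')) {
                continue;
            }
            $this->store->addToBlocklist($kind, $value, 'external-feed');
            $count++;
        }

        return $this->json(['imported' => $count]);
    }
}
```

Two caveats a practitioner would add before shipping this: a signature alone does not stop replay of a captured legitimate event, so providers usually include a timestamp or event id that the handler should check against a seen-set, and the lookup endpoint must not be reachable from the public internet, since it reveals which accounts are flagged and which are not.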

By centralizing risk assessment in one microservice, teams can make consistent, data-driven decisions across the platform.

Results and Continuous Improvement

After implementing the risk scoring system, the impact was significant. Support agents reported a drastic reduction in time spent analyzing and removing abusive accounts—from days to roughly one hour per week. Infrastructure load was also reduced in some regions by up to a third, thanks to automated prevention and early detection of abusive activities.

Moritz emphasized that building such a system is a continuous cat-and-mouse game. As fraudsters adapt, the risk scoring model needs regular updates, learning from new data, and refining its parameters to avoid false positives without compromising on security.

Looking Forward

For developers interested in constructing their own abuse prevention systems, Moritz recommended:

  • Explore external services for IP and email risk scoring.
  • Leverage payment provider risk assessments.
  • Fine-tune data analysis to balance security with a smooth user experience.
  • Keep informed through community talks and resources, like Haylee’s upcoming presentation on crafting microservices tailored to specific needs.

By combining technical strategies with thoughtful system design, developers can create resilient solutions that protect both their businesses and their customers from ever-evolving threats.
