AWS for Industries

How anti-fraud systems use explainable AI to protect the betting and gaming industry

Online betting and gaming are businesses with strict rules and regulations. To stay profitable and comply with the law, licensed operators develop mechanisms that keep illegitimate customers off their platforms. Fraudsters’ malicious activity can lead to significant financial losses for betting and gaming platforms if it is not stopped proactively, and such serious potential consequences demand a rapid response when a legitimate account is taken over.

Group-IB developed a user behavior analysis tool powered by artificial intelligence (AI) and Amazon Web Services (AWS), which helps companies detect identity fraud. This tool is part of the fraud detection solution provided by Group-IB’s Fraud Protection system. It complements the system’s analytical capabilities and benefits from its solid infrastructure.

Working alongside a rigorous set of other Fraud Protection indicators, the mobile user behavior analysis system improves identity fraud detection by an average of 27 percent across our customers.

Figure 1. General structural schema of Group-IB’s Fraud Protection system. The system evaluates session data through microservices such as the user behavior analysis (UBA) system; the enriched data is returned to the Fraud Protection GUI and API endpoint.

Overview of solution

Malicious actors want to gain control over legitimate users’ accounts and exploit them harmfully, or even illegally, under the legitimate user’s name. This is known as identity fraud.

Generally, identity fraud implies account hijacking, although in the betting and gaming sphere legitimate accounts can also be sold intentionally. Bad actors are especially interested in accounts with a proven betting record, meaning at least some prior betting and gaming history. While newly created accounts are always considered suspicious and are therefore restricted by these platforms, accounts with proven betting records are usually granted additional privileges. So, how do operators ensure that each user is who they claim to be?

A widespread solution among industry players is to require customers to complete their bets on mobile devices, with additional authorization through an app. This approach enables operators to collect a more comprehensive device fingerprint and thus impose restrictions more effectively. It also helps them address other common problems, such as multi-accounting and bot activity. For that, platforms rely on comprehensive rule-based fraud detection systems, which use a set of predefined rules to flag suspicious activities. However, identity fraud detection is hard to address with traditional rule-based methods alone. Rules might detect a device change or check whether verification has been passed, but they cannot reveal a change of user under the same account. This is especially true when not only the account but also the corresponding device has been taken over.

This solution aims to complement rule-based systems in the protection of mobile applications. Empowered by AI and Group-IB Fraud Protection data collection and processing capabilities, it analyzes mobile users’ behavioral patterns and creates comprehensive user profiles. By using AWS cloud-based hosting solutions, this system can be deployed on a massive scale, providing the computational power to detect identity fraud in real time and provide timely alerts. It is designed to handle vast amounts of data, making it well-suited for large platforms for which millions of user behavior profiles must be created.

Solution

A comprehensive user behavior profile is the bedrock of spotting abnormal user behavior. It reflects the minute details of typical user behavior: how they hold their device, where and how they swipe and tap, which UI components they usually interact with, and other similar behaviors. Moreover, to be truly comprehensive, such profiles must be reassessed frequently and accessed quickly.

How to model mobile user behavior
What kind of user behavior does the model have to detect? Consider, on the one hand, a legitimate user account and, on the other, a malicious actor who somehow gained complete control of this account. Since newly created accounts rarely become a target for takeover, an account of interest is one with some historical activity of the legitimate user, for example their activity when they signed in to the application and interacted with the interface. Such activity might include a simple balance check, money withdrawal, or making bets. Those historical activities become data points on which the model is trained. When a malicious actor signs in to the account, the model evaluates their behavior and detects differences in behavioral patterns between the fraudster and the account’s owner.

The standard approach to modeling user behavior is based on user interaction with the application’s interface. It involves collecting data from the following sources:

  • User application journey: Which interface elements does the user interact with and in which order? This kind of data is customized to reflect the business logic behind the interface components.
  • User journey characteristics: delays between clicks, taps, swipes, and other actions during the journey.
  • Characteristics of user interaction with the interface: number, frequency, and areas of interaction (clicks, taps, and swipes).

When working with mobile users’ activity, several new degrees of freedom are added, which makes user behavior profiles more complete and precise:

  • Screen interaction when using the application (scrolling and zooming).
  • Space position of the device when using the application (angles and height).
  • PIN code input pattern.

To capture all of this varied data, a set of machine learning models must be trained on user application activity data, heatmaps of user screen interaction, and readings from built-in mobile device sensors (accelerometer, gyroscope, and gravity sensor). Together, they allow a comprehensive user behavior profile to be built that is precise enough to distinguish one user from another.
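To make the idea concrete, the following Python sketch shows how per-session feature vectors could be derived from touch and sensor data and used to train a simple one-class model per user. It is an illustration only: the feature names, the session structure, and the choice of scikit-learn’s IsolationForest are assumptions, not Group-IB’s actual models.

# Illustrative sketch only: trains a simple one-class model on a user's
# historical sessions and flags the current session if it looks unlike them.
# Feature names and the use of IsolationForest are assumptions.
import numpy as np
from sklearn.ensemble import IsolationForest

def session_features(session):
    """Collapse one session's raw events into a fixed-size feature vector."""
    taps = np.array(session["tap_coordinates"])       # (n, 2) screen points
    delays = np.array(session["transition_delays"])   # seconds between UI steps
    tilt = np.array(session["gyroscope_angles"])      # device orientation samples
    return np.array([
        taps[:, 0].mean(), taps[:, 1].mean(),          # typical tap location
        taps[:, 0].std(), taps[:, 1].std(),            # tap spread
        delays.mean(), delays.std(),                   # journey rhythm
        tilt.mean(), tilt.std(),                       # how the device is held
    ])

def train_user_profile(historical_sessions):
    """Fit a one-class model on the account owner's past sessions."""
    X = np.stack([session_features(s) for s in historical_sessions])
    return IsolationForest(n_estimators=100, random_state=0).fit(X)

def score_session(model, current_session):
    """Higher scores mean the session looks more like the owner's history."""
    x = session_features(current_session).reshape(1, -1)
    return model.decision_function(x)[0]

In practice, one such model per data source (application journey, touch heatmap, and sensors) can be trained and their scores combined, which mirrors the multi-model profile described above.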

Visualization of the mobile user touch activity model
The following two figures show the difference between the account owner’s activity and the activity of a fraudster interacting with the interface under the same account. The blue points indicate the owner’s previous (historical) behavior, on which the model was trained. The red points indicate user behavior in the current session.

Figure 2. Genuine account owner activity. User touch interaction with UI components is depicted as a scatter plot, showing little difference between the legitimate user’s current session and their previous sessions.

Figure 3. Malicious activity in the same account. User touch interaction with UI components is depicted as a scatter plot, showing significant differences between the current fraudulent session and the legitimate user’s previous sessions.

These figures demonstrate the difference between the characteristics of two mobile users’ journeys: that of the account owner (figure 2) and that of the malicious actor (figure 3). Each feature represents a transition time, the delay between the user’s interactions with certain UI elements. Note that the difference in delay times between the malicious actor and the account owner is significant.

Visualization of the touch screen pressure, swipes, and haptic feedback model
The next two figures depict the same scenario based on mobile sensor data. In figure 4, the account owner’s behavior in the current session broadly overlaps with their historical behavior, but in figure 5, the sensor metrics are noticeably shifted.

Figure 4. Genuine account owner activity. User behavior as observed by mobile sensors is depicted as a scatter plot, showing little difference between the legitimate user’s current session and their previous sessions.

Figure 5. Malicious actor activity in the same account. User behavior as observed by mobile sensors is depicted as a scatter plot, showing a significant difference between the current fraudulent session and the legitimate user’s previous sessions.

Typically, biometric security systems are characterized by the balance between the fraction of falsely rejected users (false positives) and falsely accepted users (false negatives). The performance of our mobile user behavior analysis tool was assessed against real user data. This data was gathered over the course of a year from three of Group-IB’s clients operating in distinct regions and comprises more than 1 million unique users. Using that data, this tool alone achieves 80 percent accuracy in detecting identity change with an equal fraction of false positives and false negatives (20 percent). The balance between the two fractions can be adjusted to the platform’s requirements. The tool’s verdicts are then combined with other Fraud Protection detection capabilities, such as device fingerprints and geolocation, to stop identity fraud.
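The false positive/false negative balance mentioned above can be tuned by choosing a decision threshold. The sketch below is a minimal illustration of how an equal error rate could be located from hypothetical per-session scores and labels using scikit-learn’s roc_curve; it is not Group-IB’s evaluation code.

# Illustrative sketch: find the threshold where the false positive rate equals
# the false negative rate (the equal error rate). Scores and labels are
# hypothetical: 1 = fraudulent session, 0 = legitimate; higher score = more suspicious.
import numpy as np
from sklearn.metrics import roc_curve

def equal_error_threshold(y_true, scores):
    fpr, tpr, thresholds = roc_curve(y_true, scores)
    fnr = 1 - tpr                           # false negative rate at each threshold
    idx = np.argmin(np.abs(fpr - fnr))      # point where both error rates match
    return thresholds[idx], fpr[idx], fnr[idx]

A platform that prefers fewer false rejections can instead pick a different operating point on the same curve, for example the threshold with the lowest false negative rate among those that keep false positives under 5 percent.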

How to build a system that will assess user behavior on the fly
To prepare a fleet of user profile models for each platform user and keep them up to date and ready to assess user behavior each time they log into their account, a scalable cloud-based system must be put in place. Such a system consists of three major components:

  1. Computing power, where all user models are trained.
  2. Data storage, where all user models are stored.
  3. Event-driven workers to orchestrate the models.

1. Cloud computing power

An online betting and gaming platform might host hundreds of thousands of users. Each user profile is based on one to four models, depending on the data provided. At peak times—such as during the initial setup or major sports events—a vast number of models must be trained. A powerful and scalable cloud-based computation resource is required for this type of demand.

Amazon Elastic Kubernetes Service (Amazon EKS) is an appropriate solution for containerized computing resources in the cloud. It offers a way to manage Kubernetes infrastructure and scale it based on current needs through a convenient dashboard. Thus, in a few steps, infrastructure specifications can be adjusted for customer platforms with any number of users and scaled up rapidly at peak times. In contrast, building the same infrastructure on bare-metal, on-premises hardware is much more cumbersome.
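Alongside the dashboard, the same scaling can be driven programmatically. The following is a minimal sketch, assuming boto3 and hypothetical cluster and node group names, of raising a managed node group’s capacity ahead of a known peak; it is not part of the described deployment.

# Illustrative sketch: temporarily raise the capacity of an EKS managed node
# group before an expected model-training peak. Names are placeholders.
import boto3

eks = boto3.client("eks", region_name="eu-west-1")

def scale_training_nodegroup(min_size, desired_size, max_size):
    eks.update_nodegroup_config(
        clusterName="uba-training-cluster",        # hypothetical cluster name
        nodegroupName="model-training-workers",    # hypothetical node group name
        scalingConfig={
            "minSize": min_size,
            "desiredSize": desired_size,
            "maxSize": max_size,
        },
    )

# For example, before a major sports event:
# scale_training_nodegroup(min_size=4, desired_size=16, max_size=32)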

2. Cloud data storage

After the fleet of models is built, it must be stored so that thousands of models can be saved and accessed at a time for each customer platform. The storage also must scale up quickly to accommodate millions of new models when a new customer is added. Thus, such a cloud-based storage solution has to be scalable, read-optimized, and well organized.

Amazon Simple Storage Service (Amazon S3) meets all of these requirements. Buckets scale dynamically with actual storage demand and can be organized with key prefixes to provide an efficient save and load process.
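As a rough illustration, assuming boto3, a hypothetical bucket name, and pickled models, per-customer and per-user key prefixes keep model objects grouped so that saving and loading stay efficient as the fleet grows.

# Illustrative sketch: store and fetch serialized user models in S3 under
# customer/user key prefixes. The bucket name and key layout are assumptions.
import pickle
import boto3

s3 = boto3.client("s3")
BUCKET = "uba-user-models"   # hypothetical bucket

def model_key(customer_id, user_id):
    # Prefixing by customer and then user keeps each platform's models grouped
    # and makes listing or expiring one customer's models cheap.
    return f"{customer_id}/{user_id}/model.pkl"

def save_model(customer_id, user_id, model):
    s3.put_object(Bucket=BUCKET, Key=model_key(customer_id, user_id),
                  Body=pickle.dumps(model))

def load_model(customer_id, user_id):
    obj = s3.get_object(Bucket=BUCKET, Key=model_key(customer_id, user_id))
    return pickle.loads(obj["Body"].read())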

3. Event-driven orchestration system

When a user signs in to an account, a new session begins, and user activity data collection is launched. When the user triggers a predefined critical event (for example, preparing to place a bet or withdraw money), the system must have its verdict ready on whether the current user is the account’s owner or a stranger.

After the event is triggered, Fraud Protection’s input data processing hub instantly calls the mobile user behavior analysis system through a dedicated API. The corresponding user models are requested first from Amazon ElastiCache and then from Amazon S3 storage. If the models are available, the scorer module uses them to produce its verdict and sends the answer back to the hub.
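A minimal sketch of that lookup order, assuming a Redis client for ElastiCache, the hypothetical load_model and score_session helpers from the earlier sketches, and an illustrative decision threshold, might look like the following.

# Illustrative sketch of the scorer's lookup path: try the ElastiCache (Redis)
# layer first, fall back to S3, then score the current session. The cache
# endpoint, key layout, and threshold are assumptions.
import pickle
import redis

cache = redis.Redis(host="uba-cache.example.internal", port=6379)

def fetch_model(customer_id, user_id):
    key = f"model:{customer_id}:{user_id}"
    cached = cache.get(key)
    if cached is not None:
        return pickle.loads(cached)
    try:
        model = load_model(customer_id, user_id)   # S3 fallback (earlier sketch)
    except Exception:                              # no model stored for this user yet
        return None
    cache.set(key, pickle.dumps(model), ex=3600)   # keep hot models in the cache
    return model

def verdict(customer_id, user_id, current_session, threshold=0.0):
    model = fetch_model(customer_id, user_id)
    if model is None:
        return "no_profile"                        # not enough history yet
    score = score_session(model, current_session)  # earlier sketch
    return "owner" if score >= threshold else "suspicious"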

If the current session is considered legitimate, its data is recorded to become training material for the next model update. Once data from a sufficient number of client sessions has accumulated, the builder module retrains the models and saves them to the S3 bucket.
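The builder side can be sketched in the same spirit; the in-memory session store and the retraining threshold of 20 sessions below are assumptions for illustration.

# Illustrative sketch of the builder module: accumulate legitimate sessions and
# retrain the user's profile once enough new data is available.
MIN_SESSIONS_FOR_RETRAIN = 20   # assumed threshold

def record_legitimate_session(session_store, customer_id, user_id, session):
    sessions = session_store.setdefault((customer_id, user_id), [])
    sessions.append(session)
    if len(sessions) >= MIN_SESSIONS_FOR_RETRAIN:
        model = train_user_profile(sessions)        # earlier sketch
        save_model(customer_id, user_id, model)     # write back to the S3 bucket
        sessions.clear()                            # start accumulating again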

Figure 6. Schema of the user behavior analysis (UBA) system. Inside the UBA system, the scorer requests the user model first from the cache and then from Amazon S3, and returns the model verdicts as output; the builder rebuilds the model when necessary and saves it to Amazon S3.

Conclusion

No matter how sophisticated user registration and know your customer (KYC) processes are, a platform cannot guarantee that users are who they claim to be. Group-IB Fraud Protection enables betting and gaming platforms to identify customers from a behavioral point of view and distinguish them from anyone else.

Fraud Protection has a track record of delivering 20 percent fewer false positives than other providers. This not only reduces workload but also enables the risk team to focus on genuine cases. The precision that we offer means that we can reduce the number of one-time password (OTP) or two-factor authentication (2FA) requests by 30 percent, thereby improving the user experience while also bringing the number of fraud cases down by 20 percent.

See how Fraud Protection generated a 130 percent ROI in 6 months after replacing an existing solution.

Speak to your AWS or Group-IB advisors to learn how we can protect your customers and business.

Sergey Kurson

Sergey Kurson is a Principal Solutions Architect at Amazon Web Services. He has over 15 years of experience in the IT industry. He has worked on numerous projects in the gaming industry, led and implemented financial systems development, and currently collaborates closely with industry experts to build the most innovative and advanced IT solutions.

Andrey Gaev

Andrey Gaev is a Senior Machine Learning Engineer at Group-IB in the MEA region. He develops machine learning (ML)-based algorithms for user behavior analysis. He holds a Master's in Computer Systems and Networks from Bauman Moscow State Technical University.

Dmitrii Pisarev

Dmitrii Pisarev is a Team Lead at Fraud Protection, Group-IB, based in Amsterdam. With a background in computer science and cybersecurity, he leads a dynamic team of cybersecurity professionals in developing and implementing robust strategies for preventing and detecting fraud. Dmitrii holds a Master's in Cybersecurity and Management from the University of Warwick.

Igor Kaplun

Igor Kaplun is a Data Scientist at Fraud Protection, Group-IB, based in Amsterdam, with more than four years of modeling and software development experience. He develops elaborate tools that enhance and automate decision-making. Igor holds a BSc in Applied Mathematics from Saint-Petersburg State University and an MSc in Financial Engineering from École Polytechnique Fédérale de Lausanne.

Julien Laurent

Julien Laurent is the Global Financial Crime Specialist at Group-IB. He has over 15 years of experience fighting financial crime and supporting financial institutions globally. Previously, Julien headed the FFC Services department at SWIFT for the CEE region, developing GTM strategies across EMEA, and led regional divisions at Schlumberger and Bankers Accuity (LexisNexis). Julien holds a Master's in Engineering from Strasbourg’s National Institute of Applied Sciences.

Nikita Fedkin

Nikita Fedkin is a seasoned Solution Architect at Amazon Web Services, bringing over 12 years of diverse IT experience to his role. Having held various roles in the industry, from data science engineer to head of infrastructure, Nikita has developed a comprehensive skill set. Currently, he channels his expertise toward ISV customers, with a specific emphasis on dynamic market segments, including the rapidly evolving betting and gaming and fintech industries.