Detecting a suspicious transaction within a network-based facility
Jan 13, 2014
Detecting a suspicious transaction within a network-based facility
Methods and associated computer-readable media to detect fraudulent activities made over a network-based facility using a machine are disclosed. Responsive to a first event with respect to the network-based facility and initiated either under a first user identity or a first set of user transaction preferences from the machine which is coupled to the network-based facility via a network, the method causes a first identifier associated with either the first user identity or the first set of user transaction preferences to be stored on the machine. Responsive to a second event initiated under either a second user identity or a second set of user transaction preferences, detecting a potentially fraudulent activity occurs by detecting a lack of correspondence between the first identifier stored on the machine and a second identifier associated with either the second user identity or the second set of user transaction preferences.
Latest eBay Patents:
This application is a continuation of and claims the benefit of priority under to U.S. patent application Ser. No. 09/905,046, filed on Jul. 26, 2001, which claims the benefit of priority under to U.S. Provisional Patent Application Ser. No. 60/249,139, filed Nov. 15, 2000, the benefit of priority of each of which is claimed hereby, and each of which are incorporated by reference herein in its entirety.
FIELD OF THE INVENTIONThe present invention relates generally to the field of e-commerce and, more specifically, to detecting, minimizing, and deterring suspicious transactions occurring within a network-based transaction facility such as, for example, an Internet-based auction facility.
BACKGROUND OF THE INVENTIONSome of the advantages offered by a typical network-based transaction facility, such as an Internet-based auction facility, are the simplicity, promptness and convenience of participating in the auction process. Conducting transaction such as auctioning over a network-based transaction facility has becoming very popular. Increasing traffic to the facility also increases the occurrence of fraudulent transactions, for example, fraudulent bidding and fraudulent providing of feedback by the same entity or its associates. Fraudulent transactions continue to plague many online auction facilities with negative press, associated backlash and possible decrease in overall transitioning levels.
SUMMARY OF THE INVENTIONThe present invention discloses methods and apparatuses for detecting fraudulent activities made over a network-based transaction facility using a machine. In responsive to a first event with respect to the network-based transaction facility and initiated under a first user identity from the machine which is coupled to the network-based transaction facility via a network, the method causes a first identifier associated with the first user identity to be stored on the machine. In responsive to a second event with respect to the network-based transaction facility and initiated under a second user identity from the machine, the method causes detecting of a potentially fraudulent activity by detecting a lack of correspondence between the first identifier stored on the machine and a second identifies associated with the second user identity.
The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
Methods and apparatuses for detecting suspicious transactions or fraudulent activities occurring over a network-based transaction facility are described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be evident, however, to one skilled in the art that the present invention may be practiced without these specific details.
TerminologyFor the purposes of the present specification, the term “transaction” shall be taken to include any communications between two or more entities and shall be construed to include, but not be limited to, commercial transactions including sale and purchase transactions, auctions, providing feedback, accessing e-mail, and the like.
Transaction FacilityThe auction facility 10 includes one or more of a number of types of front-end servers, namely page servers 12 that deliver web pages (e.g., markup language documents), picture servers 14 that dynamically deliver images to be displayed within Web pages, listing servers 16, CGI servers 18 that provide an intelligent interface to the back-end of facility 10, and search servers 20 that handle search requests to the facility 10. E-mail servers 21 provide, inter alia, automated e-mad communications to users of the facility 10.
The back-end servers include a database engine server 22, a search index server 24 and a credit card database server 26, each of which maintains and facilitates access to a respective database, for example, database 23.
The internet-based auction facility 10 may be accessed by a client program 30, such as a browser (e.g., the Internet Explorer distributed by Microsoft Corp. of Redmond, Wash.) that executes on a client machine 32 and accesses the facility 10 via a network such as, for example, the Internet 34. Other examples of networks that a client may utilize to access the auction facility 10 include a wide area network (WAN), a local area network (LAN), a wireless network (e.g., a cellular network), or the Plain Old Telephone Service (POTS) network.
Database StructureCentral to the database 23 is a user table 40, which contains a record for each user of the auction facility 10. A user may operate as a seller, buyer, or both, within the auction facility 10. A user information table 41 is linked to the user table 40 and includes more detailed information about each user. The database 23 also includes item tables 42 that may be linked to the user table 40. Specifically, the tables 42 include a seller items table 44 and a bidder items table 46. A user record in the user table 40 may be linked to multiple items that are being, or have been, auctioned via the facility 10. A link indicates whether the user is a seller or a bidder (or buyer) with respect to items for which records exist with the item tables 42. The database 23 also includes a note table 48 populated with note records that may be linked to one or more item records within the item tables 42 and/or to one or more user records within the user table 40. Each note record within the table 48 may include, inter alia, a comment, description, history or other information pertaining to an item being auction via the auction facility 10, or to a user of the auction facility 10.
A number of other tables are also shown to be linked to the user table 40, namely a user past aliases table 50, a feedback table 52, a feedback details table 53, a bids table 54, an accounts table 56, an account balances table 58 and a transaction record table 60. In addition, the database 23 includes a location table 59 which stores valid demographic information that is used to verify registration information submitted by users during the registration process. Further yet, database 23 includes a potentially fraudulent activity table or a suspicious transaction table 70-1 and report table 70-2 used to record and report potentially fraudulent activities or suspicious transactions occurring from client machines.
It will be appreciated that any information other than that described above may populate the user table 40 without loss of generality.
It will be appreciated that other demographic information may also populate the location table 59.
Shill BiddingShill bidding is defined as fraudulent bidding by the seller (using an alternate registration) or by an associate of the seller in order to Inflate the price of an offering (e.g., an item or a service). One form of shill bidding is when a seller uses multiple user identifiers or user identifications (IDs) to bid on his/her own auction items using the same client machine, for example, the same computer that is connected to the Internet-based action facility.
Shill FeedbackA feedback feature is an option allowing users to provide trustworthy rating or any comment regarding a particular user when they completed a transaction. In one example, comments are recorded in the feedback table 52 and/or feedback details table 53. Such comments may include whether the transaction went through smoothly, the seller/bidder/purchaser was good to deal with, or anything relating to the trustworthiness of the activities completed, are recorded here. Shill feedback is defined as fraudulent feedback by one person, either by a bidder, seller, or his associates, for himself, to fraudulently bolster his/her own trustworthiness. For instance, a user who is the seller may also pose as a bidder who has completed a transaction with this seller and now has rated him as a trustworthy person in order to encourage activity to his listing items.
Suspicious TransactionsSuspicious transactions may include but is not limited to shill bidding or shill feedback. Suspicious transactions may also include a fraudulent activity conducted with the transaction facility. Fraudulent activity likewise may include shill bidding or shill feedback.
Shill CookieA shill cookie of this method and apparatus invention is used for detecting, in turn, minimizing and deterring, shill bidding that occurs when the same client machine was used to both list and bid on an item This shill cookie invention is also used for detecting, minimizing and deterring shill feedback that occurs when the same client machine was used to both make a transaction and give a feedback comment regarding the transaction.
A cookie is a file that contains information (cookies) created by conventional Web sites (such as the Internet-based auction facility 10) that is stored on the user's machine, the client machine. A cookie is a one way for the Internet-based auction facility 10 to keep track of its users' patterns and preferences. The cookies may contain URLs (addresses) for the Internet-based auction facility 10. When the browser encounters the URLs again, it would send those specific cookies to the Web servers. In that event, it would save the user from typing the same information, such as user preferences, populated fields on the item listing form, etc., all over again when accessing that service for the second and subsequent time. For the cookies to work, the Web site typically needs the cooperation of the Web browser used by the client machine to store the cookies on the client machine in the cookie file.
One novel method of the instant invention is the application of a cookie as a mechanism to detect suspicious transactions or fraudulent activities. Using a cookie writing method, the shill cookie will record all activities that occurred on a particular client machine and when there is an interaction between the different accounts from the same computer, such interaction is recorded into a database (see below). This tracking mechanism is effective at detecting, minimizing, and deterring fraudulent transactions.
In one exemplary embodiment, when a new user (a user identity) with new user identification or user identifier (user-ID) performs one of the triggering events with the Internet-based auction facility 10, a cookie is placed in the client machine. In the event that a cookie for the Internet-based auction facility 10 already exists in the client machine, the cookie will add this new user's user-ID into the cookie. If at least two triggering events with two different user-IDs are both recorded into the same shill cookie, a potentially fraudulent activity is suspected.
Exemplary triggering events include: registering with the network-based transaction facility(e.g., user registration with the facility 10); communicating an offer to sell an offering (e.g., user listing an item for sale via the facility 10), communicating and offering to purchase the offering (e.g., user bidding on the offering via the facility 10), communicating a feedback regarding a transaction (e.g., user giving feedback comment on a transaction via the facility 10), updating a profile maintained by the facility 10 (e.g., user updating his personal profile), and/or any other bidding activities.
In one embodiment, the Internet-based auction facility 10 is currently recording user transaction preferences such as all of the information about any particular user. For example, selling preferences, preferred listing category, preferred buying category, preferred payment means, including what type of credit card and credit card numbers to accept or use, shipping information, and etc, are all recorded. The user would choose these options by checking off these options using a conventional user interface device, such as a keyboard or a mouse. By choosing these options, the user has instructed the Web browser to remember his/her user transaction preferences for dealing with the Internet-based auction facility 10. In that event, a cookie is created for this client machine.
Any subsequent dealing occurring from this client machine, for example, when a request is submitted for retrieval of information, this client machine will send the facility information such as the type of browser the client machine uses, the date of the request, as well as the information in the cookie file. Such sending is done automatically and freely each time an access to the internet-based auction facility 10 is made. Therefore, for any subsequent dealing with the Internet-based auction facility 10, the Web browser will retrieve the information from the preference cookie and communicate it to this facility. This will save the user from having to choose the preferences again, unless the user wishes to modify the user transaction preferences.
In a preferred embodiment, the shill cookie 501 is bundled together into a file containing multiple cookie files (cookie bundle). Cookie bundling is a common practice in this field wherein all of the separate cookies pertaining to different type of user transaction preferences are packed together into one file. The user must either accept all of the cookies as a bundle or none of the cookies will be placed in the machine. This cookie bundle may comprise other cookies for user transaction preferences that would be cumbersome for the user to creating anew each time the user accesses the Internet-based auction facility 10. The cookie bundle may include information relating to transactions with the Internet-based auction facility 10 as well as information relating to other request unrelated to auctioning.
In one method, a new cookie ID which indicates the shill cookie 501 is added to a list of other cookies. A cookie bundle's list may be as followings: “cookie-userID, cookieAdult, cookie_signinpref, cookie_persistent_userID, cookie_SYI, cookie_watchtotal, cookie_skipaddphotopage, cookie_history_item, cookie_history search, cookie_history_listing, and cookie_shill.” Each of the cookies may contain information pertaining to a set of preferences chosen by the user for the user's convenience.
In the preferred embodiment, the cookie bundle is “non-session” or “permanent” which does not expire at the end of every session with the Internet-based auction facility 10. By default, most cookies are sessional and expire when the session is completed, like when the user closes the browser. Non-session cookie is configured by the Internet-based auction facility 10 to expire at a certain time.
It may be desirable to encrypt the shill cookie and the cookie bundle using any conventional encryption technology widely available. However, encryption is complicated and expensive.
In a preferred embodiment, the shill cookie and the cookie bundle are encoded. Encoding a cookie is formatting a cookie into a language that is not readily apparent to the user. This practice is well known in the field. The encoded cookie will be unreadable to a layman user without the formula to decode the cookie. Encoding the cookie would make it more difficult for even the savvy users to know that their users IDs are recorded to the cookie. For example, for a user with a user ID “John Doe, ” the cookie will display a number “123456,” which is uniquely assigned to this user ID by the Internet-based auction facility 10. In this way, the user cannot alter a particular section of the cookie bundle without destroying the whole cookie bundle. For example, it will be difficult for the user to determine which code represents what preferences and which code represents the information that identifies the user. The user will not know what information to keep or delete such that his preference settings will not be destroyed.
In one embodiment, for each client machine, the non-session cookie bundle 511 containing shill cookie 501 may be recorded according to cookie bundle table 510. The table 510 may include a version column 512 for recording the version of the cookie bundle 511. The table 510 may also include a column 513 for the number of cookies, column 514 for all of the cookie IDs ever used, column 515 specifying the character length of each cookie and column 516 for recording the encoded information of each cookie. The cookie bundle's list mentioned above may be incorporated into the cookie ID column 514. It will be appreciated that other cookie information may also populate the cookie bundle table 510.
Suspicious Transactions TableA potentially fraudulent activity table is defined as a table that is stored within the database 23 of the Internet-based auction facility 10 that will record and store all the occurrences of suspicious transactions such as shill bidding and shill feedback. The potentially fraudulent activity table may store any suspicious transactions occurring over the facility 10. This table may be viewed as a shill table that record all the frequency of shill bidding or shill feedback after the occurrence of some triggering events. The following sections illustrate some triggering event examples.
In one embodiment, the facility 10 may cause a first identifier (e.g., a user-ID) that is associated with a first user identity (e.g., a seller or a bidder) to be stored on the machine (e.g., a client computer). This action is responsive to the first user identifier making a first event (e.g., his first transaction) with the facility 10 using the user-ID. In this example, the computer is coupled to the facility 10, for example, via a network connection.
The facility 10 will detect a potentially fraudulent activity when a second event (e.g., a second transaction) is made with the facility 10 using the same client computer. When the second event is made with a second user identifier (e.g., a new user-ID), the facility 10 may also cause the new user ID to be stored on the machine. When the facility 10 detects that there is a lack of correspondence between the first user identifier and the second user identifier, the potentially fraudulent activity is suspected. For instance, when both the first user identifier and the second user identifier are stored on the same client machine and they are distinct from one another, a potentially fraudulent activity is detected because of the lack of correspondence. In one embodiment, the facility 10 will cause the lack of correspondence between the first user identifier and the second user identifier to be detected at the machine. In that event, the facility 10 may send a program to the machine requesting a comparison of the first user identifier and the second user identifier and if there is a difference between the two identifiers the information is alerted to the facility 10. In another embodiment, both the first and the second user identifiers are sent by the machine to the facility 10 and the facility 10 will perform the detection of the lack of correspondence between these two user identifiers or any user identifiers for that matter. The user identifiers may be sent to the facility 10 using any conventional method of automatic exchanging of information between the machine and the facility 10 as discussed above (e.g., cookie mechanism).
When the potentially fraudulent activity is detected, the facility 10 may cause the system to prohibit a completion of any of the transactions. Alternatively, the facility 10 may allow the transaction to be completed and delay any course of action that the facility 10 may take. In this manner, the users committing the potentially fraudulent activities are unaware of the detection of their activities by the facility 10 until some course of actions is taken.
The first event and the second event may be any one of the triggering events described above. These events may also be any one of the following: registering with the network-based transaction facility, communicating an offer to sell an offering via the network-based transaction facility, communicating and offering to purchase the offering via the network-based transaction facility, communicating a feedback regarding a transaction, and updating a profile maintained by the network-based transaction facility.
It will be appreciated that the facility 10 will continue its process of detecting potentially fraudulent activities each time a new user identifier is used to make a new event using the same machine that the first user identifier used.
In yet another embodiment, the matching of the user-ID s occurring in
All of the suspicious transactions are or the potentially fraudulent activities recorded and sent to a database, such as database 23. These transactions are tabulated into the suspicious transactions table 70-1.
It will also be appreciated that other information may also populate the suspicious transaction table 701 without the lost of generality.
In one embodiment, a daily report 70-2 is generated at the end of each day or at any other predetermined time. (See
In one example, the report 70-2 comprises a field 721 for cookie IDS. This field 721 records all of the unique identification numbers of all cookies, which corresponds to certain client machines that record the suspicious transactions. The report 70-2 also comprises a field 722 for all of the user-IDs that are stored with the shill cookie. The field 722 will help give the Investigation Team insights, for example, that users X, Y, and Z share the same machine and are closely linked. This information provides additional utility, such as the ability to enforce the account disclosure initiative. Such a tool provides the Internet-based auction facility 10 with the visibility to all accounts owned by members. The report 70-2 also comprises a field 723 which records the frequency (shill count) for each of the client machine.
In another embodiment, the report 70-2 may also include field 724, 725, 726, and 727 for optional information such as the category that had suspicious transactions, the specialty site that had suspicious transactions, the country where the suspicious transactions occurred and the price range with which the suspicious transactions occurred.
In a preferred embodiment, the report 70-2 have all of the information sorted by user IDs and by shill count in a descending or ascending order. The user IDs may also be listed first to alert the Investigation Team to the repeat offenders for appropriate actions.
In yet another preferred embodiment, the report 70-2 may include a ranking indication such as to alert the Investigation Team to the client machine with the highest frequency of occurrences of suspicious transactions. For instance, the report 70-2 may be sorted in the order of high frequency occurrence to low frequency occurrence. The ranking indication may be included in priority ranking column 728. A system such as high priority, medium priority, and low priority may be established to indicate to the Investigation Team which group of client machines the team should investigate first. In one example, the high priority group may include those cookie IDs with shill counts above 200; the medium priority group may include those cookie IDs with shill counts between 51-200; and the low priority group may include those cookie IDs with shill counts between 1-50.
In one embodiment, the management team at the Internet-based auction facility 10 is endorsed with the ability to override the report for a particular client machine. Alternatively, the management team is endorsed with the ability to perform selective auditing of a certain client machine. This feature is particularly helpful for the unusual situations where the Internet-based auction facility 10 already knows that the same client machine will be used to make many different transactions. An auction house is one of such example.
In summary, it will be appreciated that the above described interfaces, and underlying technologies, provide a convenient vehicle for verifying the identity of a participant in a transaction facility using a seamlessly integrated, real-time process and for making a verification result readily available to other participants.
Computer ArchitectureThe computer system 800 includes a processor 802, a main memory 804 and a static memory 806, which communicate with each other via a bus 808. The computer system 800 may further include a video display unit 810 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)). The computer system 800 also includes an alpha-numeric input device 812 (e.g., a keyboard), a cursor control device 814 (e.g., a mouse), a disk drive unit 816, a signal generation device 820 (e.g., a speaker) and a network interface device 822.
The disk drive unit 816 includes a computer-readable medium 824 on which is stored a set of instructions (i.e., software) 826 embodying any one, or all, of the methodologies described above. The software 826 is also shown to reside, completely or at least partially, within the main memory 804 and/or within the processor 802. The software 826 may further be transmitted or received via the network interface device 822. For the purposes of this specification, the term “computer-readable medium” shall be taken to include any medium that is capable of storing or encoding a sequence of instructions for execution by the computer and that cause the computer to perform any one of the methodologies of the present invention. The term “computer-readable medium” shall accordingly be taken to included, but not be limited to, solid-state memories, optical and magnetic disks, and carrier wave signals.
Thus, a method and apparatus for detecting suspicious transactions occurring over a network-based transaction facility have been described. Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
Claims
1. A method of detecting fraudulent activity, the method comprising:
- causing a first identifier associated with a first user identity to be stored on a machine responsive to a first event with respect to a network-based facility and initiated under the first user identity from the machine that is coupled to the network-based facility via a network; and
- detecting, one or more processors, a potentially fraudulent activity by detecting a lack of correspondence between the first identifier stored on the machine and a second identifier associated with a second user identity responsive to a second event with respect to the network-based facility and initiated under the second user identity from the machine.
2. The method of claim 1, further comprising storing the first identifier in a shill cookie on the machine.
3. The method of claim 2, further comprising generating the second identifier associated with the second user identity and storing the second user identifier in the shill cookie on the machine.
4. The method of claim 2, further comprising encoding the shill cookie.
5. The method of claim 2, further comprising encrypting the shill cookie.
6. The method of claim 1, further comprising generating and storing a new shill cookie on the machine or adding to an existing shill cookie stored on the machine each time one of a plurality of triggering events occurs.
7. The method of claim 3, wherein the plurality of triggering events includes at least one type of event selected from a group of events including registering with the network-based facility, communicating with the network-based facility to offer a good or service for sale, communicating with the network-based facility to purchase a good or service, communicating with the network-based facility to present feedback regarding a transaction, and updating a profile maintained by the network-based facility.
8. The method of claim 1, wherein the network-based facility is a network-based transaction facility.
9. The method of claim 1, wherein the network-based facility is a network-based auction facility.
10. The method of claim 1, further comprising recording a set of transaction preferences for the first user identity.
11. The method of claim 10, wherein the set of transaction preferences include a plurality of items selected from items including credit card numbers, bidding histories, payment methods, and shipping addresses.
12. The method of claim 1, further comprising recording the potentially fraudulent activity at the network-based facility responsive to the detection of the lack of correspondence between the first identifier and the second identifier.
13. The method of claim 1, further comprising:
- generating a potential fraudulent activities table having a fraudulent activity field, a cookie identifier field, a user identifier field, and a frequency field;
- recording each of a plurality of potentially fraudulent activities and corresponding information into the potential fraudulent activities table;
- updating the potential fraudulent activities table on at least a periodic basis; and
- providing an updated report of the potential fraudulent activities table to an investigation team.
14. The method of claim 1, further comprising providing a priority ranking system having a low priority for a low potential fraudulent activity frequency, a medium priority for a medium potential fraudulent activity frequency, and a high priority for a high potential fraudulent activity frequency.
15. A method of detecting fraudulent activity, the method comprising:
- generating a first identifier associated with a first set of transaction preferences, the first identifier to be stored on a first client machine, the first identifier being generated responsive to at least one of a plurality of triggering events with respect to a network-based facility;
- generating a second identifier associated with a second set of transaction preferences, the second identifier to be stored with either the first identifier on the first client machine or on a second client machine, the second identifier being generated responsive to at least one of the plurality of triggering events with respect to the network-based facility;
- receiving information stored in one or both of the first identifier and the second identifier at the network-based facility; and
- detecting, using one or more hardware processors, potentially fraudulent activity by detecting a lack of correspondence between the first set of transaction preferences and the second set of transaction preferences.
16. The method of claim 15, wherein the plurality of triggering events includes at least one type of event selected from a group of events including registering with the network-based facility, communicating with the network-based facility to offer a good or service for sale, communicating with the network-based facility to purchase a good or service, communicating with the network-based facility to present feedback regarding a transaction, and updating a profile maintained by the network-based facility.
17. The method of claim 15, wherein the potentially fraudulent activity includes at least one of shill bidding and shill feedback.
18. The method of claim 15, wherein the detection of the potentially fraudulent activity is responsive to a matching of a plurality of user transaction preferences from a plurality of different user identifies.
19. The method of claim 15, further comprising:
- generating a first shill cookie and a second shill cookie for the first user identifier and the second user identifier, respectively; and
- transmitting information stored on the first shill cookie and the second shill cookie to the network-based facility responsive to one of the plurality of triggering events with respect to a network-based facility and associated with the first identifier and the second identifier, respectively.
20. A computer-readable storage medium comprising no transitory signals, the computer-readable storage medium having instructions that, when executed by at least one processor causes the at least one processor to perform operations, the operations comprising:
- generating a first identifier associated with a first set of transaction preferences, the first identifier to be stored on a first client machine, the first identifier being generated responsive to at least one of a plurality of triggering events with respect to a network-based facility;
- generating a second identifier associated with a second set of transaction preferences, the second identifier to be stored with either the first identifier on the first client machine or on a second client machine, the second identifier being generated responsive to at least one of the plurality of triggering events with respect to the network-based facility;
- receiving information stored in one or both of the first identifier and the second identifier at the network-based facility; and
- detecting potentially fraudulent activity by detecting a lack of correspondence between the first set of transaction preferences and the second set of transaction preferences.
Type: Application
Filed: Jan 13, 2014
Publication Date: Jul 10, 2014
Applicant: eBay Inc. (San Jose, CA)
Inventors: Christine Cheng (Sunnyvale, CA), Brenda Won (Sunnyvale, CA), Dheeraj Singh Mohnia (Palo Alto, CA), Ha Nguyen (Sunnyvale, CA), Reed Maltzman (San Francisco, CA), Isaac Strack (Saratoga Springs, UT), Noel Morin (Hilo, HI)
Application Number: 14/153,959
International Classification: G06Q 20/38 (20060101); G06Q 30/08 (20060101);
No comments:
Post a Comment