CN110706090A

CN110706090A - Credit fraud identification method and device, electronic equipment and storage medium

Info

Publication number: CN110706090A
Application number: CN201910792220.5A
Authority: CN
Inventors: 刘永迅; 陈新
Original assignee: Alibaba Group Holding Ltd
Current assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Priority date: 2019-08-26
Filing date: 2019-08-26
Publication date: 2020-01-17

Abstract

The invention discloses a credit fraud identification method and a device, comprising the following steps: receiving a transaction request; acquiring transaction information, account information of both transaction parties, equipment information of a transaction paying party and a cheating risk score made for the transaction paying party according to the transaction request; generating a risk evaluation result according to the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score of the transaction paying party; and if the risk assessment result is at risk, sending a risk prompt. The invention also discloses an electronic device and a storage medium for realizing the credit fraud identification method.

Description

Credit fraud identification method and device, electronic equipment and storage medium

Technical Field

The present invention relates to the field of data processing technologies, and in particular, to a credit fraud identification method and apparatus, an electronic device, and a storage medium.

Background

Credit fraud, which generally refers to fraudulent practices in which a fraudster uses certain dialogs and routing procedures to misunderstand that a victim is genuine and voluntarily transfers funds to the fraudster, or gives the fraudster security information through an account number, resulting in the victim suffering a loss.

The credit fraud case is the main wind control of the current payment products, and how to identify the credit fraud behavior is one of the main tasks of the payment products.

Disclosure of Invention

In view of the above, an object of the embodiments of the present invention is to provide a credit fraud identification method and apparatus, an electronic device, and a storage medium, which can better identify credit fraud and implement risk indication to a certain extent.

Based on the above object, a first aspect of the embodiments of the present invention provides a credit fraud identification method, applied to a server, including:

receiving a transaction request;

acquiring transaction information, account information of both transaction parties, equipment information of a transaction paying party and a cheating risk score made for the transaction paying party according to the transaction request;

generating a risk evaluation result according to the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score of the transaction paying party;

and if the risk assessment result is at risk, sending a risk prompt.

Optionally, the credit fraud identification method further includes:

acquiring a user information variable, a consumption information variable, an operation information variable and a safety consciousness information variable of a transaction paying party;

respectively carrying out evidence weight scoring on the user information variable, the consumption information variable, the operation information variable and the safety consciousness information variable to obtain a user information variable score, a consumption information variable score, an operation information variable score and a safety consciousness information variable score;

and calculating to obtain the cheated risk score according to the user information variable score, the consumption information variable score, the operation information variable score and the safety consciousness information variable score.

Optionally, the user information variable includes at least one of a user age, a frequent occurrence frequency of a user frequent site, a city grade of the user frequent site, an account authentication duration of the user, and an account fund grade of the user;

the consumption information variable comprises at least one of transaction times in a first preset period, average prices of purchased commodities in the first preset period, hotel order times in the first preset period, air ticket order times in the first preset period and online game transaction times in the first preset period;

the operation information variable comprises at least one of the number of times of browsing high-risk webpages in a second preset period, the number of times of searching the high-risk webpages in the second preset period, the number of times of using external WIFI and external equipment to operate the account in the second preset period, the number of city logins of the accounts in the second preset period, the number of effective logins of the accounts in the second preset period and the number of times of clicking marketing activities in the second preset period;

the security awareness information variable includes the number of security products used.

Optionally, generating a risk assessment result according to the transaction information, account information of both transaction parties, and device information and cheated risk score of a transaction paying party, includes:

and substituting the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score into a supervised gradient boosting decision tree risk evaluation model to obtain a risk evaluation result.

Optionally, the credit fraud identification method further includes:

establishing a risk assessment model by utilizing a gradient lifting decision tree;

acquiring normal transaction historical data, normal user data, fraud transaction historical data and fraud user data, marking the normal transaction historical data and the normal user data as normal, and marking the fraud transaction historical data and the fraud user data as abnormal;

and training the risk assessment model by using the marked normal transaction historical data, normal user data, fraud transaction historical data and fraud user data to obtain the supervised gradient boosting decision tree risk assessment model.

Optionally, the credit fraud identification method further includes:

according to whether the data is generated in a trusted environment or not, grouping the marked normal transaction historical data, normal user data, fraud transaction historical data and fraud user data to obtain a trusted environment data group and an untrusted environment data group;

and respectively training the risk evaluation model by utilizing the credible environment data group and the non-credible environment data group to obtain a risk evaluation model of the supervised gradient boosting decision tree of the credible environment and a risk evaluation model of the supervised gradient boosting decision tree of the non-credible environment.

dividing the transaction information, account information of both transaction parties and equipment information of a transaction paying party into a trusted environment information group and an untrusted environment information group according to whether the data is generated in a trusted environment;

substituting the trusted environment information group and the cheated risk score into a supervised gradient boosting decision tree risk evaluation model of the trusted environment to obtain a risk evaluation result of the trusted environment;

substituting the information group of the untrusted environment and the scavenged risk score into a supervised gradient boosting decision tree risk assessment model of the untrusted environment to obtain a risk assessment result of the untrusted environment;

and obtaining a final risk evaluation result according to the risk evaluation result of the trusted environment and the risk evaluation result of the untrusted environment.

Optionally, the transaction information includes at least one of user information of both transaction parties, whether both transaction parties have the same trusted city within a third preset period, and whether equipment or certificates of a transaction paying party and certificates of a transaction income party have a transaction history within a fourth preset period;

the account information of the transaction payer comprises at least one of a short-term loan record in a fifth preset period, the number of newly-added low-quality friends in the fifth preset period, the number of times of asynchronous events of the account in the fifth preset period, and the number of unique material identification codes related to the account in the fifth preset period;

the equipment information of the transaction paying party comprises at least one of the installation times of high-risk applications, the times of disguised operation behaviors of the equipment, the times of switching between applications in a sixth preset period and the credibility level of the equipment;

the account information of the transaction income party comprises at least one of the historical province number of the income account under the same issuer identification code, the failed transaction proportion of the income card bound by the income account, and the payment times of the income card bound by the income account under the non-credible environment.

Optionally, the device information of the transaction paying-out party is collected from a device of the transaction paying-out party by using an edge cloud technology.

Optionally, the sending the risk prompt includes:

if the transaction paying party is in a trusted environment, sending a transaction risk prompt;

and if the transaction paying party is in the non-trusted environment, sending an identity verification prompt.

Optionally, after the transaction risk reminder is sent, the method further includes:

if the confirmed transaction information of the transaction paying party is received, the transaction is released;

and if the transaction information which is not confirmed by the transaction paying party is received, sending an identity verification prompt.

Optionally, after sending the identity verification prompt, the method further includes:

receiving identity information provided by a transaction paying party;

if the identity information is verified to pass, the transaction is released;

and if the identity information is not verified, sending a transaction failure message or limiting the transaction authority.

Optionally, the identity information is biometric information of the transaction paying out party.

Optionally, the sending the risk prompt includes:

and if the risk evaluation result exceeds a preset danger threshold, sending a transaction failure message or limiting the transaction authority.

In a second aspect of the embodiments of the present invention, there is provided a credit fraud detection apparatus, including:

a receiving module for receiving a transaction request;

the data acquisition module is used for acquiring transaction information, account information of both transaction parties, equipment information of a transaction paying party and a cheated risk score made for the transaction paying party according to the transaction request;

the risk evaluation module is used for generating a risk evaluation result according to the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score made on the transaction paying party;

and the sending module is used for sending a risk prompt if the risk assessment result is risky.

Optionally, the credit fraud identification apparatus further comprises a cheated risk scoring module, configured to:

Optionally, the risk assessment module is to:

Optionally, the sending module is configured to:

Optionally, after sending the transaction risk reminder, the sending module is configured to:

Optionally, the receiving module is configured to receive identity information provided by a transaction paying-out party;

and if the identity information is not verified, the sending module is used for sending a transaction failure message or limiting the transaction authority.

Optionally, the sending module is configured to:

In a third aspect of the embodiments of the present invention, there is provided an electronic device, including:

at least one processor; and the number of the first and second groups,

a memory communicatively coupled to the at least one processor; wherein,

the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method.

In a fourth aspect of the embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, wherein the computer program, when executed by a processor, performs the steps of the method.

As can be seen from the above, the credit fraud identification method and apparatus, the electronic device, and the storage medium provided by the present invention can better complete credit fraud identification by calculating the fraud risk score for the user and using the fraud risk score for modeling and risk assessment, compared to the existing fraud identification technology, increasing the fraud risk score variables.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings of the embodiments will be briefly described below, and it is apparent that the drawings in the following description only relate to some embodiments of the present invention and are not limiting on the present invention.

FIG. 1 is a block diagram of a credit fraud detection system according to an embodiment of the present invention;

FIG. 2 is a flow chart illustrating a credit fraud identification method according to an embodiment of the present invention;

FIG. 3 is a schematic flow chart of one embodiment of fraud risk scoring in an embodiment of the present invention;

FIG. 4 is a flowchart illustrating an embodiment of a process for building a risk assessment model with supervised gradient boosting decision trees according to an embodiment of the present invention;

FIG. 5 is a flowchart illustrating an embodiment of a process for building a risk assessment model with supervised gradient boosting decision trees according to the present invention;

FIG. 6 is a schematic flow chart diagram illustrating an embodiment of generating a risk assessment result according to an embodiment of the present invention;

FIG. 7 is a block diagram illustrating a credit fraud detection apparatus according to an embodiment of the present invention;

fig. 8 is a schematic structural diagram of an apparatus for implementing a credit fraud identification method according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, are within the scope of protection of the invention.

Unless defined otherwise, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. Also, the use of the terms "a," "an," or "the" and similar referents do not denote a limitation of quantity, but rather denote the presence of at least one. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.

Credit fraud cases are a major stubborn existence of current wind control of payment type products. Fraudsters often commit losses to victims by voluntary funds transfer, or through account security information, to fraudsters who misunderstand their truths by using certain dialects and passes on chat tools. The difficulty of prevention and control is that most of the devices are trusted environments (such as devices normally used by users for a long time), and effective utilization information is less. In addition, in a cheating and stealing combined scene (for example, a cheater cheats the user account number, the password, the bank card number or even the check code information through a method of swiping a bill or fishing a short message and the like, and transfers the account number or purchases goods easy to sell and stolen on an untrusted device), although the device is in an untrusted environment, the client actively cooperates with the cheater to complete breakthrough check. A common effective prevention measure is to initiate a verification of the biometric identity or to directly fail the transaction, but this places a very high demand on the accuracy of fraud identification in view of the disturbance to the customer. Therefore, it is very important to comprehensively collect more information describing risks and establish a real-time credit fraud identification and prevention and control system.

A prerequisite for the occurrence of credit fraud cases is the need for beneficial driving or user belief of a story authored by a rogue, with the frauds having commonalities in certain characteristics. Common fraud methods such as short message phishing link and billing are used, and users of the group are more younger, have small credit records on the internet and the like. Therefore, the user risk characteristics of different types of historical fraud cases can be depicted, the user cheating score can be given and used as the input of the credit fraud behavior identification model, and compared with the traditional fraud identification method which focuses on the characterization mode of behaviors in transactions between two parties and even asynchronous behaviors after the transactions, the method has more logic of prevention and control in advance.

The existing credit fraud prevention and control identification data acquisition range mainly focuses on the following three angles: risk characteristics such as historical behaviors, environment, conflict and the like of the income account are provided; secondly, transaction operation abnormal behavior risk characteristics in the expenditure side station; and thirdly, relationship conflict between the two parties or abnormal transaction operation behavior link between the two parties. However, many expenses of the credit fraud cases are actively operated by the clients, the key information of the abnormal behavior event is less, and more off-site information needs to be expanded to assist risk identification so as to improve higher accuracy.

Based on the entire capital expenditure scenario and without excluding the trusted relationship of the device and account number, the credit fraud identification system would be computationally expensive. For example, the magnitude of payment behaviors attempted by paying treasures users per day is about more than 4 hundred million, and the real-time online credit fraud identification and prevention and control system needs to carry out real-time credit fraud risk identification and prevention and control on all the payment behaviors, and the analysis time of each payment behavior is controlled within 0.2 second. With such a large computational demand, the algorithms of the system need to be as efficient as possible.

In summary, the credit fraud identification and prevention and control system needs to identify and prevent and control the credit fraud transaction for all the payment fund expenditure behaviors without considering the trusted relationship between the account and the device. The credit fraud behavior identification and prevention and control system is mainly used for accurately identifying credit fraud behaviors, effectively eliminating risks by adopting an optimal decision-making means and adopting a most efficient algorithm, and is three technical problems mainly solved by the credit fraud behavior identification and prevention and control system.

At present, some recognition models exist for the credit fraud cases, for example, a long-term memory behavior sequence algorithm (LSTM) is used to improve fraud risk recognition, but the method has 3 obvious disadvantages:

1. in the traditional fraud risk identification model, the selected depicting behavior variables are relatively limited. The limit point has two aspects: firstly, more characteristic selection ranges are that common event behavior sequences are searched from transaction and operation behavior links in payment products of thieves and thieves, and the risk characteristic of easily deceived people is not considered as an effective pre-characteristic supplement; and secondly, data are limited in the events of in-station information, operation, payment and browsing behaviors of payment products, but most of the cases are actively operated by thieves, and abnormal behavior characteristics are few.

2. The coverage range of a control application scene is narrow, the traditional behavior sequence fraud identification model focuses on behavior operation link identification of a trusted environment in which a user is deceived to autonomously transfer payment, and the current common deception and theft combined case is not covered. Therefore, how to supplement the features of the embezzlement class and merge the features into the model provides a challenge for the existing fraud identification model by supplementing and realizing the accurate identification capability of the cheating and embezzlement combined case on the original application scene.

3. The traditional credit fraud recognition model is an offline model, a newly generated sample is subjected to offline model training at a fixed time, scoring logic is output, and then risk recognition is carried out on the latest transaction behavior. The offline identification training mode has the defect that the fraud risk cannot be identified in time based on the latest information. Meanwhile, algorithms and variables used by the traditional model are complex, such as deep learning algorithms. The complex variables and algorithms can cause great computing resource consumption, so that the reloading model is difficult to lighten and is difficult to convert into a real-time online model.

FIG. 1 shows an architectural diagram of a credit fraud identification system. As shown in fig. 1, the system may include a server, a transaction paying party, and a transaction beneficiary party. And the transaction paying party and the transaction income party can exchange data with the server through some equipment with a data processing function. The device with data processing function may be, for example, a mobile phone, a tablet computer, a personal computer, a notebook computer, a palm-top computer (PDA), a wearable device (e.g., smart glasses, smart watch), and the like.

The devices of the transaction paying party and the transaction income party can realize data exchange with the server through a network. The network may be a wired network or a wireless network.

In some scenarios, the payment software, such as a payment treasurer, may be installed in the devices of the transaction paying and revenue parties. In this way, the transaction paying party and the transaction beneficiary party can carry out transaction operation through payment software installed in the device. For example, the transaction paying party may initiate a payment request to the server by using the device with the data processing function, and the server transfers the money corresponding to the payment request to the corresponding account of the transaction income party, so that the transaction between the transaction paying party and the transaction income party is completed immediately.

Referring to fig. 1, for example, in the credit fraud identification system according to the embodiment of the present invention, when a transaction payer sends a payment request for a transaction to a server, the server may first determine whether there is credit fraud in a current transaction between the transaction payer and a transaction profit party, and then respond accordingly according to a risk assessment result, instead of directly releasing the transaction. For example, when the risk assessment result is at risk, a risk early warning prompt may be performed inside the system, a risk reminder may be issued to the transaction paying party or the transaction paying party may be required to perform an identity verification, a risk warning may be issued to the transaction beneficiating party or the transaction beneficiating party may be required to perform an identity verification, and the like.

The credit fraud recognition system is an important technology for preventing account number of payment products from stealing a wind control system, and fills the gap of account number wind control strategies of the payment products in the field of credit fraud.

Fig. 2 is a flow chart of a credit fraud identification method according to an embodiment of the present invention. As shown in fig. 2, the credit fraud identification method is applied to a server side, and includes:

step 11: a transaction request is received.

Here, the transaction request may be an initiation request or a payment request of any transaction, and may be from a transaction paying party or a transaction benefitting party.

For example, the transaction request may include account information (e.g., a bound bank card number or an issuer identification number) of both transaction parties (a transaction paying party and a transaction beneficiary party), account information (e.g., a payroll account number) of both transaction parties (a transaction paying party and a transaction beneficiary party), a transaction amount, a transaction object (e.g., what goods are purchased), and the like.

Optionally, after receiving the transaction request, the server may trigger subsequent steps of the credit fraud identification method, so as to determine whether credit fraud exists in the current transaction.

Step 12: and acquiring transaction information, account information of both transaction parties, equipment information of a transaction paying party and cheating risk scores made on the transaction paying party according to the transaction request.

For example, the transaction information may include user information of both transaction parties and historical transaction behavior information of both transaction parties.

Optionally, the user information of the two transaction parties may include some registration information of the user (for example, a user name, a user age, a registration duration, an authentication duration, and the like), and may also include information on whether the two transaction parties have the same trusted city within a third preset period, where if the trusted city lists associated with the two transaction parties have an intersection, the risk is low; here, the trusted city is whether the position where the transaction paying party is located when performing the transaction is a resident city or a city that has been visited, and the third preset period is a preset data collection period (for example, 3 months), which is a time period that can be set as required. Optionally, the historical transaction behavior information of the transaction parties may include whether the transaction history exists between the equipment or certificate of the transaction paying party and the certificate of the transaction income party within a fourth preset period, and if the transaction history exists between the equipment or certificate of the transaction paying party and the certificate of the transaction income party, the risk is low. Here, the device may be a device that is performing a current transaction, and may be determined by a device identification code; the certificate can be a certificate bound with an account number when a user performs identity authentication, such as an identity card, a passport, a driving license and the like; the fourth preset period is a preset data acquisition period (for example, 1 year), and is a time period which can be set as required; whether the equipment or the certificate of the transaction paying party and the certificate of the transaction income party have transaction history or not can be judged by calling the information of the equipment or the certificate associated with the account numbers of the two parties in the transaction record.

Here, the account information may refer to information related to an account of a transaction paying party, and the account may refer to a user account of a payment product, such as a payment account.

For example, the account information of the transaction payer may include at least one of a short-term loan record in a fifth preset period, the number of newly added low-quality friends in the fifth preset period, the number of times of asynchronous events occurring in the account in the fifth preset period, and the number of Unique Material identifiers (IP-UMIDs) related to the account in the fifth preset period. For example, if there is a short-term loan record within a fifth preset period in the transaction payor, the risk of the user information being revealed is higher; generally, accounts of thieves are low-quality users who are newly registered or silenced for a long time, so that the risk is higher when the number of newly-added low-quality friends of a transaction paying party in a fifth preset period is larger; the number of times of asynchronous events of the account in a fifth preset period is used for depicting operational environment risks, and if the account of the user is frequently operated on a certain IP address for a long time, the risk is lower; the number of the unique material identification codes related to the account number can mean that a plurality of IP addresses are related to the same account number when the account number is logged in, the index is used for describing the conflict risk, and the risk coefficient is higher if the account number of the user is logged in many places or the account number has a sudden change in position.

The fifth preset period is a preset data acquisition period (for example, 3 months), and is a time period that can be set as required. The short-term loan may refer to a loan with a short term, and the specific term may be set as required, for example, a loan period within 3 months or 1 year is short; optionally, the short term loan record is a record of loans on the network. The low-quality friend may refer to a friend with a lower quality, and the specific quality metric may be set according to a requirement, for example, the registration duration or the authentication duration is shorter (e.g., only 1 month), the identity authentication is not performed, no consumption record or the consumption record is less than a certain number (e.g., 10 times), and such data may be used to measure whether a friend is a low-quality friend.

For example, the account information of the transaction income party may include at least one of the number of historical provinces where the income account is located under the same issuer identification number (card BIN), the failed transaction percentage of the income card bound to the income account, and the number of payments received under the non-trusted environment of the income card bound to the income account. For example, the number of historical provinces of the income account under the same issuer identification code is large, that is, the number of provinces to which the income account belongs is large, which indicates that the bank card corresponding to the issuer identification code is bound by multiple persons, and the risk of the bank card is relatively high; the failure transaction proportion of the income card bound by the income account number is higher, which indicates that the risk is higher; the more the user receives the money in the non-trusted environment of the revenue card bound by the revenue account number, the higher the transaction risk.

For a device which is normally used by a user for a long time, the account of the user and the device can be considered to be in a trusted relationship, otherwise, for a device which is not normally used by the user for a long time, the account of the user and the device can be considered to be in an untrusted relationship, and the account in the untrusted relationship can be considered to be in an untrusted environment.

For example, the device information of the transaction paying party includes at least one of the installation times of high-risk applications (or software), the times of the existence of disguised operation behaviors of the device, the times of inter-application switching within a sixth preset period, and the credibility level of the device. For example, if the transaction payer's equipment has more high-risk applications (or software) installed, the risk factor is relatively higher; if the equipment has disguised operation behaviors, for example, when the equipment of the transaction paying party has high-risk behaviors such as changing machines, crossing prisons, installing malicious plug-ins, tampering with Location Based Service (LBS), simulating click and the like, the equipment of the transaction paying party has higher related transaction paying risk; generally, when a credit fraud case is transacted, a customer is guided to operate and implement account transfer or transaction through chat software such as WeChat or QQ, if application switching exists in a sixth preset period, the transaction risk exists, and it needs to be explained that the distinguishing effect of the characteristic is very good in an actual training model; the credibility grade of the equipment is used for describing the risk degree of the equipment, and can be classified in a multi-stage mode from credibility to non-credibility, wherein the equipment with the non-credibility grade has the highest risk.

The high-risk application or software may be some predefined applications or software with risks, or a set of algorithm for identifying the high-risk application or software may be designed according to characteristics of the high-risk application or software to determine which software in the device is the high-risk application or software, and the specific implementation manner is not limited and may be selected according to needs. The disguised operation behaviors can be some predefined operation behaviors, such as high-risk behaviors of changing machines, crossing prisons, installing malicious plug-ins, tampering with LBS (location based service), simulating click and the like.

As an alternative embodiment, the device information of the transaction paying-out party is collected from the device of the transaction paying-out party by using the edge cloud technology.

For example, the device information of the transaction paying-out party may be acquired and processed through a wind control platform (such as an edge cloud) deployed on the user terminal device, so that the change of the terminal can be acquired more finely, and risk calculation is performed on the user terminal device. The EdgeCloud collects the behavior information of the equipment terminal; at present, the EdgeCloud equipment information can realize synchronous calculation and calling, and cheated risk scores can be evaluated once a month, so that the whole scheme can realize extraction and integration of related data in real time by depending on the existing data warehouse technology.

Therefore, the data is preprocessed at the equipment end, so that the storage and calculation cost of the server end can be greatly reduced; on the other hand, the edge cloud is a computing process for private data, since the device information generally relates to private information of a user, and is not suitable for being transmitted to a server side for analysis, and the security risk can be avoided by using the edge cloud technology.

As an embodiment, as shown in fig. 3, the credit fraud identification method further includes a step of scoring a fraud risk of a transaction paying-out party, which may specifically include:

step 21: and acquiring a user information variable, a consumption information variable, an operation information variable and a safety consciousness information variable of a transaction paying party.

Optionally, the user information variable includes at least one of a user age, a frequent occurrence frequency of a user frequent location, a city grade of the user frequent location, an account authentication duration of the user, and an account fund grade of the user.

For example, general college students and the elderly are credit fraud high-risk groups, and if the age of a user is less than 20 years old or more than 50 years old, the user is relatively high in fraud risk; if the user frequently has a residence in a frequent issue place of a credit fraud case, the user is indicated to have higher probability of being cheated; generally, people at remote areas are easier to cheat because of narrow information acquisition channels, and the risk is higher if the city grade is lower; if the authentication time is longer, the risk is lower; if the fund deposit amount in the account of the user is higher, the protection of the account of the user is higher, and the alertness is higher.

The case frequency can call official published data or reported case data existing in a database of a server side to calculate; the city grade can call official published data or city grade grading data which is already made by a server; the account number fund level can be calculated according to the deposit amount in the account number of the user, the grading standard of the fund level can be preset, each level is set with a certain amount range, and the specific setting mode is not limited.

Optionally, the consumption information variable includes at least one of a number of trades within a first preset period, an average price of purchased commodities within the first preset period, a number of hotel orders within the first preset period, a number of airline ticket orders within the first preset period, and a number of online game trades within the first preset period.

For example, if the number of transactions in the first preset period is large, it indicates that the user is an active user of the payment product, so that the user has a strong sense of security transaction against the account number, and the risk is low; alternatively, the payment-type product described herein may be a pay-for-use. If the average price of the purchased commodities in the first preset period is higher, the higher the consumption level of the user is, the lower the risk coefficient is; alternatively, the average price of the purchased goods can be calculated by retrieving data from the purchase records of Tao-Bao and Chi-Mao. If the hotel order frequency and/or the air ticket order frequency in the first preset period are/is high, the user information leakage probability is higher, and the risk coefficient is higher; alternatively, the number of hotel orders and air ticket orders may be obtained by calling a payment record paid by the payment instrument. If the network game transaction times in the first preset period are more, the fact that people with the high-risk stolen goods activity are easy to click fishing and Trojan links is shown, namely the risk degree is higher.

The first preset period is a preset data acquisition period (for example, 1 year), and is a time period that can be set as required.

Optionally, the operation information variable includes at least one of the number of times of browsing high-risk webpages in a second preset period, the number of times of searching the high-risk webpages in the second preset period, the number of times of operating the account using external WIFI and external equipment in the second preset period, the number of cities logged by the account in the second preset period, the number of effective login times of the account in the second preset period, and the number of click times of the marketing activities in the second preset period.

For example, if the number of times of browsing high-risk webpages in the second preset period is large, which indicates that the user frequently browses the high-risk webpages, such as webpages of the emotion, gambling, advertising alliance and the like, the user is easier to cheat and has a high risk; if the number of times of using the external WIFI and the external equipment to operate the account is large in the second preset period, the fact that the user often uses the external WIFI and the external equipment to operate the account indicates that the account password is stolen at a higher probability, and the risk is higher; if the number of the accounts logged in the cities in the second preset period is large, the fact that the accounts are frequently operated in different cities by the user is indicated, and the behavior that the accounts are frequently operated in different cities is a high-risk characteristic, so that the risk is high; if the effective login times of the account in the second preset period are more, the account is an account with a certain activity, the user holding the account has strong sense of transaction, the account is not easy to steal, and the risk is low; if the number of clicks of the marketing campaign is high in the second preset period, the user often clicks the marketing campaign link, so that the crowd is easier to cheat by the phishing short message link, and the risk is high.

The high-risk web pages can be preset web pages with risks or risk web pages obtained by algorithm screening according to the characteristics of the high-risk web pages, and the specific setting mode is not limited. The second preset period is a preset data acquisition period (for example, 3 months), and is a time period that can be set as needed.

Optionally, the security awareness information variable comprises a number of used security products. If the number of the used safety products is large, the situation that the security awareness of the user is strong and the cheating risk is small is shown. Alternatively, the security product may be a security product provided by a payment instrument.

Step 22: and respectively carrying out evidence weight scoring on the user information variable, the consumption information variable, the operation information variable and the safety consciousness information variable to obtain a user information variable score, a consumption information variable score, an operation information variable score and a safety consciousness information variable score.

Here, the English of the Evidence Weight is called Weight of Evidence, WOE for short. WOE is a form of encoding of the original arguments. After the related variable information is acquired in the previous steps, the score of each variable can be obtained through an evidence weight scoring algorithm and is used for calculating the cheated risk score. The specific calculation method may refer to the calculation principle of WOE, and is not described herein again.

Step 23: and calculating to obtain the cheated risk score according to the user information variable score, the consumption information variable score, the operation information variable score and the safety consciousness information variable score.

Here, the cheated risk score may be obtained by adding the user information variable score, the consumption information variable score, the operation information variable score and the safety awareness information variable score, or may be obtained by a weighted average calculation method, and a specific algorithm may be set according to an actual requirement, which is not described herein again.

Therefore, the cheating risk score for the transaction paying party can be calculated through the algorithm and used for calculating a risk evaluation result subsequently. Because the deception risk of the user is not considered when credit fraud is identified in the prior art, the risk of the easily deceived people is depicted, and the deceived risk score of the user is output by adopting a comprehensive scoring method to serve as modeling feature supplement. Meanwhile, equipment information is added as supplement, for example, switching frequency between equipment applications, and equipment installation high-risk application information is used as supplement of transaction event information, so that the accuracy of model identification is effectively improved.

The algorithm characterizes the risk figures of the vulnerable members based on the analysis of historical data. A WOE comprehensive grading method is adopted in the method, so that the model is more interpretable, and the member cheating risk grade is obtained by synthesizing the WOE grades corresponding to all risk variable values and is used for calculating the risk evaluation result subsequently.

Alternatively, the cheated risk score may be made in advance at the server side for each user, and when the cheated risk score needs to be called for a specific user (when the cheated risk score becomes a transaction paying party), the calculated cheated risk score is called directly from the server side, so that the cheated risk score does not need to be specially calculated when a risk assessment result is generated in real time, and the calculation efficiency is improved. Alternatively, the cheated risk score may be calculated periodically, for example once every month, and the calculated cheated risk score may be stored in the database and available for recall at any time.

Step 13: and generating a risk evaluation result according to the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score of the transaction paying party.

Optionally, the step 13 may be: and substituting the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score into a supervised gradient boosting decision tree risk evaluation model to obtain a risk evaluation result.

As an alternative embodiment, referring to fig. 4, the process of establishing the supervised gradient boosting decision tree risk assessment model includes the following steps:

step 31: and establishing a risk assessment model by using a Gradient Boosting Decision Tree (GBDT for short).

Here, a risk assessment model using a gradient boosting decision tree is first built and trained on subsequent input data.

Step 32: acquiring normal transaction historical data, normal user data, fraud transaction historical data and fraud user data, marking the normal transaction historical data and the normal user data as normal, and marking the fraud transaction historical data and the fraud user data as abnormal.

Here, the normal user may refer to a user whose transactions have been performed are in a normal state, and the fraudulent user may refer to a user whose transactions have been performed are fraudulent; the normal transaction history data may refer to transaction history data in which the transaction history is in a normal state, and the fraudulent transaction history data may refer to transaction history data in which the transaction history is identified as fraudulent behavior.

Optionally, the normal transaction history data may include transaction information in a normal state and account information of both parties of the transaction, and the normal user data may include device information of a user in the normal state and a fraud risk score made for the user.

Optionally, the fraudulent transaction history data may include transaction information of fraudulent transactions and account information of both parties of the transactions, and the fraudulent user data may include device information of a user who has fraudulent transactions and a fraud risk score given to the user.

Here, the normal transaction history data, the normal user data, the fraudulent transaction history data, and the fraudulent user data are respectively marked, and a supervised model can be obtained by training a model using the marked data.

Step 33: and training the risk assessment model by using the marked normal transaction historical data, normal user data, fraud transaction historical data and fraud user data to obtain the supervised gradient boosting decision tree risk assessment model.

Therefore, the risk assessment model is trained by using the marked data, the risk assessment model with the supervised gradient lifting decision tree can be obtained, and compared with an unsupervised model, the risk assessment model with the supervised gradient lifting decision tree has higher accuracy rate in subsequent fraud recognition.

The present embodiment utilizes a Gradient Boosting Decision Tree (GBDT) for supervised learning of credit fraud. It should be noted that besides GBDT, other supervised machine learning models, such as random forest and XG-Boost, may be used. Preferably, the GBDT is better in terms of accuracy and operating efficiency as shown by the final comparison. Considering the large transaction magnitude of the system analysis, the GBDT model may be preferred as the final system learning model, but the possibility of using other models is not excluded, and the scope of protection should not be limited to the model algorithm selected in this embodiment.

As another alternative, referring to fig. 5, the process of establishing the supervised gradient boosting decision tree risk assessment model includes the following steps:

step 41: and establishing a risk evaluation model by utilizing the gradient lifting decision tree.

Step 42: acquiring normal transaction historical data, normal user data, fraud transaction historical data and fraud user data, marking the normal transaction historical data and the normal user data as normal, and marking the fraud transaction historical data and the fraud user data as abnormal.

Step 43: and grouping the marked normal transaction historical data, normal user data, fraud transaction historical data and fraud user data according to whether the data is generated in the trusted environment or not to obtain a trusted environment data group and an untrusted environment data group.

Here, the trusted context and the untrusted context may be for whether the device of the user is a commonly used device; when the user's device is a normal device, the data formed using the normal device is generated in the trusted environment, whereas when the user's device is an emergency device, the data formed using the emergency device is generated in the untrusted environment.

Optionally, when the data is generated in the trusted environment, only the device information of the user may be utilized in training the model, on one hand, when the model is applied to the trusted environment, the performance differentiation of the device dimensional characteristics is better, on the other hand, the overall processing efficiency may also be reduced, and the real-time recognition of credit fraud is more facilitated.

Step 44: and respectively training the risk evaluation model by utilizing the credible environment data group and the non-credible environment data group to obtain a risk evaluation model of the supervised gradient boosting decision tree of the credible environment and a risk evaluation model of the supervised gradient boosting decision tree of the non-credible environment.

When the model is trained, the models of the credible environment and the non-credible environment are subjected to clustering modeling, and the characteristic expressions of cases of different types can be different. For example, in a trusted environment, the degree of performance differentiation of device dimensional features is good. Under the non-trusted environment, the account information of both parties of the transaction and the behavior characteristics between both parties of the transaction have better distinguishing effect. Therefore, the accuracy of the credit fraud recognition of the whole model can be improved in a grouping modeling mode.

Optionally, referring to fig. 6, step 13 — substituting the transaction information, the account information of both transaction parties, the device information of the transaction paying party, and the cheated risk score into the supervised gradient boosting decision tree risk assessment model to obtain a risk assessment result, which may further include the following steps:

step 51: and dividing the transaction information, the account information of both transaction parties and the equipment information of the transaction paying party into a trusted environment information group and an untrusted environment information group according to whether the data is generated in a trusted environment.

Step 52: and substituting the trusted environment information group and the cheated risk score into a supervised gradient boosting decision tree risk evaluation model of the trusted environment to obtain a risk evaluation result of the trusted environment.

Step 53: and substituting the information group of the untrusted environment and the scavenged risk score into a supervised gradient boosting decision tree risk assessment model of the untrusted environment to obtain a risk assessment result of the untrusted environment.

Step 54: and obtaining a final risk evaluation result according to the risk evaluation result of the trusted environment and the risk evaluation result of the untrusted environment.

Therefore, the credible environment information group and the cheated risk score are substituted into the supervised gradient boosting decision tree risk evaluation model of the credible environment to obtain the risk evaluation result of the credible environment, the non-credible environment information group and the cheated risk score are substituted into the supervised gradient boosting decision tree risk evaluation model of the non-credible environment to obtain the risk evaluation result of the non-credible environment, and then the risk evaluation result of the credible environment and the risk evaluation result of the non-credible environment are synthesized to obtain the final risk evaluation result, so that the identification of the credit fraud behavior can be better completed, and the accuracy is higher.

Step 14: and if the risk assessment result is at risk, sending a risk prompt.

Optionally, when the risk assessment result is at risk, the risk prompt may be issued to the transaction paying-out party to prompt the transaction paying-out party that the current transaction is at risk of fraud; or, the risk prompt may also be sent to a patrol person preset by the system, so as to prompt that a transaction with a fraud risk is occurring currently; or, the risk prompt may also be sent to a transaction income party to warn the user that the current fraudulent transaction behavior has been concerned by the system; still alternatively, the risk cues may be sent to a public security agency to cause an official alert and attention.

The core-body transaction logic of a credit fraud case is different from the core-body logic of a traditional account password stealing event, and the trusted environment and the untrusted environment need to be distinguished.

Therefore, as an optional embodiment, the sending the risk prompt may specifically include the following steps:

if the transaction paying-out party is in the trusted environment, sending a transaction risk reminder (for example, displaying a reminder popup window on a transaction interface of a user) to the transaction paying-out party to remind the transaction paying-out party that a fraud risk possibly exists in the current transaction;

and if the transaction paying party is in an untrusted environment, which indicates that the current transaction is in a high risk state, sending an identity verification prompt to the transaction paying party to force the transaction paying party to verify the identity of the user so as to ensure the transaction safety.

Here, because the trusted environment is a device commonly used by the user, a more relaxed control manner may be adopted for the transaction risk occurring in the trusted environment, and a more strict control manner may be adopted for the untrusted environment.

Optionally, after the transaction risk reminder is sent, the following steps may be further included:

if the confirmation transaction information of the transaction paying party is received, the user confirms that the current transaction has no risk, and then the transaction is released;

if the transaction information of the transaction paying party is not confirmed, which indicates that the user cannot confirm whether the current transaction has risk, the identity verification prompt is sent to force the transaction paying party to verify the identity of the user, so that the transaction safety is guaranteed.

Optionally, after sending the identity verification prompt, the following steps may be further included:

receiving identity information provided by a transaction paying party;

if the identity information is verified to be passed, the user himself is shown to be transacted currently, and then the transaction is released;

if the identity information is not verified, the fact that the current transaction is probably not the user himself is indicated, a transaction failure message is sent or the transaction authority is limited.

Optionally, the limiting of the transaction right may include only allowing the account of the transaction paying-out party to obtain revenue but not allow payment, or closing the account balance of the transaction paying-out party and freezing the account, and so on, and the specific right limiting manner may be specifically set according to the degree of risk, and is not limited herein.

Preferably, the identity information is biometric information (such as a human face, a fingerprint, etc.) of the transaction paying party. Because the current transaction is in a fraud risk state, if the conventional password login or authentication code input mode is used, the fraud transaction is not prevented, so that the identity verification mode of the biological identification information can be adopted to better identify whether the operation user of the current transaction is the user himself or herself, and the transaction safety is guaranteed.

As an optional embodiment, the sending the risk prompt may further include:

and if the risk evaluation result exceeds a preset danger threshold, sending a transaction failure message.

Optionally, the preset risk threshold is a preset high risk threshold, and when the risk evaluation result exceeds the threshold, indicating that the currently performed transaction is in a high risk state, the transaction should be stopped immediately without considering the procedures of identity verification and the like.

Optionally, after the risk assessment result exceeds the preset risk threshold and the transaction failure message is sent, the method further comprises the step of limiting the transaction authority so as to make a forbidding expenditure limit on future transactions of the user at an account layer.

Optionally, the credit fraud identification method may further include step 15: and if the risk assessment result is no risk, releasing the transaction without risk prompt.

As can be seen from the above embodiments, the credit fraud identification method provided by the embodiment of the present invention calculates the fraud risk score for the user, and uses the fraud risk score for modeling and risk assessment, so that compared with the existing fraud identification technology, the fraud risk score variable is added, and credit fraud identification can be completed better.

In one embodiment, the model algorithm adopts a GBDT model with supervised learning, so that the recognition accuracy and the processing efficiency can be effectively improved.

In one embodiment, the model input features are supplemented with device information, thereby improving the accuracy of credit fraud identification.

In an embodiment, the credit fraud identification method provided by the embodiment of the invention also performs clustering modeling on the non-trusted environment and the trusted environment to supplement the risk index characteristics of the stealing domain, so that the credit fraud combined with cheating and stealing can be identified.

In one embodiment, the variables and algorithms used in the credit fraud identification method provided by embodiments of the present invention are computationally relatively fast. The device information acquired by the edge cloud technology also supports the real-time synchronization capability, so that real-time online risk analysis of a large number of transaction requests becomes possible.

Fig. 7 shows a credit fraud recognition apparatus according to an embodiment of the present invention. As shown in fig. 7, the credit fraud recognition apparatus includes:

a receiving module 61, configured to receive a transaction request;

the data acquisition module 62 is configured to acquire transaction information, account information of both transaction parties, device information of a transaction paying party, and a cheated risk score made for the transaction paying party according to the transaction request;

the risk evaluation module 63 is used for generating a risk evaluation result according to the transaction information, the account information of both transaction parties, the equipment information of a transaction paying party and the cheated risk score made on the transaction paying party;

and a sending module 64, configured to send a risk prompt if the risk assessment result is risky.

As can be seen from the foregoing embodiments, the credit fraud identification apparatus provided in the embodiments of the present invention calculates the fraud risk score for the user, and uses the fraud risk score for modeling and risk assessment, so that compared with the existing fraud identification technology, the fraud risk score variable is added, and credit fraud identification can be completed better.

As an embodiment, the credit fraud identification apparatus further includes a fraud risk scoring module 65 configured to:

Through the embodiment, the cheated risk score for the transaction paying-out party can be calculated and used for calculating the risk evaluation result subsequently. Because the deception risk of the user is not considered when credit fraud is identified in the prior art, the risk of the easily deceived people is depicted, and the deceived risk score of the user is output by adopting a comprehensive scoring method to serve as modeling feature supplement. Meanwhile, equipment information is added as supplement, for example, switching frequency between equipment applications, and equipment installation high-risk application information is used as supplement of transaction event information, so that the accuracy of model identification is effectively improved.

As an embodiment, the user information variable includes at least one of user age, frequent pattern frequency of user frequent premises, city grade of user frequent premises, account authentication duration of user, account fund grade of user;

As an embodiment, the risk assessment module 63 is configured to:

As an embodiment, the transaction information includes at least one of user information of both transaction parties, whether both transaction parties have the same trusted city within a third preset period, whether equipment or certificate of a transaction paying party and certificate of a transaction income party have transaction history within a fourth preset period;

the account information of the transaction income party comprises at least one of the historical province number of income accounts under the same issuer identification code, the failed transaction proportion of income cards bound by the income accounts, and the payment times of the income cards bound by the income accounts under the non-trusted environment.

As one embodiment, the device information of the transaction payer is collected from the device of the transaction payer using edge cloud technology.

As an embodiment, the sending module 64 is configured to:

As an embodiment, after sending the transaction risk reminder, the sending module 64 is configured to:

As an embodiment, the receiving module 61 is configured to receive identity information provided by a transaction paying-out party;

if the identity information is not verified, the sending module 64 is configured to send a transaction failure message or limit the transaction right.

As one example, the identity information is biometric information of the transaction issuer. Because the current transaction is in a fraud risk state, if the conventional password login or authentication code input mode is used, the fraud transaction is not prevented, so that the identity verification mode of the biological identification information can be adopted to better identify whether the operation user of the current transaction is the user himself or herself, and the transaction safety is guaranteed.

As an embodiment, the sending module 64 is configured to:

Fig. 8 is a hardware schematic diagram of an embodiment of the apparatus for performing the credit fraud identification method according to the embodiment of the present invention.

As shown in fig. 8, the apparatus includes:

one or more processors 71 and a memory 72, one processor 71 being exemplified in fig. 8.

The apparatus for performing the credit fraud identification method may further include: an input device 73 and an output device 74.

The processor 71, the memory 72, the input device 73 and the output device 74 may be connected by a bus or other means, which is exemplified in fig. 8.

Memory 72, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules (e.g., receiving module 61, data obtaining module 62, risk assessment module 63, and sending module 64 shown in fig. 7) corresponding to the credit fraud identification method in the embodiment of the present application. The processor 71 executes various functional applications and data processing of the server by executing nonvolatile software programs, instructions and modules stored in the memory 72, namely, implements the credit fraud identification method of the above-described method embodiment.

The memory 72 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created from use of the credit fraud identification apparatus, and the like. Further, the memory 72 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 72 may optionally include memory located remotely from processor 71, and these remote memories may be connected to the member user behavior monitoring device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The input device 73 may receive input numeric or character information and generate key signal inputs related to user settings and function controls of the credit fraud recognition apparatus. The output device 74 may include a display device such as a display screen.

The one or more modules are stored in the memory 72 and, when executed by the one or more processors 71, perform the credit fraud identification method of any of the method embodiments described above. The technical effect of the embodiment of the device for executing the credit fraud identification method is the same as or similar to that of any method embodiment.

Embodiments of the present application provide a non-transitory computer storage medium, where a computer-executable instruction is stored, and the computer-executable instruction may execute a processing method for list item operations in any of the above method embodiments. Embodiments of the non-transitory computer storage medium may be the same or similar in technical effect to any of the method embodiments described above.

Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes in the methods of the above embodiments may be implemented by a computer program that can be stored in a computer-readable storage medium and that, when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. The technical effect of the embodiment of the computer program is the same as or similar to that of any of the method embodiments described above.

Furthermore, the apparatuses, devices, etc. described in the present disclosure may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television, etc., and may also be large terminal devices, such as a server, etc., and therefore the scope of protection of the present disclosure should not be limited to a specific type of apparatus, device. The client disclosed by the present disclosure may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.

Furthermore, the method according to the present disclosure may also be implemented as a computer program executed by a CPU, which may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method of the present disclosure.

Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.

Further, it should be appreciated that the computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as synchronous RAM (DRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.

Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.

In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.

Disclosed exemplary embodiments should be noted, however, that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosure may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.

It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.

The above-mentioned serial numbers of the embodiments of the present disclosure are merely for description and do not represent the merits of the embodiments.

It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of an embodiment of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims

1. A credit fraud identification method is applied to a server side and comprises the following steps:

receiving a transaction request;

and if the risk assessment result is at risk, sending a risk prompt.

2. The method of claim 1, further comprising:

3. The method of claim 2, wherein the user information variables include at least one of user age, frequent occurrence of frequent user premises, city class of frequent user premises, account authentication duration of the user, account fund class of the user;

4. The method of claim 1, wherein generating a risk assessment result according to the transaction information, account information of both transaction parties, and device information and cheated risk score of a transaction paying party comprises:

5. The method of claim 4, further comprising:

6. The method of claim 4, further comprising:

7. The method of claim 6, wherein generating a risk assessment result according to the transaction information, account information of both transaction parties, and device information and cheated risk score of a transaction paying party comprises:

8. The method according to claim 1, wherein the transaction information includes at least one of user information of both parties of the transaction, whether both parties of the transaction have the same credible city within a third preset period, whether equipment or certificate of a payment party of the transaction and certificate of a income party of the transaction exist in transaction history within a fourth preset period;

9. The method of claim 1, wherein the transaction issuer device information is collected from a transaction issuer device using edge cloud technology.

10. The method of claim 1, wherein sending a risk hint comprises:

11. The method of claim 10, wherein after sending the transaction risk reminder, further comprising:

12. The method according to claim 10 or 11, wherein after sending the identity verification prompt, further comprising:

receiving identity information provided by a transaction paying party;

if the identity information is verified to pass, the transaction is released;

13. The method of claim 12, wherein the identity information is biometric information of a transaction issuer.

14. The method of claim 1, wherein sending a risk hint comprises:

15. A credit fraud recognition apparatus, comprising:

a receiving module for receiving a transaction request;

16. The apparatus of claim 15, further comprising a spoofed risk scoring module for:

17. The apparatus of claim 16, wherein the user information variables comprise at least one of user age, frequent occurrence of frequent user premises, city class of frequent user premises, account authentication duration of user, account fund class of user;

18. The apparatus of claim 15, wherein the risk assessment module is configured to:

19. The apparatus of claim 18, wherein the risk assessment module is configured to:

20. The apparatus of claim 18, wherein the risk assessment module is configured to:

21. The apparatus of claim 20, wherein the risk assessment module is configured to:

22. The apparatus of claim 15, wherein the transaction information comprises at least one of user information of both parties of the transaction, whether both parties of the transaction have the same trusted city within a third preset period, whether a device or certificate of a payment party of the transaction and a certificate of a income party of the transaction have a transaction history within a fourth preset period;

23. The apparatus of claim 15, wherein the transaction issuer device information is collected from a transaction issuer device using edge cloud technology.

24. The apparatus of claim 15, wherein the sending module is configured to:

25. The apparatus of claim 24, wherein after sending the transaction risk reminder, the sending module is configured to:

26. The apparatus of claim 24 or 25, wherein the receiving module is configured to receive identity information provided by a transaction payor;

27. The apparatus of claim 26, wherein the identity information is biometric information of the transaction issuer.

28. The apparatus of claim 15, wherein the sending module is configured to:

29. An electronic device, comprising:

at least one processor; and the number of the first and second groups,

a memory communicatively coupled to the at least one processor; wherein,

the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-14.

30. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 14.