# Fraud Prevention System

### Protection Layers

Three independent systems work in concert to provide comprehensive fraud coverage at the point of payment.

* Anti-Bot: Behavioral analysis and challenge-response to detect and block automated traffic.
* Anti-Card Testing: Detects rapid sequential payment attempts characteristic of stolen card validation.
* Device Fingerprint: Persistent device identity tracking to link activity across sessions and accounts.

### Anti-Bot Detection <a href="#anti-bot" id="anti-bot"></a>

The anti-bot layer analyses dozens of passive signals during the payment session, including mouse movement entropy, keystroke timing, browser environment consistency, and TLS fingerprint, to produce a **bot confidence score** for each checkout attempt. We also use a Cloudflare CAPTCHA as an additional layer of protection.

### Anti-Card Testing <a href="#card-testing" id="card-testing"></a>

Card testing attacks involve running large numbers of stolen card numbers against a payment endpoint to identify valid ones. Our system detects this pattern through velocity checks on both the user account and the device fingerprint, regardless of whether a new guest session is opened.

#### Detection rules

```
card_testing:
  max_declined_attempts: 3          # within rolling window
  velocity_window_seconds: 300      # 5-minute window
  distinct_cards_threshold: 3       # unique PANs per session
  small_amount_probe_limit: 2       # ≤ $1 micro-auth attempts
  block_duration_hours: 24          # first offence
  repeat_offence_action: "permanent"
```

Detections are keyed on a composite of device fingerprint ID, IP subnet (/24), and account ID (when authenticated). All three keys are checked independently; a match on any single key is sufficient to trigger a block.
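The rules and keying described above, as an added Python example (not this system's own code): each attempt is recorded under the device, /24 subnet and account keys, and each key's rolling window is evaluated on its own. The class and function names, the tokenised card value `card_token`, amounts in cents, counting distinct cards per key rather than per session, and the reading that a rule fires when its count reaches the configured value are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Thresholds copied from the card_testing rules on this page.
MAX_DECLINED, WINDOW_SECONDS = 3, 300
DISTINCT_CARDS, SMALL_PROBE_LIMIT = 3, 2
SMALL_AMOUNT_CENTS = 100  # "<= $1" expressed in cents

class CardTestingDetector:
    def __init__(self):
        # key -> deque of (ts, card_token, amount_cents, declined)
        self.events = defaultdict(deque)

    @staticmethod
    def keys_for(device_id, ip, account_id=None):
        # IPv4 /24 as described on the page; account key only when authenticated.
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        keys = [("device", device_id), ("subnet", str(subnet))]
        if account_id is not None:
            keys.append(("account", account_id))
        return keys

    def record(self, ts, device_id, ip, card_token, amount_cents, declined, account_id=None):
        """Store one attempt under every key; return the (key, rule) pairs that fired."""
        fired = []
        for key in self.keys_for(device_id, ip, account_id):
            window = self.events[key]
            window.append((ts, card_token, amount_cents, declined))
            while window[0][0] <= ts - WINDOW_SECONDS:  # drop events outside the window
                window.popleft()
            counts = {
                "max_declined_attempts": (sum(e[3] for e in window), MAX_DECLINED),
                "distinct_cards_threshold": (len({e[1] for e in window}), DISTINCT_CARDS),
                "small_amount_probe_limit": (
                    sum(e[2] <= SMALL_AMOUNT_CENTS for e in window), SMALL_PROBE_LIMIT),
            }
            # Assumption: a rule fires when its count reaches the configured value.
            fired += [(key, rule) for rule, (n, limit) in counts.items() if n >= limit]
        return fired

def run_sample():
    # Constructed data: one device, three guest sessions from different subnets.
    det = CardTestingDetector()
    attempts = [(0, "198.51.100.7", "tok_a"), (60, "203.0.113.9", "tok_b"),
                (120, "192.0.2.44", "tok_c")]
    return [det.record(ts, "dev-1", ip, tok, 5000, declined=True)
            for ts, ip, tok in attempts]
```

In the constructed sample the subnet key never accumulates more than one event, so only the device key fires on the third attempt, which is the case the page describes for rotating guest sessions.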

### Device Fingerprinting <a href="#device-fingerprint" id="device-fingerprint"></a>

Every checkout session generates a stable device fingerprint that persists across browser sessions, private/incognito mode, and VPN changes. This fingerprint is the primary identity used when evaluating fraud signals and enforcing blocks.

⚠ Fingerprints are stored server-side only. They are never exposed to client-side JavaScript and cannot be queried or tampered with by the user.

### Block Escalation <a href="#blocking" id="blocking"></a>

When a fraud signal is triggered, the system applies a progressive block policy keyed to the device fingerprint. The escalation is automatic and requires no manual intervention.

***

### Policy Summary <a href="#summary" id="summary"></a>

| Condition                 | Action                | Duration   | Reversible         |
| ------------------------- | --------------------- | ---------- | ------------------ |
| First fraud signal        | Payment blocked       | 24 hours   | Auto-lifted        |
| Retry during 24h block    | Permanent block       | Indefinite | Manual review only |
| Permanent block + attempt | Silent reject + alert | Indefinite | No                 |
| Card testing velocity     | Payment blocked       | 24 hours   | Auto-lifted        |
