The latest articles on Forem by Versal (@versal). https://forem.com/versal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3818854%2F131f6dcd-8fe1-44ca-bcf0-2d2cc64f733c.png https://forem.com/versal en Versal Wed, 11 Mar 2026 18:46:32 +0000 https://forem.com/versal/just-published-a-post-on-how-graph-intelligence-can-detect-fraud-in-real-time-a-transaction-18f5 https://forem.com/versal/just-published-a-post-on-how-graph-intelligence-can-detect-fraud-in-real-time-a-transaction-18f5 <div class="ltag__link"> <a href="/versal" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3818854%2F131f6dcd-8fe1-44ca-bcf0-2d2cc64f733c.png" alt="versal"> </div> </a> <a href="https://dev.to/versal/the-fraud-that-was-two-hops-away-1dbp" class="ltag__link__link"> <div class="ltag__link__content"> <h2>The Fraud That Was Two Hops Away</h2> <h3>Versal ・ Mar 11</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#fintech</span> <span class="ltag__link__tag">#neptune</span> <span class="ltag__link__tag">#graph</span> <span class="ltag__link__tag">#fraud</span> </div> </div> </a> </div> algorithms cybersecurity database security Versal Wed, 11 Mar 2026 18:38:30 +0000 https://forem.com/versal/the-fraud-that-was-two-hops-away-1dbp https://forem.com/versal/the-fraud-that-was-two-hops-away-1dbp <p>At 2:17 AM, a payment request hit our system.</p> <p>Everything looked clean.</p> <p>New phone number.<br> New email.<br> New card.</p> <p>Any normal fraud system would approve it instantly.</p> <p>Ours almost did too.</p> <p>But before the transaction completed, our graph engine performed a relationship traversal — and within <strong>50 milliseconds</strong>, it uncovered something surprising.</p> <p>This “clean” transaction was secretly connected to a <strong>known fraud case through two hops</strong>.</p> <p>And that’s when the transaction was blocked.</p> <h2> The Problem With Traditional Fraud Systems </h2> <p>Most fraud systems treat transactions like <strong>isolated events</strong>.</p> <p>A payment comes in and we ask questions like:</p> <ul> <li>Has this card been reported before?</li> <li>Has this email been used in fraud?</li> <li>Is this phone number suspicious?</li> </ul> <p>If everything looks new, the transaction usually passes.</p> <p>And fraudsters know this.</p> <p>So they don't reuse the <strong>exact same details</strong>.</p> <p>Instead, they build <strong>networks</strong>.</p> <p>They reuse parts of their identity across different transactions — sometimes a phone number, sometimes an email, sometimes a device.</p> <p>Individually, these transactions look harmless.</p> <p>But together, they tell a different story.</p> <h2> Thinking in Relationships Instead of Rows </h2> <p>To uncover these hidden connections, we started modeling transactions differently.</p> <p>Instead of storing everything in tables, we built a <strong>relationship graph</strong> using <strong>Amazon Neptune</strong>.</p> <p>In this system:</p> <ul> <li>Every <strong>transaction</strong> is a node</li> <li>Every <strong>entity</strong> (phone, email, card, device) is also a node</li> <li>Relationships connect them</li> </ul> <p>So a transaction might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>T1 ├── Phone: P1 └── Email: E1 </code></pre> </div> <p>If another transaction uses the same phone number, it connects to the same node.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>P1 ├── T1 └── T2 </code></pre> </div> <p>Over time, transactions stop being isolated records.</p> <p>They become part of a <strong>network of identities</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz2dku4z8il75pumclxvm.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz2dku4z8il75pumclxvm.jpeg" alt="Image" width="800" height="493"></a></p> <blockquote> <p>Fraud rarely happens alone. It usually exists inside a network of relationships.</p> </blockquote> <h2> The First Fraud Case </h2> <p>Let’s go back to the real example.</p> <p>A transaction <strong>T1</strong> happened earlier.</p> <p>It used:</p> <p>Phone → <strong>P1</strong><br> Email → <strong>E1</strong></p> <p>Later, the customer reported it as fraud.</p> <p>So we marked <strong>T1 as fraudulent</strong> in the graph.</p> <h2> A Suspicious But Allowed Transaction </h2> <p>Later another transaction appeared.</p> <p>Transaction <strong>T2</strong></p> <p>Phone → <strong>P1</strong><br> Email → <strong>E2</strong></p> <p>This shared the same phone number as the fraudulent transaction.</p> <p>But we didn't block it.</p> <p>Why?</p> <p>Because blocking everything with a <strong>single connection</strong> can create too many false positives.</p> <p>So the system allowed it.</p> <p>But the graph remembered the relationship.</p> <h2> The Transaction That Exposed the Network </h2> <p>Now comes the interesting part.</p> <p>A third transaction arrived.</p> <p>Transaction <strong>T3</strong></p> <p>Phone → <strong>P3</strong><br> Email → <strong>E2</strong></p> <p>At first glance, it looked completely unrelated to the fraud.</p> <p>Different phone.<br> Different email from the fraud case.<br> Different card.</p> <p>But the graph engine performed a traversal.</p> <p>And it found this path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>T3 → E2 → T2 → P1 → T1 (Fraud) </code></pre> </div> <p>T3 was <strong>two hops away from a confirmed fraud transaction</strong>.</p> <h2> Why This Works </h2> <p>Fraudsters rarely operate using a single identity.</p> <p>They build <strong>fraud infrastructures</strong> using:</p> <ul> <li>burner phone numbers</li> <li>disposable emails</li> <li>shared devices</li> <li>mule accounts</li> </ul> <p>Each transaction may look legitimate on its own.</p> <p>But the <strong>network behind it tells the real story</strong>.</p> <p>Graph intelligence lets us detect:</p> <ul> <li>fraud rings</li> <li>shared infrastructure</li> <li>hidden identity connections</li> <li>multi-hop fraud relationships</li> </ul> <p>And it does this <strong>in milliseconds</strong>.</p> <h2> Real-Time Fraud Detection </h2> <p>When a new transaction arrives:</p> <ol> <li>It is inserted into the graph</li> <li>The system explores nearby relationships</li> <li>It checks if the transaction connects to known fraud patterns</li> <li>The decision happens <strong>before authorization</strong> </li> </ol> <p>All of this happens in about <strong>50ms</strong>.</p> <p>Fast enough to stop fraud <strong>before the payment completes</strong>.</p> <h2> Final Thought </h2> <p>Fraud isn't just about suspicious transactions.</p> <p>It's about <strong>suspicious relationships</strong>.</p> <p>The most dangerous transaction isn't always the one directly linked to fraud.</p> <p>Sometimes it's the one <strong>two hops away</strong>.</p> <p>And unless you're looking at the network, you'll never see it.</p> fintech neptune graph fraud