Pitfalls on the Road to Building a Risk Control System 03 – Blocking the Risk | A CPO Shares His Experience

Time: 2020-3-21

In the previous article of this series, "Pitfall 02: Risk Analysis", we covered how to analyze the collected data and output risk events. At that point, however, the output alerts were still detached from the business system and could not be acted on.

It goes without saying: we can't just sit there admiring our own alerts; we have to actually stop these risks to generate real business value.

Before we start, let’s review the four main things that business risk control does:

1. Get enough data
2. Build an analysis platform flexible enough to analyze that data
3. Output risk events to block the risk
4. Quantify the value of risk interception and keep analyzing cases to optimize strategy

With the third step, we are only one step away from completing the core framework of the whole system, so let's look at what needs to be considered in this link:

1. Give business R&D a straightforward decision result

The alerts and problems we finally dig out of the data are ultimately blocked inside the business logic. When handing these results over, analysts often feel there is a lot of information worth exposing: which rules were hit, when they were hit, when they expire. The thing that bothers the integrating side most is the risk score. For R&D engineers who have integrated many risk control systems, these scores all produce the same headache:

What do you want me to do with this, block or not? If at this point you throw them a score plus a threshold for blocking, R&D will mostly tell you: just give me the result directly.

Yes, many risk control interface designs are very cumbersome. With so much useless information in them, R&D will feel you are deliberately wasting their bandwidth. In fact, a code list that tells them which action to take is enough. Package the intermediate results you are so proud of into the final result before you hand it out.
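As an added illustration (not code from the original article or from the author's products), this Python sketch folds the intermediate results (rule hits, scores, hit and expiry times) into a single action code plus reason codes; the rule names, thresholds and the ALLOW/CHALLENGE/BLOCK code list are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
import json


class Action(str, Enum):
    # Constructed code list: the only thing business R&D has to branch on.
    ALLOW = "ALLOW"          # release the request
    CHALLENGE = "CHALLENGE"  # route to the unified captcha page
    BLOCK = "BLOCK"          # refuse the request / force logout


@dataclass
class RuleHit:
    """One intermediate result from the analysis platform (stays internal)."""
    rule_id: str
    score: int        # analyst's score, never exported as-is
    hit_at: int       # unix seconds
    expires_at: int   # after this the hit is stale and must be ignored


# Constructed policy: hard rules force an action, everything else goes by total score.
HARD_BLOCK_RULES = {"device_blacklist", "stolen_card"}
CHALLENGE_THRESHOLD = 50
BLOCK_THRESHOLD = 80


def decide(hits, now):
    """Fold rule hits, scores and expiry into one action plus reason codes."""
    live = [h for h in hits if h.hit_at <= now < h.expires_at]
    reasons = sorted({h.rule_id for h in live})
    if any(h.rule_id in HARD_BLOCK_RULES for h in live):
        return Action.BLOCK, reasons
    total = sum(h.score for h in live)
    if total >= BLOCK_THRESHOLD:
        return Action.BLOCK, reasons
    if total >= CHALLENGE_THRESHOLD:
        return Action.CHALLENGE, reasons
    return Action.ALLOW, []


def to_wire(action, reasons, request_id):
    """The entire response R&D sees: a code to act on, reason codes for support staff."""
    return json.dumps({"request_id": request_id, "action": action.value, "reasons": reasons})


if __name__ == "__main__":
    # Constructed sample hits for one login request; the third one has already expired.
    hits = [RuleHit("ip_rate_limit", 30, 1000, 1600),
            RuleHit("new_device_login", 25, 1000, 1600),
            RuleHit("proxy_ip", 40, 100, 900)]
    action, reasons = decide(hits, now=1200)
    print(to_wire(action, reasons, "req-001"))
```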

2. T+0 or T+1

Let me use an example to explain the difference between real-time (T+0) and asynchronous (T+1) risk judgment.

T+1

You are in a boxing match, and player A only ever punches at the face. As soon as he comes up, he punches you in the face. You analyze it and conclude that punches to the face hurt a lot and are unscientific. As he winds up for the second punch to the face, you suddenly tell him that face punches are banned, and he is successfully restrained. That is the characteristic of T+1: the block can only take effect from the second risk attack at the earliest.

T+0

In the second bout you face player B. You tell him face punches are banned; he says fine, then punches you in the stomach. You say stomach punches are banned too, and he hits your armpit instead. This time, you find yourself announcing the ban in the instant before the opponent's punch lands. That is T+0.

Because T+0 has to bear a lot of extra computing cost at access time, and the result must be computed on the spot under tight latency requirements, real-time judgment is usually only used where the attacker is touching key steps (such as order payment or a withdrawal request). For other scenarios, such as logging in or submitting an order, the T+1 method can be chosen.

3. From blocking logic to a blocking product

We have talked about this point a lot in our external talks. When blocking risks, the events occur at different points in the business, but in the short term it is impossible for business R&D to add risk-blocking hooks in every one of those places. So what should we do?

We therefore need to consider a few basic measures that guarantee the bottom line. For example, a unified verification-code (captcha) page can stop any crawler or script behavior at the IP layer, and at the account layer, login-state management can block any risky behavior of a single account after login (global forced logout).

These measures may not give the best user experience, but when a special problem comes up, you cannot control how long it takes R&D to add ad-hoc blocking logic for you.
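An added example of the two bottom-line measures above (constructed for this page, not the author's product code): an IP-layer captcha challenge with an expiry, and account-layer login-state management where a per-account "generation" counter makes a global forced logout a single increment. The store, code names and timings are assumptions.

```python
import secrets


class BottomLineBlocker:
    """Generic blocks that need no per-feature R&D work (constructed example)."""

    def __init__(self):
        self.ip_challenge_until = {}   # ip -> unix seconds until captcha is required
        self.account_generation = {}   # account -> current login-state generation
        self.sessions = {}             # session_id -> (account, generation, expires_at)

    # IP layer: anything that looks like a script gets the unified captcha page.
    def challenge_ip(self, ip, now, seconds):
        self.ip_challenge_until[ip] = now + seconds

    def captcha_passed(self, ip):
        self.ip_challenge_until.pop(ip, None)

    # Account layer: login-state management.
    def login(self, account, now, ttl=3600):
        gen = self.account_generation.setdefault(account, 0)
        sid = secrets.token_hex(16)
        self.sessions[sid] = (account, gen, now + ttl)
        return sid

    def force_logout(self, account):
        """Global forced logout: bump the generation so every session issued before it is stale."""
        self.account_generation[account] = self.account_generation.get(account, 0) + 1

    def gate(self, ip, sid, now):
        """Called on every business request; returns one code R&D can branch on."""
        if self.ip_challenge_until.get(ip, 0) > now:
            return "CAPTCHA"
        entry = self.sessions.get(sid)
        if entry is None:
            return "LOGIN"
        account, gen, exp = entry
        if now >= exp or gen != self.account_generation.get(account, 0):
            self.sessions.pop(sid, None)   # stale session: drop it and re-authenticate
            return "LOGIN"
        return "PASS"
```

Because every existing session of the account compares its stored generation against the current one, the logout takes effect on the very next request from any device without enumerating sessions.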

Pitfalls

1. Where in the logic the risk control block is hooked in

At login, the request goes to risk control as soon as the mouse leaves the account input box; judging after the login result is already out is meaningless. Fund-related checks are usually made before jumping to the cashier page. You will find that risk judgment generally happens before the result comes out, that is, before the complete log of this behavior has been collected. Therefore, if you want to make a T+0 judgment, R&D has to provide more complete information at the moment the risk judgment is made, rather than just an IP or an account name (which is often enough for T+1).

2. Fully investigate and keep an eye on business traffic

A business whose traffic is normally tiny can suddenly spike because of a certain activity (such as a flash sale). Besides knowing the expected risk-judgment request volume at the start of integration, you must prepare in advance for follow-up activities; otherwise, if resources are under-estimated and the spike happens to coincide with a T+0 interface that has a lot of logic to compute on the spot, the surging traffic will teach you a lesson within minutes.

3. Bypass! Bypass! Bypass!

The most basic principle of risk judgment is that it must not affect the business logic, so a timeout mechanism must be strictly agreed on and implemented from the very beginning. Once the risk control interface exceeds the agreed response time, the business request is released immediately.
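An added example (not code from the original article) tying together the T+0/T+1 distinction from section 2 and the bypass rule above: a business-side gateway that calls the risk interface synchronously with a hard timeout and fails open on T+0, and queues events for asynchronous judgment on T+1 so the verdict lands on the account's next request. The `risk_judge` stub, the 50 ms timeout and the amount threshold are constructed assumptions.

```python
import queue
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError


def risk_judge(event):
    """Constructed stand-in for the risk control interface: simulated latency, naive rule."""
    time.sleep(event.get("latency", 0))
    return "BLOCK" if event.get("amount", 0) > 10000 else "ALLOW"


class RiskGateway:
    """Business-side wrapper: T+0 with a hard timeout (fail open), T+1 via a queue."""

    def __init__(self, timeout_s=0.05):
        self.timeout_s = timeout_s          # agreed with R&D before go-live
        self.pool = ThreadPoolExecutor(max_workers=8)
        self.pending = queue.Queue()        # T+1 events awaiting judgment
        self.blocked = set()                # T+1 verdicts applied to later requests
        self.bypassed = 0                   # count timeouts so they can be alarmed on

    def check_t0(self, event):
        """T+0: judge on the spot, but never hold the business request past the timeout."""
        fut = self.pool.submit(risk_judge, event)
        try:
            return fut.result(timeout=self.timeout_s)
        except TimeoutError:
            fut.cancel()
            self.bypassed += 1
            return "ALLOW"                  # release the request; bypass is the contract

    def drain_t1(self):
        """Async worker: judge queued events; verdicts take effect on the next request."""
        while not self.pending.empty():
            ev = self.pending.get_nowait()
            if risk_judge(ev) == "BLOCK":
                self.blocked.add(ev["account"])

    def handle(self, event, realtime):
        """realtime=True for key steps (payment, withdrawal); False for login, order submit."""
        if event["account"] in self.blocked:
            return "BLOCK"
        if realtime:
            return self.check_t0(event)
        self.pending.put(event)
        return "ALLOW"
```

The `bypassed` counter is the number to put an alert on: a silently rising bypass rate means the risk interface is degraded and requests are being released unjudged.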

4. Let front-line colleagues know what you are doing

No risk control system is 100% accurate. So after you have coordinated with R&D and the integration is in place, you must tell the front-line colleagues how a risk control block will appear and the general reasons for it, so that front-line customer service is not left unable to explain complaints caused by blocks. Also give them concrete response measures (add to the whitelist, remove from the blacklist, etc.). On some days, such as 315 (March 15, Consumer Rights Day), the mood for defending one's rights runs very high.

Epilogue

Blocking is the link that ultimately produces real value, and it is also the link the related departments are most sensitive about ("you pestered me for half a day to integrate with risk control, and now it causes me problems all day long? Is the production environment your playground?!"). Please protect this vital trust; your later work will go far more smoothly.

Finally, please look forward to the last part of this series: "Quantifying the value of risk interception and continuously analyzing cases for strategy optimization".

Anti-crawler
Source: http://bigsec.com/

Author introduction

Liu Ming, co-founder and Chief Product and Technology Officer of Yao'an Technology.
More than 6 years of risk control and product experience. He previously worked at NetEase, responsible for the security of the Chinese account system of World of Warcraft. He now leads Yao'an's internet-business risk control team, providing customers with risk control services including the flagship products Warden and Red.Q.