Building risk control system, stepping on the road 03 – blocking risk | a CPO experience sharing


In the last series of articlesRisk analysis of the pit on the road of building risk control systemWe introduce how to analyze these data and produce risk events after collecting information, and the generated alarm has been separated from the business system and can not be used.

To put it bluntly:The analysis of things can not only look at high, but also to block these risks in order to truly generate business value

Before we start, let’s review the four main things that business risk control does:

1. Get enough data
2. Do enough flexible analysis platform to analyze data

3. The output risk event is used to block the risk
4. Quantifying the value of risk interception and continuously analyzing cases for strategy optimization

In the third step, we are only one step away from building the core framework of the whole system. Let’s take a look at what to consider in this link:

1. Finally presented to the business R & D straightforward judgment results

When accessing these results, analysts often think that there are many information that can be provided, such as what rules are hit, what are these rules, when they hit, and when they are expired. Among them, the most annoying one is the risk score In the R & D of multi access risk control, we can see that these scores are the same

What do you want me to do, stop or not? At this time, if you lose more than a few points to block, R & D will mostly tell you to give me the results directly.

Yes, many risk control interfaces are designed to be cumbersome. There is so much useless information that R & D will feel that you are deliberately wasting bandwidth. In fact, a code list should explain the operation they want to do. You must package the intermediate results that you think are very powerful into the final results and then give them out.

2. T + 0 or T + 1

Take an example to explain the difference between real-time (T + 0) and asynchronous (T + 1) risk judgments.


When you are in a boxing match, player a can only fight in the face. When he comes up, he hits you in the face. You analyze that it is very painful and unscientific. When the second punch comes to the face, you suddenly tell the other party that you can’t fight in the face, and the other party is successfully restrained by you. This is the characteristic of T + 1, which can take effect at least in the second risk attack;


In the second boxing match, player B was also beaten in the face. After being beaten, you said you can’t fight in the face. The other side said yes, and then you punched him in the stomach. You said it was forbidden to hit the stomach, and the other side punched the armpit again. At this time, you find that you should prohibit it before the opponent hits you immediately.
This is t + 0.

Because t + 0 has to bear a lot of extra calculation costs when accessing, and the results need to be calculated on site, and the delay requirement is very high, so the attacker usually only takes real-time judgment (such as order payment or withdrawal request) when the attacker has mastered the key steps. For other scenarios, you can choose t + 1 mode, such as login or order submission.

3. Blocking logic to blocking product

We have introduced this point a lot in our speeches. When blocking risks, the incident points are different, but it is impossible for business R & D to access risk blocking in all places in the short term?

Therefore, we need to consider several basic minimum protection measures, such as a unified verification code verification page to prevent any crawler script behavior in the IP layer, and to intercept any risk behavior of a single account after login (Global forced logout) through login management in the account layer.

Maybe these measures are not the best in experience, but when there are special problems, we have to wait for R & D to temporarily add blocking logic to you. This time can’t be controlled.

Pit position

1. Access to the logic position of risk control blocking

When logging in, if the mouse in the account input box is out of focus, it will go to risk control. It is meaningless to judge after the login results come out. For funds related, you will find that the general risk judgment is before the results come out (before collecting the entire log of this behavior). Therefore, if you want to make t + 0 judgment, R & D is required to make risk judgment When you need to provide more complete information, rather than just give an IP or account name (often t + 1 is enough).

2. Fully investigate and pay attention to the business flow

For a business that may have a small amount of traffic at ordinary times, suddenly, because of a large increase in traffic of a certain activity (such as seckill), in addition to understanding the request for risk judgment at the beginning of access, you should also prepare for subsequent activities in advance. Otherwise, if the resource estimation is insufficient, you will suddenly catch up with this point. There are a lot of logic for on-site calculation when connecting the T + 0 interface. The sudden increase of business traffic will teach you how to be a person in minutes.

3、bypass ! bypass ! bypass

The most basic principle of risk control risk judgment is not to affect the business logic, so the timeout mechanism should be strictly agreed and implemented at the beginning. Once the risk control interface exceeds the expected response time, the business request will be released immediately.

4. Let front-line colleagues know what you’re doing

The accuracy rate of any risk control is not 100%. Therefore, after communicating with the R & D team, we must tell the front-line colleagues about the possible appearance of risk control blocking and the general reasons, so as to avoid the front-line customer service from not knowing how to explain the risk interception complaints, and give specific blocking response measures (add white list, delete blacklist, etc., God in some days, such as 315 The awareness of safeguarding rights is very strong.


What’s more, it’s the real part that scares me? Production environment is for you to play Please protect this vital trust, and you will be more and more successful in the future.

Finally, please look forward to our final words in this series: the value of quantitative risk interception and continuous analysis of cases for strategy optimization.

Anti reptile

Introduction to the author

Liu Ming, co-founder and chief product technology officer of Ma’an Technology
With more than 6 years of experience in risk control and product, he once worked in Netease and was responsible for the account system security of world of Warcraft in China. Now he leads the risk control team of Huaan Internet business to provide customers with risk control services including star products warden and red. Q.