File size: 5,370 Bytes
b3112c7
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
{
  "version": 1,
  "seed": 42,
  "histories_path": "data/synthetic/token_ids.npy",
  "stage_names": [
    "pre_attack",
    "probing",
    "monetization",
    "exfiltration",
    "dormant"
  ],
  "type_names": [
    "victim_fraud",
    "account_takeover",
    "scam_redirected",
    "declined_legit"
  ],
  "cast": [
    {
      "pattern": "probing_then_takeover",
      "display_name": "Customer A \u2014 card just got tested",
      "customer_idx": 16,
      "flagged_idx": 39,
      "stage_label": 1,
      "stage_label_name": "probing",
      "type_label": 1,
      "type_label_name": "account_takeover",
      "description": "3+ small-amount CNP transactions in the 6-tx window before tx39, and the flagged transaction uses a device that appears nowhere else in the history. Probing in progress on a compromised card.",
      "context_text": "Upstream fraud detector escalated transaction 39 at score 0.84. Assess pattern stage and type.",
      "diagnostics": {
        "probe_density": 5,
        "post_attack_density": 0,
        "novel_device": true,
        "signature_clean": false,
        "recent_authorize_density": 7
      },
      "original_customer_idx": 147105
    },
    {
      "pattern": "exfiltration_takeover",
      "display_name": "Customer B \u2014 full attack chain",
      "customer_idx": 6,
      "flagged_idx": 11,
      "stage_label": 3,
      "stage_label_name": "exfiltration",
      "type_label": 1,
      "type_label_name": "account_takeover",
      "description": "Probing cluster preceding the flag AND multiple large unfamiliar-merchant charges around tx11. Novel device. Mature account takeover, attacker is harvesting.",
      "context_text": "URGENT: tx 11 flagged at 0.92. Pre-decline window closing \u2014 classify now.",
      "diagnostics": {
        "probe_density": 0,
        "post_attack_density": 3,
        "novel_device": true,
        "signature_clean": false,
        "recent_authorize_density": 0
      },
      "original_customer_idx": 34242
    },
    {
      "pattern": "monetization_victim",
      "display_name": "Customer C \u2014 handed over card info",
      "customer_idx": 0,
      "flagged_idx": 22,
      "stage_label": 2,
      "stage_label_name": "monetization",
      "type_label": 0,
      "type_label_name": "victim_fraud",
      "description": "Probing-then-big-purchase pattern at tx22, but the device fingerprint matches the customer's normal devices. Customer likely shared credentials under social engineering.",
      "context_text": "Investigation requested for transaction 22. Upstream model score 0.78. Stage + type?",
      "diagnostics": {
        "probe_density": 3,
        "post_attack_density": 1,
        "novel_device": false,
        "signature_clean": false,
        "recent_authorize_density": 0
      },
      "original_customer_idx": 7105
    },
    {
      "pattern": "scam_redirected",
      "display_name": "Customer D \u2014 romance scam pattern",
      "customer_idx": 7,
      "flagged_idx": 22,
      "stage_label": 1,
      "stage_label_name": "probing",
      "type_label": 2,
      "type_label_name": "scam_redirected",
      "description": "Customer's last 16 transactions show 5+ CNP charges to unfamiliar merchants on the customer's own device. Pattern consistent with customer-authorized scam payments.",
      "context_text": "Hey, tx 22 pinged the fraud detector at 0.66. What's going on?",
      "diagnostics": {
        "probe_density": 4,
        "post_attack_density": 0,
        "novel_device": false,
        "signature_clean": false,
        "recent_authorize_density": 5
      },
      "original_customer_idx": 44699
    },
    {
      "pattern": "dormant_false_positive",
      "display_name": "Customer E \u2014 false alarm",
      "customer_idx": 10,
      "flagged_idx": 28,
      "stage_label": 4,
      "stage_label_name": "dormant",
      "type_label": 3,
      "type_label_name": "declined_legit",
      "description": "Flagged transaction matches the customer's normal signature: home country, CVV match, AVS match, familiar merchant, no probe cluster, no exfil density. Likely an upstream rules false-positive.",
      "context_text": "Investigator review on tx 28 (detector 0.61). Need stage + type.",
      "diagnostics": {
        "probe_density": 0,
        "post_attack_density": 0,
        "novel_device": false,
        "signature_clean": true,
        "recent_authorize_density": 0
      },
      "original_customer_idx": 75149
    },
    {
      "pattern": "pre_attack_signal",
      "display_name": "Customer F \u2014 early warning",
      "customer_idx": 13,
      "flagged_idx": 25,
      "stage_label": 0,
      "stage_label_name": "pre_attack",
      "type_label": 1,
      "type_label_name": "account_takeover",
      "description": "Single anomalous transaction at tx25 with no chain evidence yet (no probe cluster, no exfil density). Device is novel. Step-up auth + watch.",
      "context_text": "tx25 flagged @ 0.71. Classify.",
      "diagnostics": {
        "probe_density": 0,
        "post_attack_density": 0,
        "novel_device": true,
        "signature_clean": false,
        "recent_authorize_density": 3
      },
      "original_customer_idx": 96744
    }
  ],
  "subset_note": "customer_idx values have been remapped to [0, N) for HF Space deployment. original_customer_idx preserves the source pool index."
}