Fraud Detection (Velocity Limits)

Stopping credit card testing scripts by looking at the speed of actions, not just the action itself.

The idea

A legitimate user logs into your site, adds an item to their cart, and pays with a credit card. It takes about 2 minutes. A hacker who bought 10,000 stolen credit cards will write a script to test them all on your checkout page. The script will attempt 100 payments per second. Even if the individual transactions look normal, the speed (or Velocity) is completely inhuman. Velocity Limits track how often a specific entity (an IP address, a User ID, or a Credit Card Fingerprint) performs an action within a time window, instantly blocking abusive spikes.

[Diagram: Step 1, a legitimate user makes a payment.]

How it works (Windowed Counters in Redis)

Velocity rules are usually enforced at the API gateway or in the checkout service, backed by a fast in-memory store such as Redis. When a payment attempt arrives, the server increments a counter keyed on the entity being tracked (the client IP in the example below; a card fingerprint or account ID also catches attackers who rotate through proxies). If the counter exceeds the threshold for the window (e.g., 3 attempts in 1 hour), the request is rejected with 429 Too Many Requests before the card number ever reaches the payment processor, so the attacker cannot use your authorization traffic to learn which stolen cards are still live. Note that INCR plus EXPIRE gives a fixed window anchored at the first hit; a true sliding window needs a sorted set of timestamps, but the fixed counter is the usual starting point and is what the snippet below implements.

// Example: Velocity Limit (max 3 payments per hour per IP).
// The Express handler and the ioredis-style client around the check are
// added so the snippet runs as a whole; processPayment() is defined elsewhere.
const express = require('express');
const Redis = require('ioredis');
const app = express();
const redis = new Redis();

const LIMIT = 3;         // attempts allowed per window
const WINDOW_SEC = 3600; // 1 hour

app.post('/checkout/pay', async (req, res) => {
    // Behind a load balancer, set app.set('trust proxy', ...) or req.ip is the proxy's address.
    const ipAddress = req.ip;
    const redisKey = `payments:velocity:${ipAddress}`;

    // Create the key with its TTL before counting. SET ... NX only succeeds when
    // the key is absent, so the TTL is set exactly once per window and a crash
    // between INCR and a later EXPIRE cannot leave a counter that never expires
    // (which would lock the IP out for good).
    await redis.set(redisKey, 0, 'EX', WINDOW_SEC, 'NX');

    // INCR is atomic in Redis, so concurrent requests cannot race past the limit.
    const attempts = await redis.incr(redisKey);

    if (attempts > LIMIT) {
        return res.status(429).send('Velocity limit exceeded. Try later.');
    }
    processPayment();
});
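The difference between the fixed window that INCR plus EXPIRE gives you and a true sliding window is easiest to see on a burst that straddles the expiry boundary. The block below is an added example, not code from the original page: both limiters are kept in process memory so the comparison runs offline, and the sliding version mirrors the Redis sorted-set recipe (ZREMRANGEBYSCORE to evict old hits, ZADD to record this one, ZCARD to count) that you would run inside a MULTI at the gateway. The key name and every timestamp are constructed for the demonstration; clock values are injected rather than read from the system.

```javascript
// Added example (not from the original page): fixed window vs sliding window
// velocity limiting, in memory, with an injected clock.

class FixedWindowLimiter {
  // Counter anchored at the first hit; it vanishes when its TTL runs out,
  // which is exactly what INCR + EXPIRE does in Redis.
  constructor(limit, windowSec) {
    this.limit = limit;
    this.windowSec = windowSec;
    this.buckets = new Map(); // key -> { count, expiresAt }
  }

  hit(key, nowSec) {
    let bucket = this.buckets.get(key);
    if (!bucket || nowSec >= bucket.expiresAt) {
      // Key expired or never existed: start a fresh window (SET ... NX EX).
      bucket = { count: 0, expiresAt: nowSec + this.windowSec };
      this.buckets.set(key, bucket);
    }
    // INCR: denied attempts are counted too, so hammering keeps you blocked.
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

class SlidingWindowLimiter {
  // Every hit is timestamped; the count is "hits in the last windowSec seconds".
  constructor(limit, windowSec) {
    this.limit = limit;
    this.windowSec = windowSec;
    this.hits = new Map(); // key -> ascending array of hit timestamps
  }

  hit(key, nowSec) {
    const cutoff = nowSec - this.windowSec;
    // ZREMRANGEBYSCORE key -inf cutoff: drop hits that fell out of the window.
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    // ZADD key nowSec <member>: record this hit. In Redis the member must be
    // unique (e.g. `${nowMs}:${random}`) or simultaneous hits collapse into one.
    recent.push(nowSec);
    this.hits.set(key, recent);
    // ZCARD key: how many hits remain inside the window.
    return recent.length <= this.limit;
  }
}

// Attacker timeline in seconds (constructed): one "priming" attempt at t=0,
// two more just before that attempt's TTL expires, then three immediately
// after. Six card tests land in a five-second span across the boundary.
const BOUNDARY_BURST = [0, 3598, 3599, 3600, 3601, 3602];

function runTimeline(limiter, key, timeline) {
  return timeline.map((t) => limiter.hit(key, t));
}

function fixedWindowVerdicts() {
  return runTimeline(new FixedWindowLimiter(3, 3600), 'card:fp:4242', BOUNDARY_BURST);
}

function slidingWindowVerdicts() {
  return runTimeline(new SlidingWindowLimiter(3, 3600), 'card:fp:4242', BOUNDARY_BURST);
}

console.log('fixed  :', fixedWindowVerdicts());   // all six allowed
console.log('sliding:', slidingWindowVerdicts()); // the last two are blocked
```

The fixed window lets the attacker run nearly twice the limit through in a few seconds, because the counter resets the instant the key expires; the sliding window sees the three hits from the end of the old window and refuses the extra ones. Both implementations count denied attempts, as INCR does, so an attacker who keeps retrying stays blocked instead of slipping in once the oldest hit ages out.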

Cost

Velocity tracking means keeping a counter for every entity that has acted within the window, for every rule you enforce. Each counter is tiny, but with millions of active users and several rules (logins/hr, payments/hr, password-resets/day) the store sits on the hot path of every request, so it has to be highly available and low-latency, not merely large. If Redis goes down you must decide, per rule, whether to "fail open" (allow the action and accept that card testing goes unchecked until the store recovers) or "fail closed" (block the action and accept that every legitimate payment fails until Redis recovers). Whichever you pick, mark the decision as degraded and alert on it so the outage is not silent.
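The fail-open versus fail-closed choice does not have to be global: a payment rule can fail closed while a login rule fails open. The block below is an added example, not code from the original page, showing a per-rule failure policy and a "degraded" flag that the caller can alert on. The store interface (`incr(key, windowSec)` resolving to the post-increment count), the rule names, thresholds, IP and user identifiers are all constructed for this example.

```javascript
// Added example (not from the original page): per-rule behaviour when the
// shared velocity store is unreachable. Store interface and rules are
// hypothetical, constructed for this demonstration.

const RULES = {
  'payments/hr':         { limit: 3,  windowSec: 3600,  onStoreError: 'closed' },
  'logins/hr':           { limit: 20, windowSec: 3600,  onStoreError: 'open' },
  'password-resets/day': { limit: 5,  windowSec: 86400, onStoreError: 'open' },
};

// store.incr(key, windowSec) resolves to the post-increment count for the
// window, the same contract as INCR + EXPIRE on Redis (hypothetical interface).
async function checkVelocity(store, ruleName, entity) {
  const rule = RULES[ruleName];
  if (!rule) throw new Error(`unknown velocity rule: ${ruleName}`);
  const key = `${ruleName}:${entity}`;
  try {
    const count = await store.incr(key, rule.windowSec);
    return { allowed: count <= rule.limit, degraded: false, count };
  } catch (err) {
    // Store is down. Apply the rule's policy instead of throwing into the
    // checkout path, and flag the decision so an operator sees the outage.
    return { allowed: rule.onStoreError === 'open', degraded: true, reason: err.message };
  }
}

// In-memory stand-in for a healthy store (no TTL handling; enough for the
// happy path). Constructed for the example.
class MemoryStore {
  constructor() { this.counts = new Map(); }
  async incr(key) {
    const next = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, next);
    return next;
  }
}

// Simulates a Redis that refuses every connection.
class DeadStore {
  async incr() { throw new Error('ECONNREFUSED'); }
}

async function demo() {
  const live = new MemoryStore();
  const verdicts = [];
  for (let i = 0; i < 4; i++) {
    verdicts.push((await checkVelocity(live, 'payments/hr', 'ip:203.0.113.7')).allowed);
  }
  const dead = new DeadStore();
  const payment = await checkVelocity(dead, 'payments/hr', 'ip:203.0.113.7');
  const login = await checkVelocity(dead, 'logins/hr', 'user:1234');
  return { verdicts, payment, login };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

With the store healthy, the fourth payment from the same IP is refused. With the store dead, the payment rule blocks and the login rule allows, and both results carry `degraded: true` so the caller can raise an alert rather than silently processing or silently dropping traffic.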

Watch out for