Abuse Detection System Low-Level Design: Multi-Signal Risk Scoring, Account Takeover Detection, and Automated Response

By /
⏱ 6 min read

Abuse Detection System Overview

An abuse detection system protects users and the platform from account takeover, credential stuffing, scraping, fake account creation, and payment abuse. The core mechanism is real-time risk scoring that combines multiple signals and triggers proportional responses — from CAPTCHA challenges to full account lockout.

Abuse Type Taxonomy

  • Account takeover (ATO): Attacker uses stolen credentials to log in as a legitimate user.
  • Credential stuffing: Automated tool tries username/password pairs from leaked databases across many accounts simultaneously.
  • Scraping: High-rate automated data extraction exceeding any legitimate use pattern.
  • Fake account creation: Bulk creation of inauthentic accounts for spam, manipulation, or fraud.
  • Payment abuse: Fraudulent transactions, card testing, chargebacks.

Account Takeover Signals

ATO events have characteristic patterns distinguishable from legitimate logins:

  • New device: Login from a device fingerprint not seen in the last 90 days for this account.
  • New location: Login from a country or city not in the account's location history.
  • Impossible travel: Same account logged in from New York and London 30 minutes apart — physically impossible. Calculated as distance between last login location divided by time elapsed; if result exceeds max human travel speed (~900 km/h for air), flag as impossible travel.
  • High-value action shortly after login: Password change, email change, or large transfer within minutes of a login from a new device — strong ATO indicator.

Credential Stuffing Detection

Credential stuffing targets many accounts, not just one. Detection operates at the population level:

  • Many failed logins across different accounts from the same IP or ASN within a time window.
  • Failed login rate per IP monitored with Redis sliding window counters.
  • Threshold exceeded → rate limit and serve CAPTCHA for subsequent attempts from that IP.
  • ASN-level blocking for persistent attackers using rotating IPs within the same network.

Multi-Signal Risk Scoring

Every authentication event is scored in real time by combining multiple signals:

  • Device fingerprint match score (does this device match known devices for this account?).
  • Geo velocity score (how unusual is this location relative to login history?).
  • Behavioral biometrics score (does typing pattern and mouse movement match the account owner?).
  • Login history score (is this login time/day pattern normal for this account?).
  • Network reputation score (is this IP on abuse databases?).

Signals combine into a risk score from 0 (safe) to 100 (high risk).

Risk-Based Authentication Challenges

Responses are proportional to risk score:

  • Low risk (0–30): Allow without additional friction.
  • Medium risk (31–70): Require 2FA (SMS/TOTP) or CAPTCHA challenge.
  • High risk (71–100): Block the session, invalidate all active sessions for the account, send security alert email to the registered address, require password reset before next login.

Behavioral Biometrics

Behavioral biometrics fingerprint how a user interacts, not just what they know:

  • Typing rhythm and keystroke timing patterns.
  • Mouse movement velocity and click patterns.
  • Touch pressure and gesture patterns on mobile.

A machine learning model trained on each account's historical behavior scores new sessions. Automation (bots) produces very different patterns from human users. Models run passively in the background without adding user friction for legitimate users.

Impossible Travel Detection

Implementation details:

  • Store last login timestamp and geolocation (lat/lng from IP geolocation) per account in Redis.
  • On each new login: compute Haversine distance from last location, divide by time since last login.
  • If implied speed exceeds 900 km/h (commercial air travel), flag as impossible travel.
  • Consider VPN/proxy as a prior: if last IP was a known datacenter IP, suppress impossible travel alert.

Automated Account Protection

When high-risk event is detected:

  1. Block the current session immediately.
  2. Invalidate all other active sessions for the account (force logout everywhere).
  3. Send security alert to the account's verified email and phone.
  4. Require identity re-verification (password reset + 2FA) before restoring access.
  5. Log the full event with all signals for forensic analysis.

Honeypot Accounts and Velocity Controls

Honeypot accounts are fake accounts seeded into the system. Any attempt to scrape, follow, or message a honeypot is a definitive abuse signal — no legitimate user knows these accounts exist. Attackers who interact with honeypots are immediately flagged.

Velocity controls impose hard limits: maximum N login attempts per account per minute, maximum M accounts per IP per day. These are enforced at the load balancer or API gateway layer before authentication logic runs.

See also: Meta Interview Guide 2026: Facebook, Instagram, WhatsApp Engineering

See also: Twitter/X Interview Guide 2026: Timeline Algorithms, Real-Time Search, and Content at Scale

See also: Snap Interview Guide

Scroll to Top