Velocity Features: Measuring Rate and Acceleration

Definition: Velocity features measure the rate of activity over time—transactions per hour, dollars spent per day, login attempts per minute. Acceleration features measure how velocity itself is changing—is the user speeding up or slowing down compared to their baseline?

Why Velocity Matters

Fraudsters must act quickly—stolen credentials expire, accounts get locked, victims notice. This creates velocity spikes: rapid account creation, burst transactions, fast fund transfers. A legitimate user might make 3 purchases in a day; a fraudster drains the account in 30 minutes. Velocity separates the two even when individual transactions look normal.

Velocity Feature Examples

Transaction velocity: transactions per hour, per day. Amount velocity: dollars spent per hour. Login velocity: login attempts per minute. Geographic velocity: unique cities accessed per hour (impossible physical travel indicates account sharing or compromise). Device velocity: unique devices used per day.

Velocity Ratios

Compare current velocity to historical baseline: current_hour_txns / avg_hourly_txns_30d. A ratio of 5x means the user is transacting 5 times faster than usual. Ratios normalize across users with different activity levels—a power user with 50 daily transactions and a casual user with 2 both show 5x ratio when they spike to 250 and 10 respectively.

Acceleration Insight: First derivative (velocity) catches current spikes. Second derivative (acceleration) catches emerging spikes. If velocity is normal but acceleration is high, the user is ramping up—potentially useful for early intervention before velocity thresholds trigger.

Impossible Travel

Geographic velocity detects physically impossible patterns: transactions from New York and London 30 minutes apart. Compute distance between consecutive transaction locations divided by time elapsed. Velocities exceeding airplane speed indicate compromised credentials or VPN usage.