I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004 and we have a lot of experience with this issue. There is a big difference between the two types of reputations and their relevant value.

Botnet and malware based reputation. There are device reputation services that derive online reputation for devices or IP addresses through detection of malware infection or botnet characteristics. A good example of a service like this is Cisco’s Ironport Senderbase service. Here this reputation is used to fight spam, phishing, and malware propagation. The question for online businesses is how relevant is this data when used to combat fraudulent purchases or bogus account setup. In evaluating this question it is helpful to look at the various uses of botnets. There is a good submission on botnets in Wikipedia that describes the various uses of botnets. The top uses of botnets in this article are as follows:

1. Botnets are used to propagate denial of service attacks.
2. They are used for spam and phishing distribution. This use of botnets is so prevalent that they call them spambots.
3. Finally, they are used to harvest data usually either account information, personal information, or credit data.

While botnets can have correlation to online fraud, a large collection of computers that have been associated with an infection or malware is not the same thing as an online fraud reputation database. Think of botnets as the miners of the raw materials to commit online fraud. Typically that data is sent off the compromised PC to a central location where the identity data is collected and resold on the Internet. The actual fraud occurs on different PCs.

Fraud and abuse based device reputation. These reputation services, like iovation’s, track actual histories of fraud and abuse that are associated with a given device by its device fingerprint. iovation tracks over 30 types of online fraud and abuse ranging from credit card fraud to affiliate fraud and customer harassment. Tracking the actual abuses reported for a given device gives our customer actionable information with a very low false positive rate and information that is specifically relevant to their business. iovation has profiled well over 1 billion devices and tracks the unique reputation of over 120 million online devices allowing us to provide unique insight that is unmatched by other services.

Botnet and malware based reputation services are no doubt valuable at combating enterprise security exploitations, but their value simply doesn’t extend to protecting online businesses in the same way. If you are thinking about evaluating a device fingerprinting or device reputation service, be sure to ask the following questions:

1. How many devices do you profile on a daily basis and how many have you profiled in the past year?  This will give an important sense of the scale of the organization.
2. Do you track device reputations, or are you entirely risk based? Device reputation is distinct from device risk in that it identifies a device and its fraudulent history with certainty instead of assigning a likelihood that it is fraudulent.
3. If you say you have identified a fraudulent device, what type of fraudulent activity have you verified? Is this a history of an actual fraud, i.e. a credit card chargeback, or is it simply an infected PC?
4. Can you provide granularity to the reputation that is specifically relevant to my business? Is your fraud reputation one-size-fit all or do you track specific categories of fraud?

Many businesses are looking at this new category of device reputation and seeing how it can help their business. It is important to consider how that reputation is built and how effective it will be in stopping online fraud and abuse.

Tags: botnet, device fingerprint, device reputation, identity theft, Online Fraud, Phishing, spam

This entry was posted on Thursday, May 14th, 2009 at 7:29 am and is filed under Financial Services, Online Communities, Online Gambling, Online Gaming, Online Retail. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.