Botnets – Propagating Threats, DoS, and Identity Theft
July 24th, 2009 by Greg Pierson

Ellen Messmer of Network World had an interesting post recently listing America’s 10 most wanted botnets. These ten alone are responsible for an estimated 12.4 million infections in the United States.
Botnets are an increasingly difficult problem to address and are becoming an important part of the Fraud as a Service value chain. There are a number of uses for botnets, but Messmer’s post suggests that the three primary threats are theft of data, propagation of spam or malware, and execution of coordinated denial of service attacks.
With respect to online fraud, the first two threats are the most concerning and are directly related to each other. Distribution of spam and malware is usually a means to the end of stealing personal data, which can easily be monetized in the cyber black market. The number of effective botnets is growing. What this means to online businesses is that comprehensive databases of credit and identity information are readily available and getting cheaper, giving fraudsters easy access to stolen identities. The result is that fraud management systems relying entirely upon identity checks are becoming less effective and need to be accompanied by a solution based on information independent of identity. This is where device reputation systems excel and provide the perfect complement to existing fraud management tools and processes.
In looking at this problem and the relationship of botnets to online fraud, some companies are attempting to provide device-based risk scores based primarily on association with malware infection and botnet participation. This focus is flawed.
Fraud and abuse, and financial fraud in particular, are becoming increasingly decentralized and independent. The device used to steal information (generally the good guy’s machine) is often different from the device used to pass stolen identities and financial instruments (generally the bad guy’s machine). Can they be one and the same, i.e. the good guy’s personal machine by day and the bad guy’s remote machine by night? Of course. But more often malware and botnets are sending sensitive information elsewhere, where it may then be sold and shared with multiple independent parties.
This is why device reputation based upon actual history of fraud and abuse excels at stopping fraud and abuse in the real world.
The difference between reputation and risk is significant and the best providers of device-based fraud management solutions should offer both. Reputation asserts definitively that a unique PC, or other internet device, has been seen before and has actually been associated with a type of fraud or abuse that the online business cares about. Risk, on the other hand, says that a device profile shares characteristics similar to other device profiles associated with risk and that associated transactions should be scrutinized. Reputation and risk systems are both valuable, but without a foundation of reputation, risk is less effective. We have written about this in past blogs as well.
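As an added illustration of the reputation/risk distinction above (example code written for this post, not iovation's service or any real product), here is a minimal store where reputation records confirmed abuse tied to a specific device and risk is computed by comparing a profile's traits against the profiles of devices already tied to abuse; every device ID, trait name and abuse type in the sample data is constructed.

```python
from collections import defaultdict


class DeviceReputation:
    """Reputation: which devices have been seen, and which confirmed abuse
    types (chargeback, account takeover, ...) each one has been tied to."""

    def __init__(self):
        self.seen = {}                  # device_id -> frozenset of profile traits
        self.abuse = defaultdict(set)   # device_id -> {confirmed abuse types}

    def observe(self, device_id, traits):
        self.seen[device_id] = frozenset(traits)

    def report_abuse(self, device_id, abuse_type):
        if device_id not in self.seen:
            raise KeyError(f"{device_id} was never observed")
        self.abuse[device_id].add(abuse_type)

    def reputation(self, device_id, cared_types):
        """'unknown' = never seen; 'bad' = tied to an abuse type this business
        cares about; 'clean' = seen, but no relevant abuse on record."""
        if device_id not in self.seen:
            return "unknown"
        return "bad" if self.abuse[device_id] & set(cared_types) else "clean"

    def bad_profiles(self, cared_types):
        return [self.seen[d] for d in self.seen if self.abuse[d] & set(cared_types)]


def risk_score(traits, bad_profiles):
    """Risk: how closely a (possibly never-seen) profile resembles profiles
    already tied to abuse. Max Jaccard similarity, in [0, 1]."""
    traits = frozenset(traits)
    if not traits or not bad_profiles:
        return 0.0
    return max(len(traits & p) / len(traits | p) for p in bad_profiles)


def decide(store, device_id, traits, cared_types, review_threshold=0.5):
    """Reputation first (definitive history), then risk (suggestive)."""
    if store.reputation(device_id, cared_types) == "bad":
        return "deny"
    risk = risk_score(traits, store.bad_profiles(cared_types))
    return "review" if risk >= review_threshold else "allow"


def demo():
    store = DeviceReputation()  # constructed sample history
    store.observe("dev-A", {"anon_proxy", "tz_mismatch", "fresh_account"})
    store.observe("dev-B", {"anon_proxy", "tz_mismatch", "many_cards"})
    store.observe("dev-C", {"home_isp", "tz_match"})
    store.report_abuse("dev-A", "chargeback")
    store.report_abuse("dev-B", "account_takeover")
    cared = {"chargeback", "account_takeover"}
    new = {"anon_proxy", "tz_mismatch", "fresh_account", "many_cards"}
    return {"A": decide(store, "dev-A", store.seen["dev-A"], cared),
            "C": decide(store, "dev-C", store.seen["dev-C"], cared),
            "new": decide(store, "dev-Z", new, cared)}
```

Note that the risk model is derived from the reputation history, which is the sense in which risk without a foundation of reputation has less to stand on.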
iovation will always be the first device reputation service. Hopefully we will continue to be THE Device Reputation Authority, the largest repository of device reputations available on the internet and the most effective risk system that takes into account both real history of fraud and abuse as well as characteristics and behaviors highly correlated with fraud or abuse. iovation has performed over 2 billion fraud checks for our subscribers and has used this information to provide the most sophisticated and comprehensive device reputation system available.
Instead of relying on data harvested by networks focused entirely on malware and botnets, the best way to fight fraud that stems from botnets is to track the actual devices that are being used to commit online fraud and abuse.
