The iovation Site

Andy Mallinger

Andy Mallinger, Director of Product Management

iovation Innovation in 2011

Wednesday, December 28th, 2011

iovation is continually developing new features to meet customer business challenges, keep pace with the constantly changing Internet environment, respond to great customer ideas, and meet our own internal strategic goals.

It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, many things go into a new feature, including design, development, testing, documentation, integration, and other operational requirements. We won’t go into that amount of detail here, but will instead focus on the primary achievements within each of the four principal areas of specialization at iovation:

  • Device Recognition
  • User Experience
  • Real-Time Services
  • Infrastructure

 
Device Recognition
Our ability to uniquely identify and recognize returning devices is at the core of everything we do, and no one does it better than iovation.  Providing the DevicePrint™ service is a true science that requires significant ongoing research and development. We are consistently enhancing and tuning our device recognition capabilities.


Merchants Customize Business Rules On-Demand with iovation to Minimize Risk & Stop Fraudsters

Wednesday, March 30th, 2011

Fraud prevention requires layers of defense. Mature fraud prevention organizations often have several: interrogation of transaction details such as name, address, and credit card details; device reputation, which starts with device identification; and risk scoring on rules developed over time to detect fraud attempts as well as predict new types of attacks.

In order for the business rules engines to be productive, the rules they operate on need to reflect the particular risks the organization faces. When it comes to customizing business rules, this is not a “one size fits all” model. Giving a retailer, financial institution, or gaming company the ability to easily create and manage rules that are run against their transactions requires a tool that makes it simple to see, add, edit, and experiment with rules.

The iovation business rules editor provides great flexibility in managing the set of rules to be reviewed for transactions such as login, account creation, account change, and checkout. Rule sets are the collections of rules for each end-customer touch point. Rules can be added with a familiar drag-and-drop and enabled or disabled with one click; their parameters can be adjusted, and lists of common items can be managed and included. An example of a list is a ‘risky ISP list’, where the user can create a list of risky ISPs and use that same list in multiple rules. If the list changes, all rules leveraging that list will be immediately updated. New rules can be evaluated without impacting scoring results by giving them a zero weight and tracking how frequently they are triggered.

The iovation rules editor provides additional flexibility to help you keep up with the evolution of fraud while protecting your business.
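The shared-list and zero-weight behaviour described above can be sketched in a few lines. This is an added example, not iovation's code or API: the `Rule` and `RuleSet` classes, the rule names, the weights, and the transaction fields are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    weight: int              # 0 = trial rule: counted, never scored
    enabled: bool = True     # one-click enable/disable
    hits: int = 0

@dataclass
class RuleSet:
    touch_point: str         # login, account creation, checkout, ...
    rules: list = field(default_factory=list)
    evaluated: int = 0

    def score(self, txn: dict) -> int:
        """Sum the weights of enabled rules that trigger on txn."""
        self.evaluated += 1
        total = 0
        for rule in self.rules:
            if rule.enabled and rule.predicate(txn):
                rule.hits += 1
                total += rule.weight
        return total

    def trigger_rates(self) -> dict:
        """Fraction of evaluated transactions on which each rule fired."""
        n = self.evaluated or 1
        return {r.name: r.hits / n for r in self.rules}

def build_checkout_rules(risky_isps: set) -> RuleSet:
    # Both ISP rules read the same set object, so editing the list
    # changes both rules at once (hypothetical names and weights).
    return RuleSet("checkout", [
        Rule("risky_isp", lambda t: t["isp"] in risky_isps, weight=40),
        Rule("risky_isp_new_account",
             lambda t: t["isp"] in risky_isps and t["account_age_days"] < 1,
             weight=30),
        Rule("trial_high_amount", lambda t: t["amount"] > 500, weight=0),
    ])

if __name__ == "__main__":
    isps = {"ExampleNet"}                      # constructed sample list
    rules = build_checkout_rules(isps)
    txn = {"isp": "OtherNet", "account_age_days": 0, "amount": 900}
    print(rules.score(txn))                    # only the trial rule fires
    isps.add("OtherNet")                       # edit the shared list
    print(rules.score(txn), rules.trigger_rates())
```

The trigger rate of a zero-weight rule shows how often it would have fired, which is the figure to review before assigning it a real weight.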


Real Time Real IP – When is a proxy an indication of risk?

Monday, January 31st, 2011

Distinguishing transactions with real risk from those that only appear risky is one challenge of effective fraud management. False positives can dramatically degrade fraud catch while increasing operational costs. Risk rules based on IP address, including the ability to see through proxies to unmask the real source IP address, are a good example. It’s well known that many fraudsters use web proxies to hide their source IP address. They may use proxies simply to evade recognition, to source transactions from locations that match stolen identities they wish to exploit, or to overcome rules blocking transactions from high fraud rate countries. At first blush, a transaction may seem risky if the ‘stated’ IP address does not match the ‘real’ IP address. But let’s look a little closer.

There are situations where a mismatch between the presented IP address and the actual IP address does not indicate risk. These include certain ISPs, corporate networks, and CDN services that either require their users’ web traffic to pass through proxies or have service configurations that result in proxy-like behavior. If the IP addresses don’t match but the locations do, that can help filter out some of these false-positive, lower-risk scenarios. Likewise, if the IP addresses differ but the ISP is the same, proxy risk is typically low. When the IP addresses don’t match, the geolocated country or region differs, and the ISPs are not the same, that is much more likely to be an example of intentional proxy use by the end user.

Of course, legitimate site visitors sometimes use proxies too. So, proxy risk should be considered in conjunction with device reputation and other risk indicators for balanced real-time transaction decisioning.
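The mismatch cases above, written as a single triage function for a rules engine. This is an added example, not iovation's implementation: the `Endpoint` type, the "none"/"low"/"elevated"/"unknown" labels, the IPv4-mapped address normalization, and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    ip: str
    country: str
    region: str
    isp: str

def _normalize(ip: str):
    """Parse an address; treat ::ffff:a.b.c.d as the IPv4 address a.b.c.d."""
    addr = ipaddress.ip_address(ip)
    return getattr(addr, "ipv4_mapped", None) or addr

def proxy_risk(stated: Endpoint, real: Optional[Endpoint]) -> str:
    """Classify a stated-vs-real IP mismatch as a proxy risk signal."""
    if real is None:
        return "unknown"     # real IP was not recovered; no signal either way
    if _normalize(stated.ip) == _normalize(real.ip):
        return "none"        # no proxy observed
    if stated.isp.casefold() == real.isp.casefold():
        return "low"         # same ISP: ISP or corporate proxy behaviour
    if (stated.country, stated.region) == (real.country, real.region):
        return "low"         # same location: likely a false positive
    return "elevated"        # IP, location and ISP all differ

if __name__ == "__main__":
    # Constructed sample transactions.
    stated = Endpoint("198.51.100.7", "US", "OR", "Example Cable")
    samples = [
        Endpoint("::ffff:198.51.100.7", "US", "OR", "Example Cable"),
        Endpoint("198.51.100.90", "US", "OR", "example cable"),
        Endpoint("203.0.113.20", "US", "OR", "Example DSL"),
        Endpoint("192.0.2.44", "RO", "B", "Example Hosting"),
        None,
    ]
    for real in samples:
        print(real.ip if real else None, "->", proxy_risk(stated, real))
```

The returned label is one input to the decision, to be weighed with device reputation and the other indicators rather than used as a block rule on its own.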


Fraud Prevention is Not About ‘Cookie or No Cookie’ – It’s About a Defense-in-Depth Approach

Saturday, November 27th, 2010

Relying on a single prevention technique for anything is risky because either the technique doesn’t work for every situation, or someone will figure out how to get around it. This certainly applies to Internet fraud, where prevention specialists work around the clock to stay multiple steps in front of the bad guys.

Fraudsters excel at hiding their true identity. True professionals in the field of fraud detection and prevention must employ a defense-in-depth approach, and iovation deploys one of the most sophisticated, with a multi-tiered approach that recognizes trouble when it is near. Our innovative service to recognize risk has been constantly refined over the past six years.