iovation has seen first-hand mobile transactions increase by more than 300% annually. With merchants expecting more fraud as a percentage of sales from their mobile channel, I look forward to participating alongside with other leading mobile security authorities in the panel, “Mobile Security: Improving Systems to Mitigate Fraud,” at the Mobile Contactless Payment Innovations Summit in Chicago.

I will be joining Marc Washawsky, SVP Mobile Channel Executive at Bank of America, Kevin Gillick, Executive Director at GlobalPlatform, Jack Jania, SVP GM Secure Transactions at Gemalto, and moderator, James Wester, Editor of Mobile Payments Today, as we share with executives from retailers, banks, card issuers and payment networks insights on assessing risk and detecting fraudulent behavior from mobile devices, including smart phones and tablets. Some of the topics we will cover include: 

• The importance of mobile security
• Common perceptions customers have towards mobile devices
• Mobile standards, practices and identity issues
• The security and fraud implications for consumer vs. business devices
• The future of mobile security

Each year, iovation assesses billions of online transactions for our customers, most notably in financial services, online retail and online communities like social networks and dating sites. Of the mobile transactions we’ve assessed for risk to date, 35% were from Android devices, 32% from iPhones, 24% from iPads, and 9% have been from Blackberry and other mobile devices.

The mobile fraud panel will take place on Tuesday, October 18th, beginning at 11:15 a.m. at the W Hotel City Center, Chicago, Illinois. If you are attending this conference, I hope you can join us for this very important presentation.

In 2010, we screened nearly 2 billion transactions and stopped over 35 million fraud attempts. The collaboration we support and the meaningful impact we have in stopping all types of online fraud and abuse are part of what makes us proud of what we do here at iovation.

This was our most successful year ever and we have even higher expectations for next year. Thanks for working with us to make the Internet a safer place. Here’s to seeing what we can accomplish together in 2011.

Happy holidays and best wishes for the New Year.

Sincerely,
Greg

AlwaysOn asserts that the selected companies are developing game-changing approaches and technologies that are likely to disrupt existing markets. Selection criteria include innovation, market potential, commercialization, shareholder value and media buzz. Quoting Tony Perkins, founder and editor of AlwaysOn:

“As the digital information created by businesses continues to explode at astronomical rates, the need to store, manage, and share this information is becoming extremely challenging. By providing innovative technologies that help enterprises better compete in this new era of information complexity, the OnDemand 100 represent some of the highest growth opportunities in the private company marketplace.”

It’s an honor to be recognized by industry experts for pioneering the use of device reputation to help online businesses fight fraud and abuse. The only thing better is recognition from customers that use our service every single day.

Along with the more obvious benefits of a growing customer base, more customers means more feedback. Just this morning I was checking in with one of our newest financial services customers. They were very happy with the ROI on our service and highly complimentary of our team. And last week I ran into the CIO for the Portland Trail Blazers at a business function – GO BLAZERS! Seeing ‘iovation’ on my name tag he went out of his way to explain how much he appreciates our service and how we have helped them significantly reducing fraudulent ticket sales.

It’s always great to hear that we have a valuable service and even better to hear customers compliment our people. We really do have a great team that genuinely cares and will do whatever it takes to help our customers. While most of the praise is heaped on our client services organization – which makes sense since this is the part of the organization that fights the good fight side-by-side our customers every day – it’s deserved across the board.

And speaking of positive energy, I love that our customers are sending us pictures of their fraud teams from around the world all wearing our coveted iovation ‘virtual crime fighter’ shirts. For a growing number of folks on the iovation team here in Portland, this has also become the unofficial Friday uniform.

A little recognition, happy customers and happy employees. Nice.

We’re going into 2010 with a lot to be excited about, including the announcement of our new VP of Technology, Scott Waddell.  Scott joined iovation in April 2008 as our Director of Research, a role to which he has brought amazing insight and innovation.  I love his ability to keep sight of a strategic vision while being pragmatic about getting there.  Starting this month, he’s taking over the helm of our entire technology organization and we’re confident he will continue our positive momentum into the new year and beyond.

To provide a bit of an introduction, Scott has nearly two decades of technology experience with an emphasis on security.  Before joining iovation, he spent a number of years at Cisco, serving in a variety across engineering, network security and research. Prior to that, Scott co-founded WheelGroup, a network security company that was later acquired by Cisco.  He also served as a charter member of the Air Force Information Warfare Center, pioneering tools and techniques for automated vulnerability assessment and incident response.

Due to his wealth of experience and the clear contributions he has already made to our business, everyone on our executive team and board of directors agrees that Scott is absolutely the right person to lead our technology team.  We’re fortunate to have someone who is extremely knowledgeable, passionate, dedicated, and already familiar with what we do. No one would be in a better position to help strengthen our core technologies and work on building new services to leverage our unique knowledge of the reputation of hundreds of millions of computers.

Here’s to building great teams.  Happy New Year!

It is amazing to me to look back and see how much we have accomplished in just a few years. Through collective hard work and the loyal support of our customers, we have become leaders in device reputation and device fingerprinting solutions. We now protect over 300 websites and have profiled over 180 million computers. We perform over 4.0 million device reputation checks and stop over 30,000 fraudulent transactions every single day.

Thanks to everyone who is working together to protect online commerce and fight online fraud. We couldn’t have done it without you.

Happy Thanksgiving to you and your family.

Greg

Botnets are an increasingly difficult problem to address and are becoming an important part of the Fraud as a Service value chain.  There are a number of uses for botnets but Messmer’s post supports that the three primary threats are theft of data, propagation of spam or malware, and execution of coordinated denial of service attacks.

With respect to online fraud, the first threats are the most concerning and are directly related to each other. Distribution of spam and malware is usually a means to an end of stealing personal data which can easily be monetized in the cyber black market. The number of effective botnets is growing. What this means to online businesses is that comprehensive databases of credit and identity information are readily available and getting cheaper, allowing fraudsters easy access to stolen identities. The result is that fraud management systems relying entirely upon identity checks are becoming less effective and need to be accompanied by a solution based on information independent of identity. This is where device reputation systems excel and provide the perfect complement to existing fraud management tools and processes.

In looking at this problem and the relationship of botnets to online fraud, some companies are attempting to provide device-based risk scores based primarily on association with malware infection and botnet participation. This focus is flawed.

Fraud and abuse, but particularly financial fraud, is becoming increasingly decentralized and independent. The device used to steal information (generally the good guy’s machine) is often different than the device used to pass stolen identities and financial instruments (generally the bad guy’s machine). Can they be one in the same, i.e. good guy’s personal machine by day and the bad guy’s remote machine by night? Of course. But more often malware and botnets are sending sensitive information elsewhere which may then be sold and shared with multiple independent parties.

This is why device reputation based upon actual history of fraud and abuse excels at stopping fraud and abuse in the real world.

The difference between reputation and risk is significant and the best providers of device-based fraud management solutions should offer both. Reputation asserts definitively that a unique PC, or other internet device, has been seen before and has actually been associated with a type of fraud or abuse that the online business cares about. Risk, on the other hand, says that a device profile shares characteristics similar to other device profiles associated with risk and that associated transactions should be scrutinized. Reputation and risk systems are both valuable, but without a foundation of reputation, risk is less effective. We have written about this in past blogs as well.

iovation will always be the first device reputation service. Hopefully we will continue to be THE Device Reputation Authority, the largest repository of device reputations available on the internet and the most effective risk system that takes into account both real history of fraud and abuse as well as characteristics and behaviors highly correlated with fraud or abuse.  iovation has performed over 2 billion fraud checks for our subscribers and has used this information to provide the most sophisticated and comprehensive device reputation system available.

Instead of relying on data harvested by networks focused entirely on malware and botnets, the best way to fight fraud that stems from botnets is to track the actual devices that are being used to commit online fraud and abuse.

Over two billion times, our subscribers have used one of our device printing technologies while interacting with end-users and then reached out to our service with device printing data plus their unique account or transaction identifier. In real-time (sub-second response times) our service then follows business rules that are unique to each subscriber and leverages terabytes of information in our global fraud database, the Device Reputation Authority (DRA).  We can tell subscribers if they have ever seen a given device and if any related accounts and devices have a history of fraud or abuse at their site. We can also tell subscribers if any related devices are associated with fraud or abuse at other subscriber sites.

In processing all these device reputation inquiries, we have stopped over 11 million fraudulent and abusive activities. If the average loaded cost is just $100.00 per incident, then we have saved our customers over $1.0 billion in fraud and abuse losses.  And this, of course, is the whole point. We help our subscribers stop everything from identity theft and stolen credit card use to cheating, posting unwanted content, chat abuse and child predation. Over 11 million times our subscribers stopped a purchase, login or other action with sufficient confidence to avoid any additional review. And this is just the real-time stops. We also help our subscribers identify suspicious activity through real-time notices, Risk Module, scheduled reports, and add hoc queries through our web-based admin console.

I can’t help but think of how far we have come in the past five years as a company and how quickly ecommerce evolves. Internet businesses have undergone a significant transition in general awareness of what device fingerprinting solutions, like iovation’s ReputationManager, have to offer. In the ‘old days’, just a few years ago, we spent considerable time explaining what device reputation was and educating potential subscribers about how using our service could change the way they identified relationships between accounts, orders, or applications. Contrast that with today’s environment, where device fingerprinting solutions are recognized as a best-practice and even a necessary component to any fraud and abuse management system. Nowhere was this more evident than in this year’s Fraud Management report that identified device fingerprinting as the #1 planned technology for implementation over the course of the next year and as one of the top three effective technologies for fighting fraud.

In addition to increasing market awareness of the power of device reputation, we have experienced tremendous growth in our business. It took us about four years to process our first billion transactions and only one year to hit the next billion. We currently track the reputation of over 140 million unique devices, up nearly 500% from just a year ago.  We have grown from protecting a handful of businesses in a single industry to protecting hundreds of web properties, many of which are globally recognized brands, involved in all kinds of e-commerce activities.

What has driven our growth more than anything is that we simply deliver results. Our subscribers have realized remarkable returns, such as our Fortune 100 credit issuer who generated a 321% ROI in the first two years, and Ntreev USA who saw amazing results within a mere 30 days. We are proud of the real value we deliver and delight in stopping fraudsters and helping our subscribers minimize losses and increase profits.

I would like to take this opportunity to thank our employees, our partners, our investors and most of all our subscribers who have made this growth and success possible. We are working together to fight fraud and abuse more effectively each day.

Online businesses are generally focused on the security aspects of this ‘discussion’ with an emphasis on how best to protect themselves and their customers.  Businesses would be well-served to also understand the perspective of privacy advocates. You don’t necessarily have to agree or even have much sympathy for a particular perspective to potentially benefit.

I see two main themes with respect to online privacy concerns. One is more related to identity theft generally directed at how online businesses protect data that could be used to get unauthorized access to an online account or steal someone’s identity. The second theme has more to do with simple invasion of privacy. You will find much controversy here ranging from ownership rights to click stream data to whether or not Google could or does try to determine who you are from search string data.

While most people have real concern about identity theft and genuine sympathy for the victims of this crime, the majority of Internet citizens don’t seem highly concerned over issues related to privacy. Nevertheless, online businesses should not underestimate the passion and strength of the vocal minority here. Keeping this perspective in mind might help keep you out of trouble.  Encourage your employees and customers to point out potential issues. Consider hiring a privacy advocate to review user agreements and potentially sensitive aspects of data security and retention policies.  You don’t necessarily have to address every single issue they might raise, but it might be good to know where you stand and what you’re doing that could potentially create a problem for you at some point.

So what does all of this mean to the perspective on the typical Internet user?

In the world we currently live in, 100% guarantees are hard to come by, and this certainly applies to online security and privacy. However, online and off, there are reasonable steps consumers can take to make it harder for someone to steal their identity. With respect to privacy, there’s what you buy and what you do. In the case of buying something online, you will inevitably need to provide more information about yourself and likely leave a record of your activity.

Aside from making purchases, you can be reasonably anonymous on the Internet. Anyone wanting to surf the Web with an extremely high level of anonymity can simply use an anonymizing proxy service to obfuscate their IP address and apparent location. And there are many other tools and techniques that can be used depending on your level of concern.

I would argue that for the vast majority of Internet citizens there is very little to worry about in the privacy department. Your biggest risks if you’re not careful are target marketing and unsolicited emails. If you would be personally or professionally devastated if someone ever found out that you did a search for X or visited a particular website, or feel very strongly that whatever you do online is absolutely no one else’s business, then take appropriate steps to protect yourself.

But be aware that, like many things in life, tradeoffs are involved. Being more anonymous than the typical Internet user does come with a price. If you use throw-away email addresses, anonymizing proxies and other tools to increase privacy, you shouldn’t be surprised if you have to jump through a few extra hoops to use certain online services, just as you might reasonably expect to get a little extra attention if you walk into a bank to make a legitimate withdrawal wearing a ski mask.

The judge wrote,

“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider’s subscribers.”

The second sentence could definitely be more clear. It is not accurate to say that an IP address identifies a unique computer. While you could say that for a moment in time an active IP address is associated with a specific Internet device, and the next moment, the same IP address could represent a completely different Internet device that may or may not be associated with the first device.

I don’t think this distinction changes the point the judge was making. It does, however, bring up an important point for online businesses using IP addresses to identify fraud and abuse.

Few consumers have static IP addresses. Some of the largest ISPs don’t even offer this service.  It’s typically more expensive and few consumers have any real reason for having one.  Most consumers are assigned an IP address from their ISP through DHCP and every time their router is powered on they will be assigned a new address. Bad guys are obviously even less likely to use a static IP address. And most businesses of any size, to help extend the public IP address range and for various security and network management reasons, translate a smaller number of external/public IP addresses into many internal/private email addresses.

The point is that IP addresses are transitory in nature, and therefore have a shelf life. Fraud management systems that utilize IP address to build associations between accounts, profile behavior and screen out bad actors need to be used with caution. If one of your best customers conducts business with the site on Monday from a particular IP address, it isn’t necessarily the same customer or internet device connecting from the same IP address on Tuesday. Conversely, if you get a chargeback notice for a transaction that occurred weeks ago from a particular IP address, blocking that IP address going forward my well deny business from a good customer that has absolutely nothing to do with the previous fraud.

If your fraud management team relies heavily on IP address, use time to weight associations. Different transactions coming from the same IP address within minutes are very likely related, whereas transactions from the same IP address separated by weeks should be considered very weakly associated, if at all. In either case, manual review will help make sure you don’t negatively impact a good customer.

Unfortunately, manual review processes are expensive and not scalable. Layering complementary fraud management approaches can help you reject and accept more transactions with confidence and significantly reduce the need for manual review.

While the never-ending ‘discussion’ about the balance of online security and privacy rages on, what can online businesses learn from this?

Microsoft dodged a bullet here. While the case was dismissed before trial, defending yourself is expensive. While harder to quantify than attorney’s fees, there are other ‘costs’ that are often more significant, including the distraction to the business and all the ripple effects of negative publicity for customers, business partners, employees and shareholders.  Dodging bullets is good, but it’s even better to avoid getting shot at in the first place.

In this particular case, a group of consumers claimed that Microsoft violated its user agreement by collecting IP addresses.  Consumers claimed that Microsoft’s user agreement didn’t give the company permission to gather personally identifiable information. Consumers argued that IP addresses were personal information and pointed to a security glossary on Microsoft’s own website that defined “personally identifiable information” as:

Oops.

If you’re wondering how Microsoft got out of this sticky situation, they argued that IP address is in fact NOT personally identifiable information and that their own security glossary was not referenced in their user agreement and is therefore not relevant. Attorneys reading this are thinking “Makes perfect sense,” and normal individuals (sorry, couldn’t help myself) are thinking, “That makes no sense.”

In Microsoft’s defense, you can see how this could easily happen. User agreements could be written by one part of the organization, in isolation from another part of the organization responsible for writing an online security glossary. The bigger the organization, the more likely these kind of disconnects, and the harder it is to keep everyone on the same page. This may explain it, but it doesn’t excuse it.

BTW, as of the date of this post, this definition of PII on Microsoft’s website remains unchanged.

While big companies with deep pockets have bigger targets on their back, small companies are not immune to these types of problems.

A little common sense goes a long way. Consumers don’t care about technical legal arguments. If you say one thing and do something else, you shouldn’t be surprised when some of your customers are confused or irritated. Try to be consistent and encourage your customers and employees to point out real and apparent inconsistencies.

Treat all information gathered from your customers with the appropriate level of care. I certainly understand this is a loaded statement. Ask three experts for their opinion on what you should do with various data types and you’re likely to get at least three. But a little common sense goes a long way here too. The greater the likelihood that information could allow access by unauthorized users, reveal individual users or enable identity theft, the more careful you should be.

Review your privacy policies periodically and compare them to other businesses that consumers respect. When in doubt, disclose it. Let’s face it, the vast majority of your users don’t care and are never going to read it.  For the extremely vocal minority that does care, they will appreciate transparency. The individual that actually cares that you “maintain IP addresses associated with site traffic for up to X years” will either appreciate the disclosure (which they knew anyway) or was never doing business with you in the first place.

As Microsoft, Google and many other businesses continue to learn the hard way, even the appearance of improper conduct can be terribly damaging. When in doubt, disclose.

]]> http://blog.iovation.com/2009/07/15/ip-addresses-not-pii-part-2/feed/ 0 http://blog.iovation.com/2009/07/13/us-federal-judge-upholds-ip-addresses-are-not-personally-identifiable-information-%e2%80%93-i-agree/ http://blog.iovation.com/2009/07/13/us-federal-judge-upholds-ip-addresses-are-not-personally-identifiable-information-%e2%80%93-i-agree/#comments Mon, 13 Jul 2009 23:42:58 +0000 Greg Pierson http://blog.iovation.com/?p=322 In a class action law suit involving Microsoft, a U.S District Court judge ruled that IP addresses are not personally identifiable information (PII).  This will undoubtedly contribute to the important, often passionate and sometimes controversial balance between online security and privacy.  There will be countless threads pointing out the legal and technical reasons that an IP address is not personal information.  There will be valid points here.  And there will be countless more threads on what can be done with IP addresses alone and how IP addresses can be used in combination with other types of information for target marketing, behavior analysis and even identifying specific individuals.  There will be valid points here too.

By themselves, very few individual data elements point to a specific individual.  Rather than debating whether or not a particular data element is PII, I think it’s more appropriate, and ultimately more productive, to think about data elements on a continuum from strongly-associated with identity to weakly-associated with identity.  While reasonable people could argue over the precise weight of individual data elements, there would be general agreement that biometric information is more strongly associated with unique individuals than physical address which is more specific than date of birth, etc.  Imagine the ‘fun’ in debating over the relative weights of validated email address versus non-validated email address, or cell versus home versus fax numbers, etc.

On this continuum, IP addresses are very weakly associated with identity.  Of all the information associated with one’s Internet activity, IP address is pretty innocuous.  IP addresses are often transitory, randomly assigned and very easily obfuscated.  With no additional information, it’s extremely difficult at best to associate an individual to an IP address with any degree of certainty.

Moreover, IP addresses are in the public domain and literally part of the fabric of the Web.  They are in every router, web server and internet appliance with audit logs.  Like the to and from addresses on snail mail, IP addresses are an integral part of every TC/IP packet flying around the globe.  Every time you visit a website, post to a message board, or send an IM, tweet or email, you are sharing IP addresses.  It’s not reasonable or practical to treat IP addresses like credit card numbers or other data elements that are more closely associated with unique individuals.

With respect to the balance of security and privacy, there’s another very important aspect to all of this.  Privacy advocates and consumers should consider the potential ramifications of treating all data elements the same, regardless of strength of association to identity.  Online businesses have a right, and shareholders might argue an obligation, to know their customers, understand behavior, and protect themselves and their users from fraud and abuse.  Using IP addresses, session IDs, cookies, tokens, device IDs and similar data elements that are very weakly associated with identity actually protects the identity and privacy of consumers.  As businesses protect themselves with information that is more closely associated with identity, identity and privacy are more at risk.

This ruling is a step in the right direction.  I hope it is the signal of a trend toward a rational view of the value of an IP address.

In addition to being good news for the companies who offer alternative payment types, this information also signifies an important development in the realm of fraud prevention. With fewer shoppers using credit cards online, traditional fraud-management tools that rely upon that personal and credit information are going to become less effective. The Internet Retailer article quotes extensively from CyberSource’s most recent fraud report: a report that indicates that device fingerprinting solutions, like iovation ReputationManager™, are at the top of the list for planned implementation in 2009. The trend of online consumers away from payment options that require personal and credit information will only make augmenting fraud prevention with device fingerprinting solutions more important.