It will be interesting to see how this law plays out and whether it turns into simple grandstanding by lawmakers or if it will be able to have a real affect. The most likely impact of this law will be to address bullies or even families who use fake profiles to intimidate or harass others, as in the case that culminated in the suicide of a young girl. This law is unlikely, however, to have any impact on organized criminals who create multiple phony accounts to target and defraud users on social networks.

At iovation, many of the questions we field revolve around how we do device fingerprinting. Rather than get into a detailed definition of device fingerprinting, I will address the basic choices available to companies and explain how iovation uses them. Essentially, device fingerprinting is used online to identify and then re-recognize a PC or other Internet device that visits an online site. There are really 4 different ways that this can be accomplished:

1. Download device print – In this case the online user must accept a downloaded device print, which is usually in the format of some sort of DLL or other executable. In general, this technique is used by online businesses that already download other software and this becomes a component of that download. For example, game companies may include this in their game downloads. At iovation a small percentage of our customers use this form of device recognition. Its advantages are that it is the most accurate device print available. Additionally, because it can look deeper at system attributes, such as the MAC address, it can often re-identify a PC even if the user completely reloads the operating system and is thus more resistant to bypass. The drawback is that it does require a download and for many businesses, this is simply not acceptable.
2. Web device print – In this case, there is no change to the user experience on the web, but a unique identifier is left as a cookie in various places. For example, this could be as simple as a standard cookie, or it could take advantage of various other applications like a flash cache. This print still retains the ability to uniquely and accurately identify a PC but isn’t as resilient to bypass as a downloaded print.
3. Device profiling – In this instance there is no unique identifier left on the system, but rather a collection of the device attributes that are visible through the web. This technology answers the question, how likely is this PC to be one that I have seen before. There are many of these attributes, such as operating system, browser OS and version, etc. that taken individually are non-unique, but when looked at in aggregate can provide a high re-recognition rate for PCs. The advantage of this technique is that it is very resilient to bypass in that there is no unique identifier to be cleared. The drawback is that the more aggressive you are with recognition techniques, you risk false positives in the recognition of devices.
4. Risk profiling – In the true sense of device recognition this is not device fingerprinting because the goal is not to match devices uniquely to a device a business has seen before. Rather, this is used to aggregate risk characteristics for a PC that may include the fact that it looks like devices that have been associated with fraud in the past. This type of technique can include the device profile risk, IP address risk, and common risky attributes (i.e. the PC is coming through an anonymizing proxy).

All of these techniques are used by iovation to provide a comprehensive device reputation service and to match our customers needs and business environment. The choice of technology reflects our customers sensitivities to fraud, customer experience, false positives and review queues, and the type of customers that visit them online.

This attack is even more relevant to me personally as I witnessed this attack on a friend of mine this past weekend. My friend received a voice message telling him that his debit card account had indications of fraud and to call the 800 number immediately to get details. Once he connected to this number he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him so he hung up intending to call back later. When he did call back, he called the number of his financial institution on his card instead of the number left on voice mail. It was a good thing he did. There they indicated that there was no fraud activity on his account and that he had been a victim of a vishing attack.

In this incident it turned out ok because he never entered his personal information, but it could have easily turned out differently. The lesson from this incident is that as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial, or other account, you should dial the actual company number and have them direct you to the appropriate department. Do not trust phone numbers left to you in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.

This is an interesting concept, but the execution of this with online businesses will make all the difference. The key here is the merchants and their adoption of this technology. If adoption is slow, then the card company may be forced to allow use of this card at sites without the pin. If this is the case, the improved authentication is rendered useless because a scammer could still steal the card information and use it online. If, on the other hand, the card issuer continues to require the use of the pin in order to complete an online transaction despite slow adoption by merchants, this could doom the use of the card by consumers as they won’t find enough places to use it.

Online merchants are the key to the success of this experiment and they have incentives to make this work. CNP fraud is a big problem and costs online companies billions of dollars per year. If they can band together to speed adoption of this technology, it will go a long way to changing how online fraud occurs.

Botnet and malware based reputation. There are device reputation services that derive online reputation for devices or IP addresses through detection of malware infection or botnet characteristics. A good example of a service like this is Cisco’s Ironport Senderbase service. Here this reputation is used to fight spam, phishing, and malware propagation. The question for online businesses is how relevant is this data when used to combat fraudulent purchases or bogus account setup. In evaluating this question it is helpful to look at the various uses of botnets. There is a good submission on botnets in Wikipedia that describes the various uses of botnets. The top uses of botnets in this article are as follows:

1. Botnets are used to propagate denial of service attacks.
2. They are used for spam and phishing distribution. This use of botnets is so prevalent that they call them spambots.
3. Finally, they are used to harvest data usually either account information, personal information, or credit data.

While botnets can have correlation to online fraud, a large collection of computers that have been associated with an infection or malware is not the same thing as an online fraud reputation database. Think of botnets as the miners of the raw materials to commit online fraud. Typically that data is sent off the compromised PC to a central location where the identity data is collected and resold on the Internet. The actual fraud occurs on different PCs.

Fraud and abuse based device reputation. These reputation services, like iovation’s, track actual histories of fraud and abuse that are associated with a given device by its device fingerprint. iovation tracks over 30 types of online fraud and abuse ranging from credit card fraud to affiliate fraud and customer harassment. Tracking the actual abuses reported for a given device gives our customer actionable information with a very low false positive rate and information that is specifically relevant to their business. iovation has profiled well over 1 billion devices and tracks the unique reputation of over 120 million online devices allowing us to provide unique insight that is unmatched by other services.

Botnet and malware based reputation services are no doubt valuable at combating enterprise security exploitations, but their value simply doesn’t extend to protecting online businesses in the same way. If you are thinking about evaluating a device fingerprinting or device reputation service, be sure to ask the following questions:

1. How many devices do you profile on a daily basis and how many have you profiled in the past year?  This will give an important sense of the scale of the organization.
2. Do you track device reputations, or are you entirely risk based? Device reputation is distinct from device risk in that it identifies a device and its fraudulent history with certainty instead of assigning a likelihood that it is fraudulent.
3. If you say you have identified a fraudulent device, what type of fraudulent activity have you verified? Is this a history of an actual fraud, i.e. a credit card chargeback, or is it simply an infected PC?
4. Can you provide granularity to the reputation that is specifically relevant to my business? Is your fraud reputation one-size-fit all or do you track specific categories of fraud?

Many businesses are looking at this new category of device reputation and seeing how it can help their business. It is important to consider how that reputation is built and how effective it will be in stopping online fraud and abuse.

A growing number of online gaming companies continue to join iovation’s global fraud network. By focusing on the reputation of the user’s computer and sharing evidence of fraudulent devices with other online businesses, iovation uncovers hidden relationships and proactively exposes fraudsters and abusers in real-time.

Read the Ntreev case study, titled, “Ntreev USA Tackles Chargebacks and Terms of Service Violations” or visit our gaming industry page to learn more.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned:

1. Social networking sites are driven by links. Where e-mail is about easy and quick communication, social networking sites are driven by shared links to interesting news propagating on the web. In the case of Twitter, probably more than 90% of tweets contain links to articles on the web.
2. Browser exploits are THE method of propagation for malware. Worried about the latest self propagating worm exploiting a zero day vulnerability? The threat from a worm pales in comparison to the volume of attacks coming through your browser. TippingPoint’s Pwn2Own contest highlights browser vulnerabilities and the results from this year’s contest were scary. On the first day Safari, Firefox and Internet Explorer all hit the dust with new zero day exploits. This contest actually saw the first official exploit for IE8. Today, scammers take advantage of the weakness of the browser by linking users to infected sites through phishing and link postings. URL shortening complicates this because the user has no idea of what site they are really linking to.
3. Social posts are far less filtered than e-mail. The e-mail spam and virus filtering market has matured and most users have some rudimentary form of filtering for one or both of these items in e-mail. With social networks there is no such filter other than choosing who you befriend and follow. If you are following the latest #trend on Twitter, you will get the good, bad and ugly of links including links to phishing sites.

Link quality poses a serious threat to social networking sites. With numbers demonstrating that the effectiveness of malware attacks in social networks is 10 times as effective as e-mail you can be sure that scammers are taking notice. The inherent nature of social networks makes this a difficult problem to combat. The best advice for all users today? Think before you click and keep your anti-virus software up to date.  Social networks need to identify scammers, ban their accounts and prevent them from creating new ones in order to ensure the future of their sites. This, coupled with greater user awareness, should help reduce the problem.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and is one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the users personal information is the target of choice, but this is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult, it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail or link to a page that collects that data from an e-mail.

The argument against this type of technology, however, is that the device information could be collected and sold, constituting a violation of privacy of the online user. What needs to be taken into consideration, however, is how device fingerprinting compares with existing identity-based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work to reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way.

The reality is that device fingerprinting systems provide online businesses with some of the only fraud management tools that don’t rely heavily on personally identifiable information. Instead of decrying privacy violations, privacy advocates should be looking to embrace systems that achieve the purpose of reducing online fraud while still protecting the privacy of good online users.

1. ROI for security vendors is more important than ever. The time when businesses make investments on loose Fear, Uncertainty and Doubt (FUD) is coming to a close. Companies are looking to solve real, existing problems and more than ever are being held accountable to the impact of their investments on the bottom line of their company.
2. Fraud as a Service resonates. I blogged a couple of weeks ago about a podcast from RSA where they referred to Fraud as a Service to describe the way online criminals are specializing and working together to commit online fraud.  I am officially changing to this term in preference to the Fraud Value Chain.  I spoke to reporters, analysts and security professionals about this concept and it really resonated.  I had an interview with Bank Info Security that included this topic and here is the podcast.
3. Application Whitelisting vs Blacklisting. I spent some time with the folks at CoreTrace and I think that Application Whitelisting may finally be hitting the market at the right time. Eric Ogren, from the Ogren Group, and I spoke about this and we both agreed that blacklisting systems, in other words anti-virus, provide little to no value in preventing attacks and more than ever are relegated to clean up tools that identify infection after the fact and remove it.  Whitelisting has a way to go before it completely replaces anti-virus, but it has a good future.

That’s it from RSA, now it’s time to head back and fight the bad guys.

Independent of those issues, we at iovation have actually been studying the correlation of use of a proxy to online fraud and abuse. The early results are that for online businesses, users who utilize an anonymizing proxy have a higher rate of fraud and abuse than those that don’t, but it isn’t a sufficient independent indicator of fraudulent activity. In other words, for analyzing the risk of a given online transaction, checking for the use of a proxy is one of many important checks in assessing the overall risk, but it is not sufficient independently to determine whether an online user is bad. This also varies by industry. For example, the use of proxies is rarer at mainstream sites like online banks and retail sites as opposed to online dating sites where individuals may be more concerned about maintaining anonymity.

One thing remains certain, however, and that is the use of proxies to mask their true IP address remains extremely high. We have found that if an online criminal, for example, is using stolen French credit cards to defraud businesses from the Ukraine, the criminals will often go to the extent to ensure that they use a proxy that identifies their machine as originating from France to bypass many of the fraud checks that online businesses use.

In my 17+ years in security I have often heard and repeated that security is a process, not an event, and in the high stakes games of online fraud, this is no different.

This is a good of an example of the way that Fraud as a Service is enabled which I talked about in my previous blog post. Now that Conficker has established a botnet, it can be used for a variety of ends. Here are a few to consider:

• Spam distribution – many of this morning’s articles have focused on the first use of this botnet to distribute spam. Spam can be for illegal services or can also be links to phishing sites.
• Identity theft – any botnet or trojan horse can simply be used to steal and transmit personal information. The way it generally works is that the user’s online web activity is monitored to capture user IDs and passwords from targeted sites like online banks, massively-multiplayer online games (MMOs), or commerce sites. That stolen data is then transmitted back to the scammer’s database.
• Hosting phishing websites or download sites – Many times individual’s PCs can be turned into hosting sites for phishing websites or illegal data download sites.

Botnets continue to be a big problem and are an important part of online criminal activity. Certainly individuals need to ensure their anti-virus software is up to date, and the industry needs to take steps to make account takeover more difficult, through more common use of authentication tokens and personal information less valuable online through the use of other fraud detection techniques like device fingerprinting and device reputation.

1. There is an emerging trend toward “Fraud as a Service” FaaS.  This is a takeoff on Software as a Service (SaaS), but the speaker primarily highlighted the moving trend toward collaboration among the scammers.  There are trojan horse kits with promised patch releases once they are detected by anti-virus.  There are launch kits that allow online criminals to target organizations.  I also highlighted this movement toward an underground fraud value chain in previous blogs.
2. New account fraud is on the rise.  Whether it is enabled by identity theft or by synthetic identities, fraudsters are creating more new accounts than ever online.  This is actually one of the top frauds that we prevent for our customers.  Whether this is targeting credit issuers for online credit accounts, MMOs for new account creation for gold farming and spam, or scammers that target online dating sites and create repeat accounts, new account fraud is a real problem made worse by the fact that identity information is so easy to obtain.
3. Cross channel fraud.  This was highlighted as the trend to play off different channels such as web, phone and mobile environments against each other to enable fraud.

All in all, I found this to be a great podcast and worth a listen.

Predictably representatives from the PCI council and the cards industry defended the standard and said that any company that had been shown to be breached was in violation of one of the standards at the time.

The reality of this all is that evidence of a breach doesn’t invalidate a standard. No regulation is going to stop online fraud, but it can dramatically reduce the risk as opposed to the absence of the standard. The real question should be how many breaches would have occurred without the standard and how must the standard evolve to be more effective and meet the worlds changing threat.

Before these mobile applications, sites could either provide a separate hardware token for multi-factor authentication which was expensive and difficult to manage, or it could provide this capability through a text message on the phone which could be costly for both the consumer and the company. This application solves the token problem by attaching itself to something that most users always have in their possession (their mobile phone) and solves the cost problem by bypassing costly text messages and embedding the password generation intelligence in the mobile app. There is a beta version of the Verisign app for some BlackBerry models and for another 40 phones in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow.  The ease of adoption for the iPhone could be the difference make in this instance and it could be a positive step in the direction at combatting online fraud and more specifically account takeovers.

Generally you won’t find the online criminal who commits all aspects of an online fraud independently from stealing the identity, obtaining fraudulent credit, to finally defrauding an online business. Instead, online criminals may specialize in different areas of the fraud process. One criminal may specialize in establishing and utilizing botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or other elements of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals may begin to collaborate and communicate on Facebook and Twitter. The reality of today’s environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud. That is exactly part of the unique value we bring to our customers at iovation. The chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.

The net results? Online banking fraud rose by 132%. The article itself highlights the fact that most of this fraud occurred online and particularly speaks to the need for global adoption of multi-factor authentication. Whether or not the world can agree on a standard for multi-factor authentication remains to be seen, but I certainly agree that many of the methods employed to stop online fraud are woefully inadequate especially those that require the input of identity information.

This was a good example of how cyber attacks have shifted to target the online user and not enterprise exploitations. None of the winners even tried to brute force attack the OSX or Microsoft Vista operating systems as by this time, those systems are locked down pretty well. Instead they focus on the browser environment and this highlights why Phishing, which I talked about in my last blog post, is the first step of the fraud value chain in obtaining personal information.

How many people can honestly say they haven’t linked to a site that they aren’t 100% certain of the content? Have you ever linked to something through a social media site, a chat group, a support forum, through a friend in e-mail? It is no mystery why botnets are such a problem. This has become big business and harvesting identities is the first step to much of today’s online fraud.

What can you do personally? That’s a good question. First, stay up on all the latest patches of your operating system and browser technology. In general, security professionals find Firefox to be better than IE as a browser technology. I use Safari, but as you can tell from the above article, they were all compromised. Second, I think it is wise for anyone to regularly monitor both their credit card statements to protect against unauthorized charges as well as subscribe to a credit monitoring service. Lifelock is an example of a well known service. Finally, as I mentioned many times before, we need to move away from using identity based information in legitimate systems. The one time I have been a potential victim of credit card theft is when my university, who used my SSN as an ID, had these records stolen out of their database. The less we rely on this personal information online, the less valuable it will be and the less it will be stolen.

There are two problems with this.  First, we are training online users that providing personal information in addition to credit credentials, i.e. color of your first car, your pet’s name, etc. is required to complete a transaction.  As this has become the norm it  is harder to spot phishing attacks.  Second, we are feeding the online databases created by botnets with increasingly personal information that the scammers can use to bypass these same checks.

I truly believe that the long term viability of solutions that require input of substantial personal information is in question.  To fight fraud, account takeover and identity theft, we should move more to systems that do not require this information like a variety of multi-factor authentication tokens, device fingerprinting, and smart cards.

One of the more interesting sections for us here at iovation can be found on page 8 of this report where they report on implemented, planned and most effective online fraud solutions.  For both large and small merchants, device fingerprinting had the largest number of respondents indicating that they planned on implementing this technology in the next 12 months.  Additionally it was ranked as one of the top three most effective technologies available to merchants today.

Device based fraud managment solutions are rapidly moving into merchant best practices for fighting online fraud.  For more information on key findings from the fraud survey, read the Merchant Risk Council press release.

Week at a Glance:

• March 9 – Opening Party at Blush Boutique, Wynn, co-sponsored by iovation
• March 10 – Platinum Member Meeting co-sponsored by iovation
• March 11 – General Conference & Exhibits (iovation booth #304)
• March 12 – General Conference & Exhibits (iovation booth #304)

On Wednesday, March 11th, iovation veteran Cory Swick will demonstrate how fraudsters are extending their scams and what online businesses can do to stop them. Emerging strategies of cybercrime will be discussed—from individuals targeting specific markets and organized rings of collusion to maturing fraud economies.

Presentation Details:

• Title:  Criminal Diversification: A Look at the Emerging Strategies of Cybercrime
• When:  Wednesday, March 11, 2009, 2:15 p.m. – 3:00 p.m. PT
• Where:  Wynn Las Vegas, Room – Lafite 6
• Speaker:  Cory Swick, Senior Enterprise Sales Executive

To meet with iovation at the event, please schedule a meeting through our website.

1. Provide visitors with instant feedback (or matches)
2. Convert visitors from “Just Looking” to “Paid Customers”
3. Deliver high quality connections or matches
4. Keep the quality of the prospect pool high, by weeding out scammers, spammers and fraudsters.

Number four is where iovation comes in.  When we compiled all incidents in our worldwide database from online dating sites that use our services, we found that the top 5 types of abuse on online dating sites are:

1. Identity mining/phishing &/or credit card fraud – 61%
2. Spammers – 14%
3. Profile Misrepresentation – 7.6%
4. General Misconduct – 5.9%
5. Solicitation – 2.9%

Computerworld launched a separate article on February 13th featuring iovation’s technology, titled, “Online Dating: Blocking the Bad Guys”.  Read this article to find out how iovation’s ReputationManager service aims to help online dating sites keep the scammers and spammers at bay.

- Scott Olson, VP of Marketing, iovation

As organized fraudsters spread their operations across a spectrum of vertical markets to increase their return on investment, it’s becoming critical for peers and diverse industries to organize their efforts in order to stop more sophisticated forms of online fraud and abuse that are becoming even more difficult to detect. This type of cross-industry collaboration has also increased the overall number of fraud attacks iovation has helped our customers prevent this year by 79%, compared to 2007. And there’s still a month and a half remaining!

The point is, working independently limits an online company’s ability to identify and stop more fraud and abuse. But collaborating with your peers and sharing information gives every fraud manager involved extra ammo in their fight against fraud, as our YTD increases clearly indicate.

As iovation expands our shared device reputation fraud network, our customers continue to reap enormous benefits. Not only are they expanding their individual networks into a shared, global database, but they are benefiting from the tens of thousands of collective resources, tools and experiences of their peers and others across multiple industries.

While device ID is important, much like a real-world fingerprint recognition technology, how you use that information to identify the device makes a big difference. For example, if fingerprint databases had never evolved beyond localized systems into centrally managed systems like the Integrated Automated Fingerprint Identification System (IAFIS), maintained by the FBI, its effectiveness at identifying repeat criminals would be extremely limited. It wasn’t until the sharing of information and records of criminals across the country that the government was able to evolve a proactive system that could catch criminals rather than simply confirm suspects. In much the same way, now that we have a good method of identifying PCs and other Internet devices, we must evolve a system that utilizes that information most effectively.

We now know that online criminals no longer limit themselves to one target. In fact, many cross industries, companies, and share information with their peers and members of more organized fraud rings. So should we. Device fingerprints must go beyond simply recognizing the device that has visited a single site to being incorporated in a broader system that establishes the historical behavior of that device online across multiple vendors and industries.

A recent incident across multiple iovation customers highlights the value of a centralized device reputation system. From July 10 to September 1, we saw a device with confirmed fraud across three different customers in different industries. The device first appeared at one of our customer’s online gaming Web site on July 10 before moving onto one of our integrated payment provider customers on July 13. We finally saw the same device again at an online credit provider on September 1. In this case, all three of our customers sharing device ID benefited from each others’ experiences with the device, not to mention dramatically expanded their fraud management capabilities by gaining their peers’ invaluable insight, tools and fraud expertise to stop the fraudster.

Adding device ID to your fraud management process can make a big difference in stopping fraud, creating significant value and uplift in your fight against fraud and abuse. Shared, centralized device reputations go a long way to unlocking the power of device ID and preventing more fraud and abuse from occurring within your network.

However, more recently I’ve been noticing fraud rings crossing over vertical markets and perpetrating their crimes/scams simultaneously upon multiple Web sites. I’ve seen, for example, criminals who have been committing Internet dating scams now moving into other vertical markets like eCommerce. In one case, a fraudster was buying “items” at an online jewelry site using a stolen credit card. Simultaneously, he/she was creating accounts on an Internet dating site, paying for their subscription using a stolen credit card.

Conclusively, fraudsters are “diversifying” their operations and committing various forms of fraud across a spectrum of vertical markets in order to increase their return on investment. However, I do still see the “old school” fraudsters sticking it out within the same vertical and focusing their efforts to try and overcome deployed fraud prevention tools within that vertical market.

My advice is simply this: don’t limit yourself to fraud strategies specific to one vertical market. The most effective fraud strategies today are the ones that leverage fraud intelligence collected from across the Internet, not just a subset community.

Have you ever stopped to think about how many online businesses have your name, address, email, phone number, and mother’s maiden name? How many times over the past year have you typed in a credit card number online?

BBC News recently reported on the single largest identity theft case in history. Over 40 million credit card numbers were stolen, along with account information, passwords, and other identity information. While “biggest in history” always makes a good headline, this is just another in a series of large security breaches to put millions of consumers at risk. Outsiders have hacked into databases of banks, retailers, universities, and other organizations. Increasingly sophisticated techniques are being used to get identity information from wireless communications. In other cases insiders have stolen, sold access or even lost identity information. There will be more headlines and even bigger cases to come. You can count on it.

In addition to the big newsworthy events, possibly even more damaging in aggregate are the smaller often low-tech identity theft cases that occur with much greater frequency. When you order something over the phone, consider the unscrupulous order taker that simply writes down your credit card number and identity information on a piece of paper that they take home at the end of the day.

With more and more personal information in more and more places, the reality is that all of us are in at increasing risk of having our identities compromised. Independent of the method or scale of the identity theft, the impact to the individual whose identity has been stolen is the same. And we are all paying the price. Even if you don’t personally experience identity theft, you pay for it in higher prices, service fees, and often frustrating and inconvenient barriers that are only in place because of a few bad guys that ruin it for everyone else.

Most online businesses understand the relative ease at which fraudsters can obtain identity information. As you might expect, many online businesses respond by being more careful. How do they know it’s Bob versus a fraudster claiming to be Bob? Ironically, being more careful often means implementing systems that rely on even more identity information.

It’s a vicious cycle. More information in more places increases the chances it will get into the wrong hands. Overreliance on identity information increases the value of stolen identities. Headlines created by this cycle make consumers even more reluctant to shop online.

So, what can be done? One solution to this problem is to augment identity-based approaches with fraud and abuse management systems that use physical, device-based information independent of identity or financial information.

Device Reputation, which provides historical information about how an individual computer has been used in the past, is a good example. For online merchants, consider the value of knowing that an order is being submitted through a computer associated with stolen credit card use or identity theft at other online merchant sites. If the identity and financial information provided “check out” but the computer is either directly or indirectly associated with fraudulent activity, the stolen identity information has little value. And, there is significant value to consumers, as well. If your identity information is associated with the Internet devices you typically use to access a particular site, it is much more difficult for someone else to claim to be you.

Combining identity-based systems with a device-centric approach significantly raises the bar for fraudsters and will lower both the rate and impact of identity theft. Identity information becomes less valuable as more sites look at identity in combination with device data. This is how we break the viscous cycle.

So, are identity-based fraud management systems part of the problem or part of the solution? They are part of the problem when over-relied upon and used independently. They are part of the solution when they work in concert with other fraud management techniques that don’t rely on identity information.

Solid security systems require multiple layers that work together. A breach of one or even multiple layers doesn’t mean a breach of the overall system. Solid Fraud management solutions should follow the same approach.

This is a fair question, but highlights the fact that people really don’t understand the shortcomings of identity based fraud and abuse management systems in the online world.

Yes, iDating sites can do background checks, and some do, like true.com. The problem with these checks is that they are pretty basic and rely on the information provided by their users.

Want to bypass an online background check? Here’s a hint. Don’t use your real information. Change your name. Change your date of birth. Use someone else’s identity. In many cases, simply changing your zip code to another state where you don’t have a record is enough to bypass background checks that are used by online sites.

Why is it so easy to bypass checks? Because validating online identity information is so costly and complicated, and obtaining or manufacturing false identity information is so cheap and easy. Many have even clamored for legislation of online communities to include checks for pedophiles. This may prove to be helpful at catching a few unsophisticated users, but as long as bypassing these checks is as simple as providing false information this isn’t a great use of time or money.

This is why we feel so passionate about device reputation at iovation. The ability to answer the question for our customer, whether or not we have seen a computer before, either at their own site or one of their peers, and whether it has been associated with a history of fraud or abuse is priceless. It is independent of the information provided by the online abuser and can identify both repeat offenders and full blown, organized fraud and abuse rings with ease. It’s time to gain an understanding of how the real world differs from the physical world and act accordingly.

It’s a well-known fact that fraud impact consumers’ online spending habits. According to Javelin, 3 out of 10 fraud victims decrease their online shopping. But for online retailers, the impact doesn’t stop there. Aside from losing valuable customers, fraud victims likely warn others of their experiences with particular sites, which can result in untold profits lost due to a lack of customer confidence, not to mention a devastating ripple effect due to a tarnished reputation.

One of the fraud fighting tools analyst Rachel Kim highlights in the Javelin report is device recognition. This echoes what Gartner’s “Best Practices in New Account Fraud Detection” reported earlier this year, in which analyst Avivah Litan stated client device identification would become a critical element in online fraud management strategies. Identifying and tracking the devices that cyberthieves use to perpetrate fraud provides an additional layer of protection to a business and their customers. No longer are they relying on potentially stolen or false information provided by fraudsters to trick them into thinking they are somebody else. Focusing on the device – and how it has been used in the past – allows online retailers to quickly identify positive transactions, negative transactions, and flag highly suspicious transactions for review.

Unfortunately, today’s threshold for account creation is still too low. Without the ability to positively recognize a device once it connects to your Web site, there is no way to stop fraudsters from creating new accounts or from repeating the same fraudulent activity on a site. The inclusion of device identification augments existing fraud detection solutions and helps online merchants quickly identify a fraudster’s device or account so they can cut them off in their path.

On Wednesday, August 13 (8am PST/4pm GMT), iovation will also host a follow-up webinar, “How Stopping Online Fraud Can Unlock Your Gaming Site’s Potential.” The 30-minute event will discuss how sharing fraud experiences with peers can help online gaming site’s catch more fraud and abuse, reduce operating costs, and increase business revenue and growth.

If you are interested in being part of this insightful discussion, be the first to register for the webinar. We hope to see you soon!

A recent article on TechCentral.ie touches on how even during the dog days of summer – particularly the holidays – when many senior managers take holiday and leave more junior staffers to make decisions, fraudsters are constantly on the prowl attempting new tricks. This is yet another reminder that Internet scammers are working around the clock to stay one step ahead of fraud managers. It is also times like these that online businesses need to know that they’ve proactively taken the necessary steps to safeguard their business assets and legitimate customers.

Managing online fraud and abuse is not about having a fool-proof plan that is basically good as a fraudster’s latest scheme. It’s about having a fraud detection process that allows you to quickly identify more positive and negative transactions and, ultimately, flag fewer transactions for review based on a many different indicators. The key to successfully fighting online fraud and abuse is improving your ability to identify a fraudster more accurately and stop fraud schemes when you least expect it, even when you are on your well-deserved summer vacation.

iovation’s Device Reputation Authority^TM is a comprehensive network of device intelligence that enables online businesses to share information about computers and online accounts that have a history of fraudulent or abusive behavior without collecting personally identifiable information (PII). This information allows online businesses to take immediate action against fraudulent devices that repeatedly try to log on or create new accounts using stolen or false information while still protecting the privacy of the user. As a result, participating sites can take proactive action to prevent the same fraudulent and abusive activity from impacting their business and customers. In other words, when a company in our shared network has seen fraud, everyone else in the network knows about it.

A key feature that makes iovation’s device reputation network so powerful is that it contains collective intelligence from not one, but multiple industries, including online retail, online gaming, financial services, online gambling, and online social and dating networks. But perhaps the most compelling reason for using the shared network is the more companies that participate, the stronger and more effective you become in fighting online fraud and abuse. As a result of sharing device intelligence, iovation has already helped our customers stop more than a million fraudulent activities this year!

As I’ve said before, today’s online criminals are more organized than ever. If businesses are going to successfully thwart new, more sophisticated online attacks, they must work together. Utilizing technology that allows companies to share knowledge with their peers and other industries not only keeps fraud teams one step ahead of the bad guys, it’s an important step in creating a safer, more trusted online environment for businesses and consumers.

As I have written before, law enforcement has limited effectiveness on this growing problem and is unlikely to stem the tide of online fraud in the near future. The most important step for online companies to take is to begin to protecting themselves and to employ all best practice technology to reduce online fraud and abuse while keeping their fraud management costs in line.

We believe that device reputation changes the game in fighting online fraud and abuse. By having greater insight into the history of devices within your network, not only does device reputation reduce your total fraud problem, but as online transactions continue to increase, it also helps you reduce the number of transactions that have to be reviewed by your fraud team.

I also explained how iovation’s device-based reputation system allows banks to get more organized – just like the fraudsters – to track the history of fraud and abuse on a particular device and identify the associations between accounts and devices that we’re previously invisible to them.

Fraud management, if it is working properly, ought to be saving more than it costs, both from a fraud reduction and from an operational efficiency perspective. Unfortunately, too many vendors in the security space only provide insurance without clear and measurable ROI.

If you are interested in learning more, I will be hosting a post-RSA Conference webinar on Wednesday, April 23rd that will cover these and other security related issues. Registration is free. Sign up today.

The article then highlights the use of televerification as a next generation of fraud management that raises the bar for combatting online fraud. While this might deter the casual fraudster who decides to commit a single fraudulent purchase, this will do nothing to deter organized criminals who can simply go out and buy a prepaid mobile phone that doesn’t require personal information and is often purchased with a stolen credit card, to get around this technique. It should also be noted that Gartner recently reported in its Best Practices in New Account Fraud Detection study that telephone-based user verification is not foolproof unless the enterprise is sure that the phone number on record belongs to the legitimate user.

Again, the strength of adding shared device reputation to your fraud management processes is two fold. First, you immediately get an improvement of your fraud management techniques by identifying those devices that have previously been associated with fraudulent purchases either at your site or at a peer’s site. Second, because you are identifying devices that both have a negative association, as well as a positive purchase history, your operational review costs can go down significantly as the numbers of accounts delayed and flagged for review reduces accordingly. This will result in both reduced losses from fraud in addition to the reduction of good orders previously rejected because of an over aggressive risk profile due to operational overhead.

Any good fraud management process must take advantage of both the information supplied by the customer, as well as information collected independent of customer interaction. Device-based reputations provide that mechanism to round out best practice fraud management processes.

This poses a significant problem, not only in leadership and technical expertise, but in simple logistical issues such as jurisdiction, common worldwide laws governing e-crime, and the extremely difficult issue of associating online criminal behavior with a real-world individual. And this doesn’t even touch the fact that the volume of online theft and access to stolen personal information or stolen credit card numbers is so abundant that there is simply too much fraud for over-stretched law enforcement officials to pursue.

That is why most companies are defaulting to trying to protect themselves, but they often find themselves implementing a highly manual process that tries to find criminal behavior by looking at the data supplied by the criminals themselves. This is not an efficient model and it simply doesn’t scale with the growth of online business and online crime. Reviewing online orders on a case-by-case basis not only slows down the business process, but it doesn’t stop fraudsters from simply returning to the site under another false identity to repeat the same crime. If online businesses expect to dramatically reduce the amount of fraud that is occurring, stronger preventative measures are needed to raise the difficulty of committing fraud and make it harder for fraudsters to successfully use stolen credit and personal information in the first place.

One of the recommendations from the CIO Jury and by silicon.com is the formation of a dedicated national police e-crime unit for the UK. The problem of course, is that it will face many of the issues faced by e-crime units in the past with respect to a global threat. This will simply be ineffective in stemming the growth of global e-crime.

Establishment of strong, effective e-crime law enforcement can bring some benefits, but online businesses can’t wait for that. There are steps that they can take immediately to protect themselves that mirror the real world when law enforcement is simply not sufficient for addressing a community threat. First they need to work together. They need to have a mechanism for collecting and sharing information about online criminals so that the collective whole can band together to protect themselves against an increasingly organized enemy. Second, they need to use a common point of identification that is not simply supplied by the user.

As long as identity theft exists, relying on personal or financial information will never be a sufficient mechanism for determining the risk of an individual online transaction. Online businesses must associate this growing positive and negative reputation with something more concrete. At iovation, we feel that should be the device used to connect to the online site. Whether it is a PC, Mac or mobile device, establishing reputations for devices used online and then sharing reputations among their peers creates real benefits that are simply not realized by most of today’s fraud management processes and tools.

Be sure to sign-up for our MRC wrap-up webinar on Wednesday, March 19th at 11:00am PST. I will be discussing some of the key issues and challenges facing today’s risk management professionals. Attendance it free. Register today!

Solving the problem is incredibly difficult because blocking accounts identified with fraud doesn’t solve the problem because the threshold for new account creation is low and the fraudsters simply come back with different personal and account information. As we have found many times across our different customer industries, the ability to identify the device where fraud originates pays huge dividends in stopping this type of fraud and prevents organized fraud rings from victimizing online businesses repeatedly. iovation allows our MMO customers to see not only if a device has been previously used or has been associated with chargeback fraud, but also identifies other in-game problems like distributing spam and harassing other legitimate players. The process of fighting online fraud requires information about the source of the transaction. This data can take the form of identity information, financial information, and device information. Unfortunately, most online businesses rely almost solely on financial information and use very little identity information when doing analysis, leaving out the most important element in organized fraud – the fraudster’s PC. As highlighted recently in a Gartner research report by Avivah Litan, awareness of using device reputation to combat fraud is growing significantly.

The MMO industry is a great example of where this could change the game in providing tools to fight fraud in an online environment. Without including device information into their fraud and risk management strategies MMO’s are simply limiting their ability to fully protect their networks against some of today’s biggest fraud problems, not to mention repeat fraud, which continues to have a significant impact on a company’s operational efficiencies and business profits. Therefore, the inclusion of device information not only augments an MMO’s existing fraud detection techniques by accurately identifying a fraudster’s computer, it provides online gaming site’s with the additional layer of defense needed to effectively combat ongoing fraud and abuse.

The implication of the article is that since companies don’t have the budget to add staff for increased manual reviews, they will have to let more fraud through than before and make choices about what fraud they really care about, or dramatically increase the efficiencies of their fraud management process to reduce the burden of manual reviews for otherwise good transactions or false positives.

Before online merchants throw in the towel and willingly accept more fraud, they should first re-examine the effectiveness of their automated fraud screening tools and processes. At the root of this problem is the over reliance upon identity information and credit credentials as the only mechanism for assessing the risk of a transaction. There is always going to be a significant problem with basing transaction risk assessments solely on the basis of information provided by the user. First, it is far too easy for the sophisticated fraudster to get valid consumer personal and credit information off shared “carding” databases on the Internet. Second, manual reviews are simply too costly and imprecise to scale. Finally, many of today’s fraudsters are beginning with a fraudulent credit application using a stolen identity rather than stolen credit cards, so standard credit checks simply won’t provide value.

To increase the ability to identify fraudsters and reduce manual review costs by an order of magnitude, there needs to be a shift in thinking in managing risk for online purchases to include device identification and reputation. Gartner analyst, Avivah Litan, points to this need in her recent report “Best Practices in New Account Fraud Detection.” She identifies Client Device Identification as one of the pillars of combating new account fraud online. Adding to this, there is a need not only to recognize the devices that have been used for fraud at your own site, but at peer sites, as well.

Adding device reputation into the fraud management risk provides two immediate benefits. First, it makes the connections between purchases that appear completely unrelated and allows merchants to more quickly identify an organized fraud attempt and hence catch more fraud. Second, it drastically reduces the cost of the review process by flagging more suspicious purchases based on the reputation of the device being used to make those purchases. As an example of this, one of iovation’s customers experienced a 40% reduction in fraud management costs by improving business efficiencies, and in doing so, began catching more fraud and abuse after implementing iovation ReputationManager 360 service.

This article makes the observation that “the survey report estimates that just to keep up with increased demand on order review, large merchants would have to increase fraud management efficiency by about 20%, maybe more, given that such programs may already be operating at levels that are sub-optimal.” The article concludes that more fraud must be let through, but by adding device reputation to the mix, this simply doesn’t have to be the case.

While the report mentions that enterprises can’t rely upon unique identifiers for new accounts that have already been provisioned, in fact they can when those identifiers are used as part of a shared reputation network, or if the new account is being created by a fraudster that has visited the site before but has supplied different personal information. In a shared device reputation network such as is provided by iovation’s ReputationManager^TM service, businesses can benefit from the experiences of their peers and detect devices that have been used for fraud in the past even if that is the first time the business has ever seen that device. Much as has been proven over time with shared information about the validity of credit card data, shared device reputations can provide a strong counter to repeat fraudulent behavior.

iovation is the leader in providing a shared device reputation infrastructure. We currently maintain over 30 million device reputations and process more than 2 million reputation requests per day from our customers. In addition, 2.1 million (7%) of the devices we track for our customers are seen at more than one customer site. This validates the tremendous power in being able to gain insight into the reputation of a device even if it is the first time you have ever interacted with that device online.

But as Internet cupids look to tap into the fertile China and India dating markets to grow business profits, cybercriminals searching match-making sites are posing greater threats as they become increasingly more professional and sophisticated in their tactics. Scambusters.com has recognized this emerging trend in its annual predictions of worst Internet scams. For this first time, “Online Dating Scams” drops in at No. 8 on this year’s Top 10 scams to avoid in 2008. With online dating scams on the rise, now is the time for match-making sites to put a priority on protecting their online businesses by finding and blocking scammers from their site, and subsequently, providing a safer environment for their members.

Online dating fraud and abuse was a hot topic at this week’s Internet Dating Conference in Miami. If you would like to learn more about what was discussed at the show and how match-making sites are joining forces to reduce harmful online fraud and abuse, register to attend iovation’s post-conference webinar on Tuesday, February 19th.

Additionally, this call to action caught my eye, “Efforts to tackle fraud are being hampered by a lack of co-ordination from card companies and the police, and merchants are asking for a central body to co-ordinate fraud reports.”

In particular, it is the desire for online businesses to coordinate their fraud efforts that is essential to their success. This is why the Device Reputation Authority was created by iovation, so that online businesses don’t have to wait for the Government to figure out a strategy to addressing online risk, but immediately provides online customers to identify fraudsters and share that information with their peers while still protecting the privacy of their customers.

The added benefit is evident in the headline of this story in that operational costs will be dramatically reduced as companies join to work together to combat fraud in addition to reducing actual fraud losses.