Velocity-based rules have long been used by merchants to help identify potentially fraudulent online behavior. Typically, velocity-based rules function by looking at commonalities in personal information, across accounts and transactions. For example, a warning may be set off if multiple accounts, or multiple orders, all have different names but the same shipping address. Another example might be if multiple accounts were all set up using the same password.

Unfortunately, these kinds of velocity checks are of limited value against more sophisticated fraudsters who have the information, the technology, and the general savvy to set up multiple accounts that all, on paper, look completely different—different names, different credit card numbers, different shipping addresses, different IP addresses. (more…)

We’re going into 2010 with a lot to be excited about, including the announcement of our new VP of Technology, Scott Waddell.  Scott joined iovation in April 2008 as our Director of Research, a role to which he has brought amazing insight and innovation.  I love his ability to keep sight of a strategic vision while being pragmatic about getting there.  Starting this month, he’s taking over the helm of our entire technology organization and we’re confident he will continue our positive momentum into the new year and beyond.

To provide a bit of an introduction, Scott has nearly two decades of technology experience with an emphasis on security.  Before joining iovation, he spent a number of years at Cisco, serving in a variety across engineering, network security and research. Prior to that, Scott co-founded WheelGroup, a network security company that was later acquired by Cisco.  He also served as a charter member of the Air Force Information Warfare Center, pioneering tools and techniques for automated vulnerability assessment and incident response. (more…)

Well it’s been a good year for our blog. We’ve tried to address a number of topics all relevant to helping businesses fight online fraud. As the year wraps up, I thought it would be a good time to summarize some of the themes from the year and highlight some of our posts. While we touched on a number of topics, a few main themes remained consistent:

Device reputation is an important component of best practice fraud management – 2009 was a difficult year for business, but one trend that emerged was an increased visibility into how valuable device fingerprinting and reputation solutions can be as part of any sophisticated fraud prevention architecture. Some of our articles on this topic:

• The First Five Benefits You Will See From Device Reputation
• Not All IP Addresses are Created Equally
• Device Fingerprinting Techniques – Several Choices

Online retailers are under attack – Online retailers continue to find themselves under attack and we touched on this topic a number of times this year. Here are some of the highlights: (more…)

Yesterday, President Obama took an important step toward putting cyber security front and center by appointing Howard Schmidt as cyber security coordinator. Not only will this significantly aide in advancing the current administration’s cyber security initiatives—it’s also a critical step forward in the private sector’s fight against cyber crime.

Given the impact that cyber crime has on our economy, online businesses especially have a lot riding on the success of these government initiatives. A recent report from LexisNexis estimates that U.S. businesses lose $191 billion annually from computer related crimes. This is why Mr. Schmidt’s combined experience in both government and the private sector will hopefully be an important asset, allowing him to simultaneously understand the issues currently facing businesses and be able to cut through the red tape on Capitol Hill to make real change happen. (more…)

There was a blog post recently on Wallet Pop titled “Online theft not the main cause for identity fraud.” In it, author Josh Smith does a good job calling out the differences between identity theft and identity fraud. In short, identity theft is when someone’s personal identity information has been stolen; identity fraud is when that stolen information is used to commit financial fraud or some other kind of crime. While the two are inevitably related to one another, they are not the same thing.

In the case of identity theft, it’s a common myth that malware, botnets, and other internet scams are to blame; however, Smith cites a study done by Travelers Insurance that actually shows that the majority (78%) of incidents of identity theft actually occur offline. This indicates that peoples’ fears may have been, at least in part, misplaced. Individuals would benefit from an increased awareness and vigilance in all aspects of their life, not just online.

This being said, there still remains the question of identity fraud: what happens once someone’s personal information has been compromised? This is where online businesses still need to be on high alert, because online sites (and not physical stores) will likely remain the No. 1 target of identity fraud. Here’s why:  (more…)

I wanted to take a moment this Thanksgiving week to offer up my own personal thanks to everyone involved in making iovation a success and to all those who work with us to combat online fraud and abuse. Our customers, partners and employees have all played an important role helping us finish the year strong. We’re poised for an amazing year in 2010 and looking forward to all that we will accomplish together.

It is amazing to me to look back and see how much we have accomplished in just a few years. Through collective hard work and the loyal support of our customers, we have become leaders in device reputation and device fingerprinting solutions. We now protect over 300 websites and have profiled over 180 million computers. We perform over 4.0 million device reputation checks and stop over 30,000 fraudulent transactions every single day.

Thanks to everyone who is working together to protect online commerce and fight online fraud. We couldn’t have done it without you.

Happy Thanksgiving to you and your family.

Greg

The BBC News has posted a report that the Serious Organized Crime Agency (SOCA), based in the UK, is warning individuals to avoid online money-making schemes that turn them into unsuspecting “money mules.” The article explains:

Fraudsters are using a variety of bogus and legitimate recruitment channels to con job-hunters into thinking they have found genuine employment. But in each case the job comes down to asking the victim to receive relatively small amounts of money into their own account and then move them onwards to another bank.

The result is that unsuspecting individuals can become liable for stolen money being funneled through their accounts and end up suffering the consequences. As an essential component of many types of fraud, money laundering is a big problem because it enables criminals to move money around without being traced to the initial theft. This not only affects online banking, but it is also a problem anywhere money changes hands—like online casinos or auction sites. (more…)

When I talk with fraud managers, they often express concern that the benefits of a reputation-based system won’t be instantly apparent. While a reputation service inherently becomes more valuable over time as companies log their fraud experiences into the system, it’s worth pointing out that device recognition and device reputation provide a number of benefits that can have an immediate effect, such as the following:

• Expose relationships between transactions –Device recognition gives fraud management teams instant visibility into the relationships between all online transactions (fraudulent or not). This provides immediate value in assisting with investigations and resolving issues.
• Receive velocity alerts –The number of purchases, applications, account creations, etc. that originate from one user in a given period of time is highly indicative of fraudulent behavior. For example, wouldn’t it be valuable to know that in the span of one hour, ten credit card applications were all submitted by one person? Unfortunately, since most fraudsters use fake or stolen identities, this can be incredibly hard to detect—unless you focus on the device. With device recognition, you can monitor the velocity of transactions coming from a single device, regardless of the identities provided.

(more…)

U.S. President Barak Obama has officially declared October as National Cyber Security Awareness Month and has addressed the Nation detailing the importance of our national infrastructure.

President Obama makes some important points indicating that our networks and IT infrastructure are important national assets and it is imperative to protect them. Acknowledging the growing strength of online spending, President Obama says, “The Internet and e-commerce are keys to our economic competitiveness.”

Cyber thieves are costing the U.S. and other countries billions of dollars in fraud losses every year; this is in addition to the significant impact that individuals suffer as a result of identity theft and the propagation of malware on personal computers. Obama calls on a public/private partnership to address this threat and secure our networks.

Regardless of your political leanings, providing a safe environment for online business is an important goal for our country and the rest of the world. There is no doubt that our online activities are under siege and jeopardized by an increasing cyber threat. Thwarting this threat and providing a safe environment for online businesses and individuals is a key mission for iovation and our customers.

While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of botnet operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection. (more…)

“More than one in five people (in Australia) have fallen victim to credit card fraudsters or computer hackers.” This statistic comes from an article on Australian news site AdelaideNow, which details the findings of a recent report on credit and identity theft in the country. Apparently credit card fraud is up 23 percent from last year, and the blame is being placed on “Australia’s lapse in deploying anti-fraud technology.” (more…)

When it comes to protecting online accounts, multi-factor authentication—especially the use of tokens—has been considered the strongest protection against password theft and account takeover. A recent article from the NY Times, How Hackers Snatch Real-Time Security ID Numbers, explains the lengths that online criminals will go to in order to steal personal information and takeover accounts.

In the article, they explain a scenario involving an infection called the Clampi trojan, but the success of an account theft or takeover isn’t dependent on any specific trojan. All it takes is some method of infecting a computer in order to provide real time data from that computer back to the online criminal. The NY Times article details the way a trojan spreads and watches for ideal account targets. (more…)

This week the Associated Press reported that a Miami man and two Russian co-conspirators stole over 130 million credit card numbers in the largest theft of credit information ever.

Anyone who doesn’t think that online crime has transitioned into big time business should take note.  Online criminals are coordinated and remarkably well organized. They are becoming increasingly adept and efficient at not only obtaining, but sharing, valuable data: namely credit and identity information.

The extent to which online commerce companies rely on their ability to trust in this very same data cannot be overstated. Today, most online transactions are checked for fraud based upon credit and identity checks. If trust in that data is undermined, then the business models of hundreds of thousands of online retailers will suffer. (more…)

We recently announced an amazing achievement and this is a proud moment for everyone at iovation. Since our inception, we have processed over 2.0 billion real-time device reputation inquiries for our subscribers.

Over two billion times, our subscribers have used one of our device printing technologies while interacting with end-users and then reached out to our service with device printing data plus their unique account or transaction identifier. In real-time (sub-second response times) our service then follows business rules that are unique to each subscriber and leverages terabytes of information in our global fraud database, the Device Reputation Authority (DRA).  We can tell subscribers if they have ever seen a given device and if any related accounts and devices have a history of fraud or abuse at their site. We can also tell subscribers if any related devices are associated with fraud or abuse at other subscriber sites. (more…)

There is a good article on the Internet Retailer site today titled “Fear of debt and fraud change the way online shoppers pay.“ Essentially, online shoppers are looking for the sites they trust the most and are moving to alternative payment vehicles that do not require them to enter their credit card information. According to the article, thirty-seven percent of online shoppers are using their credit cards less, while only ten percent indicate they are using credit cards more. Meanwhile, alternative payment vehicles like PayByCash, Bill Me Later, and PayPal are undergoing rapid growth.

In addition to being good news for the companies who offer alternative payment types, this information also signifies an important development in the realm of fraud prevention. With fewer shoppers using credit cards online, traditional fraud-management tools that rely upon that personal and credit information are going to become less effective. The Internet Retailer article quotes extensively from CyberSource’s most recent fraud report: a report that indicates that device fingerprinting solutions, like iovation ReputationManager™, are at the top of the list for planned implementation in 2009. The trend of online consumers away from payment options that require personal and credit information will only make augmenting fraud prevention with device fingerprinting solutions more important.