In the article, “Cybercrime is now a booming industry,” the new Global Risks for 2012 report says that along with a steady increase in cyber attacks on businesses and governments around the globe, the top concern for illegal digital data sellers is maintaining trust with their customers.

According to an ethical hacker in India, the digital black market has become so competitive that entrepreneurial cyber criminals depend on their trustworthiness, along with free trials, discounted offers and money-back guarantees on stolen goods, to succeed in the shady underworld.

“Today, the main concern for the data sellers is to generate trust among their clients.”

Any legitimate business knows the importance of building and maintaining a high level of trust and confidence with their paying customers. Without it, we have no customers. Turns out, the cyber underground is no different. In order to sell stolen goods to their customers, cyber criminals, whose livelihood is based on creating a web of lies to steal other people’s information, also have to establish and preserve an upstanding reputation among their likeminded clients.

At iovation, we’ve always understood the power of reputation — both good and bad. In fact, our business is built on the experiences and expertise of more than 2,000 fraud analysts from leading brands worldwide, who have all contributed to our device reputation database of over 800 million unique devices, including PCs, laptops, smartphones, tablets and consoles.

Unlike anti-fraud solutions that rely on personally identifiable information (PII), iovation’s advanced device reputation technology focuses on the user’s device to identify and stop fraud in real time, as well as make quicker decisions on legitimate online orders and business transactions. By including a fraud prevention service like iovation’s ReputationManager 360 to any multi-layered security strategy, organizations don’t have to rely solely on potentially stolen or misrepresenting information provided by criminals to perpetrate fraud over the Internet.

While there’s no arguing that trust is essential for doing business — apparently between cyber criminals, as well — having a trusted resource like iovation to uniquely recognize known fraudulent devices, expose hidden fraud rings and identify good customers before the transaction takes place, can play a pivotal role in any business’s ongoing challenge to reduce online fraud rates.

While monetary gains are always the ends to the means for cyber thieves, the digital goldmine appears to be personal and financial information stolen from email accounts and bank accounts, as well as intellectual property, all of which hackers can sell on the cyber black market. Some additional points in the Global Risks for 2012 report included:

• Cybercrime, cyber-espionage and cyberwarfare are on the rise
• Credit card cloning is flourishing in India, conducted by Nigerians living in India who are using card data received from Russian underground forums
• Hackers are launching chance attacks on individual users and more targeted attacks on businesses and governments to exploit system security flaws
• Corporate source codes for products, intellectual property and defense data is extremely valuable to competitive organizations and governments
• Enterprises leveraging social media tools should consider the risks of employees accessing social media sites while on the corporate network

Here are some of tonight’s 2012 Totally Gaming Award winners:

• 888.com for Best Online Product of the Year (iovation was a finalist)
• Betfair for iPhone for Best Mobile Gaming Product
• Holland Casino Amsterdam for Best Casino Operator
• Jan Jones and Ron Goudsmit for Outstanding Service to the Land-Based Industry
• Wes Himes for Outstanding Service to the Remote Industry
• Novomatic for the Media Award
• Inspired Gaming Group for Best Betting Product
• Casinos Austria for Best Marketing Campaign
• Casino Cosmopol Sun vaal for Best Casino 
• Raff Ltd for Best Lottery Product
• JMC Global for Best Street Supplier 

Next up on the ICE agenda is the Combating Cybercrime in Gaming conference at Earls Court. Starting Tuesday, January 24th, attendees will find a great line-up of topics, including jurisdictional approaches to investigating cybercrime, knowing “who” and “where” your gaming customers are, implementing strategies to reduce data leakage from your network, cybercrime hotspots and forecasting future threats, and staying ahead of mobile gaming fraudsters.

iovation’s vice president of global sales, Max Anhoury, leads the mobile gaming fraud panel at 2:00 pm, titled Staying One Step Ahead of Mobile Fraudsters, to help attendees understand the latest cybercrime threats and how gaming operators can better protect their business, brand and customers.  Joining Mr. Anhoury will be Darwyn Palenzuela, Chief Technology Officer at Smart Gaming Group and Christina Thakor-Rakin, Head of Operations at Virgin Games. iovation will be sharing worldwide mobile device trends from its global reputation database of more than 800 million unique devices, which includes PCs, laptops, smartphones, tablets and consoles. 

iovation offers mobile fraud protection by uniquely identifying mobile devices that touch its clients websites or applications. The company employs a “defense-in-depth” approach to identifying, recognizing and developing a reputation for each mobile device, which includes multiple components and strategies that work in concert to help online businesses fight fraud effectively. iovation’s device reputation service includes both web and native device recognition, with SDKs for iOS and Android available globally. Managing the associations between devices provides opportunities for device re-identification even when evasion techniques are in play.

Those attending iovation’s Mobile Gaming Fraud Panel will learn:

• Mobile gaming offerings available and the progress and challenges posed
• Mobile fraud schemes and how gaming sites detect and prevent them
• Popular real-time rules that gaming operators are using to detect and deny fraudulent transactions
• Advanced technologies that will impact your strategy today and in the future
• Regulatory and compliance issues with regard to managing fraud on mobile devices
• Mobile application development and experiences with iOS and Android approval and distribution systems
• Future trends and mobile gaming growth expectations by operators

If you are unable to attend the presentation, but would like to learn how to protect your gaming site from chargebacks, identity theft, bonus abuse and collusion, stop by the iovation booth #5117 during the exhibition and speak with our team!

In the article, “Why Internet crimes go unpunished,” security expert Roger Grimes breaks down some interesting numbers around cybercrime, and how hackers are (to put it mildly) beating the odds. According to the FBI’s 2011 Internet Crime Report, of the more than 300,000 complaints that netted criminals $1.1 billion in 2010, law enforcement agencies convicted an average of one crook for every 50,635 victims. In other words, as Grimes eloquently states:

Steal someone’s identity and your odds of being caught are almost infinitesimal.

With all the hacks and fraud headlines 2011 will be remembered for, that’s definitely not the way we want to ring in the New Year. But as Grimes also warns, if we aren’t careful we could see history repeat itself as criminals not only continue defrauding computer users, but launch recycled attacks against the explosion of worldwide mobile device users, who could fall victim to the same old PC tricks.

While law enforcement certainly has its challenges in tracking down and prosecuting cyber criminals, nobody will argue that we can always be doing something on our part to help reduce the risk of fraud where the criminal is utilizing a computer, as well as emerging mobile platforms like smartphones and tablets.

Whether you’re an individual, small to mid-size business, or even a large international corporation, in many ways you’re sort of on your own in cyberspace. This is why taking matters into your own hands and implementing defense-in-depth fraud preventative strategies is so critical to protecting yourself, your employees and business from both evolving and old-school scams targeting every form of Internet-connected device that we use.

This is the time of year when most businesses are setting their budgets and determining business goals for 2012. While improving customer service and increasing revenues are certainly at the top of any CEO’s to-do list, mitigating costly fraud risks that can take a hefty bite out of annual profits (not to mention cause significant reputation damage) requires organizations to deploy effective security tools like iovation’s ReputationManager 360 solution to reduce the risk of fraud or abuse over all devices and platforms connecting to their online business environment.

It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, there are many, many things that go into a new feature including design, development, testing, documentation, integration and other operational requirements. We won’t go into that amount of detail here, but instead will focus on the primary achievements within each of the four principle areas of specialization at iovation, which include:

Take, for example, a fraud prevention service like iovation’s ReputationManager 360. Using advanced device reputation technology, we work behind the scenes in many of the world’s largest and most respected gaming environments to provide protection from all forms of fraud and abuse. In the past year, we’ve provided invaluable intelligence on more than 475 million gaming transactions.

At iovation, we’re happy to play the role of the unsung hero. But every now and then it’s an honor to be recognized by industry leaders who call out the important work that we do. This is why we are so proud to announce that the distinguished ICE Totally Gaming panel has named iovation a finalist for the Best Online Gaming Product of the Year.

The award, which judges applicants on five criteria and their achievements over the past year, recognized iovation for our work in protecting billions of online transactions for our international gaming clients. Since 2004, we’ve successfully helped gaming businesses minimize chargebacks, account takeover, arbitrage betting, player collusion and affiliate abuse. Our customers also use iovation for their KYC requirements like managing customer request exclusions and geo-fencing.

The Totally Gaming Awards banquet takes place on Monday, January 23, 2012, at 8 Northumberland, London. After the ceremony, we will be exhibiting at Clarion Event’s ICE Totally gaming international exhibition in booth #5117 from January 24-26 at Earl’s Court in London.

It’s truly an honor to follow in the footsteps of some of the most recognizable technology companies in the world such as Google, YouTube, Skype and eBay, who have all been previously selected to Red Herring’s prestigious Top 100 Global list.

This recognition is a direct result of years of hard work evolving our fraud protection service into a full spectrum device reputation solution that supports native and web integrations for mobile and desktop devices, tagged and tagless device recognition, real-time transparent risk scoring, and on-demand and scheduled reporting. Our remarkable growth is attributed to the collaborative work and effectiveness of our global device intelligence network, which today protects billions of transactions for our clients representing multiple industries around the globe.

Red Herring Chairman, Alex Vieux, elaborated on the difficulty the editorial staff goes through each year in selecting the Global Top 100.

“Choosing the best out of the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners. It was an extremely difficult process. iovation should be extremely proud of its achievement, the competition for the Top 100 was fierce. The Top 100 Global are truly the best of the best.”

Companies were evaluated on both quantitative and qualitative criteria such as financial performance, technology innovation, management quality, strategy and market penetration.

The full list of 2011 winners is located at: http://www.herring100.com/RHG/2011/top100.html.

We all know that the top priority for any IT fraud team is to ensure their good customers can safely and easily communicate and do business within their online environment. However, because many business websites have networking communities that bring likeminded individuals together to socialize, the potential for users or criminals to act inappropriately towards others can create problems that can impact the user experience.

For the verticals we serve, including online dating and Internet gaming and gambling websites, the social interaction that goes on between their members is core to their business and daily revenue stream. If somebody gets out of line or breaks corporate policy, it not only impacts the user’s experience, but can put the organization’s reputation at risk.

If any online business fails to maintain the trust and confidence of their paying subscribers, those customers can simply take their business elsewhere. This is why online romance sites and Internet gaming environments need to be aware of the impact member abuse can have on their bottom line.

One of the challenges of protecting networking sites from abusive behavior is stopping it before it happens. But how? While most anti-fraud measures still focus on the person connecting to a site, iovation’s ReputationManager 360 solution checks the device being used to log onto a site or request transactions against a dynamic database of more than 700 million unique devices and their reputations to give businesses deeper insight to those connecting to their network. Understanding when a device on your network — whether it’s a PC, smartphone or tablet — has been used to perpetrate abusive or fraudulent behavior on another site is valuable information fraud teams can use to prevent unwanted behavior against their members.

The bottom line is, when it comes to online services, consumers have more choices than ever. If their trust and confidence has been violated as a result of online fraud or abuse, they can walk away at any time. Organizations leveraging device reputation technology to protect their social communities have an additional layer of intelligence needed to prevent both fraudulent and abusive behavior before it impacts the user experience or results in a financial loss.

The Westin Building is easily the best connected facility in the Northwest United States. Via our patch panel in the meet-me-room we can rapidly connect to dozens of global telecommunications carriers serving the US, Asia, Canada, Europe, and the rest of the world with a simple fiber optic jumper cable. This facility is also home to the Seattle Internet Exchange on which we are a member.

If you are an iovation customer and would like to directly connect to us within this facility or across the SIX please contact me.

From an infrastructure point of view, keeping the iovation service online at all times and keeping the “bad guys” from harming our customers is always Job #1. To do this, we employ many levels of redundancy, both within a given facility, and between multiple facilities. As with any data center, this starts with the electrical power feeding the facility. Every piece of iovation equipment is fed from dual power sources which are completely redundant all the way back to the power utility. It should also be noted that power failures in Seattle are nearly nonexistent as the grid is extremely robust (fed largely by hydro-power).  

Here you can see the generator bank backing up our “A” side power bus:

Here you can see the generators backing up our “B” side power bus:

After the generators, the power flows through a pair of “Automated Transfer Switches” that will cutover from “utility” power to “generator” power should their be a disturbance on the power grid. Unfortunately, I don’t have a picture of these transfer switches handy, but here is a picture of the main electrical switchgear that is downstream of the transfer switches for both the “A” side bus and the “B” side bus.

After the main switchgear, the power is fed into a pair of 500KVA UPS units (again, completely separate “A” side and “B” side units) which provide super-clean output power at all times due to their double-online-conversion design. They also provide battery back up during power outages until the generators start up and take the load:

From the UPS units, the power is sent out at 480 volts to step-down transformers located on the data center floor (the black cabinet in the middle of the picture is one of the two that feed iovation):

After being stepped down to 208 volts, iovation receives one three phase 225 amp power feed from the “A” side power bus and another 225 amp power feed from the “B” side power bus into a pair of RPP panel units (circuit breakers):

From these RPP panel units we provide every cabinet with one 208v 30amp 3 phase connection from the “A” unit and another from the “B” unit. All power capacity planning is done with the assumption that we can lose either the “A” side or “B” side power and everything will just seamlessly shift over to the still-functioning power leg without any impact.

So that should provide a pretty good overview of our power infrastructure, now let’s talk about cooling for a bit. While the Westin Building has numerous redundant evaporative cooling towers, here is a snapshot of a few of them:

I don’t have a picture handy, but needless to say, the cooling loop system has fully redundant pumps for water circulation. Here you can see a very important feature of the cooling system – The Westin Building stores thousands of gallons of emergency water on site to keep their cooling system operational even in the event of a water utility outage:

Here you can see an example of the many redundant cooling units that actually provide cool air to our servers by moving heat from the air into the cooling loop. There are a pair of these units dedicated to the iovation cage (not shown):

And last but not least, here is a picture of the iovation cage (though this was taken before all the servers were installed):

I could continue on about the layers of fire protection systems, multi-factor access control, 24×7 engineering and security staff, etc, but perhaps those will be topics for future blog posts. We here at iovation are very excited about the addition of this facility to our tool set as it allows us to scale up to handle ever increasing customer demand while continuing to provide the highest level of service to our clients.

As always, please send me an email if you have any questions!

-Eric
Sr. Infrastructure Architect

“We are proud to be a new entrant to the Portland Business Journal’s Top 100 list and look forward to being a regular member of this outstanding group of companies. We fully intend to move up the list in the coming years as our growth continues to accelerate,” said Doug Shafer, CFO at iovation Inc. “We are very excited about the growth opportunities in all of the key vertical markets that we serve across the globe.”

In any economy — but even more so in today’s slow economic recovery — the key to business growth is all about customer satisfaction. Driven by a “customer first” mentality, we provide much-needed fraud protection services to online businesses around the globe. This powerful combination has played a central role in not only earning new business, but also achieving a 96% customer retention rate.

For any fraud prevention company, knowing you are delivering highly innovative and effective fraud-fighting solutions that are improving the safety and financial well-being of your customers and business partners makes all the difference. That’s what makes us tick at iovation. And we couldn’t have done this without the hard work and dedication of our amazing team, partners and customers. Thanks for working with us to make the Internet a safer place.

The Visionary section of the Magic Quadrant recognizes security vendors whose products are easy to implement and have successfully reduced online fraud for their customers.  According to Gartner’s description:

The Visionaries’ products are relatively easy to implement (when compared with many of their competitors) and have achieved very good results in reducing online fraud for their clients, often using software-as-a-service (SaaS)-based models. Often, they are more innovative than their competitors and tend to offer superior customer service, which they can afford to do, given their smaller customer base and their dedication solely to fraud detection.

Our revolutionary device reputation technology uniquely identifies and re-recognizes individual devices, including computers, smartphones and tablets, that log onto business websites and checks it with our shared global fraud and abuse database to help customers assess the transaction risk based on the likelihood that the device will commit online fraud or abuse.

In fact, Gartner’s description of Web fraud detection nearly describes what iovation’s ReputationManager 360 fraud prevention solution does to a tee: detects account takeover, detects fraudulent accounts created by a stolen or fictitious identity, and detects the use of a stolen financial account when making a financial transaction.

“We’ll stop over 50 million fraud attempts this year as we continue on our mission to make the Internet a safer place”, said Greg Pierson, founder and CEO of iovation. “We are honored to be positioned by Gartner as a Visionary and recognized in the web fraud detection market. We take pride in providing superior customers service and delivering meaningful results in the fight against online fraud and abuse.”

With criminals targeting online casinos around the clock (we’ve got the data to prove it!), gaming sites need all the help they can get to rid their tables of costly criminal activity such as credit card fraud, chargebacks, account takeover and player collusion. Leveraging iovation’s global database of over 600 million unique devices, our gaming customers gain deep insight into every device, whether it’s a PC, smartphone or tablet, attempting to login or play on their site. Using customizable business rules that allow them to assess risk at various integration points, online gaming providers will spot characteristics that are consistent with fraud and abuse to stop criminals before they strike.

Based on the online gaming transactions iovation has checked since January 1, 2011, here’s a sample of what we’ve stopped and what we’ve seen:

This prestigious award is a testament to our continued commitment to reduce fraud and abuse in the online gaming industry. For 7 years now, we’ve been helping gaming sites detect cyber criminals and shut down global fraud rings so our customers can improve their business profits and maintain a reliable, trustworthy reputation with their good players.

On Monday, we were named by AlwaysOn and industry experts as one of the 2011 OnDemand Top 100 winners, which recognizes leadership and game-changing approaches and technologies likely to disrupt existing markets and entrenched players. iovation was chosen for our unique ability to detect online fraudulent activity in real-time and keep our clients’ businesses and customers safe.

By leveraging our knowledge base of half a billion device reputations to prevent fraud loss and protect our customers, iovation helps many of the world’s leading brands representing financial services, retail, travel, dating, social network and gaming industries stop 150,000 online fraudulent activities each day.

But we couldn’t do this alone. This is a highly collaborative effort. We work with more than 2,000 fraud analysts worldwide, who report and share their unique fraud experiences through our Device Reputation Authority database. The information we share on Internet devices (computers, smartphones and tablets) and their associated online accounts provides our clients with upfront intelligence they can use to recognize who is attempting to make fraudulent payments or request suspicious transactions so they can proactively stop fraud or abusive activities before they happen.

I’d like to again thank the AlwaysOn editorial staff and other industry peers for recognizing the hard work and dedication that we and all of our partners are doing to make a difference in the anti-fraud landscape.

In order for the business rules engines to be productive, the rules they operate on need to reflect the particular risks the organization faces. When it comes to customizing business rules, this is not a “one size fits all” model. Giving a retailer, financial institution, or gaming company the ability to easily create and manage rules that are run against their transactions requires a tool that makes it simple to see, add, edit, and experiment with rules.

The iovation business rules editor provides great flexibility in managing the set of rules to be reviewed for transactions such as login, account creation, account change, and checkout. Rule sets are the collections of rules for each end-customer touch point. Rules can be added with a familiar drag-and-drop, enabled and disabled with one click, parameters can be adjusted, and lists of common items can be managed and included. An example of a list is a ‘risky ISP list’, where the user can create a list of risky ISPs and use that same list in multiple rules. If the list changes, all rules leveraging that list will be immediately updated. New rules can be evaluated without impacting scoring results by giving them a zero weight and tracking how frequently they are triggered.

The iovation rules editor provides additional flexibility to help you keep up with the evolution of fraud while protecting your business.

The same cyber criminals targeting banks and retailers working hard to collect and sell stolen personal data, including names, addresses, Social Security numbers, and credit card details, are using those stolen identities to win big in defrauding online gambling sites.

And as more people turn to online poker, bingo, sportsbooks, and betting sites, cyber criminals are developing more sophisticated ways to take advantage of legitimate players and the gambling sites themselves. Financial fraud such as chargebacks and money laundering are major issues for gambling operators, not to mention player collusion and bonus abuse. Plus, the operators have the responsibility of keeping problem gamblers (self-excluders) from re-entering their sites.

Bonus incentives, as explained in this case study on WagerWorks, are offered to attract new players to games and to increase overall play time, but these incentives also attract the attention of cyber criminals since they can set up multiple accounts under stolen identities, and take advantage of the free money offered for each new account.

Gambling sites, like banks and retailers, are forced to deal with a wide spectrum of Internet crimes and other in-game abuses that cost the industry hundreds of millions of dollars in fraud losses each year.

Many gambling sites have increased efforts to detect suspicious players, but Internet-savvy criminals have learned to mask their true identities, changing account information to circumvent conventional methods of fraud detection.

It is increasingly necessary for online casinos to deploy more effective solutions, which analyzes information beyond that which is supplied by users. By starting the fraud detection process with a device reputation check from companies like iovation, gambling sites can stop problem players within a fraction of a second and avoid further checks and fees when the device is known to be associated with fraud. According to Chrystian Terry, Director of Casino Operations at WagerWorks, “iovation helped us shut down 20 sophisticated rings. Imagine the lifetime value of bonuses on nearly 300 accounts – that’s tens of thousands of pounds! The service paid for itself on the first day.”

At the recent Caribbean Gaming Show and Conference in Santo Domingo, Max Anhoury, Vice President of Global Sales at iovation, shared in his presentation to attendees that 350,000 fraudulent attempts within gambling sites alone have been reported and shared in their global knowledge base in the last 12 months. And while iovation’s database of half a billion devices typically sees about 2% of devices within most industries associated with negative behavior, within the online gambling industry, that number increases to 5% of devices associated with fraud. That’s approximately 500,000 “known unique devices” trying to defraud gambling sites. Sites armed with device reputation know when these bad devices touch their gaming sites and can keep them out.

The online casino industry has an opportunity to work in tandem with merchants, banks, travel sites and even shipping companies to share data that helps pinpoint the devices responsible for fraudulent activity. Shared device reputation intelligence makes this possible for the first time.

There is a great recent article in Government Info Security that examines this change titled appropriately, “The Evolution of Risk.” It gives a nice look at the role risk managers play in key strategic decisions and how stopping and analyzing the sources of fraud has been escalated in importance over the past couple of decades. The article looks at what it takes to be a Risk Manager today, and has this to say:

“The role demands new skills. Today’s risk management professionals really need to take a strategic view of managing risk to be relevant in achieving the organization’s expected outcome.”

One thing we at iovation feel is essential to a Risk Manager’s success is working with their risk management peers outside their company to stop fraud. It is simply no longer enough to work solely within your own data silo to stop fraud when the fraudsters use collaboration and communication so extensively. iovation facilitates the creation of thousands of Virtual Crime Fighters sharing device reputation data and working together to stop fraud at the companies they are responsible for.

Thousands of Risk Managers use iovation ReputationManager 360 every day to identify and shut down fraud.

The drop in account takeover may be due in part to a few different things.

Less breaches. There was a drop in data breaches from 221 million records in 604 breaches during 2009 to 26 million records breached in 404 reported breaches during 2010. Criminal hacker Albert Gonzalez and his gang were responsible for many of those hacked records and he and many of his cohorts are now in jail.

PCI standards. All those responsible for accepting credit cards are now under strict Payment Card Industry Standards rules and regulations that require a level of security that took about 5 years to implement. Today many of those merchants are doing a much better job of protecting data.

Device reputation management. Technology that checks an Internet transaction by looking at the PC, smartphone or tablet to see if it has a history of bad behavior or is high risk based on device characteristics and behavior. iovation is one such company that has blocked 35 million fraudulent transactions of this sort just last year.

Javelin reports “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

If device reputation was integrated at the “profile update / account update” website integration point, a flag would go up when:

It’s no secret that it’s often a few bad apples that upset the bunch. Here’s where the 90/10 rule applies. 90% of people are honest whereas maybe 10% aren’t. And it’s the 10% that do 90% of the stealing. Device reputation knows who is good and who isn’t. Identity thieves are stopped cold and can’t use the hacked data to commit fraud.

On Super Sunday weekend much of the scamming taking place is designed to separate the public from their money using the Big Game as the lure. People are seeking information on the Game and are being tackled by criminals who steal the ball.

The promise of cheerleader-filled videos along with downloadable player pictures or even Big Game memorabilia will dominate the scamverse.

Don’t get taken:

Ticket scams abound: Auction sites and Craigslist are ground zero for Scammers who buy up a few expensive tickets and, because many tickets are printed at home, the scammer just makes copies and resells the fakes to desperate buyers online or at the game.

Social media scamming: Bad guys who pose as legitimate individuals or businesses offering up Super Sunday media and post infected links that will infect the victim’s PC or network with a virus that gives hackers backdoor access.

Search poisoning: Scammers lure victims to their scam sites via search engines. When a website is created and uploaded to a server, search engines index the scam sites as they would any legitimate site. Doing a Google search can sometimes lead you to a website designed to steal your identity.

Zombie PCs: A botnet is a group of Internet-connected zombie personal computers that have been infected by a malicious application, which allows a hacker to control the infected computers without alerting the computer owners.

Scott Waddell, Vice President of Technology at iovation states, “Criminals will lure Internet users to malicious sites where malware can compromise their computers, making their systems ‘zombies’ in a global botnet. Identity data on these systems can be stolen and remote fraudsters can monitor the systems to compromise online accounts.”

Solutions like iovation’s ReputationManager 360 can identify fraudulent use of stolen accounts through geolocation rules, velocity indicators associated with identity thieves trying to quickly leverage stolen credentials, and the shared reputation view across more than 2,000 fraud fighting professionals strengthening the system every day.

There are situations where a mismatch between presented IP address and actual IP address does not indicate risk. These include certain ISPs, corporate networks, and CDN services that either require their users’ web traffic to pass through proxies or have service configurations that result in proxy-like behavior. If the IP addresses don’t match but the locations do, that can help filter out some of these false positive, lower risk scenarios. Likewise, if the IP addresses differ but the ISP is the same, proxy risk is typically low. When the IP addresses don’t match, the geolocated country or region differ, and the ISPs are not the same, that is much more likely to be an example of intentional proxy use by the end user.

Of course, legitimate site visitors sometimes use proxies too. So, proxy risk should be considered in conjunction with device reputation and other risk indicators for balanced real-time transaction decisioning.

iovation has been providing fraud prevention and anti-money laundering services to the gaming industry for the past 6 years.

In 2010 alone, iovation screened nearly 2 billion transactions and stopped over 35 online fraud attempts. The IGA has recognized iovation’s fraud prevention service for the strong results it has provided to gaming operators such as William Hill, Entraction and WagerWorks. The IGA technology provider award recognizes innovative services that have helped gaming operators increase their profitability, productivity and efficiency.

In the case of WagerWorks, iovation has helped identify hundreds of fraudulent accounts that prevented tens of thousands of pounds in lifetime losses. With Entraction, the ability to stop repeat offenders reduced chargeback rates to nearly zero, providing a 5x return on investment with iovation.

The IGA awards will be announced at a January 24th ceremony that kicks off the annual ICE Totally Gaming Conference in London. If you plan to attend this year’s event, look us up at booth #5117 and learn more about how iovation protects online gambling sites from financial fraud, player collusion, bonus abuse and more.

There are many facets to building a highly available, lightning fast infrastructure (which we will cover in more depth in future blog posts), but today I would like to start at the very beginning with our DNS architecture.

The first thing that happens when an iovation ReputationManager 360 customer (or a customer’s end user) tries to connect is a DNS (Domain Name System) lookup to convert a name (like www.iovation.com) to an IP address (74.121.28.140).  This DNS query must complete before any further interaction with the service can proceed.

To make this as fast and reliable as possible, iovation leverages IP Anycast technology. Anycast allows DNS requests to be handled by the closest member of a global cluster consisting of 17 distributed nodes (with 5 more on the way).   Without IP Anycast technology, requests are randomly routed to a single server, which may be half way around the globe.

Beyond the speed aspect, Anycast DNS also has a number of other advantages over Unicast.  With Anycast, the loss of a single node does not impact the ability to resolve DNS. Requests are simply routed to the next closest node.  This distributed architecture helps protect against Denial of Service attacks by spreading the load among the entire cluster and by limiting attacks to the region from which they originate.

As a quick example, let’s run a traceroute from my house (in Portland, Oregon) to one of iovation’s DNS servers, ns1.p20.dynect.net.

admin@router:~$ traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1 L100.PTLDOR-VFTTP-18.verizon-gni.net (98.108.131.1)  5.044 ms  5.046 ms  5.031 ms
2  184.19.244.32 (184.19.244.32)  4.982 ms  4.969 ms  4.961 ms
3 so-7-3-0-0.SEA01-BB-RTR1.verizon-gni.net (108.57.128.160)  9.898 ms  9.890 ms  9.876 ms
4  0.so-0-3-0.XT1.SEA7.ALTER.NET (152.63.105.169)  37.321 ms  37.308 ms  37.294 ms
5  0.so-6-0-0.BR1.SEA7.ALTER.NET (152.63.105.113)  12.279 ms  12.250 ms  12.233 ms
6  204.255.169.74 (204.255.169.74)  12.218 ms  12.425 ms  12.411 ms
7  po-3.r00.sttlwa01.us.bb.gin.ntt.net (129.250.4.178)  12.398 ms  12.385 ms  12.369 ms
8  fa-4-4.r00.sttlwa01.us.ce.gin.ntt.net (198.104.202.66)  12.355 ms  12.435 ms  12.422 ms

Not bad! Less than 13 ms round trip to the node in Seattle. But we would expect low latency between Portland and Seattle, so let’s go run the same test from a computer located in Chicago to the same iovation DNS server.

[root@prextmon01 ~]# traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1  173-203-80-2.static.cloud-ips.com (173.203.80.2)  21.168 ms  21.425 ms  21.662 ms
2  core1-aggr301a-1.ord1.rackspace.net (173.203.0.168)  0.434 ms  0.526 ms  0.549 ms
3  vlan901.edge1.ord1.rackspace.net (173.203.0.33)  0.317 ms  0.358 ms  0.412 ms
4  xe-7-1-0.edge1.Chicago2.Level3.net (4.71.248.53)  0.795 ms  1.938 ms  1.938 ms
5  ae-2-52.edge4.Chicago3.Level3.net (4.69.138.166)  34.377 ms  0.947 ms  0.961 ms
6  xe-6-2.r02.chcgil09.us.bb.gin.ntt.net (129.250.8.77)  1.203 ms  1.172 ms  1.193 ms
7  ae-3.r21.chcgil09.us.bb.gin.ntt.net (129.250.2.72)  1.239 ms 1.332 ms 1.253 ms
8  po-4.r00.chcgil09.us.bb.gin.ntt.net (129.250.2.208)  1.224 ms  1.191 ms
9  ge-7-15.r00.chcgil09.us.ce.gin.ntt.net (128.242.180.110)  1.325 ms 1.393 ms 1.435 ms
[root@prextmon01 ~]#

This path is actually faster, taking only 1.4ms. This query was handled by the Chicago Anycast node rather than having to come all the way back to Seattle. This is precisely the magic of Anycast.  This same scenario holds true for queries issued in Japan or Germany – they get routed to their closest node.

Without Anycast, just imagine how bad this problem is for customers that have globally distributed users with many outside the United States.  Connectivity from the other side of the globe is a minimum of 250ms round trip (and often times much longer). That delay can add up quickly if you’ve got multiple round trips to your SaaS providers.

It’s important to consider things like globally distributed DNS infrastructure when integrating third party services with your site to make sure the value from the SaaS you’re buying isn’t offset by slower page loads for your users.

Fraudsters excel at hiding their true identity. True professionals in the field of fraud detection and prevention must employ a defense-in-depth approach, and iovation deploys one of the most sophisticated with a multi-tiered approach to recognize trouble when it is near. Our innovative service to recognize risk has been constantly refined over the past six years.

We use tried and true approaches such as tokens, or cookies, along with sophisticated and unique pattern matching that can only be derived from our extensive and unique experience with our shared reputation database, profiling based on billions of device and account relationships, and finally risk models honed over the years and several other strategies that are a part of our secret sauce. All of these contribute to a highly flexible and effective model that is hierarchical and adaptive to both the situation and the customers’ tolerance.

iovation’s Defense-in-Depth Approach includes:

• Native client device recognition for standalone applications downloaded by your end users – A unique capability to add device reputation into our client’s downloaded applications
• Collaboration between the native recognition clients and our web client – To provide a unique “one-two punch” that gives iovation the best device recognition capabilities in the industry
• Pattern matching to provide additional recognition opportunities even when tags like browser and Flash cookies have been cleared (or private browsing features are in use)
• Multi-level risk analysis through configurable and real-time weighted business rules

Tokens, cookies, and local stored objects, are table stakes for any device identification provider and are relatively reliable methods since they can easily be uniquely identified. When leveraging tokens placed from a prior visit, either to your site or another iovation customers’ site, the device is recognized and within milliseconds our risk assessment takes place. But if the bad guys are trying to hide, they might have tried to clean up the crumbs.

Pattern Matching

With iovation, if no tokens are found, the next tier of defense is our industry-leading pattern matching, also known as adaptive logic. As opposed to relying on exact attributes, patterns deliver high confidence while allowing for changes over time. Based on our experience assessing risk for more than 4 billion transactions, we have an extremely large amount of data to build patterns from. Each pattern has a ‘time to live’ and is updated every time we see another device that matches the pattern. If there is no match, the new pattern is automatically evaluated for effectiveness and added to the series. Each pattern has a confidence factor that increases as the pattern proves effective at identifying the device.

Profiling and Real-Time Risk Evaluation

The next tiers are profiles and real-time risk evaluation. Profiles, like patterns, use statistically proven combinations of transaction elements to contribute to risk scores. Real-time risk takes all of the elements into account (including velocity triggers, geographical issues where the true location is masked, device anomalies and more) to produce a final risk score.

Effective fraud prevention is not about collecting cookies or not collecting cookies, and it’s not about relying on any single technology or approach. It’s about using a comprehensive, multi-layered and adaptive approach that our customers find highly effective over the long run, and millions of times each day.

With only three months remaining, iovation has already increased the annual growth rate for processed transactions by 67% over 2009. With more than 3.9 billion cumulative device reputation checks processed for e-commerce, financial, travel, gaming and online communities today, we expect to break 4 billion early in Q4.

We’ve also increased the overall number of unique devices by 110% over last year. Starting in 2006 with 5 million devices in our system, we now manage more than 390 million unique devices (including PCs, Macs, iPads, iPhones, Blackberries, Android, etc.). Surpassing 400 million unique devices is just on the cusp.

With cybercrime fraud losses more than doubling in 2009, Internet-based businesses need security solutions that allow them to proactively identify and make educated decisions on all incoming transactions. Through fraud and abuse evidence submitted by our worldwide, cross-industry subscriber base, iovation ReputationManager 360 combines device and account profiles, analytics, custom reporting, real-time business rules, device anomalies, and the experience and expertise of over 2,000 fraud analysts to help customers make quick, confident decisions on every online transaction request.

Risk scoring, when you boil it down, is the simple process of taking the data you have available about a given transaction and the device requesting that transaction, and measuring characteristics that would lead you to believe that it is either valid or risky. Most device-based risk scores, including those offered by iovation, incorporate common types of risk elements in their scoring. These may include:

• Velocity-based Rules – Measuring device activity in a given time frame
• Transaction Anomalies – Device characteristics that indicate the device is masking its identity, such as using an anonymizing proxy, or disabling technologies like flash

What sets iovation apart is the growing network of businesses it protects that leverage and contribute to the Device Reputation Authority (DRA). This database of over 350 million device reputations is queried more than 5 million times per day by iovation clients.

The Device Reputation Authority contains historical information about specific fraud and abuse occurrences by the device used. We use this information to further assess transaction risk for our customers in the following unique ways:

• Global Account Associations – Looking at extended relationships between devices and shared accounts that are evident in fraud rings and targeted fraud
• Factual Evidence of Fraud – Whether the information comes from a close partner, a peer, or a company in a completely unrelated industry, direct evidence of fraud on a given device is one of the strongest correlations to transaction risk a customer can have.
• Profile Risk – Profiling harnesses the power of shared factual evidence in the reputation system to measure the similarity of the device in the current transaction to those devices that have been seen across iovation subscriber sites in the past. A high ratio of known bad devices in the set of similar devices is a very strong risk indicator.

These three risk elements are tremendously valuable to our customers who find over time that either factual evidence or profile risk are so strongly correlated with fraud that it can cut their review time down substantially for those transactions.

In the world of risk scoring, cloud services, and crowdsourcing, it is proven that leveraging information from larger affinity groups provides unmatched effectiveness. When a company is combating highly sophisticated fraudsters determined to defeat their defenses, what risk analyst wouldn’t want to know that a device trying to create an account or make a purchase had previously been flagged for fraudulent activity? Adding this data to risk scores increases their ability to shine light on fraud that might otherwise remain hidden.

Join us for a live webinar, “Detecting High-Risk Transactions,” on Tuesday, July 20th. Learn how you can proactively assess risky transactions to better protect your business from more sophisticated schemes and elaborate fraud rings. Along with discussing the various techniques today’s cyber criminals use to hide their identities, you’ll learn more about the top 5 methods of detecting transaction risk, including:

Transaction Anomaly — Check mismatches, proxies and disabled components.
Velocity Rules — Know when activity counts have been met or exceeded.
Profile Risk — Check against aggregate profiles of risky accounts or devices.
Factual Evidence — Identify when known bad devices touch your website.
Account Associations — Identify and shut down fraud rings for good.

Register today at iovation.com/risk-mitigation.

We look forward to a very insightful, interactive discussion.

One of the most effective ways to defend your enterprise is by working together and sharing information with other fraud teams across multiple industries. Interacting with a centralized, global network of fraud intelligence arms you with information upfront to minimize your chances of having to take that first hit.

Fraud management solutions such as iovation ReputationManager draws upon the power of fraud teams working together with a common goal — to proactively defend their enterprises against a variety of sophisticated forms of fraud and abuse. Instead of trying to recognize every changing identity or device profile used by fraudsters on your own, with iovation once a device has been identified and submitted to the shared  database (containing  more than 300 million devices), fraud analysts are alerted in real-time when a suspect device accesses their website, even if the computer’s configurations changed since its previous visit.

Sharing device information across a large, centralized shared network utilizes fraud intelligence effectively and exposes otherwise hidden device and account relationships  across networks and across industries, so you can make fast, educated decisions for accepting, denying, or flagging online transactions for review.

Subscribers of iovation see on average, 17% of their devices cross between multiple industries.  For example, the same computer that accessed an online dating site and committed fraud, may then access an online retail site and later a massively multiplayer online gaming site. As today’s fraudsters use personal information they’ve stolen from social networks to commit fraud against other industries, having a tool that provides the intelligence needed to stop fraud across multiple industries is a critical component to a comprehensive fraud prevention strategy.

This past week, iovation has seen a rapid adoption of the iPad being used at our customer sites. We’ve seen the number of iPad transactions grow by thousands every single day since the new device was made available. And these transactions aren’t just occurring within the same industry. In fact, we’re seeing iPad transactions on a multitude of verticals including travel sites, social networks, sportsbooks, dating sites, credit issuers, MMOs and online social games. And our job is to make sure that the transactions processed are from legitimate, good customers.

Topping the list of industries where we’ve seen the most online transactions this week is online communities at 45%, with the majority on social networking sites as opposed to dating sites. The second largest group was online retail, accounting for 28% of total iPad transactions. Most of those transactions occurred on travel sites. And lastly, international gambling sites such as sportsbooks came in third, at 23% of all iovation-protected iPad transactions.

So that’s where we’re helping customers, but what information do fraud teams share within our database in order to reduce fraud losses and ensure good customers have a positive experience on their site?

iovation tracks over 30 different types of bad behavior and this segmentation is important to our customers. How they treat evidence (specific types of fraud and abuse) changes across various industries. For example, an online retailer cares about mitigating chargebacks and catching criminal activity before product goes out the door, whereas an online community cares more about stopping spam, solicitations, predators and phishing attempts, in order to protect community members and maintain a safe and trusted environment.

Our customers can customize our fraud protection service to gain control over the specific transactions and activities that they correlate with high risk. This allows them to take more business with confidence and spend less time conducting costly manual reviews.

Believe it or not, within the first week of iPad sales, we have already uncovered fraudulent activity. Over half of all transactions denied from iPads were specifically related to credit card fraud. In other words, they were fraudsters attempting to monetize stolen identities on our customers’ websites.

As iPads connect to online businesses to create accounts, submit applications and make purchases, it is very important for organizations to know whether or not the device:

• has committed fraud or abuse on their site
• has committed fraud or abuse at another business
• has relationships with other devices or accounts that have been involved with fraud or abuse
• has not been seen before, but matches the profile of other high-risk or suspect devices

As iovation’s global shared database of over 275 million devices grows, so do the reputations of iPads used to request transactions. This is important information that companies can use to determine whether or not a transaction requested by an iPad, or any other Internet device, can be trusted and just the kind of information iovation provides to its valued customers.

For example, Coders write the malware. Hackers are actively searching for vulnerabilities to exploit. Fraudsters create and deploy social engineering schemes. Hosters provide safe hosting of content on servers and sites. Techies maintain the infrastructure. And Leaders are the managers who keep the team together.

As these well-organized and highly efficient cyber gangs continue to steal U.S. public and private sector information “for the purpose of undermining the stability of our government or weakening our economic or military supremacy.” Chabinsky said:

“The cyber threat can be an existential threat, meaning it can challenge our country’s very existence, or significantly alter our nation’s potential.”

Undercover FBI agents who became trusted members of criminal organizations found that self-reliance is rare among cyber criminals. “Almost every cyber criminal is a member of at least one online forum, website or chat room,” said Chabinsky. They use these virtual meeting places to discuss techniques, share tools and tips, and evaluate other users.

As the FBI builds out its network of cyber security experts, it is also strengthening its international efforts by collaborating with law enforcement in more than 60 countries to fight cyber crime.

Creating a worldwide cyber security network mirrors the efforts of iovation’s device reputation network, which allows subscribers access to the world’s largest database of device intelligence. These subscribers benefit from information gathered from billions of transactions across multiple industries. Users tap into information on over 250 million computers which helps them fight fraud and expose sophisticated, highly-organized cyber gangs.

In the article, “Cybersecurity Partnerships are Absolutely Critical, says Gen. Dale Meyerrose,” Meyerrose, now the VP for Cyberspace Solutions at Harris Corporation, expressed his concerns surrounding cybersecurity and the economic impact of cyber crime:

“The [issue] of most concern to me is cyber crime… elements of cyber crime, particularly economically for our country, have come to the point where we need to really be concerned. There have been estimates that we’ve lost over a trillion dollars a year to cyber crime in the last couple years. And it now exceeds all other crime in terms of the amount of money.”

The question is, whose responsibility is it to deal with the mounting issue? Despite the fact that 90% of the Internet’s critical infrastructure in the U.S. is privately owned, Meyerrose believes that the government holds many of the resources necessary to help businesses protect their assets and also has a responsibility to help educate its citizens. “I think that this …needs to become a national priority and a priority of companies and citizenry. There are no pedestrians in cyberspace. Everyone is a victim, a user, a threat to somebody else because you may be passing a malicious code along inadvertently.”

Unfortunately, even with increased government involvement, cyber crime is still inherently borderless—a fact which limits the effectiveness of both law enforcement and the policies of individual governments. Businesses from all countries, however, may have a much easier time collaborating and affecting global change in the realm of cybersecurity. By voluntarily working together to share intelligence, technology, and experience, businesses have the opportunity to better protect their own assets at the same time as contributing to increased internet security for everyone, something we all can benefit from.

In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you’re already a step ahead of me – we design in depth.

The easiest method of identifying a device may be to simply write a cookie to the browser.  But we all know how easy it is to defeat that method when you’re aware of it – you just delete them.

IP address also sounds like a decent attempt at identifying a client.  For a good number of home broadband users, IP address isn’t bad, and even for corporate users, you may luck out and only find a few computers lurking behind any given firewall.  There are many ISPs like AOL) that are known for their use of proxy servers, however, and any decent size organization could be hiding thousands of machines behind any given IP address.

Browsers also publish a User-Agent string, a description of the type and version of browser being run.  These user-agent strings can provide a good deal of rich information about the browser, but they are pretty blunt hammers, narrowing down the range of possible matches to somewhere north of one in a thousand.

Each of these sources of data – browser cookie, IP address, and User-Agent string – is interesting by itself, but using them in concert to begin to build a view of the client computer from a number of different angles starts to look promising.  Each one is spoofable to varying degrees, and each one has issues with uniqueness, but each operates through a different channel to provide its information, and thus requires a different strategy to avoid detection.

All of this is to say that there is no single unique value (or simple combination of values) hiding on the Web – device recognition requires a multi-layered solution.  As iovation’s business has grown over the last five years, we’ve evolved from a native library device recognition service into a full spectrum reputation service supporting native and web integrations, business rules, pattern matching, and risk scoring. The capabilities we have in place have been built with the future in mind to support collection and analysis of reputation tracking on new transaction elements, and discovery of new risk indicators to continually improve real-time decision making for our subscribers while growing the Internet’s definitive online reputation authority.

The end result of such a multi-layered approach, an approach of “recognition-in-depth”, is that we don’t have to rely on any one technology to provide us with enough information to confidently recognize devices on the Web.  In the ever-evolving landscape of Internet technology, that layer of insulation is a must – reliance on a single strategy means brittleness in the face of change.  For example, Gartner Research recently published a research brief titled, Privacy Collides with Fraud Detection and Crumbles Flash Cookies,  suggesting that companies avoid reliance on Flash stored objects completely, as the technology may be short for this world.  Multi-layered device recognition means that we can still sleep at night when Flash fades away – and that means you can, too.

According to a recent article,  “Number of identity fraud victims jumps,” a Javelin Strategy & Research survey found that the total number of ID fraud victims in the U.S. rose to last years to 11.1 million—a 12% increase over the year before. The study also found that 2009 losses due to ID fraud totaled  $54 billion (in comparison  $48 billion in 2008).

But why, with so many anti-fraud management solutions and techniques available, does ID fraud continue to climb year-over-year? According to James Van Dyke, president and founder of Javelin, the continual evolution of technology is one of three main factors contributing to the increase of Identity fraud. Van Dyke sees online crime continuing to escalate, due to:

1. Rapidly evolving technology. Technology has become the livelihood of today’s cyber criminals who make it their business to keep up with the latest trends in technology so they can devise increasingly complex schemes to defeat anti-fraud defenses.

2. More people online. The fact that there are more people—both businesses and consumers—spending time making connections and conducting financial transactions over the Internet means there are more prospective victims out there for criminals to target.

3. More information online. The increase in personal and financial information available on the Web provides hackers with more useable information to steal online. A person’s online information is the lifeblood of everything hackers do.

This survey isn’t news to most of our customers. Fighting online fraud is a serious endeavor and is of strategic importance to any online business. That’s why, as online crime continues to rise, businesses that implement best-practice technology for fighting fraud not only save their company time and money, but gain a competitive advantage in their industry.

The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers.

The same basic principle of creating a more comprehensive defense by layering tools and diversifying methods can (and should) be applied to fighting online fraud. To successfully combat online fraud, a fraud management system should include the following layers of defense: 1) validation of credit data; 2) data mining of personal information supplied by the user (i.e. shipping address, address verification, and in some instances even SSN); and 3) device identification and validation of device reputation.

Combining these fraud prevention methods at multiple locations throughout a website establishes important obstacles to both first-time and repeat offenders. Even if criminals are able to bypass one method of detection by using  fraudulent credit or personal information, they may be identified through device identification as a suspected or known criminal. That’s why the best offensive against cyber crime today is a multi-layered defense.

After a three-year investigation by the FBI and the UK’s Serious Organized Crime Agency (SOCA), British authorities announced they have arrested the sophisticated network of cyber criminals behind DarkMarket, one of the world’s top criminal websites. The site, which operated out of an unassuming London Internet café, was an international cyber supermarket for stolen credit card and bank account information that officials say has cost the banking industry tens of millions of dollars.

According to a recent article, “Welcome to DarkMarket: a global shop for cybercrime and banking fraud,” the DarkMarket site was an online superstore of personal data, viruses, tutorials, and a whole host of other resources for fraudsters. In order to gain access to the site, which was by invitation only, those wanting to become members had to offer up details of 100 compromised credit cards – 50 each to two separate members who would then test the cards in the market to see if the information was valid. If the information was usable, the applicant would gain entrance to the site. If not, access would be denied.

Once in, members could trade everything from credit card details to bank account PIN numbers obtained through hacking, phishing scams, and ATM skimming devices. The site even had a crime “menu,” where for very reasonable prices, members could purchase, among other things:

• Information needed for online transactions ($3-$10 depending on quality)
• Credit card images ($30 each)
• Bank logins (2% of available balance)
• Billing details needed for opening or taking over accounts ($150 for accounts of $10k balances, $300 for accounts with balances of $20k)

Of the estimated 2,000 members who had access to the site, so far the bust has led to the arrest of more than 60 members who are scattered throughout the globe, in countries including the UK, United States, Canada, Germany, France Turkey, Israel and Russia.

The scope and reach of the DarkMarket website underscores the magnitude of such an operation, as well as the growing problem of organized fraud. With more personal information accessible over the Internet, cyber criminals have built thriving illegal networks to buy, sell and trade financial data and share information on how to defraud all types of online businesses. Certainly businesses are dealing with an increasingly sophisticated threat and must continually evolve and be vigilant to defend their businesses from attack.

I commend the National Fraud Reporting Centre (NFRC) for getting the hotline going. The helpline will allow individuals and small businesses to report cyber crime to a central agency, simplifying what would otherwise be a confusing process involving potentially several different government ag encies. A similar effort in the U.S., the Internet Crime Complain Center (IC3), currently allows individuals to file complaints of internet fraud through its website.

In both cases, setting up centralized agencies to manage reports of internet crime allows for greater cooperation among different law enforcement agencies—from local police to state and federal bureaus—so that large-scale operations of identity theft and phishing attacks, for example, can be more easily identified and addressed at the appropriate level. Also, by offering individuals one clear method of reporting internet fraud, as opposed to several, the hope is that more victims and informed third-parties will be inclined to report what they know.

As we’ve mentioned in previous posts, because most cyber crimes are committed across national borders, local law enforcement is severely limited in its ability to catch and prosecute individuals who commit such crimes. While continuing efforts are being made to stop these criminals, engaging the public about online fraud trends is a worthwhile step in helping raise awareness and hopefully prevent more people and businesses from becoming victims of Internet crimes.

Establishing programs such as the Action Fraud hotline and the IC3, can also build alliances and partnerships between individuals, groups and businesses that could benefit from sharing fraud information and intelligence. Collaborating with your peers to fight fraud is the basic concept behind iovation’s fraud management system, which provides a shared environment that allows online businesses to benefit from the thousands of additional resources, tools and experiences to better protect themselves from online fraud and abuse.

Unfortunately, these kinds of velocity checks are of limited value against more sophisticated fraudsters who have the information, the technology, and the general savvy to set up multiple accounts that all, on paper, look completely different—different names, different credit card numbers, different shipping addresses, different IP addresses.

This is why including the device associated with an account or transaction can be an extremely valuable component of velocity-based rules. Even if all the elements of personal data look different among a set of accounts or transactions, if they all have the same device in common, it’s a good indication that something is wrong. With velocity-based rules focused on the device, you can monitor the number of accounts created, or the number orders placed, from one single computer.

In a world where hackers are making it more difficult for online businesses to verify the real identities of the people they’re doing business with, device fingerprinting combined with velocity-based rules provides a powerful one-two punch for identifying suspicious activities and stopping fraud that operates under the radar of many fraud detection systems. For many of our customers, having visibility into this activity is one of the biggest advantages they gain from including device fingerprinting as part of their fraud prevention process.

We’re going into 2010 with a lot to be excited about, including the announcement of our new VP of Technology, Scott Waddell.  Scott joined iovation in April 2008 as our Director of Research, a role to which he has brought amazing insight and innovation.  I love his ability to keep sight of a strategic vision while being pragmatic about getting there.  Starting this month, he’s taking over the helm of our entire technology organization and we’re confident he will continue our positive momentum into the new year and beyond.

To provide a bit of an introduction, Scott has nearly two decades of technology experience with an emphasis on security.  Before joining iovation, he spent a number of years at Cisco, serving in a variety across engineering, network security and research. Prior to that, Scott co-founded WheelGroup, a network security company that was later acquired by Cisco.  He also served as a charter member of the Air Force Information Warfare Center, pioneering tools and techniques for automated vulnerability assessment and incident response.

Due to his wealth of experience and the clear contributions he has already made to our business, everyone on our executive team and board of directors agrees that Scott is absolutely the right person to lead our technology team.  We’re fortunate to have someone who is extremely knowledgeable, passionate, dedicated, and already familiar with what we do. No one would be in a better position to help strengthen our core technologies and work on building new services to leverage our unique knowledge of the reputation of hundreds of millions of computers.

Here’s to building great teams.  Happy New Year!

Device reputation is an important component of best practice fraud management – 2009 was a difficult year for business, but one trend that emerged was an increased visibility into how valuable device fingerprinting and reputation solutions can be as part of any sophisticated fraud prevention architecture. Some of our articles on this topic:

• The First Five Benefits You Will See From Device Reputation
• Not All IP Addresses are Created Equally
• Device Fingerprinting Techniques – Several Choices

Online retailers are under attack – Online retailers continue to find themselves under attack and we touched on this topic a number of times this year. Here are some of the highlights:

• Online Merchants Are the Real Victims of Identity Theft
• Interview with Merchant Risk Council Executive Director, Tom Donlea
• Fighting Friendly Fraud With Device Reputation

Online games continue to attract attackers – Massively Multiplayer Online (MMO) games continue to be a favorite target of hackers. Financial fraud coupled with theft of accounts, virtual assets and exploitation of in-game economies through gold farming all pose serious threats to the online gaming industry. Some of the highlights:

• iovation Interviewed at Casual Connect on Protecting MMOs from Fraud
• Virtual Money is the Most Popular Digital Good
• Fighting MMO Fraud and Abuse isn’t Child’s Play

Online dating scams threaten virtual communities – Online romance scams are a prevalent and serious threat to online dating sites. Stopping scams and preserving the customer experience are necessary in order to ensure a healthy future for online dating industry as a whole. Some of our articles on this topic:

• Online dating scams, the biggest threat to a growing industry
• Social networks and malware, a potent combination
• Online Dating – Blocking the Bad Guys

Fraudsters and scammers continue to organize – Fraudsters are working together more than ever to defraud online businesses. We have touched on this topic a number of times throughout the year:

• Exposing Online Fraud Rings – Untangling the Web
• Botnets – Propagating Threats, DoS, and Identity Theft
• Conficker Starts Up Botnet to Enable Online Fraud

We hope you have found some (or all) of these posts interesting and valuable. We look forward to exploring many new topics relevant to the fight against fraud in 2010.

Given the impact that cyber crime has on our economy, online businesses especially have a lot riding on the success of these government initiatives. A recent report from LexisNexis estimates that U.S. businesses lose $191 billion annually from computer related crimes. This is why Mr. Schmidt’s combined experience in both government and the private sector will hopefully be an important asset, allowing him to simultaneously understand the issues currently facing businesses and be able to cut through the red tape on Capitol Hill to make real change happen.

Of his appointment, Mr. Schmidt remarked:

Because ultimately no one—not government, not the private sector, not individual citizens—can keep us safe and strong alone. When it comes to cyber security, our vulnerability is shared. I’m committed to bringing all these stakeholders together around a new, comprehensive cyber strategy that keeps America secure and prosperous.

The President and Mr. Schmidt clearly see eye-to-eye regarding the importance of cyberspace on our economy, homeland security, and the U.S.’s ability to remain competitive in a global economy. More importantly, by appointing Schmidt, President Obama is following through on his remarks about securing our nation’s cyber infrastructure: “America’s economic prosperity in the 21st century will depend on cyber security. For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”

For government and online businesses alike, protecting sensitive information is a shared obligation and needs to continually be addressed. I’m glad President Obama and Mr. Schmidt understand this. I hope that they are successful in leading a coordinated effort to combat this threat. With our personal experience in stopping literally millions and millions of online fraudulent transactions, iovation understands the seriousness of cyber crime.

In the case of identity theft, it’s a common myth that malware, botnets, and other internet scams are to blame; however, Smith cites a study done by Travelers Insurance that actually shows that the majority (78%) of incidents of identity theft actually occur offline. This indicates that peoples’ fears may have been, at least in part, misplaced. Individuals would benefit from an increased awareness and vigilance in all aspects of their life, not just online.

This being said, there still remains the question of identity fraud: what happens once someone’s personal information has been compromised? This is where online businesses still need to be on high alert, because online sites (and not physical stores) will likely remain the No. 1 target of identity fraud. Here’s why: 

It’s safer to commit online identity fraud: Taking advantage of the Internet’s anonymity keeps criminals at a safe distance from their victims and the businesses they are trying to steal from. In other words, why would a fraudster risk getting caught red-handed when he could commit fraud in the comfort of his own home?

It’s more efficient: As you would imagine, today’s Internet-savvy criminals work extremely fast. Within minutes, one stolen identity can be used to apply for multiple credit cards or a stolen card can be used to charge thousands of dollars worth of goods at multiple online sites. By the time the theft is reported, the damage can be wide-reaching.

It’s easier to work in fraud rings: For ages, criminals have used whatever tools were at their disposal to organize and run their operations. Today, criminals around the globe are leveraging the Internet to work together, share information, and trade, sell and purchase stolen personal and financial information like never before.

It’s not limited by geography: Criminals that obtain stolen credit or personal information are no longer limited by their geography. With the Internet all but eliminating distance, crime can now occur anywhere, at anytime, making online businesses everywhere equally vulnerable.

While statistics show that most identity theft occurs offline, you can take it to the bank that once an identity has been stolen, fraudsters will turn to their real target – online businesses, to commit identity fraud.

Providing further testimony in favor of regulation, executive director of WiredSafety, Parry Aftab spoke to the House Financial Services Committee on Thursday, arguing that a system which ignores the problem cannot solve it. According to Aftab:

The status quo offers no meaningful assurances that consumers will be protected… Without regulations to handle underage gambling, addictive gambling, fraud, collusion, malware and malicious code, privacy and data protection, criminal involvement, disputes and online security threats, consumers and families are on their own.

As a pioneer in anti-fraud and safety solutions for online businesses including online casinos, we believe that regulation is both desirable and possible. We’ve helped many companies not only combat financial fraud, but also maintain compliance with responsible gambling practices, such as self-exclusion programs and minimum age requirements. If the government chooses to move in favor of regulation, and not prohibition, many would benefit.

It is amazing to me to look back and see how much we have accomplished in just a few years. Through collective hard work and the loyal support of our customers, we have become leaders in device reputation and device fingerprinting solutions. We now protect over 300 websites and have profiled over 180 million computers. We perform over 4.0 million device reputation checks and stop over 30,000 fraudulent transactions every single day.

Thanks to everyone who is working together to protect online commerce and fight online fraud. We couldn’t have done it without you.

Happy Thanksgiving to you and your family.

Greg

Fraudsters are using a variety of bogus and legitimate recruitment channels to con job-hunters into thinking they have found genuine employment. But in each case the job comes down to asking the victim to receive relatively small amounts of money into their own account and then move them onwards to another bank.

The result is that unsuspecting individuals can become liable for stolen money being funneled through their accounts and end up suffering the consequences. As an essential component of many types of fraud, money laundering is a big problem because it enables criminals to move money around without being traced to the initial theft. This not only affects online banking, but it is also a problem anywhere money changes hands—like online casinos or auction sites.

Money laundering is one of the big issues that many of our clients face, and we’ve discovered that there are some key characteristics associated with the problem that device reputation technology can reveal. Here are three things that we help our clients look for to expose organized fraud rings likely to be involved in laundering money:

• Too many accounts accessed by a single PC – One of the first indicators of potential money laundering (as well as several other types of fraud) is a high number of accounts associated with a single computer. For criminals, it is common behavior to be running anywhere from ten to several hundred accounts, so that money can be transferred and moved around without detection.
• Too many devices accessing a single account – The converse of the first indicator can also be a sign of money laundering. Many devices accessing a single account can indicate that several people are all sharing an account, which may be typical behavior of criminals running schemes.
• The web of associations – A web of association shows connections that exist between accounts and computers. With money laundering rings, and other organized fraud groups, this web can grow quite large, encompassing hundreds of accounts and devices.

Any one of these three items can be an indicator of organized money laundering and often you will see all three. It is also important that online banks and online merchants work together and share information to expose this behavior and prevent it from spreading. Money laundering doesn’t limit itself to one bank, so relationships between different banks can bring fraud to light that was previously invisible.

• Expose relationships between transactions –Device recognition gives fraud management teams instant visibility into the relationships between all online transactions (fraudulent or not). This provides immediate value in assisting with investigations and resolving issues.
• Receive velocity alerts –The number of purchases, applications, account creations, etc. that originate from one user in a given period of time is highly indicative of fraudulent behavior. For example, wouldn’t it be valuable to know that in the span of one hour, ten credit card applications were all submitted by one person? Unfortunately, since most fraudsters use fake or stolen identities, this can be incredibly hard to detect—unless you focus on the device. With device recognition, you can monitor the velocity of transactions coming from a single device, regardless of the identities provided.
• Identify risky devices –Using a device reputation service allows you to benefit from an increased understanding of the correlation between device attributes and behavior. At iovation, we’ve processed over 2.4 billion online transactions and we’re able to use that information to profile and analyze which device characteristics are mostly likely to indicate fraudulent behavior. With this kind of device intelligence, you’ll be a step ahead by knowing which transactions to review more closely—even if a device has never visited your site before and doesn’t have a known history of fraud or abuse.
• Recognize scammers who have defrauded your peers –From the time you turn on a device reputation service (if it is a shared system, like iovation’s), you immediately have access to the fraud experiences of other companies who subscribe to the service, so if a device accessing your site has already committed fraud elsewhere, you’ll be able to know about it and protect yourself.
• Expose repeat offenders – The ability to identify repeat offenders—who often successfully evade identity-based checks— is one of the key reasons people adopt device reputation systems. It’s like having a wanted poster for the scammer’s PC. If you have been defrauded, you certainly don’t want to let that user back even if they try to mask their identity.

There are significant benefits from using device reputation and many of these benefits can be seen immediately. Device reputation is an essential component of a best practice fraud management system.

President Obama makes some important points indicating that our networks and IT infrastructure are important national assets and it is imperative to protect them. Acknowledging the growing strength of online spending, President Obama says, “The Internet and e-commerce are keys to our economic competitiveness.”

Cyber thieves are costing the U.S. and other countries billions of dollars in fraud losses every year; this is in addition to the significant impact that individuals suffer as a result of identity theft and the propagation of malware on personal computers. Obama calls on a public/private partnership to address this threat and secure our networks.

Regardless of your political leanings, providing a safe environment for online business is an important goal for our country and the rest of the world. There is no doubt that our online activities are under siege and jeopardized by an increasing cyber threat. Thwarting this threat and providing a safe environment for online businesses and individuals is a key mission for iovation and our customers.

So, for those who don’t know, bonuses are a simple way to encourage either new or returning players to spend time (and money) on a casino site. Restrictions and limitations apply to such bonuses, but there are always those who will attempt to take advantage of the system at the expense of the online sites. Bonus abuse, especially when committed by sophisticated and organized groups, can add up to significant losses; imagine multiplying a 20% bonus by hundreds of accounts.

As WagerWorks can attest to, it isn’t always easy to catch the players who are committing bonus abuse. Online criminals, of all types, are getting more technologically savvy, in addition to the fact that the availability of resources (like stolen credit and identity information) is increasing. So even though WagerWorks conducted comprehensive checks on their players—including asking players to fax in proof of identity—fraudsters were still getting through.

By enhancing their fraud strategy using device recognition and device reputation, WagerWorks was finally able to really tackle the problem, head on. Once iovation was implemented, WagerWorks identified and shut down 20 fraud rings, composed of nearly 300 accounts—all clearly connected and being used to abuse the bonus system. Using iovation’s fraud protection service gave Terry and his team the data points they needed to confidently identify player collusion and keep the bad players out.

To find out more, read the case study, WagerWorks Takes Fraudsters Out of the Game Using iovation Device Reputation.

An article in Network World this month focuses on the importance of domain-name abuse and details the current efforts to stop it. While this problem isn’t exactly new, it is now becoming an increasingly appealing method for fraudsters to carry out attacks. In phishing attacks, for example, the use of hard-coded IP addresses has steadily declined as fraudsters are beginning to favor the use of domain names instead. According to a study done by the Anti-Phishing Working Group, in one six-month period, there were 56,959 phishing attacks occurring on 30,454 unique domain names.

Domain names play an equally important part in botnet attacks, like the highly discussed Conficker worm. Unfortunately, as the article details, disrupting Conficker’s use of domain names isn’t proving to be an easy task:

Attempts by industry to cut off criminal access to domain names is proving difficult. The first globally organized effort to attempt that — Conficker Working Group — sought to disable domains targeted by the Conficker worm for use in its command-and-control system. But after six months of trying, there’s not much to show for it.

Even with the help of many key players in the realm of domain names and internet security—including Neustar, VeriSign, Afilias, Public Internet Registry, Global Domains International, ICANN, Symantec—the Conficker worm is still at large, inhabiting millions of computers around the globe. So what makes it such a complex problem?

One of the most glaring problems is in the domain-name registration process and the lack of sufficient oversight. First, there’s the ease with which an attacker can simply use false information to register the domain—this is the same basic authentication problem that all other online businesses face. Then there’s the fact that the registration and use of domain names happens all over the world, under different rules and regulations depending on the country. Especially with the use of country-code Top Level Domains (ccTLDs such as .fr, or .uk), each individual country controls its own, meaning that in order to combat domain-name abuse, cooperation on a global scale would need to take place.

“There are many language and jurisdictional legal issues that make tackling domain-name abuse problems extremely hard,” says Ram Mohan, CTO at Dublin-based registry services provider Afilias and a liaison for the ICANN Security and Stability Advisory Committee (SSAC) on the ICANN Board of Directors… “Some rules in ICANN are just broken,” Mohan says. The overall domain-name registration system “was created at a time of a benign Internet. Today we have no burden of validation and that can be fixed.” He also says it might be a wise move to require some sort of security audit of the registrars and registries.

In the article, GoDaddy was used as an example of a domain-name registrar with one of the better anti-fraud practices. But not without effort: in order to responsibly oversee the 36 million domain names that GoDaddy manages, its fraud team is constantly at work. Once a domain name is identified as being used maliciously, it is shut down. Unfortunately, like many businesses, shutting down bad accounts is an inherently cyclical process when the underlying problem often consists of one criminal opening endless accounts using false information.

It will undoubtedly take a global effort to develop a sufficient system of regulation and oversight, but individual registrars can bear a certain amount of the burden by implementing more thorough security measures. Techniques that complement their existing efforts, like device reputation and stronger authentication, would allow them to put a large dent in this illegal activity and set a standard for their peers in the industry.

In the article, they explain a scenario involving an infection called the Clampi trojan, but the success of an account theft or takeover isn’t dependent on any specific trojan. All it takes is some method of infecting a computer in order to provide real time data from that computer back to the online criminal. The NY Times article details the way a trojan spreads and watches for ideal account targets.

“When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.”

The way the attack works is that any time a user logs into their online bank from an infected computer, the trojan recognizes this and sends account information, including one-time passwords, back to the criminal in real time. The criminal can then use this information to log into the stolen account from his own computer or from a remote session on the infected computer. As unlikely as this sounds, we know of confirmed incidents of this attack.

Does this mean that multi-factor authentication is a waste of time? Not at all. Using tokens is still a best practice for account protection and is far more secure than a simple account ID and password combination. Primarily, the use of these trojans simply highlights the increasing sophistication of criminals in collecting and using personal data for their own financial gains. We have highlighted that online crime is far beyond curious kids and is now big business. Criminals are coordinating their efforts, working together, sharing tools and targeting the personal and account data that they need to be successful.

All this should be a reminder that, when it comes to security, companies should be working together—sharing techniques and information, and diversifying their defenses to meet this serious threat. Going it alone online is a losing proposition long term.

When Entraction was searching for a best-of-breed fraud partner for fraud detection and prevention, they wanted a solution that would not interfere with the players’ experience, would provide operational efficiencies within the detection process, and would be both scalable and cost-effective. While evaluating other tools, they found that many did interrupt the user experience, or were unproven, expensive, and lacked sophistication. Only iovation’s fact-based fraud solution met all of Entraction’s criteria, making iovation the clear winner.

After implementing iovation ReputationManager, Entraction has experienced a five-fold return on their investment. Their chargeback rate has also declined close to zero. “Even after the second year of having iovation in place, we still see our chargeback rate on volume of transactions continue to decline,” said Leonid Nezgoda, Entraction Estonia Managing Director.

Device reputation has completely changed how online gambling companies fight fraud. By using device fingerprinting to establish device reputations and reveal previously hidden relationships between accounts and devices, companies realize immediate improvements in their ability to combat fraud and money laundering. Additionally, because iovation tracks over 140 million unique device reputations, customers can work together to identify and block fraudsters from ever using their sites.

As part of iovation’s continued commitment to helping the online gambling industry fight fraud and money laundering, we will be speaking on this topic at the upcoming European i-Gaming Congress and Expo taking place Sept 15-17, 2009 in Copenhagen, Denmark.

Anyone who doesn’t think that online crime has transitioned into big time business should take note.  Online criminals are coordinated and remarkably well organized. They are becoming increasingly adept and efficient at not only obtaining, but sharing, valuable data: namely credit and identity information.

The extent to which online commerce companies rely on their ability to trust in this very same data cannot be overstated. Today, most online transactions are checked for fraud based upon credit and identity checks. If trust in that data is undermined, then the business models of hundreds of thousands of online retailers will suffer.

As we have stated many times before, the use of identity and credit-based checks is an essential part of the online purchasing process, but it is not a complete solution. Businesses need to have a way to check for fraud based on data that is not as easily compromised as credit and identity information. Device fingerprinting solutions, such as our device reputation service, offer that ability.

Device reputation provides significant uplift in fighting fraud because it is independent of the data used in so many of today’s attacks. Things that were previously completely invisible, such as repeat offenders and relationships between organized criminals, now come to light. Device reputation, at its most basic level, uses the ability to identify and re-recognize a PC in order to track that computer’s history of fraud and abuse—all without using any personal information. Those device reputations can then be shared among online businesses so that an entire online community can work together to fight this serious problem. Now, more than ever, the time has come for online businesses to give serious consideration to adopting new technologies to keep in step with an ever-evolving online world.

Over two billion times, our subscribers have used one of our device printing technologies while interacting with end-users and then reached out to our service with device printing data plus their unique account or transaction identifier. In real-time (sub-second response times) our service then follows business rules that are unique to each subscriber and leverages terabytes of information in our global fraud database, the Device Reputation Authority (DRA).  We can tell subscribers if they have ever seen a given device and if any related accounts and devices have a history of fraud or abuse at their site. We can also tell subscribers if any related devices are associated with fraud or abuse at other subscriber sites.

In processing all these device reputation inquiries, we have stopped over 11 million fraudulent and abusive activities. If the average loaded cost is just $100.00 per incident, then we have saved our customers over $1.0 billion in fraud and abuse losses.  And this, of course, is the whole point. We help our subscribers stop everything from identity theft and stolen credit card use to cheating, posting unwanted content, chat abuse and child predation. Over 11 million times our subscribers stopped a purchase, login or other action with sufficient confidence to avoid any additional review. And this is just the real-time stops. We also help our subscribers identify suspicious activity through real-time notices, Risk Module, scheduled reports, and add hoc queries through our web-based admin console.

I can’t help but think of how far we have come in the past five years as a company and how quickly ecommerce evolves. Internet businesses have undergone a significant transition in general awareness of what device fingerprinting solutions, like iovation’s ReputationManager, have to offer. In the ‘old days’, just a few years ago, we spent considerable time explaining what device reputation was and educating potential subscribers about how using our service could change the way they identified relationships between accounts, orders, or applications. Contrast that with today’s environment, where device fingerprinting solutions are recognized as a best-practice and even a necessary component to any fraud and abuse management system. Nowhere was this more evident than in this year’s Fraud Management report that identified device fingerprinting as the #1 planned technology for implementation over the course of the next year and as one of the top three effective technologies for fighting fraud.

In addition to increasing market awareness of the power of device reputation, we have experienced tremendous growth in our business. It took us about four years to process our first billion transactions and only one year to hit the next billion. We currently track the reputation of over 140 million unique devices, up nearly 500% from just a year ago.  We have grown from protecting a handful of businesses in a single industry to protecting hundreds of web properties, many of which are globally recognized brands, involved in all kinds of e-commerce activities.

What has driven our growth more than anything is that we simply deliver results. Our subscribers have realized remarkable returns, such as our Fortune 100 credit issuer who generated a 321% ROI in the first two years, and Ntreev USA who saw amazing results within a mere 30 days. We are proud of the real value we deliver and delight in stopping fraudsters and helping our subscribers minimize losses and increase profits.

I would like to take this opportunity to thank our employees, our partners, our investors and most of all our subscribers who have made this growth and success possible. We are working together to fight fraud and abuse more effectively each day.

At iovation, many of the questions we field revolve around how we do device fingerprinting. Rather than get into a detailed definition of device fingerprinting, I will address the basic choices available to companies and explain how iovation uses them. Essentially, device fingerprinting is used online to identify and then re-recognize a PC or other Internet device that visits an online site. There are really 4 different ways that this can be accomplished:

1. Download device print – In this case the online user must accept a downloaded device print, which is usually in the format of some sort of DLL or other executable. In general, this technique is used by online businesses that already download other software and this becomes a component of that download. For example, game companies may include this in their game downloads. At iovation a small percentage of our customers use this form of device recognition. Its advantages are that it is the most accurate device print available. Additionally, because it can look deeper at system attributes, such as the MAC address, it can often re-identify a PC even if the user completely reloads the operating system and is thus more resistant to bypass. The drawback is that it does require a download and for many businesses, this is simply not acceptable.
2. Web device print – In this case, there is no change to the user experience on the web, but a unique identifier is left as a cookie in various places. For example, this could be as simple as a standard cookie, or it could take advantage of various other applications like a flash cache. This print still retains the ability to uniquely and accurately identify a PC but isn’t as resilient to bypass as a downloaded print.
3. Device profiling – In this instance there is no unique identifier left on the system, but rather a collection of the device attributes that are visible through the web. This technology answers the question, how likely is this PC to be one that I have seen before. There are many of these attributes, such as operating system, browser OS and version, etc. that taken individually are non-unique, but when looked at in aggregate can provide a high re-recognition rate for PCs. The advantage of this technique is that it is very resilient to bypass in that there is no unique identifier to be cleared. The drawback is that the more aggressive you are with recognition techniques, you risk false positives in the recognition of devices.
4. Risk profiling – In the true sense of device recognition this is not device fingerprinting because the goal is not to match devices uniquely to a device a business has seen before. Rather, this is used to aggregate risk characteristics for a PC that may include the fact that it looks like devices that have been associated with fraud in the past. This type of technique can include the device profile risk, IP address risk, and common risky attributes (i.e. the PC is coming through an anonymizing proxy).

All of these techniques are used by iovation to provide a comprehensive device reputation service and to match our customers needs and business environment. The choice of technology reflects our customers sensitivities to fraud, customer experience, false positives and review queues, and the type of customers that visit them online.