In the article, “Why Internet crimes go unpunished,” security expert Roger Grimes breaks down some interesting numbers around cybercrime, and how hackers are (to put it mildly) beating the odds. According to the FBI’s 2011 Internet Crime Report, of the more than 300,000 complaints that netted criminals $1.1 billion in 2010, law enforcement agencies convicted an average of one crook for every 50,635 victims. In other words, as Grimes eloquently states:

Steal someone’s identity and your odds of being caught are almost infinitesimal.

With all the hacks and fraud headlines 2011 will be remembered for, that’s definitely not the way we want to ring in the New Year. But as Grimes also warns, if we aren’t careful we could see history repeat itself as criminals not only continue defrauding computer users, but launch recycled attacks against the explosion of worldwide mobile device users, who could fall victim to the same old PC tricks.

While law enforcement certainly has its challenges in tracking down and prosecuting cyber criminals, nobody will argue that we can always be doing something on our part to help reduce the risk of fraud where the criminal is utilizing a computer, as well as emerging mobile platforms like smartphones and tablets.

Whether you’re an individual, small to mid-size business, or even a large international corporation, in many ways you’re sort of on your own in cyberspace. This is why taking matters into your own hands and implementing defense-in-depth fraud preventative strategies is so critical to protecting yourself, your employees and business from both evolving and old-school scams targeting every form of Internet-connected device that we use.

This is the time of year when most businesses are setting their budgets and determining business goals for 2012. While improving customer service and increasing revenues are certainly at the top of any CEO’s to-do list, mitigating costly fraud risks that can take a hefty bite out of annual profits (not to mention cause significant reputation damage) requires organizations to deploy effective security tools like iovation’s ReputationManager 360 solution to reduce the risk of fraud or abuse over all devices and platforms connecting to their online business environment.

It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, there are many, many things that go into a new feature including design, development, testing, documentation, integration and other operational requirements. We won’t go into that amount of detail here, but instead will focus on the primary achievements within each of the four principle areas of specialization at iovation, which include:

It’s truly an honor to follow in the footsteps of some of the most recognizable technology companies in the world such as Google, YouTube, Skype and eBay, who have all been previously selected to Red Herring’s prestigious Top 100 Global list.

This recognition is a direct result of years of hard work evolving our fraud protection service into a full spectrum device reputation solution that supports native and web integrations for mobile and desktop devices, tagged and tagless device recognition, real-time transparent risk scoring, and on-demand and scheduled reporting. Our remarkable growth is attributed to the collaborative work and effectiveness of our global device intelligence network, which today protects billions of transactions for our clients representing multiple industries around the globe.

Red Herring Chairman, Alex Vieux, elaborated on the difficulty the editorial staff goes through each year in selecting the Global Top 100.

“Choosing the best out of the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners. It was an extremely difficult process. iovation should be extremely proud of its achievement, the competition for the Top 100 was fierce. The Top 100 Global are truly the best of the best.”

Companies were evaluated on both quantitative and qualitative criteria such as financial performance, technology innovation, management quality, strategy and market penetration.

The full list of 2011 winners is located at: http://www.herring100.com/RHG/2011/top100.html.

We all know that the top priority for any IT fraud team is to ensure their good customers can safely and easily communicate and do business within their online environment. However, because many business websites have networking communities that bring likeminded individuals together to socialize, the potential for users or criminals to act inappropriately towards others can create problems that can impact the user experience.

For the verticals we serve, including online dating and Internet gaming and gambling websites, the social interaction that goes on between their members is core to their business and daily revenue stream. If somebody gets out of line or breaks corporate policy, it not only impacts the user’s experience, but can put the organization’s reputation at risk.

If any online business fails to maintain the trust and confidence of their paying subscribers, those customers can simply take their business elsewhere. This is why online romance sites and Internet gaming environments need to be aware of the impact member abuse can have on their bottom line.

One of the challenges of protecting networking sites from abusive behavior is stopping it before it happens. But how? While most anti-fraud measures still focus on the person connecting to a site, iovation’s ReputationManager 360 solution checks the device being used to log onto a site or request transactions against a dynamic database of more than 700 million unique devices and their reputations to give businesses deeper insight to those connecting to their network. Understanding when a device on your network — whether it’s a PC, smartphone or tablet — has been used to perpetrate abusive or fraudulent behavior on another site is valuable information fraud teams can use to prevent unwanted behavior against their members.

The bottom line is, when it comes to online services, consumers have more choices than ever. If their trust and confidence has been violated as a result of online fraud or abuse, they can walk away at any time. Organizations leveraging device reputation technology to protect their social communities have an additional layer of intelligence needed to prevent both fraudulent and abusive behavior before it impacts the user experience or results in a financial loss.

But gold farming doesn’t refer to literal gold. Rather, gold farmers accumulate virtual currency by playing massive multiplayer online games. That virtual currency, or “gold,” is then sold to other players, despite the fact that most game operators explicitly ban the exchange of in-game currency for cash. Gold farming is so lucrative, people in China and other developing nations can support themselves as full-time gold farming ring operators.

The Washington Post recently reported, “Low-educated laborers in Asia spend hours each day advancing through levels of an online game, picking up gold, swords and gems that enhance a player’s status. Then gaming studios, which employ the players, sell those virtual goods to online retailers. Finally, the retailers sell those items to more than 120 million players worldwide, many of them in North America and Europe, who are unwilling to play the games all day to gather the items on their own.”

Some argue that in certain developing countries, gold farming is tantamount to slave labor. The New York Times reports that in China, gold farmers often work twelve hours a night, seven nights a week, with only two or three nights off per month. “For every 100 gold coins farmers gather they make about $1.25, earning an effective wage of 30 cents an hour, more or less. The boss, in turn, receives $3 or more when he sells those same coins to an online retailer, who will sell them to the final customer (an American or European player) for as much as $20.”

Meanwhile, a recent report by the World Bank suggests that online gaming has a positive impact in Asia because 70% of the industry’s revenue remains in the gaming countries, with most of that money going to studios.

I don’t know. 12-hour days, for 30 cents an hour? What do you think?

The bottom line is that gold farming negatively affects game play in that legitimate players are now unable to enjoy the full game experience. Being unsatisfied, they leave for other games (and often take their friends with them) and this damages the brand reputation and reduces the gaming publisher’s profits.

Many leading MMOs are finding it increasingly necessary to deploy a layered defense to protect against gold farming, chargebacks and increasingly, account takeovers within gaming environments. By leveraging the power of device reputation, which looks at the computer, smart phone or tablet connecting to the games, the gaming publisher can easily connect together players working together and shut down entire rings in one sweep. In one case, a major gaming publisher saw the marvel of Oregon-based iovation’s fraud protection service and took action against 1,000 fraudulent accounts shortly after implementing the SaaS-based service.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Online games often reward players who accumulate a certain quantity of in-game points with cash payouts. Guards at this particular prison camp forced prisoners to do 12-hour shifts playing games, on top of their manual labor.

One former Jixi prisoner told The Guardian, “If I couldn’t complete my work quota, they would punish me physically. They would make me stand with my hands raised in the air and after I returned to my dormitory they would beat me with plastic pipes. We kept playing until we could barely see things.”

These prisoners were “gold farming,” monotonously repeating basic tasks within online games like World of Warcraft, in order to build up virtual currency. Gamers around the world are willing to pay real money in exchange for online credits, speeding up their progress within the game.

People in many developing countries have turned to gold farming in order to support themselves, but up to 80% of the world’s gold farmers are based in China, where as many as 100,000 people work around the clock to earn virtual points.

Game operators lose profits due to forced labor gold farming, and while they certainly want to stem their losses, they also have a humanitarian responsibility to the victims of this crime. iovation’s ReputationManager 360 is a proven service that helps protect against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices and shares their reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud and lots more.

Many leading gaming publishers have been using iovation’s device reputation service for years to prevent game abuse upfront and ensure that their players have a safe and fun experience. These gaming publishers and iovation continually share information, the latest trends and best practices in order to stay one step ahead of the bad guys.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

Scammers resell stolen points to gamers, who use the points to play more games or to purchase equipment or accessories for their avatars. According to Seoul police, the cybercriminals behind this particular scheme made $6 million in less than two years. 55% of that went to the team of hackers, while some went to Kim Jong-il’s multibillion-dollar slush fund, which American and South Korean officials say is at least partially used to fund a nuclear weapons program.

South Korean officials blame the North Korean government’s Computer Center, an IT research venture, for orchestrating the fraud.

Many of the world’s largest gaming publishers and digital goods providers rely on iovation’s ReputationManager 360 to detect fraud upfront through its extensive, globally-shared database of 700 million devices seen connecting to online businesses and the 6 million fraud events already associated with many of these devices.

iovation has already flagged more than 13 million activities within gaming sites for gaming publishers to either reject as completely fraudulent, or to send for manual review as high-risk activity was detected in real time. This has saved gaming publishers millions of dollars in fraud losses by not only stopping a fraudulent activity (such as a cyber criminal setting up a new account in the game, or a purchase from the in-game store using stolen credentials), but it connects cyber criminals working together so that the publisher can identify entire fraud rings and shut them down at once.

Gaming operators can customize business rules around geolocation, velocity, and negative device histories (including gold farming, code hacking, virtual asset theft, and policy violations) to identify nefarious accounts activity, or fraudulent use of stolen accounts. More than 2,000 fraud-fighting professionals contribute to iovation’s global database every single day, continuously strengthening the system while maintaining a safe and inviting environment for their players.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

iovation is a bronze sponsor talking with gaming publishers and payments providers about effective methods for preventing fraud and abuse – such as chargebacks, gold farming and account takeovers.  Organized crime in online gaming is a serious and growing problem.

Many online gaming publishers are stopping fraud with iovation’s ReputationManager 360 fraud prevention and device reputation service.  Customers like Gravity Interactive, Nexon and SG Interactive (previously Ntreev) share fraud and abuse histories within our globally shared knowledge base of more than 650 million devices, keeping their games safe and their players happy. If you are attending the Seattle show, please stop by to see us in Benaroyal Hall, Table 23.

The Westin Building is easily the best connected facility in the Northwest United States. Via our patch panel in the meet-me-room we can rapidly connect to dozens of global telecommunications carriers serving the US, Asia, Canada, Europe, and the rest of the world with a simple fiber optic jumper cable. This facility is also home to the Seattle Internet Exchange on which we are a member.

If you are an iovation customer and would like to directly connect to us within this facility or across the SIX please contact me.

From an infrastructure point of view, keeping the iovation service online at all times and keeping the “bad guys” from harming our customers is always Job #1. To do this, we employ many levels of redundancy, both within a given facility, and between multiple facilities. As with any data center, this starts with the electrical power feeding the facility. Every piece of iovation equipment is fed from dual power sources which are completely redundant all the way back to the power utility. It should also be noted that power failures in Seattle are nearly nonexistent as the grid is extremely robust (fed largely by hydro-power).  

Here you can see the generator bank backing up our “A” side power bus:

Here you can see the generators backing up our “B” side power bus:

After the generators, the power flows through a pair of “Automated Transfer Switches” that will cutover from “utility” power to “generator” power should their be a disturbance on the power grid. Unfortunately, I don’t have a picture of these transfer switches handy, but here is a picture of the main electrical switchgear that is downstream of the transfer switches for both the “A” side bus and the “B” side bus.

After the main switchgear, the power is fed into a pair of 500KVA UPS units (again, completely separate “A” side and “B” side units) which provide super-clean output power at all times due to their double-online-conversion design. They also provide battery back up during power outages until the generators start up and take the load:

From the UPS units, the power is sent out at 480 volts to step-down transformers located on the data center floor (the black cabinet in the middle of the picture is one of the two that feed iovation):

After being stepped down to 208 volts, iovation receives one three phase 225 amp power feed from the “A” side power bus and another 225 amp power feed from the “B” side power bus into a pair of RPP panel units (circuit breakers):

From these RPP panel units we provide every cabinet with one 208v 30amp 3 phase connection from the “A” unit and another from the “B” unit. All power capacity planning is done with the assumption that we can lose either the “A” side or “B” side power and everything will just seamlessly shift over to the still-functioning power leg without any impact.

So that should provide a pretty good overview of our power infrastructure, now let’s talk about cooling for a bit. While the Westin Building has numerous redundant evaporative cooling towers, here is a snapshot of a few of them:

I don’t have a picture handy, but needless to say, the cooling loop system has fully redundant pumps for water circulation. Here you can see a very important feature of the cooling system – The Westin Building stores thousands of gallons of emergency water on site to keep their cooling system operational even in the event of a water utility outage:

Here you can see an example of the many redundant cooling units that actually provide cool air to our servers by moving heat from the air into the cooling loop. There are a pair of these units dedicated to the iovation cage (not shown):

And last but not least, here is a picture of the iovation cage (though this was taken before all the servers were installed):

I could continue on about the layers of fire protection systems, multi-factor access control, 24×7 engineering and security staff, etc, but perhaps those will be topics for future blog posts. We here at iovation are very excited about the addition of this facility to our tool set as it allows us to scale up to handle ever increasing customer demand while continuing to provide the highest level of service to our clients.

As always, please send me an email if you have any questions!

-Eric
Sr. Infrastructure Architect

“We are proud to be a new entrant to the Portland Business Journal’s Top 100 list and look forward to being a regular member of this outstanding group of companies. We fully intend to move up the list in the coming years as our growth continues to accelerate,” said Doug Shafer, CFO at iovation Inc. “We are very excited about the growth opportunities in all of the key vertical markets that we serve across the globe.”

In any economy — but even more so in today’s slow economic recovery — the key to business growth is all about customer satisfaction. Driven by a “customer first” mentality, we provide much-needed fraud protection services to online businesses around the globe. This powerful combination has played a central role in not only earning new business, but also achieving a 96% customer retention rate.

For any fraud prevention company, knowing you are delivering highly innovative and effective fraud-fighting solutions that are improving the safety and financial well-being of your customers and business partners makes all the difference. That’s what makes us tick at iovation. And we couldn’t have done this without the hard work and dedication of our amazing team, partners and customers. Thanks for working with us to make the Internet a safer place.

When talking to people on the street about fraud and abuse in multiplayer online games, they are often surprised that such a thing even exists! But the reality is that once a game reaches a certain level of popularity, it becomes equally attractive to the dark side.

Nexon America is one gaming publisher that takes this threat very seriously! They not only fight fraud and abuse head-on; they take a proactive approach with the assumption that every possible flavor of abuse will be attempted and they’re armed and ready for it.

At a recent fraud prevention user group for iovation’s gaming clients during E3 in Los Angeles, Nexon led discussions on preventing account takeovers, chargebacks and gold farming with other fraud professionals who attended. Gold farming (stealing virtual goods or using stolen credit cards to obtain them) is a serious abuse that destroys in-game economies and contributes to poor player experience. Additional topics that were covered during the iovation user group included friendly fraud, code hacking, password education, blacklists and biometrics, just to name a few.

Sharing best practices, tools and strategies is essential in the fight against online fraud. iovation facilitates the sharing of information not only through in-person user groups, but directly through its ReputationManager 360 fraud prevention service. For example, if one gaming site is hit with gold farmers or a group of devices involved in a fraud ring, other iovation clients know this information upfront, before incurring chargebacks or other damage. Our customers benefit greatly from this immediate feedback on devices that are new to them, but not new to iovation.

Even when a device touches a gaming site for the first time, and iovation has no previous history for that particular device, we can still leverage what we know about the associated account and its history, the geolocation information of the transaction, and a host of other device-related properties that might indicate risk based on everything we know about similar devices.  Twelve percent (12%) of the transactions iovation flags as high risk are from new devices.  That’s 1.6 million just the first half of this year.

Online gaming companies like Nexon are motivated to ensure their gaming environments are first and foremost fun and safe for players. This not only helps protect their brand; it strengthens the trust between the company and their valued players.

————–

Nexon America, Inc. develops multiplayer online games in North America. It develops Mabinogi, a multiplayer online role-playing game; Combat Arms, a multiplayer online first-person shooter; and PopTag, an arcade-style multiplayer action game. The company was founded in 2005 and is based in Los Angeles, California. Nexon America, Inc. operates as a subsidiary of Nexon Corporation.

The Visionary section of the Magic Quadrant recognizes security vendors whose products are easy to implement and have successfully reduced online fraud for their customers.  According to Gartner’s description:

The Visionaries’ products are relatively easy to implement (when compared with many of their competitors) and have achieved very good results in reducing online fraud for their clients, often using software-as-a-service (SaaS)-based models. Often, they are more innovative than their competitors and tend to offer superior customer service, which they can afford to do, given their smaller customer base and their dedication solely to fraud detection.

Our revolutionary device reputation technology uniquely identifies and re-recognizes individual devices, including computers, smartphones and tablets, that log onto business websites and checks it with our shared global fraud and abuse database to help customers assess the transaction risk based on the likelihood that the device will commit online fraud or abuse.

In fact, Gartner’s description of Web fraud detection nearly describes what iovation’s ReputationManager 360 fraud prevention solution does to a tee: detects account takeover, detects fraudulent accounts created by a stolen or fictitious identity, and detects the use of a stolen financial account when making a financial transaction.

“We’ll stop over 50 million fraud attempts this year as we continue on our mission to make the Internet a safer place”, said Greg Pierson, founder and CEO of iovation. “We are honored to be positioned by Gartner as a Visionary and recognized in the web fraud detection market. We take pride in providing superior customers service and delivering meaningful results in the fight against online fraud and abuse.”

LOGIN features two days of online game development lectures, panels, and roundtables, renowned local and international industry speakers, facilitated networking activities, parties, keynote lunches, and an exhibition area. Based on the excitement in the crowd at last night’s Welcome Reception, we’re in for a terrific show this year.  There’s a great lineup of speakers and some really interesting session titles, including:

• Giving Candy to Babies: Ethical Monetization for the Tween Set
• Gamification Will Eat Itself: How Gamification Can Evolve, and Why It Must
• RTS, RPGVille and FPS World: Does Facebook Suck the Fun Out of Hardcore Games
• Wannabe Farmers Replacing Pretend Mass-Murderers: Are Social Games a Fad?
• The Advercide Hotline
• and surprisingly, MAXIMIZING Fraud in Online Gaming

iovation is a sponsor and exhibitor at the conference and is talking with gaming publishers about effective methods for preventing unwanted fraud and abuse – such as chargebacks, gold farming and account takeovers.  Organized crime in online gaming is a serious and growing problem. Entire businesses have closed due to attacks by cyber criminals, while others not managing chargebacks properly have lost their ability to offer popular payment methods. Fraudsters hijack player accounts, purchase virtual currency using stolen credit cards, sell gaming assets on third-party sites, and create programs that run spam in chat channels from hundreds of fake accounts— all hurting the gaming brand’s reputation and business profits.

Stop by the booth and ask fraud prevention representatives Cory Swick and Paul Vorvick about protecting your gaming site from credit card fraud, account takeovers, gold farmers and in-game spammers. And while there, get your very own Virtual Crime Fighter t-shirt.

In the Internet Retailer article, “Sony data breaches highlight the fraud risks online retailers face,” it was first disclosed that hackers made off with customers’ names, street addresses, email addresses and dates of birth. However, updated reports now say that up to 10 million credit cards may have been compromised.

While the theft of personal information can lead to more phishing email, fraudulent accounts, and a host of other social engineering schemes, David Montague, president of The Fraud Practice LLC, a consulting firm that specializes in card-not-present (CNP) and online fraud prevention, said the real threat to Internet retailers would be if the criminals stole credit and debit card numbers.

“When large numbers of credit card numbers are stolen, there are more available for sale and fraud attempts increase.”

In recent years, there has been so much theft of payment card numbers that retailers now have to consider every card number as suspect, said Forrest Research analyst, Jonathan Penn. To protect their businesses and customers from an array of fraudulent activity such as credit card fraud, phishing attacks, account takeovers and identity theft, Penn says that merchants should avail themselves of the latest innovative fraud-fighting solutions like Ethoca, which aggregates data about fraud from many retailers, and iovation, which compiles a database of computers associated with fraud.

This will not be the last that we will hear of breaches of this sort. In the past, identity thieves would “dumpster dive” and clone cards at restaurants or at pumps. Today, they steal millions of cards at a time from online retailers. The sad reality is that the vast majority of the victims of this crime most likely did everything right, and yet they are still going to bear the consequences of this breach.

Many gaming sites have increased efforts to detect suspicious players, but savvy criminals have learned to mask their true identities, changing account information to circumvent conventional methods of fraud detection.

When players conspire to hack one game, they compromise the integrity of the entire website. Other players eventually realize that the deck is rigged against them and that the website’s fundamental security has been compromised. The website becomes useless to honest players, who take their business elsewhere.

Earlier this month, six buses transported online entrepreneurs to Austin for the South by Southwest conference, as part of the Startup Bus project.

As reported by CNET, “The coders and would-be Mark Zuckerbergs [took] part in a high-paced competition” in which they formed teams and competed to come up with “the best, and most viable, tech start-up” during the 48-hour drive to Texas. As it turns out, some “buspreneurs” collaborated (or conspired, depending on your perspective) to create automatic scripts that would effectively stuff the ballot box on behalf of three of the teams.

Elias Bizannes, who founded the Startup Bus project, explained, “The good news is that this exploit is no longer a problem and the fake accounts will be penalized. We’ve identified 1,300 fake accounts, with 900 from the same IP address, so not exactly done smartly by them. It’s a problem not with technology, but identity – which to be honest, is just a problem across the Internet.”

It is increasingly necessary for online gaming sites to deploy more effective security solutions, including analysis of information beyond that which is voluntarily provided by users. By leveraging a device reputation check from services like Oregon-based iovation, gaming websites can reject problem players within a fraction of a second, and avoid further problems from users whose devices are already known to be associated with fraudulent behavior.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

As part of our effort to expand our device identification, device reputation and real-time risk mitigation services for online businesses in France, I am pleased to announce that Philippe Mazurier has joined iovation as Country Manager, heading up sales and business development and is based in Montpellier.

Philippe brings strong business relationships and deep, in-market experience that will be instrumental in helping us meet online fraud protection demands in this market. He understands the serious and damaging impacts that cybercrime has on online businesses.

As we continue to serve the French market, protecting e-commerce, financial services, gaming and online communities from fraud and abuse, having a seasoned veteran in authentication and fraud prevention services representing iovation will help us serve this market even better.

To arrange meetings with Philippe to talk about any fraud or abuse issues your company is experiencing, please email france@iovation.com or call +33 (0)6 69 79 12 33.

Virtual currency includes the points customers receive from retailers, merchants, airlines, hotels, and credit card companies through loyalty reward programs. These reward points are supposedly the second most traded currency on the planet.

Gizmodo reports that hackers have targeted Microsoft points, the currency used to purchase digital goods and gift cards for the Xbox and Zune. Someone cracked the algorithm Microsoft uses to generate codes for those gift cards, and released that information online. A website was used to generate more than a million Microsoft points worth of free gift cards, as well as other Xbox items, before Microsoft was able to shut it down.

In 2009, Facebook created a virtual currency called Credits, which users spend on games and other Facebook content. Facebook has worked with fraud fighters to test and structure this currency so as to avoid attracting criminals, but as with any virtual currency, criminal activity is inevitable.

Hackers even steal carbon credits. European carbon traders were fooled by a phishing email, which allowed hackers to access the victims’ online accounts and then transfer more than $50 million in carbon credits into their own accounts. Of course, the hackers promptly resold those credits for profit.

Virtual thieves can sell stolen points in online forums or on eBay, or they can try to exchange points for rewards. However, most online retailers, social media, and gaming websites recognize the thieves’ behavior patterns when cashing in stolen points. By analyzing the history of the device being used to access a website, the website’s operator can prevent fraudulent transactions.

iovation’s ReputationManager 360 is getting a lot of attention for preventing chargebacks, virtual asset theft, gold farming, code hacking and account takeovers. The service identifies devices and shares their reputation including alerting businesses to real-time risk. Online businesses use device reputation to prevent fraud and abuse by analyzing the computers, smartphones, and tablets being used to access their websites.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

“Digital goods” are any products that are stored, delivered, and consumed electronically. Within a variety of online communities, including social media and online gaming websites, “virtual currency” is used to purchase virtual goods. Clothing and supplies for Second Life avatars are examples of virtual goods, which sometimes add points and enhance the player’s status within the game.

While it may be “hard to imagine fraudsters’ interest in items like computerized swords for a fantasy game…these goods are often easier to obtain than physical goods and criminals have learned that there are ways to convert them into cash.” Criminals can use stolen credit cards to purchase digital goods, and then sell them at a discount, “the online equivalent of selling stolen Rolexes on the street corner.”

The difficulty for digital goods merchants is the nearly instantaneous delivery. A traditional merchant must physically process and ship an order, which leaves time for more scrutiny. But with virtual goods, there’s little time to investigate the validity of an order.

When a credit card is not physically present, merchants can protect themselves by leveraging device reputation analysis. iovation’s ReputationManager 360 is used by many of the world’s largest gaming sites and digital goods providers. Gaming operators can customize business rules around geolocation, velocity and negative device histories (including gold farming, code hacking, virtual asset theft and policy violations) to identify nefarious accounts activity, or fraudulent use of stolen accounts. More than 2,000 fraud-fighting professionals who contribute to iovation’s global database every single day continue to strengthen the system, while maintaining a safe and inviting environment for their players.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

On Monday, we were named by AlwaysOn and industry experts as one of the 2011 OnDemand Top 100 winners, which recognizes leadership and game-changing approaches and technologies likely to disrupt existing markets and entrenched players. iovation was chosen for our unique ability to detect online fraudulent activity in real-time and keep our clients’ businesses and customers safe.

By leveraging our knowledge base of half a billion device reputations to prevent fraud loss and protect our customers, iovation helps many of the world’s leading brands representing financial services, retail, travel, dating, social network and gaming industries stop 150,000 online fraudulent activities each day.

But we couldn’t do this alone. This is a highly collaborative effort. We work with more than 2,000 fraud analysts worldwide, who report and share their unique fraud experiences through our Device Reputation Authority database. The information we share on Internet devices (computers, smartphones and tablets) and their associated online accounts provides our clients with upfront intelligence they can use to recognize who is attempting to make fraudulent payments or request suspicious transactions so they can proactively stop fraud or abusive activities before they happen.

I’d like to again thank the AlwaysOn editorial staff and other industry peers for recognizing the hard work and dedication that we and all of our partners are doing to make a difference in the anti-fraud landscape.

In order for the business rules engines to be productive, the rules they operate on need to reflect the particular risks the organization faces. When it comes to customizing business rules, this is not a “one size fits all” model. Giving a retailer, financial institution, or gaming company the ability to easily create and manage rules that are run against their transactions requires a tool that makes it simple to see, add, edit, and experiment with rules.

The iovation business rules editor provides great flexibility in managing the set of rules to be reviewed for transactions such as login, account creation, account change, and checkout. Rule sets are the collections of rules for each end-customer touch point. Rules can be added with a familiar drag-and-drop, enabled and disabled with one click, parameters can be adjusted, and lists of common items can be managed and included. An example of a list is a ‘risky ISP list’, where the user can create a list of risky ISPs and use that same list in multiple rules. If the list changes, all rules leveraging that list will be immediately updated. New rules can be evaluated without impacting scoring results by giving them a zero weight and tracking how frequently they are triggered.

The iovation rules editor provides additional flexibility to help you keep up with the evolution of fraud while protecting your business.

With total losses to Internet crime topping $599 million in 2009 (the latest annual statistics), educating others about the current state of fraud, evolving fraud tactics, high at-risk groups, and best practices to identify and prevent fraud, plays a critical role in helping consumers and businesses protect themselves from online fraud.

Fraud Prevention Month is also an indicator of how much still needs to be done for businesses to adequately protect themselves and their customers from today’s growing threats.

In the article, “One in five Canadian small firms insufficiently prepared to handle fraud,” a recent survey found 80% of Canadian small business owners believe their fraud-prevention strategies are enough to protect themselves from fraud. However, 17% responded that they are not prepared to handle new types of fraud tactics.

With cyber attacks becoming more widespread, the annual education and awareness campaign focuses on the growing concerns of online fraud. According to Gail Cocker, senior vice president of commercial banking at BMO Bank of Montreal, businesses that aren’t equipped to prevent evolving fraud tactics face increasing risk that could impact their business operations.

“Fraud is a direct threat to the success of our business customers. In today’s world, business owners must understand and manage multiple risks. Fraud is an operational risk that must be managed proactively.”

While education is key to raising the business community’s awareness of potential fraud risks, regularly assessing your fraud-prevention strategies is essential to making sure you are prepared for evolving fraud techniques that are continually seeking new ways to defraud your business and customers.

With regular events going on around the globe to help organizations protect their businesses and customers from more sophisticated cyber attacks and identity theft, the iovation team spent last week talking with 800 attendees at the 2011 Merchant Risk Council (MRC) e-Commerce Payments & Risk Conference, held at the Wynn Resort in Las Vegas. Take a look at the photos published on iovation’s Facebook page.

iovation provides device reputation and real-time risk evaluation solutions to help businesses representing retail, financial services, gaming and social networking determine the level of risk associated with their Internet transactions including PCs, tablets and smartphones. By performing device reputation checks on over 7.5 million daily online transactions for our customers, we help stop more than 150,00 online fraud and abuse attempts each day.

There is a great recent article in Government Info Security that examines this change titled appropriately, “The Evolution of Risk.” It gives a nice look at the role risk managers play in key strategic decisions and how stopping and analyzing the sources of fraud has been escalated in importance over the past couple of decades. The article looks at what it takes to be a Risk Manager today, and has this to say:

“The role demands new skills. Today’s risk management professionals really need to take a strategic view of managing risk to be relevant in achieving the organization’s expected outcome.”

One thing we at iovation feel is essential to a Risk Manager’s success is working with their risk management peers outside their company to stop fraud. It is simply no longer enough to work solely within your own data silo to stop fraud when the fraudsters use collaboration and communication so extensively. iovation facilitates the creation of thousands of Virtual Crime Fighters sharing device reputation data and working together to stop fraud at the companies they are responsible for.

Thousands of Risk Managers use iovation ReputationManager 360 every day to identify and shut down fraud.

If you’re planning to attend, please stop by booth #611 to tell us about any fraud or abuse issues your business is dealing with.

We’ll share with how iovation’s device identification, device reputation and real-time risk reporting service enables gaming businesses to service their customers more effectively by managing fraud and abuse. We help Massively Multiplayer Online Games and Virtual Worlds keep their players safe and mitigate risk such as chargebacks, code hacking, gold farming, account takeovers, policy violations, chat abuse and virtual asset theft.

iovation protects online gaming sites while protecting the identity and privacy of their players. We stop over 150,000 online fraudulent activities every single day. Most anti-fraud solutions fight fraud by looking at identity information or financial data, but our approach is completely different. We focus on the physical device (computer, tablet or mobile phone) that the player is using to connect to the online game or virtual world.

Our software-as-a service solution, ReputationManager 360, exposes the reputation of devices in real-time as they are connecting to gaming sites. In a fraction of a second we alert publishers whether or not they should proceed, or what level of risk there is in that interaction. iovation manages the reputations of more than half a billion unique devices that have touched our customers from literally every country in the world. What’s more, we help gaming sites understand how those devices and their accounts are related to expose fraudsters working together.

Our clients often begin their anti-fraud checks with a device reputation call to iovation, stopping problem players immediately and avoiding further checks and additional fees when the device is known to be associated with real fraud.

Here is an example of how SG Interactive (previously Ntreev) took immediate action against more than 1,000 fraudulent and problematic accounts after implementing our service.

While at GDC, please stop by iovation’s booth (#611) to say hello to Cory Swick, Greg Zito and Kristin Williams, and while there don’t forget to pick up your Virtual Crime Fighter t-shirt!

As expanding businesses combat an array of online crimes such as credit card fraud, phishing, forgery and money laundering, our customers’ collective experiences are reported and shared in our database of over half a billion unique device reputations, which include computers, tablets and mobile phones.

Besedo’s clients can now become part of the thousands of security professionals who leverage iovation ReputationManager 360’s comprehensive checks that include the device’s history, associations with other accounts and devices, geolocation rules, device anomalies, and worldwide velocity indicators associated with thieves quickly trying to leverage stolen credentials. Deploying our anti-fraud services to their auction, classified, gaming and community clients help businesses identify fraud and abuse activities upfront to stop fraud more effectively and increase their customer retention through safer, more secure sites.

We look forward to partnering with Besedo to help their clients reduce fraud losses and better protect their online environments and brand reputations.

Last year more than 60 of iovation’s online betting, poker, sportsbook and casino customers reported and shared 350,000 fraud and abuse attempts through the ReputationManager 360 device reputation service, including the likes of William Hill, Entraction and WagerWorks. These experiences are shared along with our knowledge base of more than 500 million unique devices (computers, tablets and mobile phones) which online gaming sites leverage to gain insight into suspicious activity to prevent fraud before it happens.

Many fraudulent transactions can look like a single transaction to an online gaming site, but often times they’re not. By providing customers with a unique view of devices used by criminals to perpetrate online fraud and abuse, iovation gives gaming sites the ability to see if a normal-looking transaction is actually a coordinated attack across multiple sites. We detect these attacks through velocity triggers and shared experiences across our customer base to alert affected businesses and prevent potential attacks.

During the online gaming panel which takes place Thursday, March 3rd at the Sans Souci Ports Conventions Center, I will be sharing experiences I’ve had working closely with many of the world’s largest online gaming sites. I hope to see you there, and please stop by the iovation Booth #26, at get your Virtual Crime Fighter t-shirt!

The drop in account takeover may be due in part to a few different things.

Less breaches. There was a drop in data breaches from 221 million records in 604 breaches during 2009 to 26 million records breached in 404 reported breaches during 2010. Criminal hacker Albert Gonzalez and his gang were responsible for many of those hacked records and he and many of his cohorts are now in jail.

PCI standards. All those responsible for accepting credit cards are now under strict Payment Card Industry Standards rules and regulations that require a level of security that took about 5 years to implement. Today many of those merchants are doing a much better job of protecting data.

Device reputation management. Technology that checks an Internet transaction by looking at the PC, smartphone or tablet to see if it has a history of bad behavior or is high risk based on device characteristics and behavior. iovation is one such company that has blocked 35 million fraudulent transactions of this sort just last year.

Javelin reports “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

If device reputation was integrated at the “profile update / account update” website integration point, a flag would go up when:

It’s no secret that it’s often a few bad apples that upset the bunch. Here’s where the 90/10 rule applies. 90% of people are honest whereas maybe 10% aren’t. And it’s the 10% that do 90% of the stealing. Device reputation knows who is good and who isn’t. Identity thieves are stopped cold and can’t use the hacked data to commit fraud.

After being recognized by the international gaming and online dating communities in January as one of the top technologies for preventing fraud and increasing profitability, productivity and efficiency, we are extremely proud and honored to be recognized by industry leaders in e-Commerce as one of the most innovative fraud fighting tools for online or multi-channel retailers.

To be eligible for the awards, all entrants must be available for online or multi-channel retailers to use for the purpose of measuring, monitoring or mitigating one or more of the following: card-not-present fraud; advancing online data security; improving online payment processes; and advancing the MRC’s vision of making electronic commerce more efficient, safe and profitable.

This week, the Merchant Risk Council (MRC) announced that iovation ReputationManager 360 has been named a finalist for the 2011 MRC Emerging Technology Awards (also known as the METAwards). The awards are judged by a panel of merchants that include the likes of eBay, BestBuy.com, Go Daddy, HP, Microsoft, NCsoft, Tiffany & Co., Urban Outfitters, T-Mobile, among others. The judges recognize the most innovative and effective payment, fraud and security tools on the market. The METAwards are the MRC’s initiative to recognize the best available solutions on the market, and provide their merchant members a window into the future.

The awards will be announced at the upcoming the MRC Annual e-Commerce Payments and Risk Conference, March 23, in Las Vegas. If you are planning to attend the event, stop by our booth #217 and don’t miss our feature presentation on Thursday, March 24th at 11:00 am titled, “Circle of Fraud” with speakers Jim Houlihan of HSN, Michael Peterson of Dell, and Cory Swick of iovation.

While this and the other accolades we’ve received lately have been nothing short of overwhelming, we are extremely proud of being recognized by industry leaders and associations across multiple industries. Because we serve online retail, gaming, social community and financial services companies, the acknowledgements have been a testament to iovation’s ongoing commitment to make the Internet a safer place to interact and conduct business, as well as reinforces the positive impact we make in the everyday lives of our customers by protecting their online transactions to reduce fraud rates.

The 2011 Global Excellence Awards will be announced at an awards gala, February 16th, in San Francisco.

iovation has been providing fraud prevention and anti-money laundering services to the gaming industry for the past 6 years.

In 2010 alone, iovation screened nearly 2 billion transactions and stopped over 35 online fraud attempts. The IGA has recognized iovation’s fraud prevention service for the strong results it has provided to gaming operators such as William Hill, Entraction and WagerWorks. The IGA technology provider award recognizes innovative services that have helped gaming operators increase their profitability, productivity and efficiency.

In the case of WagerWorks, iovation has helped identify hundreds of fraudulent accounts that prevented tens of thousands of pounds in lifetime losses. With Entraction, the ability to stop repeat offenders reduced chargeback rates to nearly zero, providing a 5x return on investment with iovation.

The IGA awards will be announced at a January 24th ceremony that kicks off the annual ICE Totally Gaming Conference in London. If you plan to attend this year’s event, look us up at booth #5117 and learn more about how iovation protects online gambling sites from financial fraud, player collusion, bonus abuse and more.

With iovation ReputationManager 360, Japanese businesses are able to leverage the reputation of devices inside and outside of their network to:

• Expose relationships between accounts and transactions that are otherwise being hiddenKnow when a device or group of devices on their website previously defrauded or caused other problems for another business, even when all other fraud checks returned no risk
• Expose relationships between accounts and transactions that are otherwise being hidden
• Know when a device or group of devices on their website previously defrauded or caused other problems for another business, even when all other fraud checks returned no risk
• Combat both direct financial fraud and abuse-related incidents such as chat abuse, spam, promotion abuse, policy violations, profile misrepresentation, code hacking and phishing attempts
• Identify high-risk devices based on device characteristics and behavior analytics

For Japanese businesses looking to integrate fraud prevention services to reduce fraud losses, increase operational efficiencies and protect online customers, here is the contact for Info Innovation Japan.

Info Innovation Japan Inc.
1-3-6 Kitaaoyama Minato-Ku
Tokyo 107-0061 JAPAN
Phone: +81-3-3470-2239
Email: info@iovj.co.jp

There are many facets to building a highly available, lightning fast infrastructure (which we will cover in more depth in future blog posts), but today I would like to start at the very beginning with our DNS architecture.

The first thing that happens when an iovation ReputationManager 360 customer (or a customer’s end user) tries to connect is a DNS (Domain Name System) lookup to convert a name (like www.iovation.com) to an IP address (74.121.28.140).  This DNS query must complete before any further interaction with the service can proceed.

To make this as fast and reliable as possible, iovation leverages IP Anycast technology. Anycast allows DNS requests to be handled by the closest member of a global cluster consisting of 17 distributed nodes (with 5 more on the way).   Without IP Anycast technology, requests are randomly routed to a single server, which may be half way around the globe.

Beyond the speed aspect, Anycast DNS also has a number of other advantages over Unicast.  With Anycast, the loss of a single node does not impact the ability to resolve DNS. Requests are simply routed to the next closest node.  This distributed architecture helps protect against Denial of Service attacks by spreading the load among the entire cluster and by limiting attacks to the region from which they originate.

As a quick example, let’s run a traceroute from my house (in Portland, Oregon) to one of iovation’s DNS servers, ns1.p20.dynect.net.

admin@router:~$ traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1 L100.PTLDOR-VFTTP-18.verizon-gni.net (98.108.131.1)  5.044 ms  5.046 ms  5.031 ms
2  184.19.244.32 (184.19.244.32)  4.982 ms  4.969 ms  4.961 ms
3 so-7-3-0-0.SEA01-BB-RTR1.verizon-gni.net (108.57.128.160)  9.898 ms  9.890 ms  9.876 ms
4  0.so-0-3-0.XT1.SEA7.ALTER.NET (152.63.105.169)  37.321 ms  37.308 ms  37.294 ms
5  0.so-6-0-0.BR1.SEA7.ALTER.NET (152.63.105.113)  12.279 ms  12.250 ms  12.233 ms
6  204.255.169.74 (204.255.169.74)  12.218 ms  12.425 ms  12.411 ms
7  po-3.r00.sttlwa01.us.bb.gin.ntt.net (129.250.4.178)  12.398 ms  12.385 ms  12.369 ms
8  fa-4-4.r00.sttlwa01.us.ce.gin.ntt.net (198.104.202.66)  12.355 ms  12.435 ms  12.422 ms

Not bad! Less than 13 ms round trip to the node in Seattle. But we would expect low latency between Portland and Seattle, so let’s go run the same test from a computer located in Chicago to the same iovation DNS server.

[root@prextmon01 ~]# traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1  173-203-80-2.static.cloud-ips.com (173.203.80.2)  21.168 ms  21.425 ms  21.662 ms
2  core1-aggr301a-1.ord1.rackspace.net (173.203.0.168)  0.434 ms  0.526 ms  0.549 ms
3  vlan901.edge1.ord1.rackspace.net (173.203.0.33)  0.317 ms  0.358 ms  0.412 ms
4  xe-7-1-0.edge1.Chicago2.Level3.net (4.71.248.53)  0.795 ms  1.938 ms  1.938 ms
5  ae-2-52.edge4.Chicago3.Level3.net (4.69.138.166)  34.377 ms  0.947 ms  0.961 ms
6  xe-6-2.r02.chcgil09.us.bb.gin.ntt.net (129.250.8.77)  1.203 ms  1.172 ms  1.193 ms
7  ae-3.r21.chcgil09.us.bb.gin.ntt.net (129.250.2.72)  1.239 ms 1.332 ms 1.253 ms
8  po-4.r00.chcgil09.us.bb.gin.ntt.net (129.250.2.208)  1.224 ms  1.191 ms
9  ge-7-15.r00.chcgil09.us.ce.gin.ntt.net (128.242.180.110)  1.325 ms 1.393 ms 1.435 ms
[root@prextmon01 ~]#

This path is actually faster, taking only 1.4ms. This query was handled by the Chicago Anycast node rather than having to come all the way back to Seattle. This is precisely the magic of Anycast.  This same scenario holds true for queries issued in Japan or Germany – they get routed to their closest node.

Without Anycast, just imagine how bad this problem is for customers that have globally distributed users with many outside the United States.  Connectivity from the other side of the globe is a minimum of 250ms round trip (and often times much longer). That delay can add up quickly if you’ve got multiple round trips to your SaaS providers.

It’s important to consider things like globally distributed DNS infrastructure when integrating third party services with your site to make sure the value from the SaaS you’re buying isn’t offset by slower page loads for your users.

Fraudsters excel at hiding their true identity. True professionals in the field of fraud detection and prevention must employ a defense-in-depth approach, and iovation deploys one of the most sophisticated with a multi-tiered approach to recognize trouble when it is near. Our innovative service to recognize risk has been constantly refined over the past six years.

We use tried and true approaches such as tokens, or cookies, along with sophisticated and unique pattern matching that can only be derived from our extensive and unique experience with our shared reputation database, profiling based on billions of device and account relationships, and finally risk models honed over the years and several other strategies that are a part of our secret sauce. All of these contribute to a highly flexible and effective model that is hierarchical and adaptive to both the situation and the customers’ tolerance.

iovation’s Defense-in-Depth Approach includes:

• Native client device recognition for standalone applications downloaded by your end users – A unique capability to add device reputation into our client’s downloaded applications
• Collaboration between the native recognition clients and our web client – To provide a unique “one-two punch” that gives iovation the best device recognition capabilities in the industry
• Pattern matching to provide additional recognition opportunities even when tags like browser and Flash cookies have been cleared (or private browsing features are in use)
• Multi-level risk analysis through configurable and real-time weighted business rules

Tokens, cookies, and local stored objects, are table stakes for any device identification provider and are relatively reliable methods since they can easily be uniquely identified. When leveraging tokens placed from a prior visit, either to your site or another iovation customers’ site, the device is recognized and within milliseconds our risk assessment takes place. But if the bad guys are trying to hide, they might have tried to clean up the crumbs.

Pattern Matching

With iovation, if no tokens are found, the next tier of defense is our industry-leading pattern matching, also known as adaptive logic. As opposed to relying on exact attributes, patterns deliver high confidence while allowing for changes over time. Based on our experience assessing risk for more than 4 billion transactions, we have an extremely large amount of data to build patterns from. Each pattern has a ‘time to live’ and is updated every time we see another device that matches the pattern. If there is no match, the new pattern is automatically evaluated for effectiveness and added to the series. Each pattern has a confidence factor that increases as the pattern proves effective at identifying the device.

Profiling and Real-Time Risk Evaluation

The next tiers are profiles and real-time risk evaluation. Profiles, like patterns, use statistically proven combinations of transaction elements to contribute to risk scores. Real-time risk takes all of the elements into account (including velocity triggers, geographical issues where the true location is masked, device anomalies and more) to produce a final risk score.

Effective fraud prevention is not about collecting cookies or not collecting cookies, and it’s not about relying on any single technology or approach. It’s about using a comprehensive, multi-layered and adaptive approach that our customers find highly effective over the long run, and millions of times each day.

According to Errol Weiss, who runs the Financial Services Information Sharing and Analysis Center (FS-ISAC) corporate account takeover task force, the effort by his group and other federal law enforcement agencies is to make businesses and consumers more aware of this type of cybercrime and provide recommendations on how they can protect themselves against such attacks.

“Educating all stakeholders (financial institutions, businesses and consumers) on how to identify and protect themselves against this activity is the first step to combating cybercriminal activity…The information contained in these advisories is intended to provide basic guidance and resources for businesses to learn about the evolving threats and to establish security processes specific to their needs.”

Since 2004, iovation has been providing business intelligence to clients about account takeovers and hijack attempts. The devices used to maliciously compromise other people’s accounts are closely tracked in the Device Reputation Authority database and this evidence of fraudulent activity is shared with all iovation subscribers, so that they can have prior knowledge and use that intelligence when deciding whether or not to allow a particular device access to their online business.

Of the total number of account takeover attempts reported by iovation’s cross-industry customers, over the past 90 days, 50% came from businesses representing online communities such as Internet dating sites and social networks. Online retail customers accounted for 36%, while 11% of account takeover attempts during this time were reported by iovation’s massively multiplayer online (MMOs) and social gaming customers.

Clients use iovation ReputationManager 360 to assess risk on all incoming transactions. This comprehensive service combines shared evidence of fraud and abuse from the world’s leading brands, configurable advanced real-time business rules, account relationships, device profiles and anomaly checks.

As more and more merchants offer mobile payment options to their customers, cyber criminals are quickly moving into the mobile channel. In the Digital Transactions article, “Mobile-payments fraud starts to take its toll,” a recent study by Javelin Strategy & Research found that fraud losses from mobile payments as a percentage of total revenue were 1.13% compared to the 0.83% for online-only merchants and 0.86% for multi-channel merchants.

This trend doesn’t surprise Jim Rice, director of market planning for retail and e-commerce marketing at LexisNexis Risk Solutions. While the mobile channel represents a new way for businesses to connect with their customers, it’s also another opportunity where fraudsters will try to make a dishonest buck.

“It’s clear that [as] retailers are moving into that direction, retailers are experiencing significantly more fraud as a percentage of sales.”

Of the 1,000 risk-control retail executives surveyed, attempted mobile fraud had a slightly higher success rate than fraud attempts through most other channels. Merchants accepting mobile payments reported being hit with an average of 3,385 attempted fraudulent transactions per month, with 1,287 getting through undetected for a fraud success rate of 38%. Multi-channel merchants reported 2,142 fraud attempts per month and 769 going through for a fraud success rate of 36%. For online-only merchants, the respective figures were 1,049, 531 and 37%.

While it’s not entirely clear what makes the mobile channel risky, Rice noted that smart phones or cell phones with a mobile browser move around, which means merchants have less assurance that the transaction originator is the phone’s rightful owner. Despite the fear of fraud, merchants likely won’t stop offering mobile payments because of the channel’s upside as more customers get comfortable making payments through their mobile devices.

Similar Mobile Fraud Trends seen in iovation’s Device Reputation Network

iovation protects online businesses and their end users against fraud and abuse through our combination of shared device reputation and real-time risk evaluation.  Managing the world’s largest database of Internet devices (computers, tablets and mobile phones) and the network of relationships between them to determine the level of risk, we have seen an upswing in fraud attempts in mobile transactions.

Over the past 90 days, we’ve processed 8 million device reputation checks on mobile devices alone for our customers. Based on their uniquely configured business rules, 44,000 mobile transactions proactively returned ‘denied’ or “review” responses. Of those mobile devices checked, 43% were iPhones, 21% were Android, 12% were Blackberries and 24% were other mobile devices. The most common mobile fraud reports from online businesses have included credit card fraud, chat abuse and account takeover.

iovation Leads Mobile Fraud Detection Roundtables on October 25th

On Focus Day, October 25th, I will be leading six Mobile Anti-Fraud Roundtable discussions at the Mobile Shopping Summit in New York City. The Summit brings together mobile payment executives from retail, entertainment, travel, retail banking and utilities business to network and discuss the latest technologies and opportunities in mobile commerce. During our roundtable discussions we will be sharing information on new trends emerging from cyber criminals using mobile devices, how merchants are interacting with mobile devices through browser-based and native applications, understanding how mobile phone reputations can be leveraged, and risk scoring and/or rule-based models that merchants can use to further assess risk.

With only three months remaining, iovation has already increased the annual growth rate for processed transactions by 67% over 2009. With more than 3.9 billion cumulative device reputation checks processed for e-commerce, financial, travel, gaming and online communities today, we expect to break 4 billion early in Q4.

We’ve also increased the overall number of unique devices by 110% over last year. Starting in 2006 with 5 million devices in our system, we now manage more than 390 million unique devices (including PCs, Macs, iPads, iPhones, Blackberries, Android, etc.). Surpassing 400 million unique devices is just on the cusp.

With cybercrime fraud losses more than doubling in 2009, Internet-based businesses need security solutions that allow them to proactively identify and make educated decisions on all incoming transactions. Through fraud and abuse evidence submitted by our worldwide, cross-industry subscriber base, iovation ReputationManager 360 combines device and account profiles, analytics, custom reporting, real-time business rules, device anomalies, and the experience and expertise of over 2,000 fraud analysts to help customers make quick, confident decisions on every online transaction request.

Risk scoring, when you boil it down, is the simple process of taking the data you have available about a given transaction and the device requesting that transaction, and measuring characteristics that would lead you to believe that it is either valid or risky. Most device-based risk scores, including those offered by iovation, incorporate common types of risk elements in their scoring. These may include:

• Velocity-based Rules – Measuring device activity in a given time frame
• Transaction Anomalies – Device characteristics that indicate the device is masking its identity, such as using an anonymizing proxy, or disabling technologies like flash

What sets iovation apart is the growing network of businesses it protects that leverage and contribute to the Device Reputation Authority (DRA). This database of over 350 million device reputations is queried more than 5 million times per day by iovation clients.

The Device Reputation Authority contains historical information about specific fraud and abuse occurrences by the device used. We use this information to further assess transaction risk for our customers in the following unique ways:

• Global Account Associations – Looking at extended relationships between devices and shared accounts that are evident in fraud rings and targeted fraud
• Factual Evidence of Fraud – Whether the information comes from a close partner, a peer, or a company in a completely unrelated industry, direct evidence of fraud on a given device is one of the strongest correlations to transaction risk a customer can have.
• Profile Risk – Profiling harnesses the power of shared factual evidence in the reputation system to measure the similarity of the device in the current transaction to those devices that have been seen across iovation subscriber sites in the past. A high ratio of known bad devices in the set of similar devices is a very strong risk indicator.

These three risk elements are tremendously valuable to our customers who find over time that either factual evidence or profile risk are so strongly correlated with fraud that it can cut their review time down substantially for those transactions.

In the world of risk scoring, cloud services, and crowdsourcing, it is proven that leveraging information from larger affinity groups provides unmatched effectiveness. When a company is combating highly sophisticated fraudsters determined to defeat their defenses, what risk analyst wouldn’t want to know that a device trying to create an account or make a purchase had previously been flagged for fraudulent activity? Adding this data to risk scores increases their ability to shine light on fraud that might otherwise remain hidden.

Join us for a live webinar, “Detecting High-Risk Transactions,” on Tuesday, July 20th. Learn how you can proactively assess risky transactions to better protect your business from more sophisticated schemes and elaborate fraud rings. Along with discussing the various techniques today’s cyber criminals use to hide their identities, you’ll learn more about the top 5 methods of detecting transaction risk, including:

Transaction Anomaly — Check mismatches, proxies and disabled components.
Velocity Rules — Know when activity counts have been met or exceeded.
Profile Risk — Check against aggregate profiles of risky accounts or devices.
Factual Evidence — Identify when known bad devices touch your website.
Account Associations — Identify and shut down fraud rings for good.

Register today at iovation.com/risk-mitigation.

We look forward to a very insightful, interactive discussion.

One of the most effective ways to defend your enterprise is by working together and sharing information with other fraud teams across multiple industries. Interacting with a centralized, global network of fraud intelligence arms you with information upfront to minimize your chances of having to take that first hit.

Fraud management solutions such as iovation ReputationManager draws upon the power of fraud teams working together with a common goal — to proactively defend their enterprises against a variety of sophisticated forms of fraud and abuse. Instead of trying to recognize every changing identity or device profile used by fraudsters on your own, with iovation once a device has been identified and submitted to the shared  database (containing  more than 300 million devices), fraud analysts are alerted in real-time when a suspect device accesses their website, even if the computer’s configurations changed since its previous visit.

Sharing device information across a large, centralized shared network utilizes fraud intelligence effectively and exposes otherwise hidden device and account relationships  across networks and across industries, so you can make fast, educated decisions for accepting, denying, or flagging online transactions for review.

Subscribers of iovation see on average, 17% of their devices cross between multiple industries.  For example, the same computer that accessed an online dating site and committed fraud, may then access an online retail site and later a massively multiplayer online gaming site. As today’s fraudsters use personal information they’ve stolen from social networks to commit fraud against other industries, having a tool that provides the intelligence needed to stop fraud across multiple industries is a critical component to a comprehensive fraud prevention strategy.

To make things even more interesting, there are also different currencies. While the main currency remains to be real-world money as you might expect, secondary currencies include things like player experience, activity and achievement (in other words, gaining points for advancing levels within a game).

One of the presentations we found interesting at LOGIN was Vindicia’s lecture titled: “Payments, Payments, Payments” by Steve Klebe, their Senior Vice President of Business Development. Steve showed how the gaming market has sharply moved from offering players credit card payment (MC, Visa, Discover, AMEX), to a variety of payment choices. There are also monetization providers such as PlaySpan, offering over 85 international payment methods, including credit cards, PayPal, the ULTIMATE GAME CARD ™, and UltimatePoints™, a popular and universal virtual currency.

Well, we caught up with Steve following his presentation to hear his thoughts first hand and here we will share those findings.

Max Anhoury: Steve, we really enjoyed your presentation. It’s exciting that alternative payments will represent 31% of online dollar volume by 2012. When you consult with gaming publishers, how do you decide which payment types to recommend – between the major players, pre-paid, mobile, cash, monetization platforms, or offer-based payments?

Steve Klebe: Max, the most important dialogue to have is to first identify who is the target audience for the game demographically and then geographically. You cannot begin to talk about payment methods until you understand these two attributes. If the game’s player is 18+ and is primarily in the US, then it is simple, the focus should be on Visa, MasterCard and PayPal. However, if the player is likely to be 18+ in Germany, then you have to support something called ELV which is a form of direct debit very popular in Germany. And the list goes on and on and on.

Max Anhoury: How well are new and alternative payment types being adopted by players? If a payment method (or brand) is unknown to the player, are they willing to give it a chance?

Steve Klebe: That is a very difficult question to answer because there is a tremendous amount of noise from vendors in this arena without much substantiation. For the 13-18 year old segment, depending on how desperate they are to play, they will likely try just about any method. However, if they use their mobile phone as a billing method and their parents end up disputing the transaction, which I understand can approach 20%, then the “sale” can be pretty hollow. My guess is that the answer to your question is Yes, primarily because there is a tremendous amount of immaturity in the user population and they are being bombarded with a lot of deceptive messaging.

Max Anhoury: From your experience, how many payments types should be offered in a game? At what point are there too many?

Steve Klebe: It depends on the target audience demographic and geographic, but I would say for the game that is primarily targeted at 18-35 year olds and the primary market is North America, then 3-5 as a general rule. Of course, Visa, MasterCard, Discover, American Express count as 1 of those. So, in addition, one e-wallet, one mobile payment provider and a pre-paid card. These will satisfy 98+%. Is the potential confusion and operational insanity worth adding a dozen more for another 2%? Not if you ask the COO/CFO who has to reconcile them and manage customer service.

Max Anhoury: What are some of the common mistakes that you’ve seen made in regards to payment offerings in gaming environments?

Steve Klebe: There are many. First and foremost, gaming companies are signing up for payment services where they may not understand, that if they ever need or want to leave that provider, the valuable customer information that was handled by the provider, may not be returned to them. There is also an issue of waiting to think through their monetization needs until very late in the deployment cycle, then hoping they can just bolt it on and it will work.

Max Anhoury: Thanks Steve, for your insight and for the hard work that you put into the LOGIN Conference every year as a board member. It’s a strong show and we look forward to sponsoring again next year.

To learn more about Steve’s advice on payment-related issues, visit his personal blog Payment Talk and the Vindicia blog.

For this multi-part blog series, here’s my first topic of interest from LOGIN Seattle.

Part I:  Playing at Work.

The next frontier for the application of virtual worlds and game environments could actually be in the workforce. Considering work activities and putting them in a game-like environment with scores, levels, rewards, visibility and recognition could really be something in the future.

During the LOGIN keynote address with presenters Byron Reeves and J. Leighton, the two doctors examined lessons that businesses can learn from game developers, games and gamers in their day-to-day process.  They have even published a book on this topic, called “Total Engagement: Using Games to Change How People Work”, where they delve into the questions of serious fun and what that can produce in the workplace.  According to Reeves, “As employee productivity and engagement become more critical, the user experience provided by game technology offers a tantalizing solution for business.  This is far more than a quaint metaphor or a twist on e-learning. Game design elements can address a host of business problems with morale, communication, and alignment while honing skills like data analysis, teamwork, leadership, and more.”

One example of helping employees become more engaged cited a security worker whose job it was to watch cameras in subway stations all day long, keeping an eye out for suspicious activity. However, rather than sitting and staring at the camera all day, they stepped things up, by making his work more interactive and fun.  First, they put him in a game-like environment with a lounge chair, wrap-around displays, and a joy stick. He looked like he was in a fighter pilot cockpit. The security professional could then select people on the camera, watch them more closely, and score them based on the suspicious activities he observed.  He could then be rewarded based on his performance, resulting from his experience and intuition, knowing which trends to look for in suspicious individuals.

This keynote made me realize the vast potential that gaming professionals have today.  If I had a game development business, I could spend a year or more working on a game, taking my chances dropping it into the high-risk, high-reward virtual universe, or I could integrate game-style interfaces for various aspects of daily business activities. This is great news for gaming professionals and for high school graduates who are just now making the decision to set out on a career in gaming.

If this is a topic you are interested in, I would encourage you to follow Byron & Leighton’s Blog at Blog.seriosity.com.

As always, the show will feature some of the industry’s top names sharing their ideas about advancements in technology and design, the future of digital games, and how online games and virtual worlds are helping solve real-world business issues.

iovation has a particular interest in this show because we actively protect over 20 gaming clients and their legitimate players from all forms of fraud and abuse. Each day, our device reputation technology helps more than 75 individual online games identify bad players in their virtual environments — and keep them from returning — to build a safer and more trusting online gaming experience for their good customers.

In fact, over the past 90 days approximately 100,000 incidents of potential fraud or abuse within our customers’ game sites were reported to iovation. Types of fraud included chargebacks, code hacking, policy and terms of service violations, virtual asset theft and account takeovers.

While at the show, be sure to stop by our exhibit and learn how to rid your games of fraudsters, minimize chargebacks and keep your reputation as a safe and fun environment. And enter to win one of the Apple TVs we’ll be giving away.

We look forward to seeing you there!

This past week, iovation has seen a rapid adoption of the iPad being used at our customer sites. We’ve seen the number of iPad transactions grow by thousands every single day since the new device was made available. And these transactions aren’t just occurring within the same industry. In fact, we’re seeing iPad transactions on a multitude of verticals including travel sites, social networks, sportsbooks, dating sites, credit issuers, MMOs and online social games. And our job is to make sure that the transactions processed are from legitimate, good customers.

Topping the list of industries where we’ve seen the most online transactions this week is online communities at 45%, with the majority on social networking sites as opposed to dating sites. The second largest group was online retail, accounting for 28% of total iPad transactions. Most of those transactions occurred on travel sites. And lastly, international gambling sites such as sportsbooks came in third, at 23% of all iovation-protected iPad transactions.

So that’s where we’re helping customers, but what information do fraud teams share within our database in order to reduce fraud losses and ensure good customers have a positive experience on their site?

iovation tracks over 30 different types of bad behavior and this segmentation is important to our customers. How they treat evidence (specific types of fraud and abuse) changes across various industries. For example, an online retailer cares about mitigating chargebacks and catching criminal activity before product goes out the door, whereas an online community cares more about stopping spam, solicitations, predators and phishing attempts, in order to protect community members and maintain a safe and trusted environment.

Our customers can customize our fraud protection service to gain control over the specific transactions and activities that they correlate with high risk. This allows them to take more business with confidence and spend less time conducting costly manual reviews.

Believe it or not, within the first week of iPad sales, we have already uncovered fraudulent activity. Over half of all transactions denied from iPads were specifically related to credit card fraud. In other words, they were fraudsters attempting to monetize stolen identities on our customers’ websites.

As iPads connect to online businesses to create accounts, submit applications and make purchases, it is very important for organizations to know whether or not the device:

• has committed fraud or abuse on their site
• has committed fraud or abuse at another business
• has relationships with other devices or accounts that have been involved with fraud or abuse
• has not been seen before, but matches the profile of other high-risk or suspect devices

As iovation’s global shared database of over 275 million devices grows, so do the reputations of iPads used to request transactions. This is important information that companies can use to determine whether or not a transaction requested by an iPad, or any other Internet device, can be trusted and just the kind of information iovation provides to its valued customers.

For example, Coders write the malware. Hackers are actively searching for vulnerabilities to exploit. Fraudsters create and deploy social engineering schemes. Hosters provide safe hosting of content on servers and sites. Techies maintain the infrastructure. And Leaders are the managers who keep the team together.

As these well-organized and highly efficient cyber gangs continue to steal U.S. public and private sector information “for the purpose of undermining the stability of our government or weakening our economic or military supremacy.” Chabinsky said:

“The cyber threat can be an existential threat, meaning it can challenge our country’s very existence, or significantly alter our nation’s potential.”

Undercover FBI agents who became trusted members of criminal organizations found that self-reliance is rare among cyber criminals. “Almost every cyber criminal is a member of at least one online forum, website or chat room,” said Chabinsky. They use these virtual meeting places to discuss techniques, share tools and tips, and evaluate other users.

As the FBI builds out its network of cyber security experts, it is also strengthening its international efforts by collaborating with law enforcement in more than 60 countries to fight cyber crime.

Creating a worldwide cyber security network mirrors the efforts of iovation’s device reputation network, which allows subscribers access to the world’s largest database of device intelligence. These subscribers benefit from information gathered from billions of transactions across multiple industries. Users tap into information on over 250 million computers which helps them fight fraud and expose sophisticated, highly-organized cyber gangs.

In the article, “Cybersecurity Partnerships are Absolutely Critical, says Gen. Dale Meyerrose,” Meyerrose, now the VP for Cyberspace Solutions at Harris Corporation, expressed his concerns surrounding cybersecurity and the economic impact of cyber crime:

“The [issue] of most concern to me is cyber crime… elements of cyber crime, particularly economically for our country, have come to the point where we need to really be concerned. There have been estimates that we’ve lost over a trillion dollars a year to cyber crime in the last couple years. And it now exceeds all other crime in terms of the amount of money.”

The question is, whose responsibility is it to deal with the mounting issue? Despite the fact that 90% of the Internet’s critical infrastructure in the U.S. is privately owned, Meyerrose believes that the government holds many of the resources necessary to help businesses protect their assets and also has a responsibility to help educate its citizens. “I think that this …needs to become a national priority and a priority of companies and citizenry. There are no pedestrians in cyberspace. Everyone is a victim, a user, a threat to somebody else because you may be passing a malicious code along inadvertently.”

Unfortunately, even with increased government involvement, cyber crime is still inherently borderless—a fact which limits the effectiveness of both law enforcement and the policies of individual governments. Businesses from all countries, however, may have a much easier time collaborating and affecting global change in the realm of cybersecurity. By voluntarily working together to share intelligence, technology, and experience, businesses have the opportunity to better protect their own assets at the same time as contributing to increased internet security for everyone, something we all can benefit from.

In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you’re already a step ahead of me – we design in depth.

The easiest method of identifying a device may be to simply write a cookie to the browser.  But we all know how easy it is to defeat that method when you’re aware of it – you just delete them.

IP address also sounds like a decent attempt at identifying a client.  For a good number of home broadband users, IP address isn’t bad, and even for corporate users, you may luck out and only find a few computers lurking behind any given firewall.  There are many ISPs like AOL) that are known for their use of proxy servers, however, and any decent size organization could be hiding thousands of machines behind any given IP address.

Browsers also publish a User-Agent string, a description of the type and version of browser being run.  These user-agent strings can provide a good deal of rich information about the browser, but they are pretty blunt hammers, narrowing down the range of possible matches to somewhere north of one in a thousand.

Each of these sources of data – browser cookie, IP address, and User-Agent string – is interesting by itself, but using them in concert to begin to build a view of the client computer from a number of different angles starts to look promising.  Each one is spoofable to varying degrees, and each one has issues with uniqueness, but each operates through a different channel to provide its information, and thus requires a different strategy to avoid detection.

All of this is to say that there is no single unique value (or simple combination of values) hiding on the Web – device recognition requires a multi-layered solution.  As iovation’s business has grown over the last five years, we’ve evolved from a native library device recognition service into a full spectrum reputation service supporting native and web integrations, business rules, pattern matching, and risk scoring. The capabilities we have in place have been built with the future in mind to support collection and analysis of reputation tracking on new transaction elements, and discovery of new risk indicators to continually improve real-time decision making for our subscribers while growing the Internet’s definitive online reputation authority.

The end result of such a multi-layered approach, an approach of “recognition-in-depth”, is that we don’t have to rely on any one technology to provide us with enough information to confidently recognize devices on the Web.  In the ever-evolving landscape of Internet technology, that layer of insulation is a must – reliance on a single strategy means brittleness in the face of change.  For example, Gartner Research recently published a research brief titled, Privacy Collides with Fraud Detection and Crumbles Flash Cookies,  suggesting that companies avoid reliance on Flash stored objects completely, as the technology may be short for this world.  Multi-layered device recognition means that we can still sleep at night when Flash fades away – and that means you can, too.

According to a recent article,  “Number of identity fraud victims jumps,” a Javelin Strategy & Research survey found that the total number of ID fraud victims in the U.S. rose to last years to 11.1 million—a 12% increase over the year before. The study also found that 2009 losses due to ID fraud totaled  $54 billion (in comparison  $48 billion in 2008).

But why, with so many anti-fraud management solutions and techniques available, does ID fraud continue to climb year-over-year? According to James Van Dyke, president and founder of Javelin, the continual evolution of technology is one of three main factors contributing to the increase of Identity fraud. Van Dyke sees online crime continuing to escalate, due to:

1. Rapidly evolving technology. Technology has become the livelihood of today’s cyber criminals who make it their business to keep up with the latest trends in technology so they can devise increasingly complex schemes to defeat anti-fraud defenses.

2. More people online. The fact that there are more people—both businesses and consumers—spending time making connections and conducting financial transactions over the Internet means there are more prospective victims out there for criminals to target.

3. More information online. The increase in personal and financial information available on the Web provides hackers with more useable information to steal online. A person’s online information is the lifeblood of everything hackers do.

This survey isn’t news to most of our customers. Fighting online fraud is a serious endeavor and is of strategic importance to any online business. That’s why, as online crime continues to rise, businesses that implement best-practice technology for fighting fraud not only save their company time and money, but gain a competitive advantage in their industry.

The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers.

The same basic principle of creating a more comprehensive defense by layering tools and diversifying methods can (and should) be applied to fighting online fraud. To successfully combat online fraud, a fraud management system should include the following layers of defense: 1) validation of credit data; 2) data mining of personal information supplied by the user (i.e. shipping address, address verification, and in some instances even SSN); and 3) device identification and validation of device reputation.

Combining these fraud prevention methods at multiple locations throughout a website establishes important obstacles to both first-time and repeat offenders. Even if criminals are able to bypass one method of detection by using  fraudulent credit or personal information, they may be identified through device identification as a suspected or known criminal. That’s why the best offensive against cyber crime today is a multi-layered defense.

After a three-year investigation by the FBI and the UK’s Serious Organized Crime Agency (SOCA), British authorities announced they have arrested the sophisticated network of cyber criminals behind DarkMarket, one of the world’s top criminal websites. The site, which operated out of an unassuming London Internet café, was an international cyber supermarket for stolen credit card and bank account information that officials say has cost the banking industry tens of millions of dollars.

According to a recent article, “Welcome to DarkMarket: a global shop for cybercrime and banking fraud,” the DarkMarket site was an online superstore of personal data, viruses, tutorials, and a whole host of other resources for fraudsters. In order to gain access to the site, which was by invitation only, those wanting to become members had to offer up details of 100 compromised credit cards – 50 each to two separate members who would then test the cards in the market to see if the information was valid. If the information was usable, the applicant would gain entrance to the site. If not, access would be denied.

Once in, members could trade everything from credit card details to bank account PIN numbers obtained through hacking, phishing scams, and ATM skimming devices. The site even had a crime “menu,” where for very reasonable prices, members could purchase, among other things:

• Information needed for online transactions ($3-$10 depending on quality)
• Credit card images ($30 each)
• Bank logins (2% of available balance)
• Billing details needed for opening or taking over accounts ($150 for accounts of $10k balances, $300 for accounts with balances of $20k)

Of the estimated 2,000 members who had access to the site, so far the bust has led to the arrest of more than 60 members who are scattered throughout the globe, in countries including the UK, United States, Canada, Germany, France Turkey, Israel and Russia.

The scope and reach of the DarkMarket website underscores the magnitude of such an operation, as well as the growing problem of organized fraud. With more personal information accessible over the Internet, cyber criminals have built thriving illegal networks to buy, sell and trade financial data and share information on how to defraud all types of online businesses. Certainly businesses are dealing with an increasingly sophisticated threat and must continually evolve and be vigilant to defend their businesses from attack.

I commend the National Fraud Reporting Centre (NFRC) for getting the hotline going. The helpline will allow individuals and small businesses to report cyber crime to a central agency, simplifying what would otherwise be a confusing process involving potentially several different government ag encies. A similar effort in the U.S., the Internet Crime Complain Center (IC3), currently allows individuals to file complaints of internet fraud through its website.

In both cases, setting up centralized agencies to manage reports of internet crime allows for greater cooperation among different law enforcement agencies—from local police to state and federal bureaus—so that large-scale operations of identity theft and phishing attacks, for example, can be more easily identified and addressed at the appropriate level. Also, by offering individuals one clear method of reporting internet fraud, as opposed to several, the hope is that more victims and informed third-parties will be inclined to report what they know.

As we’ve mentioned in previous posts, because most cyber crimes are committed across national borders, local law enforcement is severely limited in its ability to catch and prosecute individuals who commit such crimes. While continuing efforts are being made to stop these criminals, engaging the public about online fraud trends is a worthwhile step in helping raise awareness and hopefully prevent more people and businesses from becoming victims of Internet crimes.

Establishing programs such as the Action Fraud hotline and the IC3, can also build alliances and partnerships between individuals, groups and businesses that could benefit from sharing fraud information and intelligence. Collaborating with your peers to fight fraud is the basic concept behind iovation’s fraud management system, which provides a shared environment that allows online businesses to benefit from the thousands of additional resources, tools and experiences to better protect themselves from online fraud and abuse.

Unfortunately, these kinds of velocity checks are of limited value against more sophisticated fraudsters who have the information, the technology, and the general savvy to set up multiple accounts that all, on paper, look completely different—different names, different credit card numbers, different shipping addresses, different IP addresses.

This is why including the device associated with an account or transaction can be an extremely valuable component of velocity-based rules. Even if all the elements of personal data look different among a set of accounts or transactions, if they all have the same device in common, it’s a good indication that something is wrong. With velocity-based rules focused on the device, you can monitor the number of accounts created, or the number orders placed, from one single computer.

In a world where hackers are making it more difficult for online businesses to verify the real identities of the people they’re doing business with, device fingerprinting combined with velocity-based rules provides a powerful one-two punch for identifying suspicious activities and stopping fraud that operates under the radar of many fraud detection systems. For many of our customers, having visibility into this activity is one of the biggest advantages they gain from including device fingerprinting as part of their fraud prevention process.