It’s been said that the best offense is a good defense. But how do you defend against something that’s always changing? That’s an important question for IT security professionals who know that it’s only a matter of time before cyber criminals find ways to take advantage of the inherent weaknesses in even the best technologies.

The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers. (more…)

We’re going into 2010 with a lot to be excited about, including the announcement of our new VP of Technology, Scott Waddell.  Scott joined iovation in April 2008 as our Director of Research, a role to which he has brought amazing insight and innovation.  I love his ability to keep sight of a strategic vision while being pragmatic about getting there.  Starting this month, he’s taking over the helm of our entire technology organization and we’re confident he will continue our positive momentum into the new year and beyond.

To provide a bit of an introduction, Scott has nearly two decades of technology experience with an emphasis on security.  Before joining iovation, he spent a number of years at Cisco, serving in a variety across engineering, network security and research. Prior to that, Scott co-founded WheelGroup, a network security company that was later acquired by Cisco.  He also served as a charter member of the Air Force Information Warfare Center, pioneering tools and techniques for automated vulnerability assessment and incident response. (more…)

We have exciting news to share! Now that the nomination phase of the  first annual 2010 Internet Dating Industry Awards is complete, iovation has been named a finalist for the Best New Technology.  This award recognizes the best individual technology created by a vendor for dating or matchmaking sites. The award will be announced at the 7th Annual Internet Dating Conference. (more…)

As iovation continues to expand its subscriber-base across multiple industries, the number of shared devices (meaning those devices seen at multiple sites) continues to rise. As we see this cross-over between subscribers rise, new and existing subscribers have a greater chance of encountering devices that already have a reputation. This increases the proactive value of device reputation and directly supports the significance of having a shared device database.

The increase in the number of shared devices can in part be understood by analyzing the population of “reactivated” devices. Reactivated devices are devices that iovation re-identifies after having not seen the device for more than 90 days. By studying these devices in contrast to the device population as a whole, it is clear that iovation’s expanding customer base is a significant contributor to this trend as a vast majority of reactivated devices have been seen in multiple customer networks. (more…)

When I talk with fraud managers, they often express concern that the benefits of a reputation-based system won’t be instantly apparent. While a reputation service inherently becomes more valuable over time as companies log their fraud experiences into the system, it’s worth pointing out that device recognition and device reputation provide a number of benefits that can have an immediate effect, such as the following:

• Expose relationships between transactions –Device recognition gives fraud management teams instant visibility into the relationships between all online transactions (fraudulent or not). This provides immediate value in assisting with investigations and resolving issues.
• Receive velocity alerts –The number of purchases, applications, account creations, etc. that originate from one user in a given period of time is highly indicative of fraudulent behavior. For example, wouldn’t it be valuable to know that in the span of one hour, ten credit card applications were all submitted by one person? Unfortunately, since most fraudsters use fake or stolen identities, this can be incredibly hard to detect—unless you focus on the device. With device recognition, you can monitor the velocity of transactions coming from a single device, regardless of the identities provided.

(more…)

Darin Glatt, application architect with iovation, was interviewed by the Chroma Coders Game Development Club at Casual Connect Seattle. Darin shares information on iovation’s online fraud protection service used by many leading MMOs.

Listen to the Podcast >

Interviewer: I’m here at Casual Connect and with me today is a special guest. Would you please introduce yourself?

Darin: Hi, I’m Darin Glatt. I’m the application architect for iovation.

Interviewer: What is iovation?

Darin: iovation provides a service for games and websites to help them fight fraud and abuse.

Interviewer: Is this credit card checks or what exactly is it? And how would a game use this service?

Darin: Well, actually it’s not credit card checks. We consider fraud just another kind of abuse on a website. We handle it all the same way. We do that with device recognition and device reputation. We provide a global database of devices, and we track their reputations so we can tell you, when you send us a transaction, what that device has been up to. (more…)

IP Addresses have long been used in device fingerprinting solutions, but their utility has been hit-and-miss due to differences in how groups of IP addresses are managed. As a result, solutions relying on the IP address for device identification generally experience high false positive rates; this is especially true in cases where the same IP address has been issued to different end users over time.

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not. (more…)

While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of botnet operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection. (more…)

Ellen Messmer of Network World had an interesting post recently listing America’s 10 most wanted botnets.  These ten alone are responsible for an estimated 12.4 million infections in the United States.

Botnets are an increasingly difficult problem to address and are becoming an important part of the Fraud as a Service value chain.  There are a number of uses for botnets but Messmer’s post supports that the three primary threats are theft of data, propagation of spam or malware, and execution of coordinated denial of service attacks.

With respect to online fraud, the first threats are the most concerning and are directly related to each other. Distribution of spam and malware is usually a means to an end of stealing personal data which can easily be monetized in the cyber black market. The number of effective botnets is growing. What this means to online businesses is that comprehensive databases of credit and identity information are readily available and getting cheaper, allowing fraudsters easy access to stolen identities. The result is that fraud management systems relying entirely upon identity checks are becoming less effective and need to be accompanied by a solution based on information independent of identity. This is where device reputation systems excel and provide the perfect complement to existing fraud management tools and processes. (more…)

We recently announced an amazing achievement and this is a proud moment for everyone at iovation. Since our inception, we have processed over 2.0 billion real-time device reputation inquiries for our subscribers.

Over two billion times, our subscribers have used one of our device printing technologies while interacting with end-users and then reached out to our service with device printing data plus their unique account or transaction identifier. In real-time (sub-second response times) our service then follows business rules that are unique to each subscriber and leverages terabytes of information in our global fraud database, the Device Reputation Authority (DRA).  We can tell subscribers if they have ever seen a given device and if any related accounts and devices have a history of fraud or abuse at their site. We can also tell subscribers if any related devices are associated with fraud or abuse at other subscriber sites. (more…)

In a class action lawsuit involving Microsoft, a U.S District Court judge ruled that IP addresses are not personally identifiable information (PII). In my original post, I made reference to the often passionate and sometimes controversial balance between online security and privacy. (more…)

In a class action lawsuit involving Microsoft, a U.S District Court judge ruled that IP addresses are not personally identifiable information (PII). In response to my first post,  few people actually read the order by Judge Richard Jones. I received an email from someone stating that the judge was dead wrong in stating that IP addresses identify computers. (more…)

In a class action lawsuit involving Microsoft, a U.S District Court judge ruled that IP addresses are not personally identifiable information (PII). If you read my first post on this issue, you know that I support this decision and believe that IP addresses should be treated as very weakly associated with identity. (more…)

In a class action law suit involving Microsoft, a U.S District Court judge ruled that IP addresses are not personally identifiable information (PII).  This will undoubtedly contribute to the important, often passionate and sometimes controversial balance between online security and privacy.  There will be countless threads pointing out the legal and technical reasons that an IP address is not personal information.  There will be valid points here.  And there will be countless more threads on what can be done with IP addresses alone and how IP addresses can be used in combination with other types of information for target marketing, behavior analysis and even identifying specific individuals.  There will be valid points here too. (more…)

We are pleased to announce the release of our recent case study with BattleClinic on Gamasutra.com. The case study details how we helped them achieve a 95% reduction in credit card chargebacks in 8 months. As the leader in fraud prevention for MMOs, iovation pioneered the use of device fingerprinting to establish device reputations and fight online fraud.

The reality in the online games environment is that even many of the best anti-fraud tools simply don’t provide effective results. Time and again we at iovation have seen significant uplift over existing tools to reduce fraud for our customers in the MMO industry: in the case of BattleClinic, as dramatic as a 95% reduction. What seems to be particularly compelling about theresults we’ve seen in this industry is our ability to quickly establish the relationships between player accounts that were previously hidden. Not only does this result in dramatic reduction in fraud, it also significantly reduces the amount of time spent on trying to manually search for associations and patterns in personal data.

iovation is committed to the gaming industry and frequently attends and presents at gaming conferences. We will be at both the Casual Connect Seattle conference, July 21-23, and the Austin GDC conference, Sept 15-18, if you would like to meet with us in person.