When it comes to managing risk for online transactions, we get a lot of questions about how our approach compares to other commercial solutions. Establishing business rules and risk scoring in combination with device reputation ranks high among topics of interest. Simply put, iovation uses the device and transaction data available to any vendor, and combines it with the strongest database of historical device risk data available on the market today.

Risk scoring, when you boil it down, is the simple process of taking the data you have available about a given transaction and the device requesting that transaction, and measuring characteristics that would lead you to believe that it is either valid or risky. Most device-based risk scores, including those offered by iovation, incorporate common types of risk elements in their scoring. These may include:

• Velocity-based Rules – Measuring device activity in a given time frame
• Transaction Anomalies – Device characteristics that indicate the device is masking its identity, such as using an anonymizing proxy, or disabling technologies like flash

What sets iovation apart is the growing network of businesses it protects that leverage and contribute to the Device Reputation Authority (DRA). This database of over 350 million device reputations is queried more than 5 million times per day by iovation clients.

The Device Reputation Authority contains historical information about specific fraud and abuse occurrences by the device used. We use this information to further assess transaction risk for our customers in the following unique ways:

• Global Account Associations – Looking at extended relationships between devices and shared accounts that are evident in fraud rings and targeted fraud
• Factual Evidence of Fraud – Whether the information comes from a close partner, a peer, or a company in a completely unrelated industry, direct evidence of fraud on a given device is one of the strongest correlations to transaction risk a customer can have.
• Profile Risk – Profiling harnesses the power of shared factual evidence in the reputation system to measure the similarity of the device in the current transaction to those devices that have been seen across iovation subscriber sites in the past. A high ratio of known bad devices in the set of similar devices is a very strong risk indicator.

These three risk elements are tremendously valuable to our customers who find over time that either factual evidence or profile risk are so strongly correlated with fraud that it can cut their review time down substantially for those transactions.

In the world of risk scoring, cloud services, and crowdsourcing, it is proven that leveraging information from larger affinity groups provides unmatched effectiveness. When a company is combating highly sophisticated fraudsters determined to defeat their defenses, what risk analyst wouldn’t want to know that a device trying to create an account or make a purchase had previously been flagged for fraudulent activity? Adding this data to risk scores increases their ability to shine light on fraud that might otherwise remain hidden.

The White House’s new plan for strengthening authentication and identity verification on the web is a good first step for securing identities in online transactions and creating a trusted digital environment. In the draft strategy, entitled the “National Strategy for Trusted Identities in Cyberspace” (NSTIC), the government calls for an Identity Ecosystem, an online environment where individuals, organizations and devices trust each other because authoritative sources establish and authenticate their digital identities. (more…)

Along with the enormous success of mobile phone sales, wireless carriers and resellers have to contend with a variety of issues around theft and fraud. Working closely with several carriers and resellers, we’ve seen four primary fraud threats that financially impact carrier business. They include:

1. Account creation / application fraud – In this case, a fraudster uses a stolen identity to apply for an account online to order phones and services.  After initiating a shipping scheme to obtain the goods, the fraudster runs up the phone bill until the carrier or identity theft victim uncovers the charges.Much like credit issuers, carriers perform comprehensive identity and financial background checks on applicants, however, the checks are on the identity theft victim.  By adding a device check at the front of the process (which looks at the computer or Internet-enabled device being used), carriers can quickly identify suspicious activity such as when the same computer initiates multiple applications under various identities, or if the computer being used has been involved in previous fraudulent activity. (more…)

I’m very proud that iovation was included in the 2010 OnDemand Top 100, as selected by the AlwaysOn staff and other industry experts across the globe. This list recognizes companies for creating new opportunities in cloud computing and SaaS.

AlwaysOn asserts that the selected companies are developing game-changing approaches and technologies that are likely to disrupt existing markets. Selection criteria include innovation, market potential, commercialization, shareholder value and media buzz. Quoting Tony Perkins, founder and editor of AlwaysOn:

“As the digital information created by businesses continues to explode at astronomical rates, the need to store, manage, and share this information is becoming extremely challenging. By providing innovative technologies that help enterprises better compete in this new era of information complexity, the OnDemand 100 represent some of the highest growth opportunities in the private company marketplace.”

It’s an honor to be recognized by industry experts for pioneering the use of device reputation to help online businesses fight fraud and abuse. The only thing better is recognition from customers that use our service every single day. (more…)

Security experts from around the globe will soon meet in Nigeria to help boost the West African country’s parliament to fight Internet fraud and terrorism worldwide. In the article, “Foreign cybercrime experts to partner with lawmakers,” anti-cyber crime and terrorism experts from the US and other European countries will partner with members of the National Assembly to explore the extent of the fraud problem in Nigeria and discuss strategies to combat it.

Over the years, online schemes operating out of Nigeria have cost victims millions in fraud losses. The proposed conference of worldwide anti-fraud, economic and strategic Nigerian government agencies and groups will evaluate the country’s electronic payment system and ensure that measures are taken to protect public funds for a new payment system and other online transactions. (more…)

The security strategy of “defense-in-depth” allows a system or an organization to prevent an attack by coordinating complementary defense techniques, taking advantage of the strengths of each one while relying on the combination to shore up weaknesses in the others.  The end result is a more complex and nuanced system that is resilient to a much greater number of attacks.

In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you’re already a step ahead of me – we design in depth. (more…)

It’s been said that the best offense is a good defense. But how do you defend against something that’s always changing? That’s an important question for IT security professionals who know that it’s only a matter of time before cyber criminals find ways to take advantage of the inherent weaknesses in even the best technologies.

The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers. (more…)

We’re going into 2010 with a lot to be excited about, including the announcement of our new VP of Technology, Scott Waddell.  Scott joined iovation in April 2008 as our Director of Research, a role to which he has brought amazing insight and innovation.  I love his ability to keep sight of a strategic vision while being pragmatic about getting there.  Starting this month, he’s taking over the helm of our entire technology organization and we’re confident he will continue our positive momentum into the new year and beyond.

To provide a bit of an introduction, Scott has nearly two decades of technology experience with an emphasis on security.  Before joining iovation, he spent a number of years at Cisco, serving in a variety across engineering, network security and research. Prior to that, Scott co-founded WheelGroup, a network security company that was later acquired by Cisco.  He also served as a charter member of the Air Force Information Warfare Center, pioneering tools and techniques for automated vulnerability assessment and incident response. (more…)

We have exciting news to share! Now that the nomination phase of the  first annual 2010 Internet Dating Industry Awards is complete, iovation has been named a finalist for the Best New Technology.  This award recognizes the best individual technology created by a vendor for dating or matchmaking sites. The award will be announced at the 7th Annual Internet Dating Conference. (more…)

As iovation continues to expand its subscriber-base across multiple industries, the number of shared devices (meaning those devices seen at multiple sites) continues to rise. As we see this cross-over between subscribers rise, new and existing subscribers have a greater chance of encountering devices that already have a reputation. This increases the proactive value of device reputation and directly supports the significance of having a shared device database.

The increase in the number of shared devices can in part be understood by analyzing the population of “reactivated” devices. Reactivated devices are devices that iovation re-identifies after having not seen the device for more than 90 days. By studying these devices in contrast to the device population as a whole, it is clear that iovation’s expanding customer base is a significant contributor to this trend as a vast majority of reactivated devices have been seen in multiple customer networks. (more…)

When I talk with fraud managers, they often express concern that the benefits of a reputation-based system won’t be instantly apparent. While a reputation service inherently becomes more valuable over time as companies log their fraud experiences into the system, it’s worth pointing out that device recognition and device reputation provide a number of benefits that can have an immediate effect, such as the following:

• Expose relationships between transactions –Device recognition gives fraud management teams instant visibility into the relationships between all online transactions (fraudulent or not). This provides immediate value in assisting with investigations and resolving issues.
• Receive velocity alerts –The number of purchases, applications, account creations, etc. that originate from one user in a given period of time is highly indicative of fraudulent behavior. For example, wouldn’t it be valuable to know that in the span of one hour, ten credit card applications were all submitted by one person? Unfortunately, since most fraudsters use fake or stolen identities, this can be incredibly hard to detect—unless you focus on the device. With device recognition, you can monitor the velocity of transactions coming from a single device, regardless of the identities provided.

(more…)

Darin Glatt, application architect with iovation, was interviewed by the Chroma Coders Game Development Club at Casual Connect Seattle. Darin shares information on iovation’s online fraud protection service used by many leading MMOs.

Listen to the Podcast >

Interviewer: I’m here at Casual Connect and with me today is a special guest. Would you please introduce yourself?

Darin: Hi, I’m Darin Glatt. I’m the application architect for iovation.

Interviewer: What is iovation?

Darin: iovation provides a service for games and websites to help them fight fraud and abuse.

Interviewer: Is this credit card checks or what exactly is it? And how would a game use this service?

Darin: Well, actually it’s not credit card checks. We consider fraud just another kind of abuse on a website. We handle it all the same way. We do that with device recognition and device reputation. We provide a global database of devices, and we track their reputations so we can tell you, when you send us a transaction, what that device has been up to. (more…)

IP Addresses have long been used in device fingerprinting solutions, but their utility has been hit-and-miss due to differences in how groups of IP addresses are managed. As a result, solutions relying on the IP address for device identification generally experience high false positive rates; this is especially true in cases where the same IP address has been issued to different end users over time.

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not. (more…)

While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of botnet operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection. (more…)

Ellen Messmer of Network World had an interesting post recently listing America’s 10 most wanted botnets.  These ten alone are responsible for an estimated 12.4 million infections in the United States.

Botnets are an increasingly difficult problem to address and are becoming an important part of the Fraud as a Service value chain.  There are a number of uses for botnets but Messmer’s post supports that the three primary threats are theft of data, propagation of spam or malware, and execution of coordinated denial of service attacks.

With respect to online fraud, the first threats are the most concerning and are directly related to each other. Distribution of spam and malware is usually a means to an end of stealing personal data which can easily be monetized in the cyber black market. The number of effective botnets is growing. What this means to online businesses is that comprehensive databases of credit and identity information are readily available and getting cheaper, allowing fraudsters easy access to stolen identities. The result is that fraud management systems relying entirely upon identity checks are becoming less effective and need to be accompanied by a solution based on information independent of identity. This is where device reputation systems excel and provide the perfect complement to existing fraud management tools and processes. (more…)