It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, there are many, many things that go into a new feature including design, development, testing, documentation, integration and other operational requirements. We won’t go into that amount of detail here, but instead will focus on the primary achievements within each of the four principle areas of specialization at iovation, which include:

It’s truly an honor to follow in the footsteps of some of the most recognizable technology companies in the world such as Google, YouTube, Skype and eBay, who have all been previously selected to Red Herring’s prestigious Top 100 Global list.

This recognition is a direct result of years of hard work evolving our fraud protection service into a full spectrum device reputation solution that supports native and web integrations for mobile and desktop devices, tagged and tagless device recognition, real-time transparent risk scoring, and on-demand and scheduled reporting. Our remarkable growth is attributed to the collaborative work and effectiveness of our global device intelligence network, which today protects billions of transactions for our clients representing multiple industries around the globe.

Red Herring Chairman, Alex Vieux, elaborated on the difficulty the editorial staff goes through each year in selecting the Global Top 100.

“Choosing the best out of the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners. It was an extremely difficult process. iovation should be extremely proud of its achievement, the competition for the Top 100 was fierce. The Top 100 Global are truly the best of the best.”

Companies were evaluated on both quantitative and qualitative criteria such as financial performance, technology innovation, management quality, strategy and market penetration.

The full list of 2011 winners is located at: http://www.herring100.com/RHG/2011/top100.html.

To expand our fraud preventative services to organizations in southern Europe, we’ve partnered with AliasLab, a leading professional services, consultancy and system integrator specializing in digital signature solutions and secure data transfer. Through this partnership, AliasLab will offer iovation’s device identification service, ReputationManager 360, along with its sophisticated Out of Band (OOB) authentication solution, SecureCall Suite, which offers strong authentication, mobile payment digital signature and mobile VAS services to banking, insurance and telcos in Italy and Southern Europe.

It goes without saying that we are very proud to be partnering with an industry leader like AliasLab. This partnership is a key for iovation’s growth largely because our companies’ authentication and device reputation solutions are extremely complimentary to each other. Together, we provide a highly effective next-generation solution for authentication and fraud management.

Working with many of the market’s leading brands, AliasLab has an established presence in Italy and Southern Europe. They will share how iovation’s global fraud prevention solution reduces online fraud and abuse to protect corporate brands and their customers, allowing them to:

• Know when an Internet-enabled device with a history of fraud touches their website
• Expose related accounts and devices collaborating in fraud
• Assess risk by velocity, past behavior and device characteristics

By customizing business rules to meet their specific and evolving needs, organizations leverage iovation’s device identification technology and comprehensive risk assessment service to confidently allow, deny or flag suspicious transactions in real-time to increase operational efficiency, saving both time and money.

We look forward to working with Roberto Tabacchi and the rest of the innovative team at AliasLab to expand our global presence and help businesses recognize and stop all types of online fraud and abuse.

This is why combating increasingly sophisticated fraud techniques requires online merchants to identify fraudulent orders faster and boost the efficiency of their fraud management functions, without increasing overhead. For one North America retailer whose fraud losses were eating into profits and affecting the customer experience, implementing the right fraud prevention service enabled them to drop annual fraud losses from a peak of $2 million to $180,000.

In our newly downloadable case study, “Online Retailer Uses New Fraud Detection Systems To Cut Fraud Loss Rates,” Forrester Research principal analyst, Andras Cser, shares how the online merchant was able to reduce fraud loss by $1.8 million after deploying iovation’s ReputationManager 360 along with our partner’s case management system.

Initially lacking the ability to configure its own business rules and review important order details in one place with its existing fraud management solution, iovation allowed the retailer to create versatile fraud detection rules and review complete order information from a robust, single-screen user interface. iovation’s Real IP technology also revealed the true IP addresses of the devices cyber criminals were using to perpetrate fraud so the merchant could identify high-risk activity relating to velocity, anomalies and detection of proxy in real-time to automatically flag suspicious orders for review or stop them in their tracks.

Recognizing fraudulent orders before they are approved and shipped is critical to reducing fraud rates, which is why iovation’s device reputation technology is essential for any online retailer’s fraud prevention strategy.

To show how layering iovation’s device reputation services with authentication technology offers a comprehensive defense-in-depth solution for exceeding the FFIEC’s new guidelines, we are hosting the upcoming webinar, “Ensuring Optimal Efficacy and Balance with Device Identification and Out-of-Wallet Questions.”

Along with Keir Breitenfeld, Senior Director at Experian Decision Analytics, I will be presenting what financial institutions need to know about how mitigating fraud risks while improving the overall customer experience, including:

1. How to achieve risk-based authentication with device reputation, authentication, scores and analytics — all while minimizing friction for the customer.

2. How to apply proportional treatment to your risk-based authentication efforts and dynamically manage credit and non-credit data questions, to fight fraud.

3. How to find optimal process points and question session configuration to strike the right balance between fraud prevention, customer experience, and cost.

4. The differences between simple device identification and complex device identification.

5. How leading financial institutions are collaborating using ‘device reputation’ today without sharing PII.

iovation’s ReputationManager 360 solution combines past and current behavior of more than 650 million devices with pattern recognition algorithms and pattern-learning processes to identify and re-recognize all devices logging onto a bank’s website in real time. It also allows financial institutions to see how these devices are connected to existing accounts already in the system. Doing so helps banks prevent fraudulent transactions before they happen, as well as root out fraud rings or re-occurring fraud activities that continue to take place right under their noses.

To hear how global banks are already leveraging device reputation to exceed the FFIEC guidance, register for our webinar taking place on Tuesday, July 26th, beginning at 10:00 a.m. PDT (1:00 p.m. EDT). If you have any questions in the meantime, feel free to email info@iovation.com.

However, to ensure they stay one step ahead of today’s profit-driven fraudsters, banks need to use the most advanced, anti-fraud techniques to prevent criminals from gaining access to legitimate online bank accounts. Michael Grillo’s article, “Combating Online Banking Fraud – A Top 10 List,” provides a checklist of the essential fraud detection methods that all banks should consider to ensure they are doing everything they can to stop online fraud, including:

1. Apply multi-factor logon authentication for online banking systems – such as tokens with one-time password or Adaptive Authentication (risk-based authentication).
2. Utilize real-time analytics – monitor transactional behavior to determine whether activity is standard or anomalous for that customer. When high-risk activity is detected, action can be taken in real time or near-real time to stop the transfer of funds from the customer’s account. Funds can also be held until customer validation can take place (see #4 below).
3. Employ profiling – include non-financial information (IP address, login activities, and device characteristics) to build customer profiles which can be stored to monitor ongoing behavior.
4. Make use of out-of-band notification methods - utilize phone call, text message, e-mail, etc to confirm activity with customers before transactions can be completed.
5. Maintain anti-virus software – Be sure to recommend your customers keep it current on end-user machines. While not fool-proof, it can stop lesser forms of intrusion.
6. Maximize password management – Ensure password management best practices are enacted (e.g. change password every ninety days, minimum length, combination alpha-numeric, varying history, etc.).
7. Leverage dual approval and limit management capabilities in your online banking tool -End-users with transaction initiation or approval entitlements should not also have administrative rights.
8. Implement token management at ACH or Wire release – this approach provides another layer of authentication prior to finalizing the transaction.
9. Employ a prescriptive, layered approach to security – utilize security tools within your online banking solution (e.g. multi-factor authentication, limit management, etc) with a fraud prevention and detection solution (e.g. profiling, analytics, etc.)
10. Education – keep it simple but constant. Partner with your customers to ensure they are aware of today’s threats and know what tools are available today to protect themselves.

As the industry shares information about new types of fraud attacks, iovation’s ReputationManager 360 puts intelligence shared by over 2,000 fraud professionals around the globe to work. By leveraging our knowledge base of 650 million Internet-connected devices and their associations, financial services and other industries can immediately identify suspicious activities through configurable real-time, fraud detection mechanisms that include device identification, device reputation and risk profiling.

In addition to the daily monitoring of transaction anomalies, velocities, geolocation and proxy-busting technology, iovation helps leading online brands stop fraudulent transactions before they are processed, as well as roots out and rids their systems of repeat offenders and fraud rings that are unknowingly perpetrating a multitude of fraud and abuse activities over time.

In the recent Network World article, “Federal agency issues new security rules for financial institutions,” the FFIEC is instructing financial institutions to deploy layered security systems and recommends they update their risk assessments to detect anomalies and effectively respond to suspicious activity as more profit-driven hackers focus on business computers to perpetrate fraudulent online transactions.

According to the IC3 Annual Internet Crime Reports:

Cyber crime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts.  Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.

The new rules instruct banks and financial institutions to focus their network defenses on layered security that involves fraud monitoring, dual customer authorization through different access devices, out-of-band verification, and technologies that limit the fraudulent transactional use of an account.

According to Scott Waddell, Vice President of Technology at iovation, who has been helping the nation’s largest financial institutions and credit issuers implement layered defense programs for years:

We’re glad to see the FFIEC guidelines catching up to the device reputation best practices that our customers enjoy. Complex device recognition, reputation, and real-time risk assessment are powerful additions to any bank’s fraud-fighting arsenal.   

The 2005 FFIEC Guidance described customer authentication as more than the initial authorization of the customer at login.  Including defenses at multiple interaction points such as accessing customer information, or movement of funds within or outside of the financial institution, is equally important.  Risk assessments should consider changes in the internal and external threat environment, changes in customer adoption, changes in electronic banking functionality and incidents of security breaches, identity theft or fraud experienced by the bank or industry.

With business or commercial banking accounts more susceptible to risk (as compared to retail banking) due to the frequency and high dollar amounts of the transactions, a defense-in-depth approach to security is even more important.

As explained specifically by the FFIEC, layered security programs may include:

• Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response
• The use of dual customer authorization through different access devices
• The use of out-of-band verification for transactions
• The use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account
• Enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows
• Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
• Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
• Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
• Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate risk

The FFIEC recommends that an institution’s security program include device identification strategies that are more sophisticated than the simple cookie or IP address schemes used by many banks today as part of their authentication process.

At iovation, our financial services clients have been doing more than simple device ID for years.  In fact, they’ve been doing more than complex device ID for the last 7 years.  Complex device recognition techniques involve assessing larger sets of attributes and applying both pattern recognition algorithms and pattern-learning processes to identify devices.

While useful, complex device identification is just one part of an effective solution. The big players are tapping into the power of device reputation. Device reputation builds on device recognition with real-time risk assessment, leveraging both the attributes and the behavior of the device.  iovation takes that further still by showing our customers the relationships between devices as they interact with online businesses across iovation’s shared device intelligence community. And understanding how individuals are connected through devices and the accounts they access, as well as past and current behavior, is critical.

Device Reputation is what provides this depth of insight at transaction time.

Read the Supplement:

The Federal Financial Institutions Examination Council (FFIEC), Supplement to Authentication in an Internet Banking Environment

The Westin Building is easily the best connected facility in the Northwest United States. Via our patch panel in the meet-me-room we can rapidly connect to dozens of global telecommunications carriers serving the US, Asia, Canada, Europe, and the rest of the world with a simple fiber optic jumper cable. This facility is also home to the Seattle Internet Exchange on which we are a member.

If you are an iovation customer and would like to directly connect to us within this facility or across the SIX please contact me.

From an infrastructure point of view, keeping the iovation service online at all times and keeping the “bad guys” from harming our customers is always Job #1. To do this, we employ many levels of redundancy, both within a given facility, and between multiple facilities. As with any data center, this starts with the electrical power feeding the facility. Every piece of iovation equipment is fed from dual power sources which are completely redundant all the way back to the power utility. It should also be noted that power failures in Seattle are nearly nonexistent as the grid is extremely robust (fed largely by hydro-power).  

Here you can see the generator bank backing up our “A” side power bus:

Here you can see the generators backing up our “B” side power bus:

After the generators, the power flows through a pair of “Automated Transfer Switches” that will cutover from “utility” power to “generator” power should their be a disturbance on the power grid. Unfortunately, I don’t have a picture of these transfer switches handy, but here is a picture of the main electrical switchgear that is downstream of the transfer switches for both the “A” side bus and the “B” side bus.

After the main switchgear, the power is fed into a pair of 500KVA UPS units (again, completely separate “A” side and “B” side units) which provide super-clean output power at all times due to their double-online-conversion design. They also provide battery back up during power outages until the generators start up and take the load:

From the UPS units, the power is sent out at 480 volts to step-down transformers located on the data center floor (the black cabinet in the middle of the picture is one of the two that feed iovation):

After being stepped down to 208 volts, iovation receives one three phase 225 amp power feed from the “A” side power bus and another 225 amp power feed from the “B” side power bus into a pair of RPP panel units (circuit breakers):

From these RPP panel units we provide every cabinet with one 208v 30amp 3 phase connection from the “A” unit and another from the “B” unit. All power capacity planning is done with the assumption that we can lose either the “A” side or “B” side power and everything will just seamlessly shift over to the still-functioning power leg without any impact.

So that should provide a pretty good overview of our power infrastructure, now let’s talk about cooling for a bit. While the Westin Building has numerous redundant evaporative cooling towers, here is a snapshot of a few of them:

I don’t have a picture handy, but needless to say, the cooling loop system has fully redundant pumps for water circulation. Here you can see a very important feature of the cooling system – The Westin Building stores thousands of gallons of emergency water on site to keep their cooling system operational even in the event of a water utility outage:

Here you can see an example of the many redundant cooling units that actually provide cool air to our servers by moving heat from the air into the cooling loop. There are a pair of these units dedicated to the iovation cage (not shown):

And last but not least, here is a picture of the iovation cage (though this was taken before all the servers were installed):

I could continue on about the layers of fire protection systems, multi-factor access control, 24×7 engineering and security staff, etc, but perhaps those will be topics for future blog posts. We here at iovation are very excited about the addition of this facility to our tool set as it allows us to scale up to handle ever increasing customer demand while continuing to provide the highest level of service to our clients.

As always, please send me an email if you have any questions!

-Eric
Sr. Infrastructure Architect

“We are proud to be a new entrant to the Portland Business Journal’s Top 100 list and look forward to being a regular member of this outstanding group of companies. We fully intend to move up the list in the coming years as our growth continues to accelerate,” said Doug Shafer, CFO at iovation Inc. “We are very excited about the growth opportunities in all of the key vertical markets that we serve across the globe.”

In any economy — but even more so in today’s slow economic recovery — the key to business growth is all about customer satisfaction. Driven by a “customer first” mentality, we provide much-needed fraud protection services to online businesses around the globe. This powerful combination has played a central role in not only earning new business, but also achieving a 96% customer retention rate.

For any fraud prevention company, knowing you are delivering highly innovative and effective fraud-fighting solutions that are improving the safety and financial well-being of your customers and business partners makes all the difference. That’s what makes us tick at iovation. And we couldn’t have done this without the hard work and dedication of our amazing team, partners and customers. Thanks for working with us to make the Internet a safer place.

The Visionary section of the Magic Quadrant recognizes security vendors whose products are easy to implement and have successfully reduced online fraud for their customers.  According to Gartner’s description:

The Visionaries’ products are relatively easy to implement (when compared with many of their competitors) and have achieved very good results in reducing online fraud for their clients, often using software-as-a-service (SaaS)-based models. Often, they are more innovative than their competitors and tend to offer superior customer service, which they can afford to do, given their smaller customer base and their dedication solely to fraud detection.

Our revolutionary device reputation technology uniquely identifies and re-recognizes individual devices, including computers, smartphones and tablets, that log onto business websites and checks it with our shared global fraud and abuse database to help customers assess the transaction risk based on the likelihood that the device will commit online fraud or abuse.

In fact, Gartner’s description of Web fraud detection nearly describes what iovation’s ReputationManager 360 fraud prevention solution does to a tee: detects account takeover, detects fraudulent accounts created by a stolen or fictitious identity, and detects the use of a stolen financial account when making a financial transaction.

“We’ll stop over 50 million fraud attempts this year as we continue on our mission to make the Internet a safer place”, said Greg Pierson, founder and CEO of iovation. “We are honored to be positioned by Gartner as a Visionary and recognized in the web fraud detection market. We take pride in providing superior customers service and delivering meaningful results in the fight against online fraud and abuse.”

Being recognized as a finalist for this prestigious award, which looks at technological innovation, financial performance, execution of strategy and management strength of private technology ventures, is a testament to our continued success in protecting the world’s largest brands from online fraud and abuse like credit card fraud, account takeover, chargebacks, money laundering and identity theft, to name a few.

“This year was very rewarding,” said Alex Vieux, publisher and CEO of Red Herring. “The global economic situation has abated and there are many great companies producing really innovative and amazing products. We had a very difficult time narrowing the pool and selecting the finalists. iovation shows great promise and therefore deserves to be among the Finalists. Now we’re faced with the difficult task of selecting the Top 100 winners of Red Herring North America. We know that the 2011 crop will grow into some amazing companies that are sure to make an impact.”

Last year alone, iovation helped online businesses prevent 35 million fraud attempts to protect their customers, corporate reputations and reduce fraud losses. As cyber crime continues to put online businesses and their critical data at risk, nothing is more satisfying to me than knowing the impact our device reputation technology is having in helping our customers across multiple industries fight fraud and protect their customers and business profits from more sophisticated and damaging fraud and abuse schemes.

We look forward to sharing more during our presentation at the Red Herring North America Forum in Hollywood, California, June 13-15, 2011.

Even if you protect your PC and keep your critical security patches and antivirus definitions updated, there is always the possibility that your bank or credit card company may be hacked, and your sensitive data sold for the purposes of identity theft.

2. Social Engineering: This is the act of manipulating people into taking certain actions or disclosing sensitive information. It’s essentially a fancier, more technical form of lying.

At 2010’s Defcon, a game was played in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. Of 135 “targets” of the social engineering “game,” 130 blurted out sensitive information. All five holdouts were women who gave up zero data to the social engineers.

3. Failure to Log Out: Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or, “Save password,” and, once selected, will do so indefinitely. This feature often works with cookies, or codes stored in temp files. Some operating systems also include an “auto-complete” feature, which remembers usernames and passwords.

4. Inside Jobs: With millions losing jobs, there are many opportunities for an insider to plug in a thumb drive and steal client data or other proprietary information. Networks are like candy bars, hard on the outside, soft and chewy on the inside. Insiders who fear layoffs may be easily tempted to use their access to profit while they have the chance.

5. Fraudulent Accounts: Many businesses lay claim to thousands or millions of members or clients who have access to web-based accounts. No matter the nature of the business, social network, dating site, gaming site, or even bank or retailer, some percentage of the accounts are ongoing instigators and repositories for fraud. Troublemaker accounts infect the overall stability of any organization, and flushing them out is essential.

One anti-fraud service getting lots of attention for protecting online businesses from crime and abuse is ReputationManager 360 by iovation Inc. The service is used by hundreds of online businesses to prevent fraud by deeply analyzing the computer, smartphone or tablet connecting to their online properties.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Our dependency on the Internet has long since passed the point of turning back, and I think we’ve made a mistake in that approach. Fortunately, it’s extremely unlikely that the Internet will go down entirely.

The U.S. and most other developed countries are thoroughly electrically and digitally dependent. Critical infrastructures, including drinking water, sewer systems, phone lines, banks, air traffic, and government systems, all depend on the electric grid. After a major successful attack, we’d be back to the dark ages in an instant. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about what happens when the power goes out for a few hours. We’re stymied.

A Wired op-ed by Deputy Secretary of Homeland Security Jane Holl Lute and Bruce McConnell, a Senior Counselor at the department, points out that no single individual or entity has the capacity to protect the Internet, not would we want to rely on one entity. They stress the necessity of collaboration among, private citizens, corporations, and government.

The most important part:

“While America is deeply reliant on cyberspace, the health of this critical ecosystem is itself a work in progress. Indeed, tomorrow’s threats and defensive capabilities have probably not yet been invented. Government must engage: to secure government systems, assist the private sector in securing itself, enforce the law, and lay the policy foundation for future success. Where industry lags, policy change can incentivize key actions. Today’s environment does not, for example, adequately incentivize companies to write secure software. This must change.”

What this is saying is, essentially, “This ain’t no dress rehearsal.” This is the time to act, particularly for those companies that are engaged in commerce or in support of our critical infrastructures.

Robert Siciliano, personal security expert contributor to iovation, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)

With criminals targeting online casinos around the clock (we’ve got the data to prove it!), gaming sites need all the help they can get to rid their tables of costly criminal activity such as credit card fraud, chargebacks, account takeover and player collusion. Leveraging iovation’s global database of over 600 million unique devices, our gaming customers gain deep insight into every device, whether it’s a PC, smartphone or tablet, attempting to login or play on their site. Using customizable business rules that allow them to assess risk at various integration points, online gaming providers will spot characteristics that are consistent with fraud and abuse to stop criminals before they strike.

Based on the online gaming transactions iovation has checked since January 1, 2011, here’s a sample of what we’ve stopped and what we’ve seen:

This prestigious award is a testament to our continued commitment to reduce fraud and abuse in the online gaming industry. For 7 years now, we’ve been helping gaming sites detect cyber criminals and shut down global fraud rings so our customers can improve their business profits and maintain a reliable, trustworthy reputation with their good players.

The Software Association of Oregon will host its Fireside Chat luncheon featuring Eric Dishman, Director of Health Innovation of the Intel Architecture Group, as well as Jeff Harvey, President and CEO of Burgerville and Nancy Phillips, COO and Co-founder of ViaWest.

As the market leader in device reputation, iovation will be talking with attendees about how we protect online businesses from fraud and abuse. We do that while protecting the identity and privacy of consumers. Daily, we protect 8 million transactions and stop 150,000 online fraudulent activities.

Most anti-fraud solutions fight fraud by looking at identity or financial data on the consumer.  iovation’s approach is completely different.  We focus on is the physical device (computer, tablet or mobile phone) that the consumer is using to connect to the online business.

Our SaaS solution exposes the reputation of devices connecting to online businesses. We manage the reputations of 600 million unique devices that have touched our customers from all over the world.  And we help clients understand how devices in their network and outside of their network are related.

Stop by the iovation booth to chat with Brian Walter, Director of IT and Product Operations, Connie Gougler, Director of Marketing, and Merilee Schillinger, Technical Recruiter, and hear why 2000 fraud analysts around the globe interact with our system every day to keep the bad guys out.  And by the way, we’re hiring!

While we know fraudsters can’t resist a sure thing, Craig Scroggie, vice president and managing director of Symantec in the Pacific region, said most of the time consumers turn a deaf ear to such warnings until it is too late. In the article, “Cybercrime to hit tablets,” Scroggie, who has warned consumers about potential threats to email, fake websites and computers in the past, is at it again. This time he says the proliferation of smartphones and tablet devices will soon face the same type of attacks PC owners have long suffered.

According to Symantec’s Internet Security Threat Report, there were 163 known vulnerabilities in mobile operating systems in 2010, a 42% increase compared to the 115 in 2009. More attacks on mobile devices can be attributed to a couple of things, most notably more people using the devices for mobile computing and Web surfing, and the fact that users are less security-savvy about malware on mobile devices.

With the major mobile platforms now ubiquitous enough to attract hackers, like clockwork, we’re seeing the same criminal pattern take its course. As a result, Symantec expects attacks on these platforms to increase in 2011. The report also found that despite having security measures in place, 45% of respondents said security was still one of the top obstacles in smart devices.

From the iovation perspective, we’re seeing increasing traffic across our subscribers from mobile devices, predominantly from smart phones, with iPhone and Android devices leading the pack. While there is fraud originating from mobiles, it’s still a relatively small fraction of the overall fraud we catch every day. It will be interesting to watch the shift as mobiles begin to overtake laptop and desktop devices as the platform of choice for everyone, fraudsters included.

According to the article, “Securing Internet Payments,” 70% of all fraudulent credit card transactions originate from card-not-present (CNP) transactions. This has a substantial impact on the public’s confidence using their credit card for online transactions. Lacking the capability to prevent unauthorized transactions and associated fraud and abuse ultimately trickles down to Internet-based businesses’ bottom line revenues and profits.

Because e-commerce is expanding faster than conventional transactions, financial institutions, merchants and other organizations that depend on online payments to do business need to have effective fraud preventative tools in place to identify the cardholder before the remote transaction actually takes place. Doing this requires the ability to look beyond the credit card information provided by the individual requesting the transaction.

iovation ReputationManager 360 does this by checking the reputation of the actual device being used to request the online transaction against a database of more than 550 million unique devices, some of which have been used for fraud or are associated with other devices that have been involved with fraud or abusive behavior. This allows businesses to accept, deny or review transactions to stop criminals before they cause damage to the business or customers.

Using iovation’s configurable business rules engine, financial services organizations can automatically make decisions at transaction time. Here are just a few example rules that could be written. Of course, there is not a “one size fits all” model when it comes to business rules, so these are purely examples.

If you plan to attend NACHA Payments 2011 in Austin, Texas, April 3-6, and would like to learn more about how device reputation helps protect financial institutions from CNP fraud, chargebacks, identity theft, account takeovers, and other fraudulent activities, stop by our Booth #332. I will be there along with Don Megale and we both look forward to meeting you.

In order for the business rules engines to be productive, the rules they operate on need to reflect the particular risks the organization faces. When it comes to customizing business rules, this is not a “one size fits all” model. Giving a retailer, financial institution, or gaming company the ability to easily create and manage rules that are run against their transactions requires a tool that makes it simple to see, add, edit, and experiment with rules.

The iovation business rules editor provides great flexibility in managing the set of rules to be reviewed for transactions such as login, account creation, account change, and checkout. Rule sets are the collections of rules for each end-customer touch point. Rules can be added with a familiar drag-and-drop, enabled and disabled with one click, parameters can be adjusted, and lists of common items can be managed and included. An example of a list is a ‘risky ISP list’, where the user can create a list of risky ISPs and use that same list in multiple rules. If the list changes, all rules leveraging that list will be immediately updated. New rules can be evaluated without impacting scoring results by giving them a zero weight and tracking how frequently they are triggered.

The iovation rules editor provides additional flexibility to help you keep up with the evolution of fraud while protecting your business.

With total losses to Internet crime topping $599 million in 2009 (the latest annual statistics), educating others about the current state of fraud, evolving fraud tactics, high at-risk groups, and best practices to identify and prevent fraud, plays a critical role in helping consumers and businesses protect themselves from online fraud.

Fraud Prevention Month is also an indicator of how much still needs to be done for businesses to adequately protect themselves and their customers from today’s growing threats.

In the article, “One in five Canadian small firms insufficiently prepared to handle fraud,” a recent survey found 80% of Canadian small business owners believe their fraud-prevention strategies are enough to protect themselves from fraud. However, 17% responded that they are not prepared to handle new types of fraud tactics.

With cyber attacks becoming more widespread, the annual education and awareness campaign focuses on the growing concerns of online fraud. According to Gail Cocker, senior vice president of commercial banking at BMO Bank of Montreal, businesses that aren’t equipped to prevent evolving fraud tactics face increasing risk that could impact their business operations.

“Fraud is a direct threat to the success of our business customers. In today’s world, business owners must understand and manage multiple risks. Fraud is an operational risk that must be managed proactively.”

While education is key to raising the business community’s awareness of potential fraud risks, regularly assessing your fraud-prevention strategies is essential to making sure you are prepared for evolving fraud techniques that are continually seeking new ways to defraud your business and customers.

With regular events going on around the globe to help organizations protect their businesses and customers from more sophisticated cyber attacks and identity theft, the iovation team spent last week talking with 800 attendees at the 2011 Merchant Risk Council (MRC) e-Commerce Payments & Risk Conference, held at the Wynn Resort in Las Vegas. Take a look at the photos published on iovation’s Facebook page.

iovation provides device reputation and real-time risk evaluation solutions to help businesses representing retail, financial services, gaming and social networking determine the level of risk associated with their Internet transactions including PCs, tablets and smartphones. By performing device reputation checks on over 7.5 million daily online transactions for our customers, we help stop more than 150,00 online fraud and abuse attempts each day.

With identity theft the clear leader of consumer complaints over the past decade, what I found most surprising is that impostor scams — the means of deceptively assuming another identity (either that of an individual or of an organizational entity) — only cracked the FTC’s Top 10 most complained-about consumer issues for the first time last year, coming in at No. 6 with over 60,000 complaints.

With impostor scams, fraudsters earn trust with their victims by impersonating anything from credible, trustworthy businesses to consumers applying for credit or purchasing items over the Internet. Whether fraudsters are attempting to defraud individuals or socially engineer businesses, identifying cleverly concocted impostor scams requires the ability to see beyond the information provided by criminals.

For online businesses, this means looking beyond the personally identifiable information (PII) supplied by individuals. Unlike most anti-fraud tools that rely on PII to identify customers logging onto websites or requesting online transactions, iovation’s ReputationManager 360 identifies the devices being used to defraud or abuse others online. Leveraging the world’s largest device reputation database that shares intelligence on more than 500 million devices and their associations, iovation provides information that online businesses can use for protection against the growing threat of impostor scams.

By taking data collected from 113 million servers globally that track cyber attacks like identity theft, phishing threats and fraud activity, the Cybercrime Index is a website that acts like a stock index, informing Internet users about the day’s biggest online threats.

Along with giving users up-to-date reports on malware activity, the Cybercrime Index is an educational tool that provides tips on how Internet users can avoid cybercrime, said Dan Nadir, senior director of consumer products at Norton.

“With the increasing sophistication of cyber threats and the staggering amount of money lost to cybercriminals, it’s important for people and businesses alike to think seriously about how they are protected online. We’re constantly trying to educate people around the dangers of online threats.”

While there’s certainly no substitute for education when it comes to keeping up with the latest trends in cybercrime, businesses in particular require fraud prevention tools and techniques that work together to effectively defend their virtual environments and customers from all types of online fraud and abuse attempts. Education and training, combined with highly effective and comprehensive security solutions like iovation’s ReputationManager 360, provide a stronger, multi-layered defense that today’s organizations need to protect their businesses from all forms of online crime, including the top threats of the day.

Through this partnership, Affirmative Technologies will offer customers iovation’s ReputationManager 360, which combines customizable business rules, risk profiles, and the shared experiences of more than 2,000 fraud analysts from leading brands worldwide, as a strategic component of its risk platform. By combining Affirmative Technologies expertise in electronic payments with our risk assessment and global device reputation solution, companies get an extra layer of security to authenticate users before they enter their secure websites.

When it comes to online payments, nothing is more important to businesses than preventing the bad guys from committing financial fraud. This partnership allows companies to verify good, bad and suspicious users before they can request a financial transaction, and in doing so, confidently accept online transactions faster and stop criminals from causing harm to their business and trusted customers.

Microsoft, Google, and Firefox are implementing do-not-track features into their browsers, giving consumers the option to block cookies that may track their surfing for advertising purposes.

Most major websites now install cookies on your computer, which, over time, help develop a profile that serves as your digital fingerprint. This is why, after searching for a specific product, you may notice advertisements for that particular product or brand appearing on various other websites.

But not all cookies track you in order to sell you something. Many are there for security purposes. Merchant Risk Council considers “where the line is drawn between the proper and improper uses of this type of technology (protecting against online fraud vs. targeted online marketing).”

Several companies use cookies as well as other technologies, such as tokens, along with sophisticated and unique pattern matching that can only be derived from extensive and unique experiences with a shared reputation database, to identify and re-identify devices.

I don’t see any physical harm or identity theft ever happening as a result of device identification, especially when it comes to techniques meant to watch your back and protect you.

With privacy watchdogs addressing this kind of advertising as a major concern, and the Obama administration now stepping in, we will surely see the implementation of some standards in this kind of marketing practice over the next few years.

The MRC wonders, “As this issue gets more play, and consumers become more aware of this technology, will there be any effect on “good customer” behavior by potentially scaring people away from online shopping?”

I doubt it. But right now, government, industry, and consumers need to understand the difference between good cookies and bad cookies, before rash decisions designed to give us slightly more privacy make us more vulnerable to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Banks understand this, which is why they’re pushing mobile payment apps that are designed to make mobile banking and mobile payments faster and easier for their customers directly from their smartphones and tablets. However, because mobile transactions between banks, merchants and mobile devices aren’t as closely guarded as they are over the Internet, cyber criminals are taking advantage of this vulnerability by targeting banks and online businesses with their mobile devices.

The recent article, “Theft gangs using smartphones to steal bank card numbers,” provides another example of how Web services and new mobile devices are being used by criminals to commit financial fraud. While the rise in identity fraud is leading banks and other financial institutions to consider security tools that help protect them and their customers from mobile transaction fraud, Donald Malloy, business development manager for NagraID Security, said U.S. banks haven’t been too receptive to security measures that require customers to take additional steps such as more passcodes to authorize transactions because this creates an extra inconvenience when making a purchase.

“In the past couple years, with the recession, the banking world has not been willing to invest in any new technologies, but that’s changing now. As fraud grows, banks are realizing that they need to come forward and adopt something that’s going to help them in the future.”

Of course banks want to show their customers they are taking extra steps to detect and prevent all types of fraud. But they want to do so without impacting the customer experience. iovation allows the Banks to do both.

Whether users are accessing your Web site through a PC or any type of mobile device including a smartphone, tablet, or a laptop connected to the web by a wireless network, iovation’s ReputationManager 360 identifies all devices coming into a site and provides critical device reputation intelligence that allows banks and other financial institutions to determine the risk of a transaction (and if they want to allow, deny or review it) based on results of their customized business rules. All this takes place behind the scenes to provide banks with an extra layer of protection without disrupting the user experience.

Dr. Bernard Herdan, CEO of the National Fraud authority who runs Action Fraud, said fraudsters who take advantage of online dating sites are a particularly sinister bunch, who use clever tricks to gain the confidence and affections of legitimate site users before asking for money. He warned that nobody should ever send money to someone they’ve never met in person.

“These fraudsters are normally very attentive, ensuring there is regular contact via email, by text messages and telephone, as well as sending gifts, such as flowers. They take or create identities of generally good looking, upstanding members of society, such as successful business people or increasingly, as a US or UK soldier posted in the Middle East. Anyone using dating sites should be very cautious when getting to know someone, and never transfer money till you have met.”

Because Valentine’s Day is typically the busiest time for romantic courtships, online lonely hearts should be particularly cautious with new online romances. While the article provides several tips on how users can protect themselves to avoid online dating fraud, romance websites can also help in curbing threats by deploying effective security tools to help identify potential fraudsters that could be lurking within their virtual environments.

iovation’s ReputationManager 360 looks at information independent of what users provide online dating sites to give IT security professionals a unique insight into the devices (computers and mobile devices) that criminals use to create multiple profiles and accounts on their sites. This information exposes fraudulent devices and hidden device-account relationships to help romance sites identify and stop online fraud and abuse. To learn more, check out the whitepaper, “Online Dating: Keeping Your Members Safe from Online Scams and Predators.”

After being recognized by the international gaming and online dating communities in January as one of the top technologies for preventing fraud and increasing profitability, productivity and efficiency, we are extremely proud and honored to be recognized by industry leaders in e-Commerce as one of the most innovative fraud fighting tools for online or multi-channel retailers.

To be eligible for the awards, all entrants must be available for online or multi-channel retailers to use for the purpose of measuring, monitoring or mitigating one or more of the following: card-not-present fraud; advancing online data security; improving online payment processes; and advancing the MRC’s vision of making electronic commerce more efficient, safe and profitable.

This week, the Merchant Risk Council (MRC) announced that iovation ReputationManager 360 has been named a finalist for the 2011 MRC Emerging Technology Awards (also known as the METAwards). The awards are judged by a panel of merchants that include the likes of eBay, BestBuy.com, Go Daddy, HP, Microsoft, NCsoft, Tiffany & Co., Urban Outfitters, T-Mobile, among others. The judges recognize the most innovative and effective payment, fraud and security tools on the market. The METAwards are the MRC’s initiative to recognize the best available solutions on the market, and provide their merchant members a window into the future.

The awards will be announced at the upcoming the MRC Annual e-Commerce Payments and Risk Conference, March 23, in Las Vegas. If you are planning to attend the event, stop by our booth #217 and don’t miss our feature presentation on Thursday, March 24th at 11:00 am titled, “Circle of Fraud” with speakers Jim Houlihan of HSN, Michael Peterson of Dell, and Cory Swick of iovation.

While this and the other accolades we’ve received lately have been nothing short of overwhelming, we are extremely proud of being recognized by industry leaders and associations across multiple industries. Because we serve online retail, gaming, social community and financial services companies, the acknowledgements have been a testament to iovation’s ongoing commitment to make the Internet a safer place to interact and conduct business, as well as reinforces the positive impact we make in the everyday lives of our customers by protecting their online transactions to reduce fraud rates.

The 2011 Global Excellence Awards will be announced at an awards gala, February 16th, in San Francisco.

There are situations where a mismatch between presented IP address and actual IP address does not indicate risk. These include certain ISPs, corporate networks, and CDN services that either require their users’ web traffic to pass through proxies or have service configurations that result in proxy-like behavior. If the IP addresses don’t match but the locations do, that can help filter out some of these false positive, lower risk scenarios. Likewise, if the IP addresses differ but the ISP is the same, proxy risk is typically low. When the IP addresses don’t match, the geolocated country or region differ, and the ISPs are not the same, that is much more likely to be an example of intentional proxy use by the end user.

Of course, legitimate site visitors sometimes use proxies too. So, proxy risk should be considered in conjunction with device reputation and other risk indicators for balanced real-time transaction decisioning.

Basically “just like that” the up to 1000 fraud checks they receive every hour out of Egypt dropped to zero. At first glance one would think there was some type of meltdown or maybe Egyptian scammers all of a sudden decided to get a job.

Normally, iovation would see thousands of queries from Egyptian customers interacting with businesses of all types, including social networks, online dating sites, online gaming sites, banks and retailers. Then at about 6:00 pm Eastern time, nothing.

“We’ve got a unique view of the Internet at iovation. Our service experiences the interaction of unique computers and mobile devices from every nation on earth, across a broad swath of Internet commerce,” says VP of Corporate Development, Jon Karl. “When we’re seeing Egypt’s Internet fall off a cliff, it’s at a more precise individual user level rather than just through aggregated online traffic. While transactions from Egypt represent a very small percentage of the queries to iovation’s service, it has a ripple effect that’s felt by a wide variety of our customers.”

NPR reports “Egypt has apparently done what many technologists thought was unthinkable for any country with a major Internet economy: It unplugged itself entirely from the Internet to try and silence dissent. Experts say it’s unlikely that what’s happened in Egypt could happen in the United States because the U.S. has numerous Internet providers and ways of connecting to the Internet. Coordinating a simultaneous shutdown would be a massive undertaking.”

And while experts say it is unlikely in the U.S., a bill is in fact being proposed to unplug the Internet. “Legislation granting the president internet-killing powers is to be re-introduced soon to a Senate committee, the proposal’s chief sponsor told Wired.com.” Scary stuff.

iovation, is headquartered in Portland, Oregon, and has pioneered the use of device reputation to stop online fraud and abuse. The software-as-a service used by online businesses assesses risk of Internet transactions all over the world and recognizes if a device such as a PC, tablet or smartphone has a history of fraudulent behavior. This helps organizations make educated decisions if they want to do business with the person using the device.

In the article, “Report: Stolen data sold over online black market,” the security firm revealed that cyber criminals have set up shop online to buy and sell everything from stolen bank account information, credit card numbers and passwords to consulting and technical services around developing and operating fake online stores.

Impersonating hackers to gain entry into the online black market, PandaLabs researchers discovered an online catalog of an array of products and services that include:

• Credit card details – $2-$90
• Physical credit cards – $190+ cost of details
• Bank credentials – $80-$700 (with guaranteed balance)
• Online stores and pay platforms – $80-$1,500
• Designing and publishing of fake online stores – Pricing varied according to project

This is yet another prime example of how the bad guys are highly organized and have sophisticated operations that mimic traditional business techniques. Today’s cyber criminals are motivated by financial gain, and it’s operations like these that give other aspiring hackers the tools they need to defraud businesses over and over again. As criminals work together to increase their chances of success (not to mention strengthen their numbers), we, too, have to collaborate and deploy complementary anti-fraud defenses for stronger protection against more sophisticated forms of online fraud and abuse.

iovation has been providing fraud prevention and anti-money laundering services to the gaming industry for the past 6 years.

In 2010 alone, iovation screened nearly 2 billion transactions and stopped over 35 online fraud attempts. The IGA has recognized iovation’s fraud prevention service for the strong results it has provided to gaming operators such as William Hill, Entraction and WagerWorks. The IGA technology provider award recognizes innovative services that have helped gaming operators increase their profitability, productivity and efficiency.

In the case of WagerWorks, iovation has helped identify hundreds of fraudulent accounts that prevented tens of thousands of pounds in lifetime losses. With Entraction, the ability to stop repeat offenders reduced chargeback rates to nearly zero, providing a 5x return on investment with iovation.

The IGA awards will be announced at a January 24th ceremony that kicks off the annual ICE Totally Gaming Conference in London. If you plan to attend this year’s event, look us up at booth #5117 and learn more about how iovation protects online gambling sites from financial fraud, player collusion, bonus abuse and more.

As the travel and leisure industry continues to fight various consumer scams, having the right fraud prevention tools in place is essential to stopping criminal activity that directly impacts businesses and consumers. This partnership complements TWS’s continued commitment to help their online merchants boost profits and operate more effectively.

By having access to half a billion device reputations and their associated devices and accounts through iovation’s ReputationManager 360 fraud protection service, TWS’s client base has the ability to avoid fraud losses by preventing sophisticated online crimes and shutting down entire fraud rings that unknowingly exist within their network.

Led by a highly qualified team of technical and sales experts experienced in international commerce and technologies, TWS provides consulting services to the travel and leisure industry, and beyond. They will market and sell our fraud prevention services to online travel merchants looking to reduce fraud losses and protect their brand.

1. Combining Device ID with Velocity-based Rules Packs a Powerful Punch Against Online Fraud
Velocity-based rules have long been used by merchants to identify potentially fraudulent online behavior. Unfortunately, velocity checks alone are of limited value against sophisticated fraudsters who know how to assemble multiple accounts to look completely different. Combining device identification with velocity-based rules provides a powerful one-two punch for identifying suspicious activities and stopping fraud that operates under the radar of many fraud detection systems.

2. Fraud Prevention is Not About ‘Cookie or No Cookie’ – It’s About a Defense-in-Depth Approach
Effective fraud prevention is not about collecting cookies or not collecting cookies, and it’s not about relying on any single technology or approach. It’s about using a comprehensive, multi-layered and adaptive approach that provides real results for online businesses. iovation’s defense-in-depth approach includes native client device recognition for standalone applications downloaded by end-users, collaboration between native recognition clients and our web client, pattern matching to provide recognition when tags like browser and flash cookies have been cleared and multi-level risk analysis through configurable business rules.

3. Exposing Device History Reduces ‘Friendly Fraud’ Rate
For many online merchants, friendly fraud is a persistent problem. While MasterCard says 70% of all e-commerce chargebacks are identified as fraud, more and more cardholders are committing friendly fraud due to buyers’ remorse or financial hardships. iovation assesses risk on all incoming transactions and identifies whether the device being used has committed friendly chargebacks on other websites. By leveraging known intelligence and inference of risk while website visitors interact on a website, the business can set that transaction to “Review” or “Deny” when risk level thresholds are met.

4. Fraud Scoring and Weighted Business Rules For Effective and Efficient Decision Making
As more online retailers go global, merchants must take a proactive approach to protect their business environments from fraudulent orders and safeguard cardholder data. Fraud and risk scoring tools such as velocity behavior, IP address and device ID provides multiple data points beyond the actual card data to help merchants set parameters for scoring online transactions. As a result, online businesses make decisions faster, accepting good orders and denying bad ones without impacting the user experience.

5. Latest Crime Fighting Duo: Real-Time Risk and Device Reputation
As hackers perpetrate criminal activity across the Internet to steal people’s identities and use that information against organizations to commit all types of identity fraud, anti-fraud tools that work independently of each other are not as effective as solutions that work together by design. iovation’s risk mitigation service uniquely combines real-time risk evaluation and device reputation — two complementary transaction risk analysis features by nature — to provide a stronger, more powerful defense against more sophisticated and evolving cyber crimes.

I appreciate you taking the time to read this blog. I look forward to discussing the most important issues and activities that impact the security industry in 2011. And as always, if you have specific topics that you would like iovation to cover, please send those to info@iovation.com.

There are many facets to building a highly available, lightning fast infrastructure (which we will cover in more depth in future blog posts), but today I would like to start at the very beginning with our DNS architecture.

The first thing that happens when an iovation ReputationManager 360 customer (or a customer’s end user) tries to connect is a DNS (Domain Name System) lookup to convert a name (like www.iovation.com) to an IP address (74.121.28.140).  This DNS query must complete before any further interaction with the service can proceed.

To make this as fast and reliable as possible, iovation leverages IP Anycast technology. Anycast allows DNS requests to be handled by the closest member of a global cluster consisting of 17 distributed nodes (with 5 more on the way).   Without IP Anycast technology, requests are randomly routed to a single server, which may be half way around the globe.

Beyond the speed aspect, Anycast DNS also has a number of other advantages over Unicast.  With Anycast, the loss of a single node does not impact the ability to resolve DNS. Requests are simply routed to the next closest node.  This distributed architecture helps protect against Denial of Service attacks by spreading the load among the entire cluster and by limiting attacks to the region from which they originate.

As a quick example, let’s run a traceroute from my house (in Portland, Oregon) to one of iovation’s DNS servers, ns1.p20.dynect.net.

admin@router:~$ traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1 L100.PTLDOR-VFTTP-18.verizon-gni.net (98.108.131.1)  5.044 ms  5.046 ms  5.031 ms
2  184.19.244.32 (184.19.244.32)  4.982 ms  4.969 ms  4.961 ms
3 so-7-3-0-0.SEA01-BB-RTR1.verizon-gni.net (108.57.128.160)  9.898 ms  9.890 ms  9.876 ms
4  0.so-0-3-0.XT1.SEA7.ALTER.NET (152.63.105.169)  37.321 ms  37.308 ms  37.294 ms
5  0.so-6-0-0.BR1.SEA7.ALTER.NET (152.63.105.113)  12.279 ms  12.250 ms  12.233 ms
6  204.255.169.74 (204.255.169.74)  12.218 ms  12.425 ms  12.411 ms
7  po-3.r00.sttlwa01.us.bb.gin.ntt.net (129.250.4.178)  12.398 ms  12.385 ms  12.369 ms
8  fa-4-4.r00.sttlwa01.us.ce.gin.ntt.net (198.104.202.66)  12.355 ms  12.435 ms  12.422 ms

Not bad! Less than 13 ms round trip to the node in Seattle. But we would expect low latency between Portland and Seattle, so let’s go run the same test from a computer located in Chicago to the same iovation DNS server.

[root@prextmon01 ~]# traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1  173-203-80-2.static.cloud-ips.com (173.203.80.2)  21.168 ms  21.425 ms  21.662 ms
2  core1-aggr301a-1.ord1.rackspace.net (173.203.0.168)  0.434 ms  0.526 ms  0.549 ms
3  vlan901.edge1.ord1.rackspace.net (173.203.0.33)  0.317 ms  0.358 ms  0.412 ms
4  xe-7-1-0.edge1.Chicago2.Level3.net (4.71.248.53)  0.795 ms  1.938 ms  1.938 ms
5  ae-2-52.edge4.Chicago3.Level3.net (4.69.138.166)  34.377 ms  0.947 ms  0.961 ms
6  xe-6-2.r02.chcgil09.us.bb.gin.ntt.net (129.250.8.77)  1.203 ms  1.172 ms  1.193 ms
7  ae-3.r21.chcgil09.us.bb.gin.ntt.net (129.250.2.72)  1.239 ms 1.332 ms 1.253 ms
8  po-4.r00.chcgil09.us.bb.gin.ntt.net (129.250.2.208)  1.224 ms  1.191 ms
9  ge-7-15.r00.chcgil09.us.ce.gin.ntt.net (128.242.180.110)  1.325 ms 1.393 ms 1.435 ms
[root@prextmon01 ~]#

This path is actually faster, taking only 1.4ms. This query was handled by the Chicago Anycast node rather than having to come all the way back to Seattle. This is precisely the magic of Anycast.  This same scenario holds true for queries issued in Japan or Germany – they get routed to their closest node.

Without Anycast, just imagine how bad this problem is for customers that have globally distributed users with many outside the United States.  Connectivity from the other side of the globe is a minimum of 250ms round trip (and often times much longer). That delay can add up quickly if you’ve got multiple round trips to your SaaS providers.

It’s important to consider things like globally distributed DNS infrastructure when integrating third party services with your site to make sure the value from the SaaS you’re buying isn’t offset by slower page loads for your users.

This is quite an honor for a team so dedicated to building and delivering solutions to help online dating sites protect their business and members from fraud and abusive behavior.

Released in the fall, ReputationManager 360 steps up the defense against online crime activity and abuse by combining customizable business rules, risk profiles, device anomalies, and the firsthand experience of 2,000 fraud analysts around the world.

eHarmony’s Director of Risk Management, Ella Grutman, states, “eHarmony continuously identifies and applies the latest and best fraud protection tools. iovation offers the most comprehensive and effective option to augment our current methods.”

It’s truly this type of third-party recognition, along with real-world results like helping another leading dating site stop 3,000 fraudulent profiles from being created every day, that validates the impact we are having in the online dating world, and makes us all really proud of what we do.

Voting for the 2011 Internet Dating Industry Awards is open to the public through January 4, 2011. To place your vote for iovation, just go to www.idateawards.com.

Many companies are working hard to deploy effective security tools to protect their own organizations’ IT environments as well as their valued customers from online threats. The goal is to find a balance and a cooperative strategy to implement anti-fraud protections and management techniques that work together, however in many cases these tools end up working independently of each other and are not as effective as solutions that work together by design.

Like any great crime fighting duo, iovation’s comprehensive ReputationManager 360 risk mitigation service combines real-time risk and device reputation — two complementary transaction risk analysis features by nature — to provide a stronger, more powerful defense against more sophisticated and evolving cyber crimes.

iovation’s shared Device Reputation Authority database of more than 450 million Internet-enabled devices including computers, tablets and mobile phones provides the data, analytics and reporting capabilities that organizations need to effectively and efficiently assess transaction risk and make instant decisions on all online requests. Combined with real-time risk evaluation, iovation enables organizations to:

• Identify suspicious activity in real-time
• Instantly know when a fraudulent device touches their website
• Quickly evaluate transaction risk based on fraud histories, anomalies and device profiles
• Deny bad orders and process legitimate orders faster

This proven crime fighting duo of real-time risk evaluation and device reputation is unique in the security industry. Combining this type of knowledge, expertise and speed can play a critical role in solving the online fraud challenges that many businesses face today.

Fraudsters excel at hiding their true identity. True professionals in the field of fraud detection and prevention must employ a defense-in-depth approach, and iovation deploys one of the most sophisticated with a multi-tiered approach to recognize trouble when it is near. Our innovative service to recognize risk has been constantly refined over the past six years.

We use tried and true approaches such as tokens, or cookies, along with sophisticated and unique pattern matching that can only be derived from our extensive and unique experience with our shared reputation database, profiling based on billions of device and account relationships, and finally risk models honed over the years and several other strategies that are a part of our secret sauce. All of these contribute to a highly flexible and effective model that is hierarchical and adaptive to both the situation and the customers’ tolerance.

iovation’s Defense-in-Depth Approach includes:

• Native client device recognition for standalone applications downloaded by your end users – A unique capability to add device reputation into our client’s downloaded applications
• Collaboration between the native recognition clients and our web client – To provide a unique “one-two punch” that gives iovation the best device recognition capabilities in the industry
• Pattern matching to provide additional recognition opportunities even when tags like browser and Flash cookies have been cleared (or private browsing features are in use)
• Multi-level risk analysis through configurable and real-time weighted business rules

Tokens, cookies, and local stored objects, are table stakes for any device identification provider and are relatively reliable methods since they can easily be uniquely identified. When leveraging tokens placed from a prior visit, either to your site or another iovation customers’ site, the device is recognized and within milliseconds our risk assessment takes place. But if the bad guys are trying to hide, they might have tried to clean up the crumbs.

Pattern Matching

With iovation, if no tokens are found, the next tier of defense is our industry-leading pattern matching, also known as adaptive logic. As opposed to relying on exact attributes, patterns deliver high confidence while allowing for changes over time. Based on our experience assessing risk for more than 4 billion transactions, we have an extremely large amount of data to build patterns from. Each pattern has a ‘time to live’ and is updated every time we see another device that matches the pattern. If there is no match, the new pattern is automatically evaluated for effectiveness and added to the series. Each pattern has a confidence factor that increases as the pattern proves effective at identifying the device.

Profiling and Real-Time Risk Evaluation

The next tiers are profiles and real-time risk evaluation. Profiles, like patterns, use statistically proven combinations of transaction elements to contribute to risk scores. Real-time risk takes all of the elements into account (including velocity triggers, geographical issues where the true location is masked, device anomalies and more) to produce a final risk score.

Effective fraud prevention is not about collecting cookies or not collecting cookies, and it’s not about relying on any single technology or approach. It’s about using a comprehensive, multi-layered and adaptive approach that our customers find highly effective over the long run, and millions of times each day.

According to Errol Weiss, who runs the Financial Services Information Sharing and Analysis Center (FS-ISAC) corporate account takeover task force, the effort by his group and other federal law enforcement agencies is to make businesses and consumers more aware of this type of cybercrime and provide recommendations on how they can protect themselves against such attacks.

“Educating all stakeholders (financial institutions, businesses and consumers) on how to identify and protect themselves against this activity is the first step to combating cybercriminal activity…The information contained in these advisories is intended to provide basic guidance and resources for businesses to learn about the evolving threats and to establish security processes specific to their needs.”

Since 2004, iovation has been providing business intelligence to clients about account takeovers and hijack attempts. The devices used to maliciously compromise other people’s accounts are closely tracked in the Device Reputation Authority database and this evidence of fraudulent activity is shared with all iovation subscribers, so that they can have prior knowledge and use that intelligence when deciding whether or not to allow a particular device access to their online business.

Of the total number of account takeover attempts reported by iovation’s cross-industry customers, over the past 90 days, 50% came from businesses representing online communities such as Internet dating sites and social networks. Online retail customers accounted for 36%, while 11% of account takeover attempts during this time were reported by iovation’s massively multiplayer online (MMOs) and social gaming customers.

Clients use iovation ReputationManager 360 to assess risk on all incoming transactions. This comprehensive service combines shared evidence of fraud and abuse from the world’s leading brands, configurable advanced real-time business rules, account relationships, device profiles and anomaly checks.

As more and more merchants offer mobile payment options to their customers, cyber criminals are quickly moving into the mobile channel. In the Digital Transactions article, “Mobile-payments fraud starts to take its toll,” a recent study by Javelin Strategy & Research found that fraud losses from mobile payments as a percentage of total revenue were 1.13% compared to the 0.83% for online-only merchants and 0.86% for multi-channel merchants.

This trend doesn’t surprise Jim Rice, director of market planning for retail and e-commerce marketing at LexisNexis Risk Solutions. While the mobile channel represents a new way for businesses to connect with their customers, it’s also another opportunity where fraudsters will try to make a dishonest buck.

“It’s clear that [as] retailers are moving into that direction, retailers are experiencing significantly more fraud as a percentage of sales.”

Of the 1,000 risk-control retail executives surveyed, attempted mobile fraud had a slightly higher success rate than fraud attempts through most other channels. Merchants accepting mobile payments reported being hit with an average of 3,385 attempted fraudulent transactions per month, with 1,287 getting through undetected for a fraud success rate of 38%. Multi-channel merchants reported 2,142 fraud attempts per month and 769 going through for a fraud success rate of 36%. For online-only merchants, the respective figures were 1,049, 531 and 37%.

While it’s not entirely clear what makes the mobile channel risky, Rice noted that smart phones or cell phones with a mobile browser move around, which means merchants have less assurance that the transaction originator is the phone’s rightful owner. Despite the fear of fraud, merchants likely won’t stop offering mobile payments because of the channel’s upside as more customers get comfortable making payments through their mobile devices.

Similar Mobile Fraud Trends seen in iovation’s Device Reputation Network

iovation protects online businesses and their end users against fraud and abuse through our combination of shared device reputation and real-time risk evaluation.  Managing the world’s largest database of Internet devices (computers, tablets and mobile phones) and the network of relationships between them to determine the level of risk, we have seen an upswing in fraud attempts in mobile transactions.

Over the past 90 days, we’ve processed 8 million device reputation checks on mobile devices alone for our customers. Based on their uniquely configured business rules, 44,000 mobile transactions proactively returned ‘denied’ or “review” responses. Of those mobile devices checked, 43% were iPhones, 21% were Android, 12% were Blackberries and 24% were other mobile devices. The most common mobile fraud reports from online businesses have included credit card fraud, chat abuse and account takeover.

iovation Leads Mobile Fraud Detection Roundtables on October 25th

On Focus Day, October 25th, I will be leading six Mobile Anti-Fraud Roundtable discussions at the Mobile Shopping Summit in New York City. The Summit brings together mobile payment executives from retail, entertainment, travel, retail banking and utilities business to network and discuss the latest technologies and opportunities in mobile commerce. During our roundtable discussions we will be sharing information on new trends emerging from cyber criminals using mobile devices, how merchants are interacting with mobile devices through browser-based and native applications, understanding how mobile phone reputations can be leveraged, and risk scoring and/or rule-based models that merchants can use to further assess risk.

In a nutshell, merchants must take a proactive approach by adopting tailored fraud and risk management solutions to protect their businesses. As fraudsters become more sophisticated, Badran said protecting an online business environment from fraudulent orders and safeguarding cardholder data is critical to overall business revenues and brand reputation.

“Merchants risk incurring damage to their reputation and brand, and the consequences associated with loss of trust from customers are difficult to overcome. Merchants simply cannot ignore the impact of fraud to their business and their bottom line.”

According to Badran, one way to help mitigate bad orders is to implement fraud and risk scoring tools that provide multiple data points beyond the actual card data. Information such as velocity behavior, bill to/ship to address, IP address and device ID can help merchants set parameters for their businesses and score online transactions.

“Fraud scoring tools can help in making the right automated decisions quicker and more effectively during high-volume periods so that you are able to accept more good orders and reduce the number that may result in chargebacks.”

One way iovation helps online merchants make decisions in an efficient and effective manner is by offering customizable real-time business rules.  Within the latest release of ReputationManager 360, weighted business rules allow our customers to define a set of rules that, taken together, reflect a more accurate measure of risk for each transaction.

Here’s how Weighted Business Rules work:

1. Define the rules to be used at a specific website interaction point such as login or checkout
2. Assign a weight that reflects the risk associated with each rule
3. Set threshold limits to reflect Accept, Deny or Review (A, D, R) real-time responses
4. Once implemented, all rules will be tested within the set and a Transaction Score will be calculated for those rules that were ‘true’
5. The real-time response (A, D, R) returned is determined by where the Transaction Score falls within the thresholds.

In the example above, an online business has chosen to create a rule set that contains rules for:

• Velocity (such as the number of devices that touch a particular account within a period of time)
• Evidence (such as financial fraud evidence exists on this account)
• Geolocation (such as a high-risk IP range)
• Anonymous Proxy (such as users hiding their IP address or making it appear they are coming from another location)
• Anomaly (such as a timezone/geolocation mismatch)

While all business rules were checked, only two returned a ‘true’ response, velocity and evidence.  The weights associated with these two rules created a Transaction Score of -125.  The threshold previously set by the business states that anything less than -100 would automatically return a ‘deny’ response for this transaction, hence rejecting the high-risk transaction.

Within each of these rule categories, multiple rules exist and can be applied and customized by our customers.  Additional categories such as Risk Profiles and Watch Lists are also available. Based on the customized business rules set, iovation’s customers are able to automatically Accept, Deny or Review any transaction at any integration point — including (but not limited to) account creation, login, account change, deposit or withdrawal and checkout.  As a result, online businesses can accept good orders faster and reduce bad ones without impacting the business process or end user experience.

Studies like these continue to remind us of how vulnerable consumers are to the growing threats that exist online. Unfortunately, the second victim to these crimes are the online merchants that are targeted by cyber criminals using stolen data to commit fraudulent transactions.

From a business perspective, iovation closely tracks countries that have high online fraud rates through the 5 million device reputation checks it processes daily. Based on the percentage of transactions denied out of the total number of transactions from that country in the last 90 days, the top 5 countries experiencing the highest levels of online fraud include Ghana, Romania, Nigeria, Korea and Israel.

While most of the online transactions we look at are from the U.S., the percentage of those that are denied is only 0.98%. As a result, the U.S. ranks 24th on our list of countries with the highest percent of total transactions denied.

Either way you look at it, online fraud and abuse continues to have a psychological and financial impact on both consumers and businesses around the globe. For the e-commerce industry, educating consumers about emerging security threats and implementing tools that stop more sophisticated attacks is critical to reducing fraud rates that continue to impact the financial well-being of online merchants and their customers.

With only three months remaining, iovation has already increased the annual growth rate for processed transactions by 67% over 2009. With more than 3.9 billion cumulative device reputation checks processed for e-commerce, financial, travel, gaming and online communities today, we expect to break 4 billion early in Q4.

We’ve also increased the overall number of unique devices by 110% over last year. Starting in 2006 with 5 million devices in our system, we now manage more than 390 million unique devices (including PCs, Macs, iPads, iPhones, Blackberries, Android, etc.). Surpassing 400 million unique devices is just on the cusp.

With cybercrime fraud losses more than doubling in 2009, Internet-based businesses need security solutions that allow them to proactively identify and make educated decisions on all incoming transactions. Through fraud and abuse evidence submitted by our worldwide, cross-industry subscriber base, iovation ReputationManager 360 combines device and account profiles, analytics, custom reporting, real-time business rules, device anomalies, and the experience and expertise of over 2,000 fraud analysts to help customers make quick, confident decisions on every online transaction request.

Since device recognition provides the platform for iovation’s Device Reputation service, we recently conducted a study to examine device shelf-life. The study looked at all transactions seen by ReputationManager over a multi-day period and identified the age of each device associated to fraudulent behavior during that period. The distribution of devices by age—depicted in the chart below—shows that 57 percent of devices involved in fraud during that period were initially identified by iovation more than 90 days prior to the transaction.

What this suggests is that iovation’s ability to continue to recognize older devices provides significant uplift to its subscribers, and conversely that systems which assume a shorter device shelf-life may be missing important opportunities to identify fraud.

Risk scoring, when you boil it down, is the simple process of taking the data you have available about a given transaction and the device requesting that transaction, and measuring characteristics that would lead you to believe that it is either valid or risky. Most device-based risk scores, including those offered by iovation, incorporate common types of risk elements in their scoring. These may include:

• Velocity-based Rules – Measuring device activity in a given time frame
• Transaction Anomalies – Device characteristics that indicate the device is masking its identity, such as using an anonymizing proxy, or disabling technologies like flash

What sets iovation apart is the growing network of businesses it protects that leverage and contribute to the Device Reputation Authority (DRA). This database of over 350 million device reputations is queried more than 5 million times per day by iovation clients.

The Device Reputation Authority contains historical information about specific fraud and abuse occurrences by the device used. We use this information to further assess transaction risk for our customers in the following unique ways:

• Global Account Associations – Looking at extended relationships between devices and shared accounts that are evident in fraud rings and targeted fraud
• Factual Evidence of Fraud – Whether the information comes from a close partner, a peer, or a company in a completely unrelated industry, direct evidence of fraud on a given device is one of the strongest correlations to transaction risk a customer can have.
• Profile Risk – Profiling harnesses the power of shared factual evidence in the reputation system to measure the similarity of the device in the current transaction to those devices that have been seen across iovation subscriber sites in the past. A high ratio of known bad devices in the set of similar devices is a very strong risk indicator.

These three risk elements are tremendously valuable to our customers who find over time that either factual evidence or profile risk are so strongly correlated with fraud that it can cut their review time down substantially for those transactions.

In the world of risk scoring, cloud services, and crowdsourcing, it is proven that leveraging information from larger affinity groups provides unmatched effectiveness. When a company is combating highly sophisticated fraudsters determined to defeat their defenses, what risk analyst wouldn’t want to know that a device trying to create an account or make a purchase had previously been flagged for fraudulent activity? Adding this data to risk scores increases their ability to shine light on fraud that might otherwise remain hidden.

The government’s voluntary Identity Ecosystem is an ambitious, but evolutionary step in securing online transactions and activities. However, it manages to fall short in circumventing fraudsters and raises the ire of privacy advocates. In contrast, device reputation and risk assessment, which uses device fingerprints to identify known fraud device reputations, focuses on recognizing and blocking the devices fraudsters use rather than the people themselves. This is an important point for the nefarious that don’t want to be identified, the paranoid that don’t want an online identity, and the rest of us whose personally identifiable information has been too easily compromised in the past.

With over 10 million Americans becoming victims of identity theft each year, solutions such as device reputation preserve the privacy for end users while still offering the fraud and abuse fighting benefits that strong systems require to protect their business and online users. As a result, devices can play a critical role in raising trust associated with online IDs and in the government’s plan for securing identities in online transactions and creating a trusted online environment. In order for the plan to be put into action, it will take time, but today there are many technologies already available that the government should consider for the underlying infrastructure that supports this national strategy.

iovation’s Device Reputation Authority (DRA) contains a plethora of information around devices, accounts, transactions, reports of fraud and abuse and more, all used to detect and prevent online fraud and abuse for businesses and their customers. It leverages customizable business rules, risk profiles, direct experiences with scammers as well as the experiences from the world’s leading online brands, all for the highest level of online fraud protection. iovation combines cross-vertical fraud prevention expertise with unmatched device recognition technology. This offering already protects over 300 major online brands from fraud and abuse today, such as financial fraud, shipping fraud, affiliate fraud, chat abuse, spam, scams and solicitations, identity theft, phishing, account takeovers, and more.

1. Account creation / application fraud – In this case, a fraudster uses a stolen identity to apply for an account online to order phones and services.  After initiating a shipping scheme to obtain the goods, the fraudster runs up the phone bill until the carrier or identity theft victim uncovers the charges.Much like credit issuers, carriers perform comprehensive identity and financial background checks on applicants, however, the checks are on the identity theft victim.  By adding a device check at the front of the process (which looks at the computer or Internet-enabled device being used), carriers can quickly identify suspicious activity such as when the same computer initiates multiple applications under various identities, or if the computer being used has been involved in previous fraudulent activity.
2. Account takeover – This crime targets people with existing business or personal accounts. If the cyber criminal is unable to hack directly into an existing account, a phishing attempt occurs to obtain the credentials needed to access the account. Once in, sub-accounts are created that the legitimate user may not immediately notice. The fraudster places orders for phones and service through sub-accounts against the victim’s credit lines. Criminal activity against business accounts is particularly costly to the carrier.For businesses not yet using device identification or fingerprinting techniques, they do not see the relationships that exist between fraudulent accounts.  With iovation ReputationManager, hidden relationships are exposed between fraudulent devices and their associated accounts. When the device (or set of devices) logs into multiple wireless accounts that otherwise appear unrelated, fraud rings are exposed and multiple compromised accounts can be shut down at once.
3. Hacking reseller accounts to purchase equipment – This is a costly expense for resellers because they discount the price of the phones below what they actually paid for them. For example, a $100 Blackberry on the market may have cost the carrier $300. When a fraudster purchases a phone with a stolen identity, receives it and adds a new SIM chip, they now have a perfectly good new phone. After paying for service, they will sell it on an Internet auction site. If they get as much as half the retail value, they’ve made out.
4. Prepaid phone fraud – There’s two issues around prepaid. First, there’s the use of stolen credit cards to top-up the service. Because of the anonymity of buying a prepaid phone, there’s no credit check performed if a fraudster purchases through a local retailer or orders online. So when the fraudster goes online to order additional minutes, the carrier is unaware that they’re using a stolen credentials because they don’t know who is behind the phone. Knowing that the top-up request came from a known fraudulent device is an extremely effective way of stopping all of the bad transactions coming from the device.The second issue wireless carriers deal with is answering subpoenas about prepaid phones. Because many organized criminals use multiple phones for fraud activity, when their minutes run dry they toss the phone. With iovation, if the carrier is subpoenaed about a specific phone, forensic intelligence can be provided to law enforcement about additional phone numbers associated with the device that used the stolen credit card to purchase the phones

The biggest driver behind many of these mobile phone crimes is that criminals can obtain phones without walking into a retail store – they can now run their operation from the web. As a result, the carriers are facing rising criminal threat. By layering strong anti-fraud solutions which include the device, carriers can address both the credit application side of the business as well as the retail side.

With four main areas of exposure, mobile phone carriers must be armed with a solution that covers new account origination, existing account management, and prepaid. iovation covers all three sectors. Many times these sectors are distinct and separate with a company, and have different risk and fraud departments to handle them. With iovation, we bridge the gap between all lines of business to prevent the growing fraud challenges of mobile phone theft and fraud.

AlwaysOn asserts that the selected companies are developing game-changing approaches and technologies that are likely to disrupt existing markets. Selection criteria include innovation, market potential, commercialization, shareholder value and media buzz. Quoting Tony Perkins, founder and editor of AlwaysOn:

“As the digital information created by businesses continues to explode at astronomical rates, the need to store, manage, and share this information is becoming extremely challenging. By providing innovative technologies that help enterprises better compete in this new era of information complexity, the OnDemand 100 represent some of the highest growth opportunities in the private company marketplace.”

It’s an honor to be recognized by industry experts for pioneering the use of device reputation to help online businesses fight fraud and abuse. The only thing better is recognition from customers that use our service every single day.

Along with the more obvious benefits of a growing customer base, more customers means more feedback. Just this morning I was checking in with one of our newest financial services customers. They were very happy with the ROI on our service and highly complimentary of our team. And last week I ran into the CIO for the Portland Trail Blazers at a business function – GO BLAZERS! Seeing ‘iovation’ on my name tag he went out of his way to explain how much he appreciates our service and how we have helped them significantly reducing fraudulent ticket sales.

It’s always great to hear that we have a valuable service and even better to hear customers compliment our people. We really do have a great team that genuinely cares and will do whatever it takes to help our customers. While most of the praise is heaped on our client services organization – which makes sense since this is the part of the organization that fights the good fight side-by-side our customers every day – it’s deserved across the board.

And speaking of positive energy, I love that our customers are sending us pictures of their fraud teams from around the world all wearing our coveted iovation ‘virtual crime fighter’ shirts. For a growing number of folks on the iovation team here in Portland, this has also become the unofficial Friday uniform.

A little recognition, happy customers and happy employees. Nice.

Over the years, online schemes operating out of Nigeria have cost victims millions in fraud losses. The proposed conference of worldwide anti-fraud, economic and strategic Nigerian government agencies and groups will evaluate the country’s electronic payment system and ensure that measures are taken to protect public funds for a new payment system and other online transactions.

The decision to meet in Nigeria was based on statistics that revealed increasing levels of cyber crime globally. Bassey Etim, Coordinator of the National Assembly Anti-Money Laundering and Cyber Security Coalition, said Nigeria’s case is especially disturbing because there is an absence of adequate legislation to protect agencies, corporations and the federal government from falling victim to online fraud.  “The global economy is invaded by cyber crimes and terrorism of which, if urgent steps are not taken to stem down the increasing wave of internet fraud globally, especially in Nigeria, government would be losing so much to cyber criminals.”

The fact that many of the world’s countries are starting to work together to combat online fraud tells me that online fraud is becoming front and center on many political and economic agendas. And that’s a good thing. Meeting in the backyard of one of the world’s most notorious cyber crime hotspots is a big step for the lawless Nigeria, and for the rest of the world, as well.

In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you’re already a step ahead of me – we design in depth.

The easiest method of identifying a device may be to simply write a cookie to the browser.  But we all know how easy it is to defeat that method when you’re aware of it – you just delete them.

IP address also sounds like a decent attempt at identifying a client.  For a good number of home broadband users, IP address isn’t bad, and even for corporate users, you may luck out and only find a few computers lurking behind any given firewall.  There are many ISPs like AOL) that are known for their use of proxy servers, however, and any decent size organization could be hiding thousands of machines behind any given IP address.

Browsers also publish a User-Agent string, a description of the type and version of browser being run.  These user-agent strings can provide a good deal of rich information about the browser, but they are pretty blunt hammers, narrowing down the range of possible matches to somewhere north of one in a thousand.

Each of these sources of data – browser cookie, IP address, and User-Agent string – is interesting by itself, but using them in concert to begin to build a view of the client computer from a number of different angles starts to look promising.  Each one is spoofable to varying degrees, and each one has issues with uniqueness, but each operates through a different channel to provide its information, and thus requires a different strategy to avoid detection.

All of this is to say that there is no single unique value (or simple combination of values) hiding on the Web – device recognition requires a multi-layered solution.  As iovation’s business has grown over the last five years, we’ve evolved from a native library device recognition service into a full spectrum reputation service supporting native and web integrations, business rules, pattern matching, and risk scoring. The capabilities we have in place have been built with the future in mind to support collection and analysis of reputation tracking on new transaction elements, and discovery of new risk indicators to continually improve real-time decision making for our subscribers while growing the Internet’s definitive online reputation authority.

The end result of such a multi-layered approach, an approach of “recognition-in-depth”, is that we don’t have to rely on any one technology to provide us with enough information to confidently recognize devices on the Web.  In the ever-evolving landscape of Internet technology, that layer of insulation is a must – reliance on a single strategy means brittleness in the face of change.  For example, Gartner Research recently published a research brief titled, Privacy Collides with Fraud Detection and Crumbles Flash Cookies,  suggesting that companies avoid reliance on Flash stored objects completely, as the technology may be short for this world.  Multi-layered device recognition means that we can still sleep at night when Flash fades away – and that means you can, too.

The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers.

The same basic principle of creating a more comprehensive defense by layering tools and diversifying methods can (and should) be applied to fighting online fraud. To successfully combat online fraud, a fraud management system should include the following layers of defense: 1) validation of credit data; 2) data mining of personal information supplied by the user (i.e. shipping address, address verification, and in some instances even SSN); and 3) device identification and validation of device reputation.

Combining these fraud prevention methods at multiple locations throughout a website establishes important obstacles to both first-time and repeat offenders. Even if criminals are able to bypass one method of detection by using  fraudulent credit or personal information, they may be identified through device identification as a suspected or known criminal. That’s why the best offensive against cyber crime today is a multi-layered defense.