<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>iovation Online Fraud Prevention Blog - News about Device Identification, Device Reputation &#38; Risk Management &#187; defense in depth</title>
	<atom:link href="http://blog.iovation.com/tag/defense-in-depth/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.iovation.com</link>
	<description>protect online businesses from cyber criminals</description>
	<lastBuildDate>Thu, 02 Feb 2012 01:25:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Defense-In-Depth Fraud Prevention Strategy Needed to Stop Evolving Romance Scams</title>
		<link>http://blog.iovation.com/2010/07/21/fraud-prevention-strategy-to-stop-evolving-romance-scams/</link>
		<comments>http://blog.iovation.com/2010/07/21/fraud-prevention-strategy-to-stop-evolving-romance-scams/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 17:24:55 +0000</pubDate>
		<dc:creator>Max Anhoury</dc:creator>
				<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[anti-fraud tools]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[fraud management tools]]></category>
		<category><![CDATA[online dating fraud]]></category>
		<category><![CDATA[online scams]]></category>
		<category><![CDATA[romance scams]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=2429</guid>
		<description><![CDATA[When it comes to online dating scams, we all like to believe we learn from our own, and others’, experiences. But according to new statistics on Romancescams.org, a website dedicated to fighting online romance scams, the average loss per person involved in a romance scam has climbed to a staggering $11,500. That’s up from a [...]]]></description>
			<content:encoded><![CDATA[<p>When it comes to online dating scams, we all like to believe we learn from our own, and others’, experiences. But according to new statistics on Romancescams.org, a website dedicated to fighting online romance scams, the average loss per person involved in a romance scam has climbed to a staggering $11,500. That’s up from a 2007 report in which the advocacy group cited an average loss per victim of $7,900.</p>
<p>According to the article, <a href="http://www.ocregister.com/news/scammers-257755-sluppick-scams.html">“Website offers forum on avoiding romance scams,”</a> fraudsters continue to successfully scam unsuspecting lonely hearts by using stolen credit cards to join online dating sites and set up fake profiles. From there, they quickly lure their victims off the dating sites and onto more personal lines of communication such as instant messaging and email before romance sites can discover the stolen credit card and pull their fake profiles.<span id="more-2429"></span></p>
<p>Barbara Sluppick, the founder of Romancescams.org, said the problem continues to escalate despite having more information.</p>
<blockquote><p>&#8220;I am sorry to say scams are growing all the time. Phonebusters, the Canadian organization that deals with online scams, recently said that more money is earned in online scams than in the drug trade. Australia recently put together a commission to deal with these scams, as they have discovered their losses are topping $1 million a month.&#8221;</p></blockquote>
<p>While Sluppick and other anti-fraud advocates are doing everything they can to educate the public about scammers and their evolving methods, including posting photos of scammers, as long as fraudsters are able to successfully bypass fraud management tools and techniques to create false identities, the industry will continue to see similar increases in online dating scams.</p>
<p>With scammers continuously providing new information to create multiple profiles, we cannot expect to effectively catch them with tools that solely rely on identifying the person or the false data they provide. As they evolve, so should the methods to detect them. New techniques that don’t rely on personal information to identify and stop fraud are needed to provide a defense-in-depth approach that complements and enhances online dating sites’ existing anti-fraud security strategies.</p>
<p>On July 20th, iovation CEO and co-founder Greg Pierson presented to 800 webinar registrants a comprehensive way to detect criminal activity online without collecting personally identifiable information (PII) or interrupting the user experience. Over 300 major brands (including more than 30 major dating site providers) use iovation’s fraud protection service to protect their members from romance scams, spam, financial fraud and many other forms of online fraud and abuse. To watch the webinar, please visit <a href="http://www.iovation.com/risk-mitigation/?CID=70160000000EOr2" target="_blank">www.iovation.com/risk-mitigation</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2010/07/21/fraud-prevention-strategy-to-stop-evolving-romance-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Multi-Layered Device Recognition Solution Protects Against Weaknesses in Any One Strategy</title>
		<link>http://blog.iovation.com/2010/02/25/multi-layered-device-recognition-solution/</link>
		<comments>http://blog.iovation.com/2010/02/25/multi-layered-device-recognition-solution/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 22:10:39 +0000</pubDate>
		<dc:creator>Scott Franklin</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[device recognition]]></category>
		<category><![CDATA[pattern matching]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=1664</guid>
		<description><![CDATA[The security strategy of &#8220;defense-in-depth&#8221; allows a system or an organization to prevent an attack by coordinating complementary defense techniques, taking advantage of the strengths of each one while relying on the combination to shore up weaknesses in the others.  The end result is a more complex and nuanced system that is resilient to a [...]]]></description>
			<content:encoded><![CDATA[<p>The security strategy of &#8220;defense-in-depth&#8221; allows a system or an organization to prevent an attack by coordinating complementary defense techniques, taking advantage of the strengths of each one while relying on the combination to shore up weaknesses in the others.  The end result is a more complex and nuanced system that is resilient to a much greater number of attacks.</p>
<p>In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you&#8217;re already a step ahead of me &#8211; we design in depth.<span id="more-1664"></span></p>
<p>The easiest method of identifying a device may be to simply write a cookie to the browser.  But we all know how easy it is to defeat that method when you&#8217;re aware of it &#8211; you just delete it.</p>
<p>IP address also sounds like a decent attempt at identifying a client.  For a good number of home broadband users, IP address isn&#8217;t bad, and even for corporate users, you may luck out and only find a few computers lurking behind any given firewall.  There are many ISPs (like AOL) that are known for their use of proxy servers, however, and any decent-sized organization could be hiding thousands of machines behind any given IP address.</p>
<p>Browsers also publish a <a href="http://whatismyipaddress.com/staticpages/index.php/what-is-a-user-agent" target="_blank">User-Agent string</a>, a description of the type and version of browser being run.  These user-agent strings can provide a good deal of rich information about the browser, but they are pretty blunt hammers, narrowing down the range of possible matches to somewhere north of <a href="http://www.eff.org/deeplinks/2010/01/tracking-by-user-agent" target="_blank">one in a thousand</a>.</p>
<p>Each of these sources of data &#8211; browser cookie, IP address, and User-Agent string &#8211; is interesting by itself, but using them in concert to begin to build a view of the client computer from a number of different angles starts to look promising.  Each one is spoofable to varying degrees, and each one has issues with uniqueness, but each operates through a different channel to provide its information, and thus requires a different strategy to avoid detection.</p>
<p>All of this is to say that there is no single unique value (or simple combination of values) hiding on the Web &#8211; device recognition requires a multi-layered solution.  As iovation’s business has grown over the last five years, we’ve evolved from a native library device recognition service into a full spectrum reputation service supporting native and web integrations, business rules, pattern matching, and risk scoring. The capabilities we have in place have been built with the future in mind to support collection and analysis of reputation tracking on new transaction elements, and discovery of new risk indicators to continually improve real-time decision making for our subscribers while growing the Internet’s definitive online reputation authority.</p>
<p>The end result of such a multi-layered approach, an approach of &#8220;<strong>recognition-in-depth</strong>&#8221;, is that we don&#8217;t have to rely on any one technology to provide us with enough information to confidently recognize devices on the Web.  In the ever-evolving landscape of Internet technology, that layer of insulation is a must &#8211; reliance on a single strategy means brittleness in the face of change.  For example, Gartner Research recently published a research brief titled <a href="http://www.gartner.com/DisplayDocument?id=1297620" target="_blank">Privacy Collides with Fraud Detection and Crumbles Flash Cookies</a>, suggesting that companies avoid reliance on Flash stored objects completely, as the technology may not be long for this world.  Multi-layered device recognition means that we can still sleep at night when Flash fades away &#8211; and that means you can, too.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2010/02/25/multi-layered-device-recognition-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fraud Management Requires Defense in Depth, Much Like Enterprise Security</title>
		<link>http://blog.iovation.com/2010/02/19/fraud-management-requires-defense-in-depth/</link>
		<comments>http://blog.iovation.com/2010/02/19/fraud-management-requires-defense-in-depth/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 17:02:04 +0000</pubDate>
		<dc:creator>Scott Waddell</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[device identification]]></category>
		<category><![CDATA[device reputation]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[fraud management]]></category>
		<category><![CDATA[Online Fraud]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=1580</guid>
		<description><![CDATA[It’s been said that the best offense is a good defense. But how do you defend against something that’s always changing? That’s an important question for IT security professionals who know that it’s only a matter of time before cyber criminals find ways to take advantage of the inherent weaknesses in even the best technologies. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.iovation.com/wp-content/uploads/2010/01/iStock_armor.jpg"><img class="alignright size-medium wp-image-1581" title="Fraud management requires defense in depth" src="http://blog.iovation.com/wp-content/uploads/2010/01/iStock_armor-200x300.jpg" alt="" width="200" height="300" /></a>It’s been said that the best offense is a good defense. But how do you defend against something that’s always changing? That’s an important question for IT security professionals who know that it’s only a matter of time before cyber criminals find ways to take advantage of the inherent weaknesses in even the best technologies.</p>
<p>The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit a vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as <a href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1255592,00.html">defense in depth</a>, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers. <span id="more-1580"></span></p>
<p>The same basic principle of creating a more comprehensive defense by layering tools and diversifying methods can (and should) be applied to fighting online fraud. To successfully combat online fraud, a fraud management system should include the following layers of defense: 1) validation of credit data; 2) data mining of personal information supplied by the user (i.e. shipping address, address verification, and in some instances even SSN); and 3) device identification and validation of device reputation.</p>
<p>Combining these fraud prevention methods at multiple locations throughout a website establishes important obstacles to both first-time and repeat offenders. Even if criminals are able to bypass one method of detection by using fraudulent credit or personal information, they may be identified through device identification as a suspected or known criminal. That’s why the best offensive against cyber crime today is a multi-layered defense.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2010/02/19/fraud-management-requires-defense-in-depth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

