The iovation Site

Posts Tagged ‘device fingerprint’

Combining Device ID with Velocity-based Rules Packs a Powerful Punch Against Online Fraud

Monday, January 11th, 2010

Velocity-based rules have long been used by merchants to help identify potentially fraudulent online behavior. Typically, velocity-based rules function by looking at commonalities in personal information, across accounts and transactions. For example, a warning may be set off if multiple accounts, or multiple orders, all have different names but the same shipping address. Another example might be if multiple accounts were all set up using the same password.

Unfortunately, these kinds of velocity checks are of limited value against more sophisticated fraudsters who have the information, the technology, and the general savvy to set up multiple accounts that all, on paper, look completely different—different names, different credit card numbers, different shipping addresses, different IP addresses. (more…)


2009: A Year in Review – A Year’s Worth of Blogs

Thursday, December 31st, 2009

Well, it’s been a good year for our blog. We’ve tried to address a number of topics all relevant to helping businesses fight online fraud. As the year wraps up, I thought it would be a good time to summarize some of the themes from the year and highlight some of our posts. While we touched on a number of topics, a few main themes remained consistent:

Device reputation is an important component of best practice fraud management – 2009 was a difficult year for business, but one trend that emerged was an increased visibility into how valuable device fingerprinting and reputation solutions can be as part of any sophisticated fraud prevention architecture. Some of our articles on this topic:

Online retailers are under attack – Online retailers continue to find themselves under attack and we touched on this topic a number of times this year. Here are some of the highlights: (more…)


Not All IP Addresses Are Created Equally

Thursday, October 8th, 2009

IP addresses have long been used in device fingerprinting solutions, but their utility has been hit-and-miss due to differences in how groups of IP addresses are managed. As a result, solutions relying on the IP address for device identification generally experience high false positive rates; this is especially true in cases where the same IP address has been issued to different end users over time.

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not. (more…)


Largest Credit Card Theft Ever – Over 130 Million Credit Card Numbers Stolen

Friday, August 21st, 2009

This week the Associated Press reported that a Miami man and two Russian co-conspirators stole over 130 million credit card numbers in the largest theft of credit information ever.

Anyone who doesn’t think that online crime has transitioned into big-time business should take note. Online criminals are coordinated and remarkably well organized. They are becoming increasingly adept and efficient at not only obtaining, but sharing, valuable data: namely credit and identity information.

The extent to which online commerce companies rely on their ability to trust in this very same data cannot be overstated. Today, most online transactions are checked for fraud based upon credit and identity checks. If trust in that data is undermined, then the business models of hundreds of thousands of online retailers will suffer. (more…)


Device Fingerprinting Techniques – Several Choices

Thursday, June 4th, 2009

Device fingerprinting is a technology that has been growing in importance over the past few years. Online businesses are dealing with the problem of increased identity theft and manufactured identities being used to create new accounts, purchase goods, and in general transact with the online business in some way. Device fingerprinting complements existing identity based techniques to address this problem and to identify repeat offenders and fraud rings that target these businesses. In a recent online fraud survey put out by Cybersource, device fingerprinting was identified as the number one technology to be adopted, in terms of percentage of planned new adoption, over the course of the next year due to its high effectiveness.

At iovation, many of the questions we field revolve around how we do device fingerprinting. Rather than get into a detailed definition of device fingerprinting, I will address the basic choices available to companies and explain how iovation uses them. Essentially, device fingerprinting is used online to identify and then re-recognize a PC or other Internet device that visits an online site. There are really 4 different ways that this can be accomplished: (more…)


When Fighting Online Fraud Not All Device Reputation is Equal

Thursday, May 14th, 2009

I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004 and we have a lot of experience with this issue. There is a big difference between the two types of reputations and their relevant value. (more…)


Device Fingerprinting Protects Privacy in Fighting Online Fraud

Monday, May 4th, 2009

There has been some recent discussion in different articles regarding whether or not device identification (also referred to as device fingerprinting) constitutes a violation of privacy, in the context of fighting online fraud. The topic came up recently at a panel at RSA on the Benefits and Dangers of Device Fingerprinting. Device fingerprinting provides significant benefits for online businesses; it provides an additional factor for authentication, used by many online banks, and aids in the fight against fraud by identifying computers that have been used in the past for fraudulent activities and stopping future transactions from those systems.

The argument against this type of technology, however, is that the device information could be collected and sold, constituting a violation of privacy of the online user. What needs to be taken into consideration, however, is how device fingerprinting compares with existing identity-based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work to reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way.

The reality is that device fingerprinting systems provide online businesses with some of the only fraud management tools that don’t rely heavily on personally identifiable information. Instead of decrying privacy violations, privacy advocates should be looking to embrace systems that achieve the purpose of reducing online fraud while still protecting the privacy of good online users.


Conficker Starts Up Botnet to Enable Online Fraud

Friday, April 10th, 2009

Richi Jennings at ComputerWorld has a nice summary of blogs and articles on the activation of the Conficker botnet that is going to provide new avenues for online fraud. What began as a mass worm infection has now moved into the serious business of establishing a botnet that can be used for black market commerce.

This is a good example of the way that Fraud as a Service is enabled, which I talked about in my previous blog post. Now that Conficker has established a botnet, it can be used for a variety of ends. Here are a few to consider:

  • Spam distribution – many of this morning’s articles have focused on the first use of this botnet to distribute spam. Spam can be for illegal services or can also be links to phishing sites.
  • Identity theft – any botnet or trojan horse can simply be used to steal and transmit personal information. The way it generally works is that the user’s online web activity is monitored to capture user IDs and passwords from targeted sites like online banks, massively-multiplayer online games (MMOs), or commerce sites. That stolen data is then transmitted back to the scammer’s database.
  • Hosting phishing websites or download sites – Many times individuals’ PCs can be turned into hosting sites for phishing websites or illegal data download sites.

Botnets continue to be a big problem and are an important part of online criminal activity. Certainly individuals need to ensure their anti-virus software is up to date, and the industry needs to take steps to make account takeover more difficult through more common use of authentication tokens, and to make personal information less valuable online through the use of other fraud detection techniques like device fingerprinting and device reputation.