In the article, “Why Internet crimes go unpunished,” security expert Roger Grimes breaks down some interesting numbers around cybercrime, and how hackers are (to put it mildly) beating the odds. According to the FBI’s 2011 Internet Crime Report, of the more than 300,000 complaints that netted criminals $1.1 billion in 2010, law enforcement agencies convicted an average of one crook for every 50,635 victims. In other words, as Grimes eloquently states:

Steal someone’s identity and your odds of being caught are almost infinitesimal.

With all the hacks and fraud headlines 2011 will be remembered for, that’s definitely not the way we want to ring in the New Year. But as Grimes also warns, if we aren’t careful we could see history repeat itself as criminals not only continue defrauding computer users, but launch recycled attacks against the explosion of worldwide mobile device users, who could fall victim to the same old PC tricks.

While law enforcement certainly has its challenges in tracking down and prosecuting cyber criminals, nobody will argue that we can always be doing something on our part to help reduce the risk of fraud where the criminal is utilizing a computer, as well as emerging mobile platforms like smartphones and tablets.

Whether you’re an individual, small to mid-size business, or even a large international corporation, in many ways you’re sort of on your own in cyberspace. This is why taking matters into your own hands and implementing defense-in-depth fraud preventative strategies is so critical to protecting yourself, your employees and business from both evolving and old-school scams targeting every form of Internet-connected device that we use.

This is the time of year when most businesses are setting their budgets and determining business goals for 2012. While improving customer service and increasing revenues are certainly at the top of any CEO’s to-do list, mitigating costly fraud risks that can take a hefty bite out of annual profits (not to mention cause significant reputation damage) requires organizations to deploy effective security tools like iovation’s ReputationManager 360 solution to reduce the risk of fraud or abuse over all devices and platforms connecting to their online business environment.

The truth is, even diligent businesses running the latest security software remain vulnerable to the growing number of new and unknown forms of online fraud and abuse. Take it from Mark Patterson, co-owner of PATCO Construction Inc: when it comes to fighting ACH fraud the new FFIEC authentication guidance falls short. He says that until banks become legally liable and accountable for such online crimes, businesses will remain susceptible to online fraud.

In the BankInfoSecurity article, “Fraud: The Victim’s Perspective,” Patterson, whose small residential and commercial construction company lost over $550,000 to fraudulent ACH transactions, said that while he’s glad updates have been made to the security guidelines, they don’t go far enough. In order for small businesses to protect themselves from online crimes like ACH fraud and account takeover, they need to take it upon themselves to also incorporate their own internal policies and processes to detect fraud and abuse. Some of his recommendations include:

• Talk to your bank about the ACH fraud policy to understand if fraud losses are covered
• Monitor all online transactions for bad IP addresses, anomalies, and suspicious activity
• Run and analyze reports to recognize patterns and velocities
• Educate yourself about online threats and how bad they really are

Today, too many companies struggle to keep the security of their desktop computers and mobile devices up-to-date, which puts their customers, business and brand reputation at risk. The FFIEC Guidance was designed to outline a multi-layered approach of processes and technologies that banks need to mitigate fraud risks, but if those recommendations aren’t applied and internally enforced businesses could still have trouble identifying and stopping risky transactions.

To combat the millions of online fraud and social engineering schemes attempted on banks and businesses every day (we should know, we stop more than 150,000 fraudulent transactions every day for our clients), an effective defense-in-depth anti-fraud strategy requires the ability to recognize high-risk transactions before they are accepted. iovation’s device reputation technology goes beyond traditional blacklists and personally identifiable information (PII) to identify, re-recognize and root out fraudulent devices and accounts in real time so businesses can proactively stop bad transactions from occurring, as well as shut down hidden fraud rings that are committing repeat fraud within their IT environment.

iovation’s ReputationManager 360 is a fraud prevention solution that provides an added layer of protection for any defense-in-depth anti-fraud strategy. By leveraging the power of device identification, iovation takes complex device ID a step further and equips financial services firms and other businesses with a dynamic collection of device intelligence, association data, analytics and reporting tools that allow fraud managers to assess larger sets of attributes and apply pattern recognition algorithms and pattern-learning processes to identify fraudulent devices, anomalies, velocities and other suspicious behavior taking place on their website every day.

It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, there are many, many things that go into a new feature including design, development, testing, documentation, integration and other operational requirements. We won’t go into that amount of detail here, but instead will focus on the primary achievements within each of the four principle areas of specialization at iovation, which include:

• What does “layered security” actually mean?

“‘Layered security’ refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.”

• What does “multi-factor” authentication actually mean?

“A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.”  

• Who does this guidance affect? And does it affect each type of credit grantor/ lender differently?

“The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment.”

• What will the regulation do to help mitigate fraud risk in the near-term and long-term?

“The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.”

• How are organizations responding? 

“Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, ‘layered’ approach that the guidance is seeking.”

To learn more, watch Experian and iovation’s webinar, titled Ensuring Optimal Efficacy and Balance with Out-of-Wallet Questions and Device Identification, dedicated to discussing the recent FFIEC guidance and taking a defense-in-depth approach to fraud prevention.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

It’s truly an honor to follow in the footsteps of some of the most recognizable technology companies in the world such as Google, YouTube, Skype and eBay, who have all been previously selected to Red Herring’s prestigious Top 100 Global list.

This recognition is a direct result of years of hard work evolving our fraud protection service into a full spectrum device reputation solution that supports native and web integrations for mobile and desktop devices, tagged and tagless device recognition, real-time transparent risk scoring, and on-demand and scheduled reporting. Our remarkable growth is attributed to the collaborative work and effectiveness of our global device intelligence network, which today protects billions of transactions for our clients representing multiple industries around the globe.

Red Herring Chairman, Alex Vieux, elaborated on the difficulty the editorial staff goes through each year in selecting the Global Top 100.

“Choosing the best out of the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners. It was an extremely difficult process. iovation should be extremely proud of its achievement, the competition for the Top 100 was fierce. The Top 100 Global are truly the best of the best.”

Companies were evaluated on both quantitative and qualitative criteria such as financial performance, technology innovation, management quality, strategy and market penetration.

The full list of 2011 winners is located at: http://www.herring100.com/RHG/2011/top100.html.

According to the NY Times article, “Cyber Monday Shopping Surpasses Expectations,” both ComScore and IBM Benchmark reported that the $1.3 billion spent by online shoppers represented up to a 33% increase in online sales over last year. This followed record-breaking Black Friday weekend sales of $52.4 billion, which CNN Money reported is a 16% jump over 2010. Either way you cut it, there’s little doubt that retail and online sales over the weekend could make for a very profitable holiday season for merchants.

At iovation, we help our clients know who to trust online, by quickly recognizing their good online customers and isolating the fraudsters through shared device intelligence. By identifying bad actors upfront and flagging suspicious transactions in real-time, we help merchants decline fraudulent orders faster, minimize chargebacks and take more good business with confidence — all especially important during the holiday’s peak traffic.

Looking at iovation’s device reputation network on Black Friday and Cyber Monday, we found some interesting trends and year-over-year comparisons during the two hottest shopping days of the year, including:

• 400% increase in the rate of fraudulent transactions (from 1% to 4%) on Black Friday
• 25% increase in the rate of fraudulent transactions (from 3% to 4%) on Cyber Monday
• 15% greater transaction volume on Cyber Monday compared to Black Friday
• 4% mobile fraud rate on both Black Friday and Cyber Monday

While it was no surprise that credit card fraud, shipping fraud and account takeovers topped the list of fraud types reported to iovation’s database on these days, a noticeable drop in the share of mobile shopping activity was very unexpected.

Despite several industry surveys forecasting significant increases in mobile purchases over the holidays, iovation saw mobile transactions decrease as a share of overall activity on Black Friday and Cyber Monday. While mobile transactions usually account for 5% of queries to iovation’s service, mobile’s share of overall retail transactions dropped to 3.2% on Black Friday and 2.7% on Cyber Monday. At this point any conclusions would be only speculative as to why mobile transactions were down during these peak periods. Are consumers not ready to make purchases over their smartphones? Is the user experience of a smartphone checkout too cumbersome compared to the convenience of a desktop?  As retailers look to the mobile market as an increasingly important channel, it will be critical that they solve these issues.

According to the Politico article, “Free pass for dating site liars,” people can take comfort in knowing that they don’t have to worry about being prosecuted or hauled off to jail for telling a little white lie over the Internet. While this certainly makes sense, at the same time we’re still walking on shaky ground when it comes to online lies, falsifications, profile misinterpretations, or whatever you want to label it. The fact is, when it comes to identity fraud, fake accounts or other crimes on romance sites, lying is typically the basis for the crime. It sets the stage for deeper criminal activity that can cost victims both emotional and financial hardships, not to mention damage to the dating site’s reputation. 

In the recent blog, “Online Trust Remains Risky Business,” I discussed how most of us have at one time or another told some kind of little white lie on the Internet. Would this be cause for criminal prosecution? Probably not. However, if the intent is to steal or commit some type of crime against another person or business, the lie could be a violation of corporate policy covered by the Computer Fraud and Abuse Act (CFAA), which criminalizes “exceeding authorized access” of a computer.

While DoJ spokeswoman, Alisa Finelli, says it’s not the DoJ’s position that lying violates the CFAA, its current position is one that could be open for change.

“We understand the concern that is motivating these criticisms of the statute, and we are willing to work with Congress on legislative proposals in this area.”

While Congress works on legislation that clarifies what would be grounds for prosecution when it comes to lying on the Internet, to protect their members and online environments dating sites need to take action by deploying anti-fraud detection tools that help them identify risky behavior. At the moment, there may not be an actual online “lie detector” that can distinguish when a member is telling the truth or not, but there are tools available, such as iovation’s device identification service, that helps detect online scammers, spammers and bad actors attempting to mine the identity details of legitimate members.

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud.

It’s in the retailer’s best interest to put online fraud prevention measures in place to thwart credit card fraud use on their sites. This not only helps them keep their chargebacks and fees low, but it also protects their brand reputation with their loyal customers. But how can retailers detect when fraudsters are stealing from their websites in the first place?

Before verifying identity and credit information, first make sure that the computer, tablet or smartphone connecting to the site is not a known fraudulent device – one used to steal from your business in the past, or from other online businesses.

Would you like to know if the device is acting suspicious such as masking its IP address or constantly changing its characteristics between transactions? Is it opening an excessive number of new accounts, or are new countries suddenly accessing your customer’s existing accounts?

There are many indicators of risk and companies like Oregon-based iovation Inc. helps online businesses set up fraud and risk rules in advance so that as transactions come in, the rules run and all checks in a fraction of a second. This device identification service can stop the transaction right then and there.

Carders are just one piece of the cybercrime puzzle. Having a defense-in-depth approach to fraud prevention is essential. And sharing fraud intelligence with other businesses can only help you catch more fraud, and meanwhile, take more business with confidence.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Banks and retailers know better than anyone that people lie. There are countless scenarios and justifications, but people who lie invariably do it in order to get something.

In general, we strive to be a kind and civil species. We trust by default. We want to be helpful and accommodating. We don’t want to believe that people lie, but they do.

Dishonesty poses a challenge to banks and retailers in the form of theft. Theft is a big problem on the Internet, and any online business knows that they can’t afford to trust you, regardless of how honest you may be.

The Federal Financial Institutions Examination Council recently instructed both retailers and banks to enhance their security procedures, in response to the increasingly creative lies concocted by scammers.

One of those FFIEC recommendations involves incorporating complex device identification. This means that banks and retailers should adopt technology that actually recognizes and analyzes the PCs, smartphones, and tablets being used to access their websites. Once the device is identified, knowing the device’s reputation is where it really gets interesting. Is it acting suspicious or is it a known device that has been used in a fraud ring, in money laundering, or has been attempting account takeovers? Knowing the device’s reputation lets businesses know ahead of time who they can trust online.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

The Financial Federal Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.”

You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

And despite the constant stream of bad news, consumers continue divulging a tremendous amount of data to retailers, auction sites, dating sites, and gaming sites. While awareness of fraud and cybercrime is at an all time high, consumers seem to feel they don’t have much of a choice but to provide all their data.

People have grown to love the Internet and all the conveniences it offers, both commercially and socially. In my household, little people under five years old whack away at online iPhone games, never knowing what it’s like not to have the Internet.

Many seem to feel that their privacy is the price they must pay for all this connectedness and convenience, and are even willing to put their personal security at risk in exchange.

Scammers know and are capitalizing on this. There isn’t an online gamer, dater, social networker, or consumer today who isn’t at some level of risk.

While all necessary defenses must be employed to prevent hackers from compromising data, an additional layer of protection should be implemented to keep them off websites in the first place.

Every one of these platforms would do well to stem the tide of fraud by incorporating device reputation. One anti-fraud service offering fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. Hundreds of online businesses prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their websites, and with iovation’s service, they stop 150,000 online fraudulent activities each day.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

If there is a “good” place for your tax dollars to head, it’s to the FFIEC. And very recently the FFIEC has issued updated guidelines for financial institutions in regards to their cyber security and new threats your bank needs to counter.

Over the past decade as we have all (mostly) have banked and bought stuff online, criminals have formed organized web mobs to sniff out transactions and take over existing accounts and in some cases open up new accounts.

The FFIEC has certainly pointed this out and at the same time has made additional security recommendations since the last time they did in 2005 based on new kinds of criminal hacking and new technologies to combat it.

Hacking in its many forms involves compromising a system from numerous vantage points. A network can be hacked from the inside by an employee or former employee with credentialed access or from the outside by seeking vulnerabilities in a networks technology. But more often hacking takes place when an account holders access such as username and passwords are compromised.

To defend against all of these hacks the FFIEC recommends to financial institutions what’s called a “layered approach” of anti-fraud tools and techniques to combat crime. Meaning it’s not simply a matter of applying a firewall and having anti-virus to protect the network, but going much deeper in protecting many interaction points within the banking site (not just login) and using a variety of proven fraud prevention solutions.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior and other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that’s already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification and builds on device recognition with real-time risk assessment, uniquely leveraging both the attributes and the behavior of the device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

However, to ensure they stay one step ahead of today’s profit-driven fraudsters, banks need to use the most advanced, anti-fraud techniques to prevent criminals from gaining access to legitimate online bank accounts. Michael Grillo’s article, “Combating Online Banking Fraud – A Top 10 List,” provides a checklist of the essential fraud detection methods that all banks should consider to ensure they are doing everything they can to stop online fraud, including:

1. Apply multi-factor logon authentication for online banking systems – such as tokens with one-time password or Adaptive Authentication (risk-based authentication).
2. Utilize real-time analytics – monitor transactional behavior to determine whether activity is standard or anomalous for that customer. When high-risk activity is detected, action can be taken in real time or near-real time to stop the transfer of funds from the customer’s account. Funds can also be held until customer validation can take place (see #4 below).
3. Employ profiling – include non-financial information (IP address, login activities, and device characteristics) to build customer profiles which can be stored to monitor ongoing behavior.
4. Make use of out-of-band notification methods - utilize phone call, text message, e-mail, etc to confirm activity with customers before transactions can be completed.
5. Maintain anti-virus software – Be sure to recommend your customers keep it current on end-user machines. While not fool-proof, it can stop lesser forms of intrusion.
6. Maximize password management – Ensure password management best practices are enacted (e.g. change password every ninety days, minimum length, combination alpha-numeric, varying history, etc.).
7. Leverage dual approval and limit management capabilities in your online banking tool -End-users with transaction initiation or approval entitlements should not also have administrative rights.
8. Implement token management at ACH or Wire release – this approach provides another layer of authentication prior to finalizing the transaction.
9. Employ a prescriptive, layered approach to security – utilize security tools within your online banking solution (e.g. multi-factor authentication, limit management, etc) with a fraud prevention and detection solution (e.g. profiling, analytics, etc.)
10. Education – keep it simple but constant. Partner with your customers to ensure they are aware of today’s threats and know what tools are available today to protect themselves.

As the industry shares information about new types of fraud attacks, iovation’s ReputationManager 360 puts intelligence shared by over 2,000 fraud professionals around the globe to work. By leveraging our knowledge base of 650 million Internet-connected devices and their associations, financial services and other industries can immediately identify suspicious activities through configurable real-time, fraud detection mechanisms that include device identification, device reputation and risk profiling.

In addition to the daily monitoring of transaction anomalies, velocities, geolocation and proxy-busting technology, iovation helps leading online brands stop fraudulent transactions before they are processed, as well as roots out and rids their systems of repeat offenders and fraud rings that are unknowingly perpetrating a multitude of fraud and abuse activities over time.

In the article, “Independent Study Reveals Corporate Account Takeover Fraud Continues to Plague SMBs and Banks,” the 2011 Business Banking Trust Study found that SMBs have struggled to make progress in stopping payments fraud as 56% of businesses said they had experienced fraud within the last 12 months. While 61% said they were victimized more than once over that period, 75% of businesses participating in the study said they experienced online account takeover and/or online fraud.

With mobile banking growth rates on the rise, these findings are alarming to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, which commissioned the study. With 38% of respondents saying they access their company’s banking accounts from mobile devices such as smartphones and tablet PCs compared to 23% in 2010, Ponemon doesn’t anticipate things turning around for SMBs anytime soon..

“As online and mobile banking adoption continues to grow, the possibility for more fraud and more lost customers escalates. Endpoint security will be challenged to keep up with the growing number of devices and threats, and banks are in the best position to take the lead on proactively protecting all account holders from the wide variety of threats.”

It’s these types of findings that underscore the need for businesses to be proactive and implement fraud preventative strategies that stop new forms of financial fraud that costs businesses millions in profits each year. To protect systems from new and emerging online threats that continue to torment SMBs and the financial services industry, iovation’s ReputationManager 360 uses a combination of device identification, device reputation and risk scoring that effectively stops fraud rings that are committing account takeover, phishing schemes and other types of online fraud, regardless of whether they are using PCs, smartphones or tablets to access a financial institution’s website or mobile application.

In the physical world, as the saying goes, “You are only as good as your word.” And when somebody says one thing and does another, we no longer trust them.

Online, people say and do things they never would in the real world. Internet anonymity fuels bad behavior. Websites’ comments sections are filled with vitriol that you’d never hear real people utter. Pedophiles who’d never approach a child on the street contact kids over the Internet. Sex offenders avoid the stigma of their label on dating sites and social media. Scammers create accounts in order to con people and businesses into forking over money. And identity thieves use your personal information to fill out online applications for credit.

All of this is made possible by the anonymity of the Internet.

As fraudsters develop more sophisticated schemes and collaborate in elaborate fraud rings, the threat of cybercrime increases. Online businesses are getting hit hard by fraud and abuse, and it’s critical that fraud protection solutions save them from significant losses and damaged reputations.

A device reputation service checks for suspect history, but also investigates for characteristics consistent with fraudulent users. And the best part is that it denies criminals, often even before their first attempt.

According to Greg Pierson, Founder and CEO of iovation, “Device reputation helps prevent identity thieves from monetizing the credentials that they have stolen. At the same time we are protecting online businesses, we’re also protecting the consumer.”

Device-based fraud management and a shared device reputation infrastructure play a critical role in identifying online fraud and abuse. Neglecting to take advantage of these tools severely limits a business’s ability to prevent fraud.

With only three months remaining, iovation has already increased the annual growth rate for processed transactions by 67% over 2009. With more than 3.9 billion cumulative device reputation checks processed for e-commerce, financial, travel, gaming and online communities today, we expect to break 4 billion early in Q4.

We’ve also increased the overall number of unique devices by 110% over last year. Starting in 2006 with 5 million devices in our system, we now manage more than 390 million unique devices (including PCs, Macs, iPads, iPhones, Blackberries, Android, etc.). Surpassing 400 million unique devices is just on the cusp.

With cybercrime fraud losses more than doubling in 2009, Internet-based businesses need security solutions that allow them to proactively identify and make educated decisions on all incoming transactions. Through fraud and abuse evidence submitted by our worldwide, cross-industry subscriber base, iovation ReputationManager 360 combines device and account profiles, analytics, custom reporting, real-time business rules, device anomalies, and the experience and expertise of over 2,000 fraud analysts to help customers make quick, confident decisions on every online transaction request.

The harsh reality is that today’s cyber criminals are so tech savvy and innovative that staying one step ahead of them isn’t always possible. That’s why, when it comes to network security, a good defense should be made up of several different layers. That way, even if a hacker is able to exploit vulnerability in one layer of the system, he may be stopped or slowed down by another. This strategy, known as defense in depth, essentially allows organizations to protect the integrity of their systems by slowing hackers down and buying security professionals the time they need to respond to a security breach once it has occurred. This mitigates the damage that malicious hackers can do, even if they are able to make it past initial barriers.

The same basic principle of creating a more comprehensive defense by layering tools and diversifying methods can (and should) be applied to fighting online fraud. To successfully combat online fraud, a fraud management system should include the following layers of defense: 1) validation of credit data; 2) data mining of personal information supplied by the user (i.e. shipping address, address verification, and in some instances even SSN); and 3) device identification and validation of device reputation.

Combining these fraud prevention methods at multiple locations throughout a website establishes important obstacles to both first-time and repeat offenders. Even if criminals are able to bypass one method of detection by using  fraudulent credit or personal information, they may be identified through device identification as a suspected or known criminal. That’s why the best offensive against cyber crime today is a multi-layered defense.

Unfortunately, these kinds of velocity checks are of limited value against more sophisticated fraudsters who have the information, the technology, and the general savvy to set up multiple accounts that all, on paper, look completely different—different names, different credit card numbers, different shipping addresses, different IP addresses.

This is why including the device associated with an account or transaction can be an extremely valuable component of velocity-based rules. Even if all the elements of personal data look different among a set of accounts or transactions, if they all have the same device in common, it’s a good indication that something is wrong. With velocity-based rules focused on the device, you can monitor the number of accounts created, or the number orders placed, from one single computer.

In a world where hackers are making it more difficult for online businesses to verify the real identities of the people they’re doing business with, device fingerprinting combined with velocity-based rules provides a powerful one-two punch for identifying suspicious activities and stopping fraud that operates under the radar of many fraud detection systems. For many of our customers, having visibility into this activity is one of the biggest advantages they gain from including device fingerprinting as part of their fraud prevention process.

The increase in the number of shared devices can in part be understood by analyzing the population of “reactivated” devices. Reactivated devices are devices that iovation re-identifies after having not seen the device for more than 90 days. By studying these devices in contrast to the device population as a whole, it is clear that iovation’s expanding customer base is a significant contributor to this trend as a vast majority of reactivated devices have been seen in multiple customer networks.

Since the beginning of 2008, iovation’s reactivated device rate has doubled every 5 months and continues to climb. This demonstrates that as iovation’s device network continues to grow, device crossover is also increasing.

Inactive Devices

As iovation’s device network grows and evolves, it is useful to distinguish between active and inactive devices since active devices have more interesting behavior and are involved in fraudulent or abusive activity now. To answer the question “what is active?”, I measured the percentage of devices that are re-identified over varying periods of time. Graphing the result of this analysis produces a curve that tails off considerably by 90 days, which means a very small percentage of devices that have not been identified in the preceding 90 days will ever be identified again. Therefore, for this study, devices that had not been re-identified in the last 90 days were considered to be inactive. This data set is based on data from the first 3 months of 2008.

How to read this graph: Devices not seen for 30 days have an approximately 40% chance of returning, whereas devices not seen for 90 days have an approximately 1% chance of returning.

Reactivated Devices

Devices that are re-identified after more than 90 days of inactivity are considered reactivated devices.

For the 18-month period from April 2008–September 2009, the following chart shows the percentage of the active device population that is made up of reactivated devices.

For the month of September 2009, I compared the population of active devices with the population of reactivated devices to see how their characteristics differ. From that comparison, it was determined that:

• Reactivated devices are 3 times more likely than all active devices to have been seen in more than one customer network.
• Reactivated devices are no more or less likely to have a reputation.

The following chart shows the percentage of reactivated devices that had subscriber cross-over as compared to the percentage of all active devices with subscriber cross-over.

Conclusion

Analysis of iovation’s network shows a clear correlation between reactivated devices and devices with cross-over between subscribers, and we are seeing a significant increase in both as the number of our subscribers grows. This upholds our belief that a database of device reputations, shared by online companies, across multiple industries, offers valuable and relevant information to individual sites in their fight against online fraud and abuse.

The Merchant Risk Council (MRC) represents the largest and most influential constituency focused exclusively on making eCommerce more safe and secure. iovation is a proud sponsor of the Merchant Risk Council and brings you this interview and podcast with Executive Director, Tom Donlea.

Listen to the Podcast >

iovation: This is Scott Olson on behalf of iovation. I am here with Tom Donlea, the Executive Director of the Merchant Risk Council. Hi Tom.

Tom Donlea: Hi Scott.

iovation: Tom, as the Executive Director of the Merchant Risk Council, you lead this trade association made up of merchants, vendors, e-commerce management professionals, and law enforcement. I imagine this role gives you a great deal of insight into the key issues facing online merchants. After having just completed the Merchant Risk Council semi-annual platinum meeting and now preparing for the upcoming conference in March, is there one topic you would say is getting more attention than others?

Tom Donlea: Yes, Scott. I think for the MRC it has clearly been the economy. A lot of our merchants are increasingly focused on managing their costs and minimizing losses. They are getting a lot of pressure, so they are coming to the MRC with some very specific requests; three in fact. The first thing is they are looking for benchmarking data. They want to look at their costs, the resources they are using, and investments that they should put toward managing fraud risk.

Another piece of this, another part of the membership value, is utilizing the newest and most proven technologies available. They want to make sure that they have the right things in place, whether it is the device recognition, IP geolocation, or some of the other new technologies that are really key for the merchants.

The third thing that merchants are looking for is figuring out how to squeeze every dollar possible out of their program and their operational expenses. We are helping them connect with other members and learn about industry best practices to make sure that they are as efficient as they can be.

iovation: In recent e-commerce fraud surveys, Merchant Risk Council members show consistently lower fraud rates than the industry average. So from your experience, what are these businesses doing right?

Tom Donlea: Belonging to an organization like the MRC allows our member merchants to collaborate and then determine and discover best practices. Through our organization, the merchants have access to industry leaders. And through those presentations and forums, they are staying on top of the latest services from solution providers.

We introduce those topics and issues through webinars that we hold. We do about 20 a year right now. We hold two big conferences each year and we also have a wide enough member base from the merchant community that allows deep collaboration. Merchants from travel, gaming, the apparel industry, electronics—they are all able to gain a greater understanding of the solutions that are most widely adopted and are benefiting the bottom line, and that are, of course, appropriate for the business model.

Increasingly, merchants are looking to the MRC for advocacy. When we gather folks from the travel industry, for example, and we are hearing common issues that they have that are industry-wide issues, the MRC is positioning itself to go to battle, to cause positive change in the industry on behalf of those merchants. And we are excited to play that role.

iovation: You have followed iovation as one of the vendors and the growing interest in device-based fraud solutions for several years now. Would you say the use of this technology is now being considered a best practice for your members?

Tom Donlea: Yes, absolutely. On an annual basis, we do a fraud survey. Every year that we conduct this survey we ask our members, “What sort of third-party solutions or technology solutions are you adding to your arsenal of fraud detection tools?” Device reputation technology is one of the latest advances, and we see our merchants increasingly utilizing that type of technology to develop and enhance their fraud screening tools.

Of course, our merchants know that there is no single silver bullet that is going to eliminate fraud risk when it comes to accepting payments online. But they do know that they have got to have a diverse portfolio of tools. Not only do our members have lower fraud rates than the general industry standards for companies at the same level of revenue, but they also employ more tools than your typical e-commerce company. Through the MRC, and through meeting companies like iovation, they have learned that they must have a broad array of tools in order to meet the challenges of taking diverse payments online.

iovation: Speaking of tools and the different fraud types that your members address, most people think the Merchant Risk Council members deal primarily with financial fraud such as fraudulent chargebacks and payment fraud. What are the other risks that your Merchants are addressing?

Tom Donlea: It’s interesting that both security and authentication are becoming important issues. We’ve seen in recent headlines that data security is more and more of an issue with retailers and with consumers. The challenge for many of our e-commerce and multi-channel retailers is that they not only want to offer an inviting and convenient shopping environment for the consumer, they also want to provide the safety and security for that customer’s personal data. It’s a huge motivator for us to boost that consumer confidence in e-commerce as a channel; a focus on security is a part of that. We know that it’s important for the customers, as well as our members. The shoppers who are conducting business online, they’ve got to trust those MRC members before, during, and after placing an online transaction.

We’ve been very proactive in providing programs and events to educate retailers on the root causes of the data breaches, the regulatory issues involving the Payment Card Industry—or PCI, as we call it —and then providing them examples of compromised systems. What could have been done in advance to avoid that? Then, certainly, the remediation that happens following mistakes like the TJX breach, for example.

Authentication is another issue that we’re really focused on. Of course, authentication for financial transactions is always paramount for our members. I know iovation has lots of clients in the dating, social networking, gaming area. This has become an increasing percentage of our membership as well. For those companies, the customer experience, again, is paramount, which includes: “if I become a member of a social networking site, I want to avoid any sort of predatory behavior, phishing or any scams that are going on.” That non-financial authentication is a very, very big deal for those companies because they have to make sure that the customer experience is continually excellent.

iovation: Earlier, you mentioned that the economy was one of the major issues, and this past year, certainly, has been very challenging for a great majority of retailers across all categories. Yet the Merchant Risk Council has grown in both membership and participation. Why do you think this is?

Tom Donlea: Well, I like to think that our membership base is savvy enough to understand that it’s more vital to address fraud risk, security risk, and electronic payment issues during these hard times. They’re trying to squeeze cost out of operational systems, maximize the number of transactions they can take online, and the consumers, where they are as far as their level of safety with doing business online. MRC is bridging the gap between the merchant community and the issuer community, which includes financial institutions, who often times provide the primary interactions for that consumer in relationship to making payments online.

We’re developing forums that are allowing these communities to communicate with each other, and break down artificial walls that really do affect the consumer’s experience of placing a transaction online. We want the banks who are issuing credit cards and the retailers who are hoping to accept those legitimate transactions to have open communication and improve the industry through those efforts. We also provide active year-round forums for networking, for education, and then for advocating on behalf of our merchant members. The members that belong to the MRC, they benefit from having a distribution list that allows them to interact with their peers and competitors in a non-competitive way.

We provide benchmarking studies. We provide online learning. We have in-person conferences. We’re also expanding into Europe. I’m not sure that we talked about that but it’s very exciting for us. Then, we also have active year-round committees where folks are, again, focusing on common issues that need to be addressed by an industry group in order to improve the industry for the better. Now, more than ever, the MRC is providing resources that allow our members to address their current fraud and secured payment processes, improve their productivity, and increase profitability. Really, what we’re trying to do is make sure our members are looking out further on the horizon and are prepared for those challenges in our three program areas for fraud, security issues, and related payments on a global basis so that they’re really prepared for the future.

iovation: Certainly, the Merchant Risk Council plays a very important role in addressing online fraud and abuse. I really appreciate you taking the time today, Tom, to share with us some of the insights from the Merchant Risk Council and your members.

Tom Donlea: That’s great, Scott. We appreciate the chance to talk with you and we appreciate iovation’s involvement in the MRC.

To learn more about iovation’s fraud-fighting solutions that enable online retailers to prevent thousands of fraudulent activities each day—including credit card fraud, shipping fraud, identity theft, carding and more—watch this video, titled Preventing Fraud and Abuse in Online Retail.

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not.

One of the keys to successfully utilizing IP addresses in device fingerprinting is to understand how different service providers manage their IP addresses. Some service providers go to great lengths to assign the same IP address to the same user over time, even when DHCP (Dynamic Host Configuration Protocol) is used for obtaining an IP address. Other providers make use of a smaller pool of IP addresses, requiring them to reissue the same IP addresses to different users over time. Mobile service providers present the most extreme example of this type.

To better understand the issue, I decided to take a closer look at some of our data. Over a recent 30-day window, I collected data from device identification requests in which we could definitively say that the correct device was identified via its fingerprint. (By limiting the study to these requests, the correlation of IP addresses to devices can be done with confidence because the device identifier is a statistical truth value.)

Analysis of this data (presented below) shows which IP addresses are associated with multiple end-user devices, ultimately allowing for a better understanding of different service providers’ policies with respect to reusing IP addresses. This information, in turn, allows us to determine how effective different IP addresses will be for unique device identification.

Metrics Computed
For each service provider, the following metrics were computed:

• Number of IP addresses (IPA)
• Number of IP address and device combinations (IPD)
• The ratio of IPD to IPA

Many service providers have an IPD to IPA ratio very close to 1, suggesting a policy that attempts to assign a user with the same IP address over time. On the other hand, some service providers have an IPD to IPA ratio over 100, suggesting a policy that liberally reuses IP addresses among users. Of course, there are service providers everywhere in-between.

Examples

1. On the low end of the scale (where a single IP address tends to correlate directly to a single device) is H3G Italy. During the study period, 20,509 IP addresses managed by this service provider were encountered, with 22,545 device and IP address combinations, giving them an IPD to IPA ratio of 1.09.
2. On the high end of the scale (where a single IP address tends to be associated with multiple devices) is danger.com. From this service provider we encountered 54 unique IP addresses covering 4,967 device and IP address combinations, resulting in an IPD to IPA ratio of 91.9.

Results
On aggregate, I grouped the values of IPD to IPA ratios into ranges and each range was analyzed using frequency distributions. Based on a device fingerprinting system’s optimal performance goals and tolerance for false positives, the service provider’s IPD to IPA ratio can be used to determine the role of the IP address in device identification.

The argument against this type of technology, however, is that the device information could be collected and sold, constituting a violation of privacy of the online user. What needs to be taken into consideration, however, is how device fingerprinting compares with existing identity-based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work to reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way.

The reality is that device fingerprinting systems provide online businesses with some of the only fraud management tools that don’t rely heavily on personally identifiable information. Instead of decrying privacy violations, privacy advocates should be looking to embrace systems that achieve the purpose of reducing online fraud while still protecting the privacy of good online users.