Here are some of tonight’s 2012 Totally Gaming Award winners:

• 888.com for Best Online Product of the Year (iovation was a finalist)
• Betfair for iPhone for Best Mobile Gaming Product
• Holland Casino Amsterdam for Best Casino Operator
• Jan Jones and Ron Goudsmit for Outstanding Service to the Land-Based Industry
• Wes Himes for Outstanding Service to the Remote Industry
• Novomatic for the Media Award
• Inspired Gaming Group for Best Betting Product
• Casinos Austria for Best Marketing Campaign
• Casino Cosmopol Sun vaal for Best Casino 
• Raff Ltd for Best Lottery Product
• JMC Global for Best Street Supplier 

Next up on the ICE agenda is the Combating Cybercrime in Gaming conference at Earls Court. Starting Tuesday, January 24th, attendees will find a great line-up of topics, including jurisdictional approaches to investigating cybercrime, knowing “who” and “where” your gaming customers are, implementing strategies to reduce data leakage from your network, cybercrime hotspots and forecasting future threats, and staying ahead of mobile gaming fraudsters.

iovation’s vice president of global sales, Max Anhoury, leads the mobile gaming fraud panel at 2:00 pm, titled Staying One Step Ahead of Mobile Fraudsters, to help attendees understand the latest cybercrime threats and how gaming operators can better protect their business, brand and customers.  Joining Mr. Anhoury will be Darwyn Palenzuela, Chief Technology Officer at Smart Gaming Group and Christina Thakor-Rakin, Head of Operations at Virgin Games. iovation will be sharing worldwide mobile device trends from its global reputation database of more than 800 million unique devices, which includes PCs, laptops, smartphones, tablets and consoles. 

iovation offers mobile fraud protection by uniquely identifying mobile devices that touch its clients websites or applications. The company employs a “defense-in-depth” approach to identifying, recognizing and developing a reputation for each mobile device, which includes multiple components and strategies that work in concert to help online businesses fight fraud effectively. iovation’s device reputation service includes both web and native device recognition, with SDKs for iOS and Android available globally. Managing the associations between devices provides opportunities for device re-identification even when evasion techniques are in play.

Those attending iovation’s Mobile Gaming Fraud Panel will learn:

• Mobile gaming offerings available and the progress and challenges posed
• Mobile fraud schemes and how gaming sites detect and prevent them
• Popular real-time rules that gaming operators are using to detect and deny fraudulent transactions
• Advanced technologies that will impact your strategy today and in the future
• Regulatory and compliance issues with regard to managing fraud on mobile devices
• Mobile application development and experiences with iOS and Android approval and distribution systems
• Future trends and mobile gaming growth expectations by operators

If you are unable to attend the presentation, but would like to learn how to protect your gaming site from chargebacks, identity theft, bonus abuse and collusion, stop by the iovation booth #5117 during the exhibition and speak with our team!

It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, there are many, many things that go into a new feature including design, development, testing, documentation, integration and other operational requirements. We won’t go into that amount of detail here, but instead will focus on the primary achievements within each of the four principle areas of specialization at iovation, which include:

Now, after five years of pushing standards out to merchants and retailers, a Verizon study has found that 79% of retailers are noncompliant. That means your credit card data is at risk in 8 out of 10 transactions.

InformationWeek reports numerous reasons why credit and debit card data is at risk. The first is that the burden posed by PCI causes businesses to view PCI as a nuisance, rather than a standard. Instead of working towards better security, they shun it.

Another risk factor is that most merchants only maintain basic compliance. Credit card processors hold merchants’ feet to the fire by requiring that PCI standards be met, but only audit annually so merchants don’t maintain security throughout the year. When it comes time to be audited, merchants will often fail because they’re unprepared or because the rules have changed.

Finally, lack of awareness increases risk. According to Verizon, “the greater awareness of PCI found in a business, the greater the actual compliance.” Jennifer Mack, director of global PCI services, says, “The more aware your organization is of the standard, the more prepared you are for the type of approach you take.” Seems like common sense to me!

No matter how you slice it, retailers are a target and must employ multiple layers of fraud protection to thwart cyber criminals. One way that retailers are uncovering suspicious activity on their site is by utilizing powerful tools for early detection. iovation Inc., the leader in device recognition technology, allows retailers to create multiple rules and adjust them as threats emerge and evolve. They do this without collecting any personally identifiable information (PII) from the retailer.

As devices (such as computers and mobile devices) with fraudulent histories connect to the retailer’s website, the business is alerted in real time. And when velocity or geolocation alerts are triggered, the retailer knows in real time. iovation’s living database of device intelligence is shared across its global base of finance, gaming, travel, shipping, dating and retail clients. They share information to detect fraudulent activity as soon as possible, before product is shipped and chargebacks and fees are incurred. They call it device reputation. I call it another bit of common sense for retailers.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

In the recent Network World article, “Federal agency issues new security rules for financial institutions,” the FFIEC is instructing financial institutions to deploy layered security systems and recommends they update their risk assessments to detect anomalies and effectively respond to suspicious activity as more profit-driven hackers focus on business computers to perpetrate fraudulent online transactions.

According to the IC3 Annual Internet Crime Reports:

Cyber crime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts.  Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.

The new rules instruct banks and financial institutions to focus their network defenses on layered security that involves fraud monitoring, dual customer authorization through different access devices, out-of-band verification, and technologies that limit the fraudulent transactional use of an account.

According to Scott Waddell, Vice President of Technology at iovation, who has been helping the nation’s largest financial institutions and credit issuers implement layered defense programs for years:

We’re glad to see the FFIEC guidelines catching up to the device reputation best practices that our customers enjoy. Complex device recognition, reputation, and real-time risk assessment are powerful additions to any bank’s fraud-fighting arsenal.   

The 2005 FFIEC Guidance described customer authentication as more than the initial authorization of the customer at login.  Including defenses at multiple interaction points such as accessing customer information, or movement of funds within or outside of the financial institution, is equally important.  Risk assessments should consider changes in the internal and external threat environment, changes in customer adoption, changes in electronic banking functionality and incidents of security breaches, identity theft or fraud experienced by the bank or industry.

With business or commercial banking accounts more susceptible to risk (as compared to retail banking) due to the frequency and high dollar amounts of the transactions, a defense-in-depth approach to security is even more important.

As explained specifically by the FFIEC, layered security programs may include:

• Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response
• The use of dual customer authorization through different access devices
• The use of out-of-band verification for transactions
• The use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account
• Enhanced controls over account activities; such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows
• Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
• Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
• Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
• Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate risk

The FFIEC recommends that an institution’s security program include device identification strategies that are more sophisticated than the simple cookie or IP address schemes used by many banks today as part of their authentication process.

At iovation, our financial services clients have been doing more than simple device ID for years.  In fact, they’ve been doing more than complex device ID for the last 7 years.  Complex device recognition techniques involve assessing larger sets of attributes and applying both pattern recognition algorithms and pattern-learning processes to identify devices.

While useful, complex device identification is just one part of an effective solution. The big players are tapping into the power of device reputation. Device reputation builds on device recognition with real-time risk assessment, leveraging both the attributes and the behavior of the device.  iovation takes that further still by showing our customers the relationships between devices as they interact with online businesses across iovation’s shared device intelligence community. And understanding how individuals are connected through devices and the accounts they access, as well as past and current behavior, is critical.

Device Reputation is what provides this depth of insight at transaction time.

Read the Supplement:

The Federal Financial Institutions Examination Council (FFIEC), Supplement to Authentication in an Internet Banking Environment

In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you’re already a step ahead of me – we design in depth.

The easiest method of identifying a device may be to simply write a cookie to the browser.  But we all know how easy it is to defeat that method when you’re aware of it – you just delete them.

IP address also sounds like a decent attempt at identifying a client.  For a good number of home broadband users, IP address isn’t bad, and even for corporate users, you may luck out and only find a few computers lurking behind any given firewall.  There are many ISPs like AOL) that are known for their use of proxy servers, however, and any decent size organization could be hiding thousands of machines behind any given IP address.

Browsers also publish a User-Agent string, a description of the type and version of browser being run.  These user-agent strings can provide a good deal of rich information about the browser, but they are pretty blunt hammers, narrowing down the range of possible matches to somewhere north of one in a thousand.

Each of these sources of data – browser cookie, IP address, and User-Agent string – is interesting by itself, but using them in concert to begin to build a view of the client computer from a number of different angles starts to look promising.  Each one is spoofable to varying degrees, and each one has issues with uniqueness, but each operates through a different channel to provide its information, and thus requires a different strategy to avoid detection.

All of this is to say that there is no single unique value (or simple combination of values) hiding on the Web – device recognition requires a multi-layered solution.  As iovation’s business has grown over the last five years, we’ve evolved from a native library device recognition service into a full spectrum reputation service supporting native and web integrations, business rules, pattern matching, and risk scoring. The capabilities we have in place have been built with the future in mind to support collection and analysis of reputation tracking on new transaction elements, and discovery of new risk indicators to continually improve real-time decision making for our subscribers while growing the Internet’s definitive online reputation authority.

The end result of such a multi-layered approach, an approach of “recognition-in-depth”, is that we don’t have to rely on any one technology to provide us with enough information to confidently recognize devices on the Web.  In the ever-evolving landscape of Internet technology, that layer of insulation is a must – reliance on a single strategy means brittleness in the face of change.  For example, Gartner Research recently published a research brief titled, Privacy Collides with Fraud Detection and Crumbles Flash Cookies,  suggesting that companies avoid reliance on Flash stored objects completely, as the technology may be short for this world.  Multi-layered device recognition means that we can still sleep at night when Flash fades away – and that means you can, too.

The increase in the number of shared devices can in part be understood by analyzing the population of “reactivated” devices. Reactivated devices are devices that iovation re-identifies after having not seen the device for more than 90 days. By studying these devices in contrast to the device population as a whole, it is clear that iovation’s expanding customer base is a significant contributor to this trend as a vast majority of reactivated devices have been seen in multiple customer networks.

Since the beginning of 2008, iovation’s reactivated device rate has doubled every 5 months and continues to climb. This demonstrates that as iovation’s device network continues to grow, device crossover is also increasing.

Inactive Devices

As iovation’s device network grows and evolves, it is useful to distinguish between active and inactive devices since active devices have more interesting behavior and are involved in fraudulent or abusive activity now. To answer the question “what is active?”, I measured the percentage of devices that are re-identified over varying periods of time. Graphing the result of this analysis produces a curve that tails off considerably by 90 days, which means a very small percentage of devices that have not been identified in the preceding 90 days will ever be identified again. Therefore, for this study, devices that had not been re-identified in the last 90 days were considered to be inactive. This data set is based on data from the first 3 months of 2008.

How to read this graph: Devices not seen for 30 days have an approximately 40% chance of returning, whereas devices not seen for 90 days have an approximately 1% chance of returning.

Reactivated Devices

Devices that are re-identified after more than 90 days of inactivity are considered reactivated devices.

For the 18-month period from April 2008–September 2009, the following chart shows the percentage of the active device population that is made up of reactivated devices.

For the month of September 2009, I compared the population of active devices with the population of reactivated devices to see how their characteristics differ. From that comparison, it was determined that:

• Reactivated devices are 3 times more likely than all active devices to have been seen in more than one customer network.
• Reactivated devices are no more or less likely to have a reputation.

The following chart shows the percentage of reactivated devices that had subscriber cross-over as compared to the percentage of all active devices with subscriber cross-over.

Conclusion

Analysis of iovation’s network shows a clear correlation between reactivated devices and devices with cross-over between subscribers, and we are seeing a significant increase in both as the number of our subscribers grows. This upholds our belief that a database of device reputations, shared by online companies, across multiple industries, offers valuable and relevant information to individual sites in their fight against online fraud and abuse.

• Expose relationships between transactions –Device recognition gives fraud management teams instant visibility into the relationships between all online transactions (fraudulent or not). This provides immediate value in assisting with investigations and resolving issues.
• Receive velocity alerts –The number of purchases, applications, account creations, etc. that originate from one user in a given period of time is highly indicative of fraudulent behavior. For example, wouldn’t it be valuable to know that in the span of one hour, ten credit card applications were all submitted by one person? Unfortunately, since most fraudsters use fake or stolen identities, this can be incredibly hard to detect—unless you focus on the device. With device recognition, you can monitor the velocity of transactions coming from a single device, regardless of the identities provided.
• Identify risky devices –Using a device reputation service allows you to benefit from an increased understanding of the correlation between device attributes and behavior. At iovation, we’ve processed over 2.4 billion online transactions and we’re able to use that information to profile and analyze which device characteristics are mostly likely to indicate fraudulent behavior. With this kind of device intelligence, you’ll be a step ahead by knowing which transactions to review more closely—even if a device has never visited your site before and doesn’t have a known history of fraud or abuse.
• Recognize scammers who have defrauded your peers –From the time you turn on a device reputation service (if it is a shared system, like iovation’s), you immediately have access to the fraud experiences of other companies who subscribe to the service, so if a device accessing your site has already committed fraud elsewhere, you’ll be able to know about it and protect yourself.
• Expose repeat offenders – The ability to identify repeat offenders—who often successfully evade identity-based checks— is one of the key reasons people adopt device reputation systems. It’s like having a wanted poster for the scammer’s PC. If you have been defrauded, you certainly don’t want to let that user back even if they try to mask their identity.

There are significant benefits from using device reputation and many of these benefits can be seen immediately. Device reputation is an essential component of a best practice fraud management system.