Cybercriminals have established vast botnets comprised of millions of computers that are controlled by malicious masters. These bots allow the fraudsters to purchase goods, apply for credit cards, access bank accounts and more – all from the relative obscurity of a compromised device. A new security discipline called device fingerprinting is making it harder for criminals to conduct their illicit business from a device they have overtaken. Learn more about how you can validate if your transactions are coming from a legitimate device or one that has been compromised for criminal purposes.
At the recent Web 2.0 Expo, PayPal’s senior director of global risk management, Katherine Hutchison, warned that online fraud is on the rise. There are many factors behind this rise, not the least of which is the rapid growth of the underground cybercrime economy. Criminals have established vast botnets comprised of millions of computers that are unknowingly controlled by malicious masters.
In 2008, the Georgia Tech Information Security Center (GTISC) estimated as many as 15% of online computers were part of a botnet – up from 10% in 2007 – and it’s likely to get worse. For example, there’s evidence that the recent Conficker virus is out to create an even greater population of bot computers. (See: Conficker awakens, starts scamming)
With so many bot devices now in place, criminals are able to easily hide both their locations and their identities to commit their assaults. As a result, the online fraud problem is growing bigger and wider. It exists anywhere where someone creates a new account, logs in to an account, or makes a card not present (CNP) credit purchase. Here are just a few examples of places where fraudsters are doing their dirty work.
• E-commerce sites of every ilk, where someone makes a purchase using stolen credit card information.
• Social networks and online dating sites, where fraudsters create accounts or use stolen credentials to establish trust and confidence and then betray that trust for financial gain.
• Banks and financial institutions where the criminal applies for a credit card or logs in with stolen credentials in order to steal funds.
• Private business portals for trusted business partners or customers that are compromised by someone with stolen or fake credentials.
• Federal, state and local government Web sites where fraudsters acquire benefits and services they are not entitled to.
This threat from compromised computers has given rise to a new security discipline whereby the device used in a transaction is quickly profiled in order to assess the risk from allowing that device’s transaction to proceed. Known as “device fingerprinting,” the process is rapidly gaining interest and adoption. As evidence, consider a critical indicator from the latest CyberSource fraud report: 7% of the online $25M+ e-merchants use device fingerprinting today and 47% said they plan to implement it in 2009.
Significantly, the people who are making the decisions to implement device fingerprinting are often the business owners and other people responsible for fraud prevention or safeguarding finance and operations. This is a decision that often bypasses or transcends a company’s IT or computer security experts. It would be worthwhile for you to get educated about device fingerprinting and take the solution to your management before it happens the other way around.
Device fingerprinting uses data from and about the device and browser sessions to assess the risk of doing business with the person utilizing that device. Obviously, the more data you have, the better you can assess the risk. For example, you can pierce the proxy to get the true IP address and geographic location of the user. If the PC says it’s in Dallas but the proxy piercing indicates it’s really in Beijing, there’s a good chance that the transaction it’s trying to initiate is fraudulent. Perhaps a particular PC has been used multiple times to initiate transactions using a different credit card each time. This evidence might indicate that the credit cards are stolen. Or, a compromised PC could be flagged as part of a botnet, so that its “bad reputation” would tell you to deny (or at least more carefully investigate) the transaction before allowing it to proceed.
ThreatMetrix is one of a handful of vendors in the relatively new market for device fingerprinting. The company uses a variety of techniques to identify devices in order to prevent fraud. For example, ThreatMetrix uses proxy piercing to determine the true location of a device. The company maintains a database of more than 12 million devices that are known to be compromised, so a PC’s reputation can quickly be verified against the database. There are numerous parameters, such as the velocity of login and the presence of a cloaked device, that lead to a “soft score” of the risk of doing business with the PC user. When a company sees a bad risk score from a specific PC, it could deploy a secondary security measure, such as a challenge question, before completing the transaction.
This risk score can be tuned to a specific business, since risk varies from one company to another and even from one transaction to another within an organization. The risk of allowing a fraudulent $20 transaction is far less than allowing a $2,000 sale to go through.
On the flip side, if a PC is positively identified to be trustworthy, it can be flagged as such to create a quick two-factor authentication for legitimate returning customers.
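To make the scoring idea above concrete, here is an added Python sketch of a device-risk engine; it is not code from the article or from ThreatMetrix or any other vendor named here. It combines the signals the article describes (a location mismatch between the claimed location and the pierced-proxy location, many distinct cards from one device, login velocity, and a known-compromised reputation) into a "soft score", applies thresholds that tighten as the transaction amount grows, and lets a device previously marked trusted skip the challenge step while a deny-level score still denies. The signal names, weights, thresholds, device ids and sample transactions are all constructed assumptions, not any real scoring model.

```python
"""Toy device-risk scorer (added example; weights, thresholds and
sample data are constructed assumptions, not a vendor's model)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Weight added to the soft score when a signal fires (constructed values;
# a real deployment tunes these against its own fraud history).
WEIGHTS = {
    "geo_mismatch": 40,       # claimed location disagrees with true-IP location
    "card_velocity": 30,      # one device has used many distinct cards
    "login_velocity": 20,     # unusually many logins in the last hour
    "botnet_reputation": 90,  # device is on a known-compromised list
}

# (amount floor, (challenge_at, deny_at)), most expensive first:
# a $2,000 sale gets stricter cut-offs than a $20 one.
THRESHOLDS = [
    (1000.0, (20, 50)),
    (100.0, (40, 70)),
    (0.0, (60, 90)),
]

MAX_CARDS_PER_DEVICE = 2   # a third distinct card trips card_velocity
MAX_LOGINS_PER_HOUR = 10   # more than this trips login_velocity


@dataclass
class DeviceHistory:
    cards: Set[str] = field(default_factory=set)  # card tokens seen so far
    logins_last_hour: int = 0
    trusted: bool = False                         # set for known-good devices


@dataclass
class Transaction:
    device_id: str        # fingerprint-derived device identifier (assumed)
    claimed_country: str  # what the client side reports
    true_country: str     # geolocation of the real IP behind any proxy (assumed)
    card_token: str       # tokenised card reference, never the raw card number
    amount: float


class RiskEngine:
    def __init__(self, botnet_list: Set[str]) -> None:
        self.botnet_list = set(botnet_list)
        self.history: Dict[str, DeviceHistory] = {}

    def device(self, device_id: str) -> DeviceHistory:
        return self.history.setdefault(device_id, DeviceHistory())

    def note_login(self, device_id: str) -> None:
        self.device(device_id).logins_last_hour += 1

    def mark_trusted(self, device_id: str) -> None:
        self.device(device_id).trusted = True

    def score(self, tx: Transaction) -> Tuple[int, List[str]]:
        """Return (soft score, list of signals that fired)."""
        h = self.device(tx.device_id)
        reasons: List[str] = []
        if tx.claimed_country != tx.true_country:
            reasons.append("geo_mismatch")
        if len(h.cards | {tx.card_token}) > MAX_CARDS_PER_DEVICE:
            reasons.append("card_velocity")
        if h.logins_last_hour > MAX_LOGINS_PER_HOUR:
            reasons.append("login_velocity")
        if tx.device_id in self.botnet_list:
            reasons.append("botnet_reputation")
        return sum(WEIGHTS[r] for r in reasons), reasons

    def decide(self, tx: Transaction) -> Tuple[str, int, List[str]]:
        """Return ('allow' | 'challenge' | 'deny', score, reasons)."""
        if tx.amount < 0:
            raise ValueError("amount must be non-negative")
        h = self.device(tx.device_id)
        score, reasons = self.score(tx)
        challenge_at, deny_at = next(t for floor, t in THRESHOLDS if tx.amount >= floor)
        if score >= deny_at:
            decision = "deny"
        elif score >= challenge_at and not h.trusted:
            decision = "challenge"   # e.g. ask a challenge question first
        else:
            decision = "allow"       # trusted devices skip the challenge step
        h.cards.add(tx.card_token)   # record the attempt for future velocity checks
        return decision, score, reasons


if __name__ == "__main__":
    engine = RiskEngine(botnet_list={"dev-bot"})   # constructed sample list
    for tx in [
        Transaction("dev-a", "US", "US", "card-1", 20.0),
        Transaction("dev-a", "US", "CN", "card-2", 2000.0),
        Transaction("dev-a", "US", "US", "card-3", 20.0),
        Transaction("dev-bot", "US", "US", "card-9", 20.0),
    ]:
        print(tx.device_id, tx.amount, engine.decide(tx))
```

The same device is scored differently over time: the second transaction is challenged because of the location mismatch at a high amount, and the third fires the card-velocity signal because the engine remembers the cards already used from that device.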
You might question how much time it takes to conduct all these checks. ThreatMetrix says the validations are so quick that a user won’t notice they are taking place. In other words, the checks happen in real-time and do not add time that may annoy or turn away a legitimate customer. This is important, as every business wants to capture every good customer that it can.
Pulling data from so many sources to validate against a master database and customized parameters reduces the likelihood that the fraudster can manipulate the device data. This results in a high degree of confidence in the risk assessment. What’s more, the fraud can be stopped even if the particular device has never visited your Web site before.
ThreatMetrix allows its customers to deploy the device intelligence solution in a matter of hours. ThreatMetrix provides its customers with a couple of short HTML tags that should be copied into the code for your application or Web page. That’s it. Once done, the real-time validation of devices begins. The solution can be deployed so that no sensitive information about a customer ever leaves the firewall. This helps to satisfy regulatory requirements such as PCI DSS and HIPAA.
In addition to selling the solution direct to customers, ThreatMetrix already has two important channel partners. Entrust resells the solution to financial institutions and CyberSource sells it to retailers.
There are a couple of other players in this market space. 41st Parameter offers solutions for e-commerce and financial institutions that validate the device before processing a transaction. iovation offers a solution based on device reputation, utilizing a database of more than 100 million unique devices.
Device fingerprinting is certainly not a security silver bullet that is going to stop all online fraud. Rather, it’s another weapon to provide a more secure line of defense for your online transactions.