Skip Links

Device fingerprinting defends against online fraud

Online fraud is on the rise increasing the adoption of a new security discipline called device fingerprinting

IT Best Practices Alert By Linda Musthaler, Network World
April 20, 2009 12:04 AM ET
Linda Musthaler
Sign up for this newsletter now!

The CIO-level business angle on the latest tech

Network World - At the recent Web 2.0 Expo, PayPal’s senior director of global risk management, Katherine Hutchison, warned that online fraud is on the rise. There are many factors behind this rise, not the least of which is the rapid growth of the underground cybercrime economy. Criminals have established vast botnets comprised of millions of computers that are unknowingly controlled by malicious masters.

In 2008, the Georgia Tech Information Security Center (GTISC) estimated as many as 15% of online computers were part of a botnet – up from 10% in 2007 – and it’s likely to get worse. For example, there’s evidence that the recent Conficker virus is out to create an even greater population of bot computers. (See: Conficker awakens, starts scamming)

With so many bot devices now in place, criminals are able to easily hide both their locations and their identities to commit their assaults. As a result, the online fraud problem is growing bigger and wider. It exists anywhere where someone creates a new account, logs in to an account, or makes a card not present (CNP) credit purchase. Here are just a few examples of places where fraudsters are doing their dirty work.

• E-commerce sites of every ilk, where someone makes a purchase using stolen credit card information.
• Social networks and online dating sites, where fraudsters create accounts or use stolen credentials to establish trust and confidence and then betray that trust for financial gain.
• Banks and financial institutions where the criminal applies for a credit card or logs in with stolen credentials in order to steal funds.
• Private business portals for trusted business partners or customers that are compromised by someone with stolen or fake credentials.
• Federal, state and local government Web sites where fraudsters acquire benefits and services they are not entitled to.

This threat from compromised computers has given rise to a new security discipline whereby the device used in a transaction is quickly profiled in order to assess the risk from allowing that device’s transaction to proceed. Known as “device fingerprinting,” the process is rapidly gaining interest and adoption. As evidence, consider a critical indicator from the latest CyberSource fraud report: 7% of the online $25M+ e-merchants use device fingerprinting today and 47% said they plan to implement it in 2009.

Significantly, the people who are making the decisions to implement device fingerprinting are often the business owners and other people responsible for fraud prevention or safeguarding finance and operations. This is a decision that often bypasses or transcends a company’s IT or computer security experts. It would be worthwhile for you to get educated about device fingerprinting and take the solution to your management before it happens the other way around.

Device fingerprinting uses data from and about the device and browser sessions to assess the risk of doing business with the person utilizing that device. Obviously, the more data you have, the better you can assess the risk. For example, you can pierce the proxy to get the true IP address and geographic location of the user. If the PC says it’s in Dallas but the proxy piercing indicates it’s really in Beijing, there’s a good chance that the transaction it’s trying to initiate is fraudulent. Perhaps a particular PC has been used multiple times to initiate transactions using a different credit card each time. This evidence might indicate that the credit cards are stolen. Or, a compromised PC could be flagged as part of a botnet, so that its “bad reputation” would tell you to deny (or at least more carefully investigate) the transaction before allowing it to proceed.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News