Friday, December 28, 2007

Goodbye 2007...Hello 2008

Over the holiday break, I found myself repeatedly explaining to both friends and family the difference between identity-based fraud management tools and device-reputation-based fraud management tools (I know, I know...who'd have thought this could be a "hit" ice-breaking topic at a holiday party?). But when people ask me, "So, what do you do?" and I say, "I stop identity theft and stolen credit cards," they immediately want to know how they can protect themselves, my father-in-law included.

My father-in-law uses a Mac and I use a Windows tablet PC. As I stood there this morning looking down at our respective machines, I suddenly realized that after 20 years of having a relationship with him, either one of us could positively identify the other one out on any street corner. But then I suddenly felt a growing sense of vulnerability; only two mouse clicks away (out in the virtual internet world) either one of us could so easily become the other one and nobody would be the wiser! We each know enough about the other, or have easy access to the personal documents (like wallets, driver's licenses, passports etc.), that the only thing standing in the way of such a crime, and protecting us one from the other, is the combination of personal ethics and mutual "trust".

But as I recall looking around the living rooms of various holiday parties this year, I suddenly realize that there were many people there neither my wife nor I even knew. Meanwhile, our coats and her purse lay in wait, amidst a mountain of other coats and purses piled high onto our host's bed. I know I trust my close friends and family, but what about all these other people, the ones we are calling friends of friends of friends? How protected am I, online?

Thursday, November 15, 2007

ItsMyMarket.com (UK) WARNS about Scams

While I've been holding off posting my own list of common frauds, mainly because I haven't decided how to best organize them in a blog, here are some links to other fraud lists....enjoy!

http://www.itsmymarket.com/scams/common.php
(UPDATED) http://www.lookstoogoodtobetrue.com/fraud.aspx

Friday, November 9, 2007

iovation - Intel Capital - TheFraudKahuna

Yesterday, iovation (Portland, OR - U.S.A.) announced that they have partnered with Intel Capital, who has made an initial $10M investment in the company's fraud management solution.

iovation IS NOT simply a "device printing" company, rather, it uses "device recognition" as one of many design components within their Device Reputation Authority.

Beyond fraud management, iovation's many pending patents are designed to protect its IP (intellectual property) in and around what they call "Device Reputation". In today's vernacular, "device" = "PC", PDA, mobile phone, or Xbox; it can be virtually anything that is used to access the internet. Eventually, when IPv6 becomes more universally deployed, a device will likely refer to anything with built-in electronics, such as automobiles, televisions, even refrigerators. The reputation of a device is not only us asking the question, "Has this PC been used to commit online fraud?" but also us asking the question, "Has this PC been used for email spamming, chat abuse, and other sorts of unwanted online behaviors?"

NEWS LINKS
http://www.bizjournals.com/portland/stories/2007/11/05/daily21.html
http://home.businesswire.com/portal/site/home/index.jsp?epi_menuItemID=887566059a3aedb6efaaa9e27a808a0c&ndmViewId=news_view&ndmConfigId=1000017&newsId=20071108005370&newsLang=en
http://www.redherring.com/Home/23128
http://news.google.com/news/url?sa=t&ct=us/0-0&fp=4734e0a5f545a105&ei=ljw0R9PLDZveqwPcsNTrAQ&url=http%3A//www.redherring.com/Home/23128&cid=1123328964&sig2=rCRFk67zoOzDmtFFXKZgVQ

Wednesday, October 31, 2007

NCFTA...more help is on its way!!!

I recently visited the guys at NCFTA. Check out their web-site at www.ncfta.net. This is a new organization focused on the exchange of intelligence data. I fully support their charter. In their own words...

The National Cyber-Forensics and Training Alliance provides a neutral collaborative venue where critical confidential information about cyber incidents can be shared discreetly, and where resources can be shared among industry, academia and law enforcement.

The Alliance facilitates advanced training, promotes security awareness to reduce cyber-vulnerability, and conducts forensic and predictive analysis and lab simulations.

Thursday, October 11, 2007

Do you know where your PC has been?

I was looking at a device (a PC) in our database the other day. It had been flagged with repeat counts of identity theft in one particular vertical market. I then looked at the other markets this PC has visited. What I found interesting was this: although they have been repeatedly flagged for identity theft in the target market, they have been flagged with no fraudulent activity in any other market; they appear to be "good" citizens in the other communities while a "bad egg" in this one.

Has anyone else seen this sort of profile by fraudsters?

Monday, July 23, 2007

Fraud does not discriminate

This past week I investigated two extreme cases finding that the same fraudsters (fraud ring) had quickly hit multiple web-sites crossing multiple vertical markets. For example, they hit hard and broad across multiple iDating sites, and then, jumped over into the online purchase space at some of the largest online merchants. This same group was also caught frequenting online poker sites.

Thursday, May 31, 2007

What is state of the art?

State of the art today, in the war against fraud, is a combination of risk scoring engines plus various types of "Block Lists". But, how effective are these methods? (http://help.yahoo.com/help/us/store/risk/risk-25.html)

Reputation of a device is emerging as the next generation technology and raises best practices up to the next level.

Friday, May 18, 2007

Back to "Old" School Security

Old School Security

The best fraud solutions today are still based upon "old school" architectures. The web was invented for surfing information freely and anonymously. Browsers are not well equipped for security and commerce. The most secure communications today over TCP/IP are still client-server based architectures. Haven't you wondered why iTunes is NOT a web-site? Two fundamental reasons: 1) client-server is still the most secure method of doing commerce, and 2) you can program so many more capabilities into a downloadable application than you can into a web-page.

Wednesday, April 25, 2007

Delayed Confirmation Fraud Strategy

Recently I've engaged in a number of discussions on the topic of delayed confirmation. I think this fraud strategy definitely has some merit in certain applications. The objective is to simply slow down a fraudster who is trying to game the site by circumventing any deployed fraud detection systems.

In theory, providing a fraudster with real-time "denied" confirmation tells them that what they're doing isn't working, thus, try something different. I have seen no statistical research on how effective this methodology is, but it makes sense around the lunch table. Frustrate the bad guys so they'll go someplace else.

Thursday, April 12, 2007

Fraud on the Islands...

Time for some hands-on research. Next post in 10 days.

Saturday, April 7, 2007

Does device identification affect privacy policy?

The pendulum of opinion swings on this subject. First read my post ("Can device identification stop fraud?") for an intro on what information is typically collected to identify a device.

Below are my thoughts on this topic that may help you answer this question. Feel free to comment.

How can generic device information uniquely identify a device? It can when you combine all of the individually non-unique data elements into one long continuous stream of information. The sum of these data elements can create a unique "device fingerprint". This fingerprint effectively becomes a "virtual" device within the fraud system. It's more like a "pointer" to a real device that is located somewhere out in cyberspace, but we truly have no idea where it is located, and frankly, we don't care! Besides, we can't tell where the device really is (anonymizing proxies or simple dial-up connections break any hope that geo-location is a guarantee), and with a laptop the device may be moving around naturally.

We also don't know "who" is actually using the device; the web-site collects identity info, but we don't know if this is really the person logging in. So just like we create a virtual device identifier, we can create a virtual account identifier and use it with the virtual device identifier. So, from a device identification perspective, we don't know the "real" identity of the person using the device and we don't know where it is located.

The power and effectiveness behind this method of fraud management is that it doesn't matter "who" or "where" the person and device are. And the responsibility to correlate these "virtual" identities back into their true identities lies in the hands of the merchant anyway. Only the merchant has the necessary information to map these virtual identities back into any personal information that they have collected.
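A sketch of the idea in this post, added as an example and not taken from the original blog or from any vendor's product: individually non-unique attributes are joined into one stream and hashed into a virtual device identifier, and the account is replaced by a keyed hash that only the merchant can map back. The attribute names, the sample devices, the use of SHA-256/HMAC and the `ReputationStore` class are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample devices; attribute names and values are assumptions.
DEVICES = {
    "tablet-a": {"os": "Windows", "browser": "IE 7", "screen": "1024x768", "tz": "-8"},
    "tablet-b": {"os": "Windows", "browser": "IE 7", "screen": "1280x800", "tz": "-8"},
    "mac-c": {"os": "Mac OS X", "browser": "Safari 3", "screen": "1280x800", "tz": "-8"},
    "mac-d": {"os": "Mac OS X", "browser": "Safari 3", "screen": "1280x800", "tz": "-5"},
}

def device_fingerprint(attrs):
    """Join every attribute, in a fixed key order, into one stream and hash it."""
    stream = "\x1f".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(stream.encode()).hexdigest()

def virtual_account_id(merchant_key, account_name):
    """Keyed hash of the account; mapping it back needs the merchant's key and records."""
    return hmac.new(merchant_key, account_name.encode(), hashlib.sha256).hexdigest()

def distinct_values(devices, attribute):
    """How many different values one attribute takes across the sample."""
    return len({attrs[attribute] for attrs in devices.values()})

def distinct_fingerprints(devices):
    return len({device_fingerprint(attrs) for attrs in devices.values()})

class ReputationStore:
    """Fraud-system side: holds virtual identifiers only, no names or locations."""
    def __init__(self):
        self.flags = {}  # device fingerprint -> [(virtual account id, reason)]

    def report(self, fingerprint, account_id, reason):
        self.flags.setdefault(fingerprint, []).append((account_id, reason))

    def history(self, fingerprint):
        return self.flags.get(fingerprint, [])

def demo():
    key = b"constructed-merchant-key"
    store = ReputationStore()
    store.report(device_fingerprint(DEVICES["mac-d"]),
                 virtual_account_id(key, "account-1001"), "stolen credit card")
    # The same device comes back later under a different account name.
    returning = device_fingerprint(dict(DEVICES["mac-d"]))
    return store.history(returning), store.history(device_fingerprint(DEVICES["mac-c"]))

if __name__ == "__main__":
    print({a: distinct_values(DEVICES, a) for a in ("os", "browser", "screen", "tz")})
    print(distinct_fingerprints(DEVICES), demo())
```

No single attribute separates the four sample devices, but the combined stream does. An exact hash is the simplest possible match: any change to one attribute, such as a browser upgrade, produces a different identifier.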

Yugoslav Proverb
A good rest is half the work.

Can device identification stop fraud?

Yes! I do it everyday.

Any PC, mobile phone, or BlackBerry is a device that can be identified by reading multiple data points from the device itself. This data can include things like IP address, type of device etc.

But unlike fraud risk scoring engines, which base their models on collecting personal and/or transactional information (such as name, mailing address, shipping address, telephone number, social security number, credit card numbers etc.), device identification works independently of the actual activity the end-user is currently engaged in.

Whenever a device returns to my site, if it has previously engaged in fraudulent activity (like identity theft, stolen credit card, account-takeover etc.) I know about it and can stop them.

Welcome to TheFraudKahuna's Blog!

Welcome to TheFraudKahuna's blog! Glad to have you on board. Today, surfing, buying, selling, chatting, just about anything online or mobile can incur risks. And many risks are not well known or understood by the surfing public. The purpose of this blog is to educate and to communicate. In a very general sense, I will be discussing current fraud trends, fraud practices, and anything else relating to the space of fraud without, of course, exposing any of the actual technologies deployed by various fraud management companies.

What's most interesting to me are the actual "use cases" of fraud. What are the criminals doing out there today? Sometimes just exposing the MO of fraudsters is enough to give each of us clues on how to spot them and stop them.

While this blog is about fraud, I do not expect to see a whole lot of discussion from fraud investigators sharing best practices here. Just remember this blog is a public space...