Wednesday, April 25, 2007

Delayed Confirmation Fraud Strategy

Recently I've engaged in a number of discussions on the topic of delayed confirmation. I think this fraud strategy definitely has some merit in certain applications. The objective is to simply slow down a fraudster who is trying to game the site by circumventing any deployed fraud detection systems.

In theory, giving a fraudster a real-time "denied" confirmation tells them that what they're doing isn't working, so they try something different. I have seen no statistical research on how effective this methodology is, but it makes sense around the lunch table. Frustrate the bad guys so they'll go someplace else.

Thursday, April 12, 2007

Fraud on the Islands...

Time for some hands-on research. Next post in 10 days.

Saturday, April 7, 2007

Does device identification affect privacy policy?

The pendulum of opinion swings on this subject. First read my post ("Can device identification stop fraud?") for an intro on what information is typically collected to identify a device.

Below are my thoughts on this topic that may help you answer this question. Feel free to comment.

How can generic device information uniquely identify a device? It can when you combine all of the individually non-unique data elements into one long continuous stream of information. The sum of these data elements can create a unique “device fingerprint”. This fingerprint effectively becomes a “virtual” device within the fraud system. It’s more like a “pointer” to a real device that is located somewhere out in cyberspace, but we truly have no idea where it is located, and frankly, we don’t care! Besides, we can’t tell where the device really is (an anonymizing proxy or a simple dial-up connection breaks any hope that geo-location is a guarantee), and with a laptop the device may be moving around naturally.

We also don't know “who” is actually using the device: the web site collects identity info, but we don't know if this is really the person logging in. So just like we create a virtual device identifier, we can create a virtual account identifier and use it with the virtual device identifier. So, from a device identification perspective, we don’t know the “real” identity of the person using the device and we don’t know where it is located.

The power and effectiveness behind this method of fraud management is that it doesn’t matter “who” or “where” the person and device are. And the responsibility to correlate these “virtual” identities back into their true identities lies in the hands of the merchant anyway. Only the merchant has the necessary information to map these virtual identities back into any personal information that they have collected.

Yugoslav Proverb
A good rest is half the work.

Can device identification stop fraud?

Yes! I do it every day.

Any PC, mobile phone, or BlackBerry is a device that can be identified by reading multiple data points from the device itself. This data can include things like IP address, type of device, etc.

But unlike fraud risk scoring engines, which base their models on collecting personal and/or transactional information (such as name, mailing address, shipping address, telephone number, social security number, credit card numbers, etc.), device identification works independently of the actual activity the end-user is currently engaged in.

Whenever a device returns to my site, if it has previously engaged in fraudulent activity (like identity theft, stolen credit card, account takeover, etc.) I know about it and can stop them.
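An added example, not code from this blog or from any fraud vendor, sketching the idea in this post and in the privacy-policy post above: non-unique attributes are joined into one stream and hashed into a virtual device identifier, a virtual account identifier is derived the same way, and a returning flagged device is denied. The field names, the keyed-hash construction, the `FraudStore` class and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed attribute names: the post names only "IP address, type of device etc."
# IP is left out of this sketch because a laptop changes networks as it moves.
FIELDS = ("device_type", "user_agent", "screen", "timezone", "language")

def virtual_id(key: bytes, kind: str, value: str) -> str:
    """Keyed hash: a pointer the fraud system can store instead of the raw value."""
    return hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:16]

def device_fingerprint(key: bytes, attrs: dict) -> str:
    """Join individually non-unique attributes into one canonical stream, then hash."""
    parts = (" ".join(str(attrs.get(f, "")).lower().split()) for f in FIELDS)
    return virtual_id(key, "device", "|".join(parts))

class FraudStore:
    """Holds virtual identifiers only; mapping them to people stays with the merchant."""

    def __init__(self):
        self.bad_devices = set()
        self.accounts_on_device = {}

    def observe(self, device_id: str, account_id: str) -> str:
        self.accounts_on_device.setdefault(device_id, set()).add(account_id)
        return "deny" if device_id in self.bad_devices else "allow"

    def mark_fraud(self, device_id: str) -> set:
        """Flag a device; return the virtual accounts seen on it for merchant review."""
        self.bad_devices.add(device_id)
        return set(self.accounts_on_device.get(device_id, ()))

def demo():
    key = b"constructed-demo-key"  # constructed; a real key would be a managed secret
    laptop = {"device_type": "PC", "user_agent": "ExampleBrowser/1.0",
              "screen": "1280x800", "timezone": "UTC-10", "language": "en-US"}
    same_laptop = dict(laptop, user_agent="  examplebrowser/1.0 ")  # formatting noise only
    phone = dict(laptop, device_type="mobile phone", screen="240x320")
    store = FraudStore()
    dev = device_fingerprint(key, laptop)
    first = store.observe(dev, virtual_id(key, "account", "alice@example.com"))
    linked = store.mark_fraud(dev)  # after fraud is confirmed on that device
    again = store.observe(device_fingerprint(key, same_laptop),
                          virtual_id(key, "account", "bob@example.com"))
    other = store.observe(device_fingerprint(key, phone),
                          virtual_id(key, "account", "carol@example.com"))
    return first, len(linked), again, other

if __name__ == "__main__":
    print(demo())  # ('allow', 1, 'deny', 'allow')
```

Because the identifiers are keyed hashes, the store never holds an e-mail address or a raw attribute string; only whoever holds the key and the original records can map a virtual identifier back to a customer.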

Welcome to TheFraudKahuna's Blog!

Welcome to TheFraudKahuna's blog! Glad to have you on board. Today, surfing, buying, selling, chatting, just about anything online or mobile can incur risks. And many risks are not well known or understood by the surfing public. The purpose of this blog is to educate and to communicate. In a very general sense, I will be discussing current fraud trends, fraud practices, and anything else relating to the space of fraud without, of course, exposing any of the actual technologies deployed by various fraud management companies.

What's most interesting to me are the actual "use cases" of fraud. What are the criminals doing out there today? Sometimes just exposing the MO of fraudsters is enough to give each of us clues on how to spot them and stop them.

While this blog is about fraud, I do not expect to see a whole lot of discussion from fraud investigators sharing best practices here. Just remember this blog is a public space...