Monday, March 8, 2010
Proxy Piercing: "to pierce" or "not to pierce"?
To read a PC's local IP address and deliver it reliably back to your own servers, you must execute some native code on the PC, e.g. a Java applet, a toolbar, or an application, which then sends that IP address back to your servers over its own TCP/IP or UDP socket connection, bypassing the HTTP data stream that passes through the proxy server. This is necessary because any IP addresses carried in the X-Forwarded-For header will be scrubbed (deleted) by the proxy. Alternative methods for transferring an IP address "transparently" might include encrypting the IP address with JavaScript or ActionScript into some target data field on the PC that is then transmitted within the HTTP stream's user-agent string. But since a "smart" proxy is going to rewrite ALL of the attributes within the user-agent string, your encrypted IP data is simply going to get dropped on the floor and lost! So this fraud management technique comes with challenges.
But is knowing the actual PC's IP address ultimately beneficial for fraud management? Even if it were possible to reliably acquire the IP address transparently (and it is not an unroutable IP address), the answer is going to be yes only sometimes, and its usefulness is going to be temporary at best. Because, as you probably know, IP addresses are not "owned" by a PC. They are not like license plates assigned to an automobile by the DMV. IP addresses are extremely temporary, assigned by an ISP for a real-time connection, and they can be recycled as frequently as every time the user reboots their router, e.g. possibly every day. And when another PC is assigned an IP address that you have put on your block-list, you will introduce a false positive, potentially blocking a good customer. Also, if a PC is sitting behind a NAT (network address translation) firewall, then the PC itself will have an unroutable "local" IP address, e.g. in the range of 192.168.xxx.xxx or 10.x.x.x, which will basically tell you nothing.
What I have found in my experience to be the most effective fraud management technique relating to IP addresses and their geolocation is to monitor for suspicious activity generated by the use of a proxy server; that is what will be most telling. I look for suspicious velocity changes in geolocation, which are the actual result of a fraudster's activity while using an anonymizing proxy for fraudulent and abusive objectives.
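As an added example (not code from the original post), the check below implements the two points made above: unroutable NAT addresses carry no geolocation signal and are skipped, and consecutive sessions of one account are compared for a geolocation "velocity" that no real traveller could achieve, which is the footprint an anonymizing proxy leaves. It assumes that an upstream geolocation service has already resolved each session IP to latitude/longitude, that 900 km/h (roughly airliner speed) is a reasonable plausibility threshold, and that the session events are constructed sample data.

```python
"""Impossible-travel velocity check over account session events.

Added example, not from the original post. Coordinates are assumed to come
from an upstream geolocation lookup; the events below are constructed.
"""
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed

# Address space that can never identify a remote PC (the post's 192.168.x.x / 10.x.x.x case,
# plus the other RFC 1918, CGNAT, loopback and link-local ranges).
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private (NAT) space
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "0.0.0.0/8",
)]


def is_routable(ip_str):
    """True only if ip_str parses and is not in an unroutable range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in UNROUTABLE_NETS)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive routable sessions whose implied
    speed exceeds max_kmh. Each event: {"ts": ISO-8601, "ip", "lat", "lon"}."""
    usable = sorted((e for e in events if is_routable(e["ip"])), key=lambda e: e["ts"])
    alerts = []
    for prev, cur in zip(usable, usable[1:]):
        hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
        dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if hours <= 0:
            # Same timestamp (or clock skew): any real distance is impossible travel.
            kmh = float("inf") if dist > 1.0 else 0.0
        else:
            kmh = dist / hours
        if kmh > max_kmh:
            alerts.append({"from_ip": prev["ip"], "to_ip": cur["ip"],
                           "distance_km": round(dist, 1), "hours": round(hours, 3), "kmh": round(kmh, 1)})
    return alerts


# Constructed sample: one account, four sessions in a single morning.
SAMPLE_EVENTS = [
    {"ts": "2010-03-08T09:55:00+00:00", "ip": "192.168.1.10", "lat": 0.0, "lon": 0.0},          # NAT address from client-side code: no signal
    {"ts": "2010-03-08T10:00:00+00:00", "ip": "203.0.113.9", "lat": 40.7128, "lon": -74.0060},  # geolocated to New York
    {"ts": "2010-03-08T10:40:00+00:00", "ip": "198.51.100.77", "lat": 52.3676, "lon": 4.9041},  # geolocated to Amsterdam, 40 min later
    {"ts": "2010-03-08T14:00:00+00:00", "ip": "198.51.100.80", "lat": 52.3702, "lon": 4.8952},  # Amsterdam again, plausible
]


def run_sample():
    return flag_impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print("IMPOSSIBLE TRAVEL:", alert)
```

Only the New York to Amsterdam hop (about 5,860 km in 40 minutes) is flagged; the private 192.168.1.10 address never enters the comparison, and the later Amsterdam session is within a few kilometres of the previous one. The threshold and the tolerance for same-timestamp events are tuning knobs; a lower threshold catches more proxy hopping but starts to flag legitimate VPN users.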
Monday, November 16, 2009
PhoCusWright Conference 2009
Monday, October 12, 2009
Thursday, April 2, 2009
[Criminal Diversification, Repeat Offender in 2005 (Part 1 of 4)]
Thursday, September 4, 2008
[Fraud Series: Topic 4] Fraudsters are no longer showing site loyalty
I’ve been analyzing the online behavior patterns of criminals for about 4 years now. When I first started, the criminals were clearly “specialists” targeting a particular vertical market with their organized crime operations, e.g., online gaming, Internet dating, eCommerce, or financial institutions. They would craft their schemes to specifically exploit a victim Web site until they got caught. Then, they would simply shift their focus over to the next Web site with similar vulnerabilities in that same vertical market.
However, more recently I’ve been noticing fraud rings crossing over vertical markets and perpetrating their crimes/scams simultaneously upon multiple Web sites. I’ve seen, for example, criminals who have been committing Internet dating scams now moving into other vertical markets like eCommerce. In one case, a fraudster was buying “items” at an online jewelry site using a stolen credit card. Simultaneously, he/she was creating accounts on an Internet dating site, paying for their subscription using a stolen credit card.
In conclusion, fraudsters are "diversifying" their operations and committing various forms of fraud across a spectrum of vertical markets in order to increase their return on investment. However, I do still see the "old school" fraudsters sticking it out within the same vertical and focusing their efforts on trying to overcome the fraud prevention tools deployed within that vertical market.
My advice is simply this: don’t limit yourself to fraud strategies specific to one vertical market. The most effective fraud strategies today are the ones that leverage fraud intelligence collected from across the Internet, not just a subset community.
Thursday, May 22, 2008
[Fraud Series: Topic 3] Credit Card Phone Scam
This isn't an online fraud, per se, but since both ANI/MIN/CLID spoofing and credit card fraud are current topics of discussion, I thought you'd find this interesting (if only for your own personal protection). The following is an example of a credit card scam, delivered via ANI/MIN/CLID spoofing (making the caller-ID appear to be some other number), intended to collect all of my key credit card information so the criminal could use my card to purchase stuff online.
I just received a phone call on my cell phone (from a Voice Response Unit-VRU) with a caller-ID number of 321-504-7429. The recorded message said…
“This is your final notice to lower the interest rates on your credit card…blah blah blah…please select 1 to lower your rates now…blah blah blah”. I hung up, as should you!
Notes/Warning Signs:
- There was no indication for which bank it was calling me (I actually have 3 credit cards from 3 different banks).
- There was no authentication of who the credit card actually belongs to, e.g. they might have said my name so I know it's me they're looking for.
- They called my work cell phone, which was likely taken off my business card picked up from one of our show booth tables. I NEVER use my business cell phone for credit card accounts.
- After I hung up I dialed the number back, and as expected it said, “The number you are trying to reach has been disconnected and is no longer in service.”
Thursday, February 7, 2008
[Fraud Series: Topic 2] Stolen Credit Cards
There isn’t much I can add to the discussion on the topic of criminals using stolen credit cards to make purchases online. I could talk about various methods used to catch them. However, this week what I thought would be interesting is to comment on the relationship developing between “Easy Identity Theft” and the fraudulent usage of credit cards.
Like many Americans, I used to think that the only way a criminal could use someone's credit was to steal the plastic card, or at minimum steal the numbers and CVV off of it, to make fraudulent purchases. But now, as I discussed last week, I know that this is not the only use case. In fact, more and more people are starting to fall prey to criminals acquiring their personal information and then applying for credit cards on their behalf. In this scenario, the victim may or may not receive the invoice for the credit card. If they do, they are left with protesting and deactivating the account; if not, it could go completely undetected and have lasting consequences.
This is one of the most common uses of identity theft and potentially has the most adverse impact, because unlike a fraudulent charge to your credit card, which most often is credited back to your account, a fraudulent credit application may go undetected and can negatively impact your credit rating for years.
Next blog [Fraud Series: Topic 3] Advanced Fee Frauds