For 2Checkout.com Inc., rapid growth came at a price: increased fraud. The problem was the company's growth outstripped the company's ability to build fraud tools in-house.
"We were fortunate to see our business grow quickly, but at the cost of losing the dynamics of the fraud tools we once had in place," said Sebbe Jones, manager of fraud and disputes at the Columbus, Ohio-based e-commerce company. "Without getting into logistics, we were drowning in fraud charge backs, refunds, and returns."
But four years after deploying device identification technology from 41st Parameter Inc., 2Checkout (2CO) is comfortable doing business anywhere in the world, including countries with historically high rates of Internet fraud, such as Nigeria and Vietnam, Jones said. "We are able to do business in these 'high fraud' countries because we have more visibility of the consumer and/or fraudster."
Many companies battling online fraud, including retailers and banks, have turned to device identification technology – also referred to as device fingerprinting, experts said. Using various techniques, the technology identifies devices to help authenticate users to stop Internet fraud.
Almost all fraud detection systems have an aspect of device identification -- geolocation -- built into them, said Avivah Litan, vice president and distinguished analyst at Gartner Inc. But some vendors, including 41st Parameter, Iovation Inc. and ThreatMetrix Inc., go beyond that by looking for more information about devices such as the users' operating system, browser version and language.
"Certainly there's a lot of interest in it," Litan said. "Lots of retailers and banks are experimenting with it or putting it into production."
Jonathan Penn, vice president at Forrester Research Inc., said banks are using device identification technology either alone or with other mechanisms "to get better assurance that the customer is who they say they are, so going beyond just a user ID and password."
"It helps us build a profile of the device," he said. "We see Macs, game consoles like Wii and PlayStations. Anything that connects over HTTP is subject to that script [executing] and asking all these questions," he said.
If a user upgrades or alters their device, PCPrint determines the degree to which the system belongs to the user with the account, he said.
The technology can be used for authentication and detecting compromised accounts, but the most popular use case among its banking customers is preventing fraudulent new account openings, Eisen said. Device identification is popular in the new account opening process because "criminals typically use one PC to open multiple accounts … it will help you identify that," Litan said.
Cookies are a form of device identification but aren't reliable or used much by companies for fraud detection, she said. In a 2007 report, Litan wrote that U.S. banks partly relied on cookies as a means of providing a second factor for user identification, but she noted that up to 15% of cookies are deleted by users or by antivirus and antispyware programs.
An alternative device identification method is PC inspection software, which can read information from the operating system registry and serial numbers off a hard drive, according to Litan. Another method uses Flash objects on PCs to identify a user's machine, provided the client has Adobe software, she said.
ThreatMetrix Inc., which relocated from Australia to Los Altos, Calif. earlier this year, measures over 100 different parameters transparently during an online transaction in order to identify returning customers and stop first-time fraud. Reed Taussig, president and CEO, said in an interview in March. Fraudsters often cloak their true location by using proxies, but ThreatMetrix can "pierce the proxy" and determine a device's true IP address and geolocation, he said.
The company maintains a database of 12 million devices known to be fraudulent, which allows customers to anonymously share information device identity and fraud data, he said. ThreatMetrix offers its technology as a Software as a Service (SaaS) solution or customers can deploy it locally via a simple API.
Device identification is a "must have" for companies that are serious about online fraud detection, Litan said, but added, "It's certainly not perfect. Crooks can beat it. They can beat just about anything."
In her 2007 report, Litan wrote that the technology doesn't prevent man-in-the-middle or man-in-the-browser attacks in which the criminal inserts a program that intercepts communication between the user's device and the enterprise server. Some client device identification program can detect MITB attacks, she added.
Jones at 2CO said fraudsters continually evolve their techniques, making it imperative that businesses evolve as well. But with its skills, experience and tools, the company is confident it will continue to succeed doing business across the globe, he said.