
Banks, e-commerce sites use device identification to stop fraud

By Marcia Savage, Features Editor, Information Security
28 May 2009 | SearchFinancialSecurity.com


For 2Checkout.com Inc., rapid growth came at a price: increased fraud. The problem was that the company's growth outstripped its ability to build fraud tools in-house.

"We were fortunate to see our business grow quickly, but at the cost of losing the dynamics of the fraud tools we once had in place," said Sebbe Jones, manager of fraud and disputes at the Columbus, Ohio-based e-commerce company. "Without getting into logistics, we were drowning in fraud charge backs, refunds, and returns."

But four years after deploying device identification technology from 41st Parameter Inc., 2Checkout (2CO) is comfortable doing business anywhere in the world, including countries with historically high rates of Internet fraud, such as Nigeria and Vietnam, Jones said. "We are able to do business in these 'high fraud' countries because we have more visibility of the consumer and/or fraudster."

Many companies battling online fraud, including retailers and banks, have turned to device identification technology, also referred to as device fingerprinting, experts said. Using various techniques, the technology identifies devices to help authenticate users and stop Internet fraud.

Almost all fraud detection systems have an aspect of device identification -- geolocation -- built into them, said Avivah Litan, vice president and distinguished analyst at Gartner Inc. But some vendors, including 41st Parameter, Iovation Inc. and ThreatMetrix Inc., go beyond that by looking for more information about devices such as the users' operating system, browser version and language.

"Certainly there's a lot of interest in it," Litan said. "Lots of retailers and banks are experimenting with it or putting it into production."

Jonathan Penn, vice president at Forrester Research Inc., said banks are using device identification technology either alone or with other mechanisms "to get better assurance that the customer is who they say they are, so going beyond just a user ID and password."

Scottsdale, Ariz.-based 41st Parameter's PCPrint uses JavaScript deployed on a customer's login page to gather information about visiting devices by querying the browser as to time zone, HTTP header information, screen resolution settings, and many other items, said Ori Eisen, 41st Parameter founder and chairman.

"It helps us build a profile of the device," he said. "We see Macs, game consoles like Wii and PlayStations. Anything that connects over HTTP is subject to that script [executing] and asking all these questions," he said.

If a user upgrades or alters their device, PCPrint determines the degree to which the system belongs to the user with the account, he said.

The technology can be used for authentication and detecting compromised accounts, but the most popular use case among its banking customers is preventing fraudulent new account openings, Eisen said. Device identification is popular in the new account opening process because "criminals typically use one PC to open multiple accounts … it will help you identify that," Litan said.
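One way a fraud team could act on the two points above: a device profile that still matches after a browser upgrade, and one PC opening several accounts. This is an added example, not 41st Parameter's code or algorithm; the attribute names, the 0.75 match threshold and the sample applications are assumptions constructed for illustration.

```javascript
// Attributes of the kind the article lists (time zone, HTTP headers,
// screen resolution). The field names are hypothetical.
const ATTRS = ["timeZone", "userAgent", "acceptLanguage", "screen"];

// Fraction of attributes that are identical in two device profiles (0..1).
function similarity(a, b) {
  return ATTRS.filter((k) => a[k] === b[k]).length / ATTRS.length;
}

// Cluster new-account applications whose device profiles match at or above
// `threshold`, then return the clusters holding more than `maxAccounts`
// distinct accounts, i.e. one device opening several accounts.
function flagSharedDevices(applications, threshold = 0.75, maxAccounts = 1) {
  const clusters = []; // each entry: { profile, accounts: Set }
  for (const app of applications) {
    let cluster = clusters.find(
      (c) => similarity(c.profile, app.device) >= threshold
    );
    if (!cluster) {
      cluster = { profile: app.device, accounts: new Set() };
      clusters.push(cluster);
    }
    cluster.accounts.add(app.account);
  }
  return clusters
    .filter((c) => c.accounts.size > maxAccounts)
    .map((c) => [...c.accounts].sort());
}

// Constructed sample data: acct-1002 comes from the same PC as acct-1001
// after a minor browser upgrade, so 3 of 4 attributes still match.
const pcA = { timeZone: -300, acceptLanguage: "en-US", screen: "1280x1024",
              userAgent: "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.10" };
const pcAUpgraded = { ...pcA,
              userAgent: "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.11" };
const macB = { timeZone: 60, acceptLanguage: "de-DE", screen: "1440x900",
               userAgent: "Mozilla/5.0 (Macintosh) Safari/4.0" };

const SAMPLE = [
  { account: "acct-1001", device: pcA },
  { account: "acct-1002", device: pcAUpgraded },
  { account: "acct-1003", device: macB },
  { account: "acct-1004", device: pcA },
];

console.log(flagSharedDevices(SAMPLE));
```

Lowering the threshold tolerates more device changes but merges unrelated devices that share common settings, so the flagged clusters are leads for review rather than verdicts.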

Cookies are a form of device identification but aren't reliable or used much by companies for fraud detection, she said. In a 2007 report, Litan wrote that U.S. banks partly relied on cookies as a means of providing a second factor for user identification, but she noted that up to 15% of cookies are deleted by users or by antivirus and antispyware programs.

An alternative device identification method is PC inspection software, which can read information from the operating system registry and serial numbers off a hard drive, according to Litan. Another method uses Flash objects on PCs to identify a user's machine, provided the client has Adobe software, she said.

ThreatMetrix Inc., which relocated from Australia to Los Altos, Calif. earlier this year, measures over 100 different parameters transparently during an online transaction in order to identify returning customers and stop first-time fraud, Reed Taussig, president and CEO, said in an interview in March. Fraudsters often cloak their true location by using proxies, but ThreatMetrix can "pierce the proxy" and determine a device's true IP address and geolocation, he said.

The company maintains a database of 12 million devices known to be fraudulent, which allows customers to anonymously share device identity and fraud data, he said. ThreatMetrix offers its technology as a Software as a Service (SaaS) solution, or customers can deploy it locally via a simple API.

Device identification is a "must have" for companies that are serious about online fraud detection, Litan said, but added, "It's certainly not perfect. Crooks can beat it. They can beat just about anything."

In her 2007 report, Litan wrote that the technology doesn't prevent man-in-the-middle or man-in-the-browser (MITB) attacks, in which the criminal inserts a program that intercepts communication between the user's device and the enterprise server. Some client device identification programs can detect MITB attacks, she added.

Jones at 2CO said fraudsters continually evolve their techniques, making it imperative that businesses evolve as well. But with its skills, experience and tools, the company is confident it will continue to succeed doing business across the globe, he said.
