Device Reputation in a Device Intelligence Network
Article by: Alisdair Faulkner, VP Products
Date: 29 May 2008
Last Update: 30th April 2008
Device reputation means assigning a device a reputation based on its past behavior, and then
making this reputation available through a Device Intelligence Network. Device reputation can
then be used in real time during an e-commerce transaction or a banking logon to help
determine the risk of permitting the transaction or logon to occur. In this way, valid logon or
credit card details that can be acquired through identity theft are not the only means of identity
verification. While Device Reputation is a valuable component in your fraud toolset,
ThreatMETRIX recommends looking beyond reputation for additional technologies that can
provide first-time fraud protection.
For device reputation to be reliable in itself, there are certain criteria that must be met: relevant
net of capture, "closing the loop", subversion resistance, and true device identification.
Net of capture does not just mean that a sufficiently large number of devices have been
identified, but that there is sufficient overlap between devices caught in this net and those that
are attacking your site. Reputation tends to be more valuable the more industry specific it is, e.g.
Travel, Etail, Finance or Gaming. This makes sense if you think about it from a fraudster's
return on investment perspective. Scams tend to be industry and even merchant specific, so it
makes sense to target companies with similar profiles. Also, there are often problems with
translating reputation from one industry to another. For example, just because a device has
attracted a bad reputation at a gaming or adult site because of an alleged chargeback does not
necessarily mean that it isn't still going to be a valuable travel customer. ThreatMETRIX
Device Intelligence Network arms its customers with the information and tools required to
extract reputation information that is directly relevant to them. Scoring is not enough. You need
context to better understand risk.
"Closing the loop" means feeding back "truth data" into your reputation scoring process.
Without feedback confirming the accuracy of a Device's Reputation score, how does a
supposed "fraud scrubbing" service actually know whether they are creating false positives or
missing fraud? Also, how do you weigh the value of an assertion generated by an automated
rules system (e.g. triggered by a risk-based authentication system) against one made by a fraud analyst?
For example, the former is faster, but likely to be less accurate than the latter. Your chosen
Device Intelligence Network should have answers to these questions.
Related to the above, any reputation network needs to take into account the variable levels of
"trust" that you can place on any given input in such a way as to minimize the risk of subversion
through misleading or incorrect input data. Anti-subversion has been built into the core of the
ThreatMETRIX Device Intelligence Network from day one of its development, and is based on
trust levels assigned to all sources of assertions about devices.
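The trust-level idea above, as an added sketch that is not ThreatMETRIX's algorithm or code from this article: each assertion is weighted by an assumed trust value for its source type, and each reporter counts once per source type, so a flood of low-trust reports cannot outvote one analyst-confirmed verdict. All names, weights and sample assertions are constructed for illustration.

```python
# Added illustration: trust-weighted device reputation (all values assumed).
SOURCE_TRUST = {            # assumed trust level per assertion source type
    "analyst": 1.0,         # fraud analyst review: slower, more accurate
    "chargeback": 0.8,
    "auto_rule": 0.4,       # automated rules system: faster, less accurate
    "unverified": 0.1,
}

def _select(assertions, device, industry):
    """Assertions about one device, optionally limited to one industry."""
    return [a for a in assertions if a["device"] == device
            and (industry is None or a["industry"] == industry)]

def naive_score(assertions, device, industry=None):
    """Unweighted mean of verdicts: every report counts the same."""
    rows = _select(assertions, device, industry)
    return sum(a["verdict"] for a in rows) / len(rows) if rows else 0.0

def reputation(assertions, device, industry=None):
    """Trust-weighted score in [-1, 1]; negative means bad reputation."""
    votes = {}
    for a in _select(assertions, device, industry):
        # One vote per (reporter, source type); the latest assertion wins,
        # so repeated submissions add no weight and feedback can correct
        # an earlier verdict.
        votes[(a["reporter"], a["source"])] = (
            SOURCE_TRUST.get(a["source"], 0.0), a["verdict"])
    total = sum(trust for trust, _ in votes.values())
    if total == 0:
        return 0.0          # no trusted evidence: neutral
    return sum(trust * verdict for trust, verdict in votes.values()) / total

def _a(device, industry, reporter, source, verdict):
    return {"device": device, "industry": industry, "reporter": reporter,
            "source": source, "verdict": verdict}

# Constructed sample data: verdict -1 = reported fraud, +1 = confirmed good.
SAMPLE = [
    _a("dev-A", "gaming", "m1", "auto_rule", -1),
    _a("dev-A", "gaming", "m1", "chargeback", -1),
    _a("dev-A", "travel", "m2", "analyst", +1),
    _a("dev-A", "travel", "m3", "auto_rule", +1),
    _a("dev-B", "travel", "m2", "analyst", +1),
] + [_a("dev-B", "travel", "x9", "unverified", -1) for _ in range(50)]

if __name__ == "__main__":
    for dev, ind in [("dev-A", "gaming"), ("dev-A", "travel"), ("dev-B", "travel")]:
        print(dev, ind, round(naive_score(SAMPLE, dev, ind), 2),
              round(reputation(SAMPLE, dev, ind), 2))
```

In the sample, dev-A scores bad in gaming but good in travel, and dev-B stays positive in travel despite fifty reports from one unverified reporter, whereas the unweighted mean would mark it as fraud.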
And most importantly, device reputation can only be of use when devices can be identified to a
useful level of accuracy. Device fingerprinting, coupled with TrueIP proxy peer-through and
TrueGeo location, enables the possibility of identifying the fraudster's machine wherever it is,
and however he attempts to hide it behind his network of botnet proxies.