Posted on February 16th, 2009 by Alisdair Faulkner
I had the pleasure of sharing a panel with Tom Sullivan at the annual Cybersource ePayment Summit 2009 on trends in fraud and payments management. Tom is Sr. Director, Global Payments & Risk at Expedia, Chair of the Merchant Risk Council and a leading authority on payments and ecommerce fraud. The session was moderated by Paul Brock, Sr. Manager, Managed Services at Cybersource.
[Slides from the talk "Online Fraud Prevention Technology Trends", Alisdair Faulkner, VP Products, ThreatMetrix, Inc. The recovered slide text follows.]

Evolution of Online Fraud Attacks
In 2007, 11% of influenza viruses were found to be resistant to Tamiflu; one year later, 99% were. What does this mean for fraud in the next 2-3 years?

Compromised Identities and Devices: a 'perfect storm'
You can't trust the person if you can't trust the device. 12 million devices active, 200 million profiled, 100,000 new devices per day; global top-3 countries: US, China, Brazil. Compromised PCs have long been used to steal credit card details; what's new is that botnet drones are also facilitating the transactions.

Botnets and Proxies Make IP Velocity and Geolocation Ineffective

Case Study: Voice Top-Ups
With IP intelligence alone, the fraud was stopped on the 5th try. All five attempts on 12/9/2008 presented a US IP address, no cookies, no JavaScript and a $20 USD payment:

Created          Account login   IP geo   Cookies   JavaScript   Payment   Response
12/9/2008 5:19   jtungss         US       no        no           20 usd    Accept
12/9/2008 5:22   hungkt16        US       no        no           20 usd    Accept
12/9/2008 5:24   truyen4         US       no        no           20 usd    Accept
12/9/2008 5:26   truyen2         US       no        no           20 usd    Accept
12/9/2008 5:28   lehung          US       no        no           20 usd    Reject

With device intelligence, the fraud was stopped the 1st time. The same five attempts share one device ID and a hidden proxy; the proxy IP geolocates to the US but the true IP geolocates to Vietnam:

Created          Account login   Device ID                          Proxy IP geo   Proxy type   True IP geo
12/9/2008 5:19   jtungss         cc4fa496c54511dd800000163e119596   US             hidden       VN
12/9/2008 5:22   hungkt16        cc4fa496c54511dd800000163e119596   US             hidden       VN
12/9/2008 5:24   truyen4         cc4fa496c54511dd800000163e119596   US             hidden       VN
12/9/2008 5:26   truyen2         cc4fa496c54511dd800000163e119596   US             hidden       VN
12/9/2008 5:28   lehung          cc4fa496c54511dd800000163e119596   US             hidden       VN

Technology Comparison
Different ways to detect proxies? Techniques to identify devices?

True IP and Instant Proxy Identification
Standard proxy attribution (IP reputation lists) suffers from the net-of-capture problem: the IP address is a moving target and the check is easy to subvert. Instant proxy attribution (true IP / true geo, timezone vs. geo, HTTP fingerprinting, TCP/IP fingerprinting, packet fingerprinting, content encoding) gives first-time protection, instantaneous detection and risk classification, and is hard to subvert.

Packet-Level Device Identification
Standard identification (browser profiling, browser tagging, IP geolocation, deep packet inspection) is shown on the slide as subvertible. Proxy-bypassing, subversion-resistant identification: true IP / true geo, timezone / geo, HTTP fingerprinting, TCP/IP fingerprinting, CPU time-stamping, botnet detection, IP forensics, real-time matching.

Strategies and Considerations
How should you be thinking about the composition of technologies as you evolve your operations? There is no silver bullet. Device identification requires a holistic view of the device. Look for a real-time solution that is subversion resistant, and flexible enough to integrate with your existing workflow.
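To make the case study concrete, here is an added example (not ThreatMetrix code or data) that replays the five top-up attempts through the two filters the slides contrast: an IP velocity check, and a device-level check that uses the hidden-proxy / true-geolocation mismatch and links every login to the one device ID. The records are constructed from the slide's table; the shared IP address is a placeholder from the documentation range because the slide's IP column did not survive extraction, and the velocity threshold is an assumption chosen to reproduce the "rejected on the 5th try" outcome.

```python
"""Replay of the voice top-up case study: the same five $20 attempts screened first
with IP intelligence alone, then with device intelligence.

Added example, not ThreatMetrix code or data. The records are constructed from the
slide's table; the shared IP address is a placeholder (documentation range) because
the slide's IP column did not survive extraction.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEVICE = "cc4fa496c54511dd800000163e119596"          # device ID shown on the slide
HIGH_RISK_GEOS = {"NG", "RU", "EE"}                    # countries the post names as high risk


def _attempt(when, login):
    """One top-up attempt as the merchant's fraud filter would see it."""
    return {"created": datetime.strptime(when, "%Y-%m-%d %H:%M"), "login": login,
            "ip": "203.0.113.7",                        # placeholder, see docstring
            "ip_geo": "US",                             # geolocation of the address seen (the proxy)
            "device_id": DEVICE, "proxy_type": "hidden",
            "true_geo": "VN",                           # geolocation behind the proxy
            "amount": 20, "currency": "usd"}


# Constructed from the slide, oldest first (all on 12/9/2008).
ATTEMPTS = [_attempt("2008-12-09 05:19", "jtungss"), _attempt("2008-12-09 05:22", "hungkt16"),
            _attempt("2008-12-09 05:24", "truyen4"), _attempt("2008-12-09 05:26", "truyen2"),
            _attempt("2008-12-09 05:28", "lehung")]


def ip_intelligence(attempts, max_per_ip=4, window=timedelta(minutes=10)):
    """First-generation filter: geolocation block list plus an IP velocity check.

    Every attempt arrives from a US address, so the block list never fires; velocity
    fires only once max_per_ip earlier attempts from the same IP sit inside the window,
    which is why four accounts get through before the fifth is rejected.
    """
    decisions, seen = [], defaultdict(list)           # ip -> timestamps already scored
    for a in sorted(attempts, key=lambda r: r["created"]):
        recent = [t for t in seen[a["ip"]] if a["created"] - t <= window]
        reject = a["ip_geo"] in HIGH_RISK_GEOS or len(recent) >= max_per_ip
        decisions.append((a["login"], "Reject" if reject else "Accept"))
        seen[a["ip"]].append(a["created"])
    return decisions


def device_intelligence(attempts, max_other_accounts=0):
    """Device-level filter: reject when a hidden proxy masks a different true geolocation
    (this alone catches the very first attempt) or when the device has already transacted
    under other accounts (this links all five logins to one machine regardless of IP).
    """
    decisions, accounts_by_device = [], defaultdict(set)
    for a in sorted(attempts, key=lambda r: r["created"]):
        reasons = []
        if a["proxy_type"] == "hidden" and a["true_geo"] != a["ip_geo"]:
            reasons.append("hidden proxy: true geo %s, IP geo %s" % (a["true_geo"], a["ip_geo"]))
        others = accounts_by_device[a["device_id"]] - {a["login"]}
        if len(others) > max_other_accounts:
            reasons.append("device already used by %d other account(s)" % len(others))
        accounts_by_device[a["device_id"]].add(a["login"])
        decisions.append((a["login"], "Reject" if reasons else "Accept", reasons))
    return decisions, accounts_by_device


if __name__ == "__main__":
    for login, decision in ip_intelligence(ATTEMPTS):
        print("IP intelligence      %-9s %s" % (login, decision))
    decisions, by_device = device_intelligence(ATTEMPTS)
    for login, decision, reasons in decisions:
        print("device intelligence  %-9s %s  %s" % (login, decision, "; ".join(reasons)))
    print("accounts linked to device %s: %s" % (DEVICE, sorted(by_device[DEVICE])))
```

The point the replay makes is that the velocity rule has nothing to key on until the fraudster has already been paid four times, whereas the device rule has two independent reasons to reject: the proxy/true-geo mismatch fires on the first attempt with no history at all, and the device-to-account linkage fires on every attempt after it even if the proxy were clean.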
My talk covered the growing use of compromised computers to bypass existing fraud filters, and compared the device identification technologies emerging to solve the problem, while Tom fielded questions from Paul and the floor on the impact of the economy on managing fraud effectively and efficiently.
The Cybersource Summit provided an excellent opportunity for fraud experts to discuss fraud, botnets and device identification one-on-one with peers from leading online companies including Apple, Microsoft, Yahoo and Visa. Looking forward to the next.
Stay tuned for an announcement on the inaugural ThreatMetrix Botnet Ecommerce report.
A new report issued by Javelin Research shows that identity theft is on the increase. Nearly 1 in 20 Americans have experienced a direct loss, of nearly $5,000 on average. Of these cases, 11% have been attributed to online fraud.
Based on recent massive data breaches, ThreatMetrix believes that identity theft losses through online channels will increase in 2009, although losses are likely to be smaller on average and distributed across a greater number of people.
In a recent Silicon Valley Business Journal article profiling ThreatMetrix, “ThreatMetrix fights cyberfraud at the ‘front door’”, Gartner Vice President Avivah Litan, an analyst covering authentication, identity theft, fraud detection and prevention applications, said:
“There’s a lot of value in these types of applications in financial services, e-commerce, online dating sites, gaming sites, health care and government portals, anyone that does business on the internet.”
The article does a good job of describing ThreatMetrix’s ability to profile a device in real time to help stop fraud at the front gate, simply by placing ThreatMetrix HTML tags on checkout, user registration and login pages.
Every business that has a presence on the web and has users logging into their web site could benefit from their offering.
Yesterday the New York Times reported on a new wave of computer infections by a worm that has turned millions of consumer and business PCs into a botnet: an army of devices capable of carrying out illegal transactions on behalf of its controller.
So what’s new?
Unlike earlier worms designed to bring down computer networks or send spam, these infected computers are now being used to conduct online credit card transactions. They act as middlemen to trick fraud filters into thinking that the transaction originated domestically rather than from Nigeria, Estonia, Russia and other high-risk countries.
This ready availability of infected PCs, combined with millions of breached credit card details, sets up a perfect storm for online credit card fraud, which is very bad news for merchants, gateways and credit card issuers.
Security companies like Symantec and McAfee try to protect consumers from having their computers infected in the first place. But when the inevitable does happen, who protects online merchants and websites from these PCs once they are infected?
2009 was the year the world’s most popular flu drug, Tamiflu, was rendered 99% ineffective by a spontaneous mutation of the virus. Last year major flu strains were only 11% resistant.
The Washington Post reported that another large payment processor had disclosed a breach, potentially exposing hundreds of millions of credit card details to fraudsters.
Robert Baldwin, CFO of Heartland Payment Systems, conceded that credit card numbers, expiry dates and names were compromised, but commented that:
“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address.”
I’m wondering whether fraudsters and hackers with this level of sophistication also have access to a White Pages or Facebook search?
Even where CVV data is not compromised along with the card data, an online merchant can still choose not to make this extra verification information mandatory. Worse, I had a meeting with an online payment gateway yesterday who described how fraudsters pose as legitimate merchant accounts and then authorize a large volume of stolen credit card transactions, ultimately leaving the payment gateway holding hundreds of thousands in losses.
The Heartland breach is only one of many, which calls into question the entire notion of a merchant or gateway being able to confidently process a credit card transaction based on the user’s credentials alone. The sheer number of both compromised credit card accounts and compromised computers that fraudsters can transact through means that new solutions need to be sought.
Programs like Verified by Visa mitigate this risk somewhat by requiring an additional password to authenticate the transaction, but this introduces friction into the purchasing experience and is not widely supported.
ThreatMetrix provides its Merchant and Payment Gateway customers with an alternative identity verification method that has zero impact to the customer and her purchasing experience by transparently profiling, identifying and recognizing the actual device used in the transaction.
This provides a number of unique benefits.
Detect credit card list washing: if credit card details are stolen, ThreatMetrix detects multiple credit cards linked to the same computer, even if fraudsters spoof their location and IP address with proxies and even if the transactions are spread across multiple sites.
Stop first-time fraud attempts: even if the device in the transaction is not recognized, ThreatMetrix provides real-time anomaly detection, such as flagging a transaction conducted through a botnet proxy or a compromised PC under the control of a fraud ring.
Accept more orders and registrations: ThreatMetrix lets merchants and websites verify whether the combination of the user’s credit card and the device in the transaction has successfully transacted before, allowing confident acceptance of orders and registrations that might otherwise be rejected.
According to The New York Times, the leading flu drug is now ineffective against 99% of infections. Last year resistance was found in only 11% of cases; the dramatic change is blamed on a spontaneous mutation of the virus rather than on overuse alone.
What does this have to do with online fraud detection?
Flu drugs like Tamiflu and Relenza are the equivalent of first-generation online fraud detection filters that rely on IP intelligence, such as IP velocity checks and IP geolocation. Based on our experience, ThreatMetrix believes the effectiveness of these technologies is equivalent to Tamiflu circa 2008: they still stop fraud attempts by opportunistic or unsophisticated fraudsters, but are about to move through a phase of widespread obsolescence.
This spontaneous mutation can be blamed on the nexus of three key factors:
The first is the rapid transfer of knowledge from sophisticated, professional fraudsters to the unwashed underbelly of opportunistic fraudsters.
The third is the ready availability of botnets: infected PCs on always-on broadband connections, used as proxies so that a transaction appears to originate from the infected PC’s own IP address, which bypasses IP-based filters like IP velocity and IP geolocation checks.
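Because a botnet drone lends the fraudster a clean, domestic IP address, the IP itself stops being evidence; the talk's comparison slide lists the signals that survive this (timezone vs. geolocation, HTTP and TCP/IP fingerprinting). The following added example (not ThreatMetrix code) computes two of them from data a merchant's server already has: the browser's own timezone offset checked against the country the IP geolocates to, and the operating system implied by the packet TTL checked against the one the User-Agent header claims. The country-to-offset table is a deliberately small assumption, and both request samples are constructed.

```python
"""Two proxy signals from the talk's comparison slide, computed from what a merchant's
server already sees: the browser's timezone offset versus the country the IP address
geolocates to, and the TCP/IP stack implied by the packet TTL versus the operating
system the User-Agent header claims.

Added example, not ThreatMetrix code. The offset table is a deliberately small
assumption (a handful of countries, daylight offsets listed alongside standard ones);
a production system would use a full tz database keyed by region, not country.
"""

# Plausible values of JavaScript's Date.getTimezoneOffset() per country. The value is in
# minutes WEST of UTC, so it is positive in the Americas and negative in Asia.
COUNTRY_TZ_OFFSETS = {
    "US": {240, 300, 360, 420, 480, 540, 600},   # EDT through HST
    "VN": {-420},                                # UTC+7
    "NG": {-60},                                 # UTC+1
    "RU": {-120, -180, -240, -300, -360, -420, -480, -540, -600, -660, -720},
    "EE": {-120, -180},                          # EET / EEST
}


def countries_for_offset(tz_offset_minutes):
    """Countries in the table where this browser offset is plausible."""
    return {c for c, offs in COUNTRY_TZ_OFFSETS.items() if tz_offset_minutes in offs}


def initial_ttl(observed_ttl):
    """Map an observed IP TTL back to the nearest common initial value (64 for Linux,
    macOS, *BSD and most phones; 128 for Windows; 255 for some network gear). Each router
    hop decrements the TTL, so the initial value is the smallest common one not below it."""
    for init in (64, 128, 255):
        if observed_ttl <= init:
            return init
    return 255


def os_family_from_ttl(observed_ttl):
    return {64: "unix", 128: "windows"}.get(initial_ttl(observed_ttl), "unknown")


def os_family_from_user_agent(user_agent):
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if any(k in ua for k in ("linux", "android", "mac os", "iphone", "ipad", "cros", "bsd")):
        return "unix"
    return "unknown"


def proxy_signals(sample):
    """Return the reasons a request looks proxied; an empty list means it is consistent.

    Behind a proxy or botnet drone the TCP packets come from the drone's stack while the
    HTTP headers and the timezone come from the fraudster's real browser, so the two
    views can disagree. A direct connection keeps them consistent."""
    reasons = []
    plausible = COUNTRY_TZ_OFFSETS.get(sample["ip_geo"])
    if plausible is not None and sample["tz_offset_minutes"] not in plausible:
        fits = sorted(countries_for_offset(sample["tz_offset_minutes"])) or "no listed country"
        reasons.append("browser timezone offset %d is not plausible for %s (fits %s)"
                       % (sample["tz_offset_minutes"], sample["ip_geo"], fits))
    ua_os = os_family_from_user_agent(sample["user_agent"])
    tcp_os = os_family_from_ttl(sample["observed_ttl"])
    if "unknown" not in (ua_os, tcp_os) and ua_os != tcp_os:
        reasons.append("User-Agent claims %s but the TCP stack looks like %s" % (ua_os, tcp_os))
    return reasons


# Constructed samples. PROXIED: a Windows XP browser in Vietnam (UTC+7) bouncing through a
# US Linux box 13 hops away; CLEAN: a Windows user on the US east coast connecting directly.
PROXIED = {"ip_geo": "US", "tz_offset_minutes": -420, "observed_ttl": 51,
           "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}
CLEAN = {"ip_geo": "US", "tz_offset_minutes": 300, "observed_ttl": 116,
         "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}

if __name__ == "__main__":
    for name, sample in (("PROXIED", PROXIED), ("CLEAN", CLEAN)):
        print(name, proxy_signals(sample) or "consistent")
```

The TCP/IP check has an obvious blind spot that the slide's "no silver bullet" line anticipates: the drones in these botnets are infected consumer PCs, so a Windows bot fronting a Windows browser produces no stack mismatch at all, and only the timezone signal (or a client-side probe that reaches past the proxy) is left. The timezone check, in turn, assumes the fraudster has not bothered to set the bot's locale on their own machine. That is why the talk argues for combining several signals into one device profile rather than relying on any one of them.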
So what are the implications?
The majority of fraud teams at leading ecommerce and online retail companies have been successful in keeping fraud costs to under 1% of total revenue by using a combination of manual review, identity verification and IP Intelligence.
ThreatMetrix has seen this new strain of botnet fraud cause a rapid spike in fraud rates from 2008 into 2009, causing many online businesses not only to lose significant amounts of money but also to fall afoul of credit card company chargeback thresholds and be cut off from processing altogether.
Last week I was discussing this very issue with a home entertainment electronics company that had lost access to the Discover Network after a rapid spike in stolen-credit-card authorization attempts. Once fraudsters find a hole in your defenses they tend to be fast and effective at bleeding you dry.
This is a big concern that fraud managers at online merchants of all sizes and across all industries secretly share: even if they have a handle on fraud today, they feel there is a real and present threat of being wiped out by the next big fraud outbreak.
At ThreatMetrix we are fortunate enough to work with the smartest and the brightest in online fraud detection for the largest and most successful online companies.
In recent conversations with three separate businesses, in online retail, credit card processing and social networking, a definite trend emerged: the Nigerians have been learning from the Russians.
Paraphrasing one of the conversations:
“It used to be that Nigerians would just connect directly from their computer in Nigeria. They were pretty easy to pick off based on the geolocation of their IP address alone. The Russians, on the other hand, will attempt to use some form of cloaking such as a proxy or compromised computer. Now we are seeing a definite trend of Nigerian fraudsters getting smarter about covering their tracks. By doing some back-end analysis we can tell that the same patterns consistent with the Nigerians are there, but our front-end systems are not as effective at screening them out anymore.”
This is the trickle-down effect in action. In the security realm this effect gave birth to ‘script kiddies’, or just ‘skiddies’ for those in the know, who reuse previously developed hacking tools for fun and fame. In fraud, the same trend brings the online world to an interesting juncture where even third-world countries and teenagers have access to technology capable of circumventing the protections of first-class fraud detection teams.
As a data point, take a look at this YouTube instructional video, over a year old now, of a teenage hacker walking you through an SQL injection in response to being teased as a ‘skiddie’.
The embedded video below shows teenage hacker CMZ walking through his attack on Twitter using a brute-force password attack. CMZ exploited the fact that Twitter did not throttle or time out login attempts by running a series of dictionary attacks against an admin account and correctly determining the password as ‘Happiness’. The admin’s details were posted on digitalgangster and then used to send spam through the Barack Obama and Britney Spears accounts.
This kind of brute-force attack by a teenager with a guessed user name and a password generator should send chills down the spine of any company that thinks a user name and password are sufficient to keep its crown jewels safe.
Device intelligence and device identification can’t fix bad admin security practice, but many social networks are now turning to the device as a form of transparent two-factor authentication: to determine whether an account is being accessed from an unauthorized computer, or to detect when the same computer is accessing multiple unrelated accounts.
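The two controls the last paragraphs point at, a time-out on failed logins and the device as a transparent second factor, are small enough to show together. The following added example (not Twitter's or ThreatMetrix's code) is a login gate with a per-account lockout that doubles after each failure past a free allowance, plus a per-account set of recognised devices, so a correct password from an unknown machine is answered with a step-up challenge rather than a session. The clock is injectable so the dictionary attack from the video can be replayed deterministically; the thresholds, the wordlist and the hypothetical device IDs are all assumptions.

```python
"""Login gate with the two controls the post points at: a per-account lockout that grows
with each failure (the time-out the Twitter admin account lacked) and recognition of the
device an account normally logs in from, so a correct password from an unknown machine
still has to pass a second factor.

Added example, not Twitter's or ThreatMetrix's code. The clock is injectable so the
dictionary attack below can be replayed deterministically; thresholds are assumptions.
"""
import time
from collections import defaultdict


class FakeClock:
    """Deterministic stand-in for time.time() used by the simulation."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGate:
    def __init__(self, max_free_failures=5, base_lockout=30.0, max_lockout=3600.0, clock=time.time):
        self.max_free_failures = max_free_failures
        self.base_lockout, self.max_lockout = base_lockout, max_lockout
        self.clock = clock
        self.failures = defaultdict(int)          # account -> consecutive failures
        self.locked_until = defaultdict(float)    # account -> epoch seconds
        self.known_devices = defaultdict(set)     # account -> device IDs enrolled by the user

    def enroll_device(self, account, device_id):
        self.known_devices[account].add(device_id)

    def attempt(self, account, device_id, password_ok):
        """Return 'locked', 'denied', 'step_up' or 'ok'. A locked account is refused before
        the password is even checked, which is what starves a dictionary attack."""
        now = self.clock()
        if now < self.locked_until[account]:
            return "locked"
        if not password_ok:
            self.failures[account] += 1
            excess = self.failures[account] - self.max_free_failures
            if excess >= 0:   # from the Nth failure on, lock for base * 2**excess seconds
                self.locked_until[account] = now + min(self.base_lockout * 2 ** excess, self.max_lockout)
            return "denied"
        self.failures[account] = 0
        if device_id not in self.known_devices[account]:
            return "step_up"  # right password, unrecognised device: demand a second factor
        return "ok"


def dictionary_attack(gate, account, device_id, wordlist, real_password, budget=600.0, rate=10.0):
    """Run a wordlist against the gate at `rate` guesses per second of simulated time,
    retrying a word until it is actually checked. Returns (found, guesses_evaluated,
    last_result). Requires the gate to have been built with a FakeClock."""
    evaluated = 0
    for word in wordlist:
        while True:
            if gate.clock() > budget:
                return False, evaluated, "budget exhausted"
            result = gate.attempt(account, device_id, word == real_password)
            gate.clock.advance(1.0 / rate)
            if result != "locked":
                break                          # the guess was actually checked
        evaluated += 1
        if result in ("ok", "step_up"):
            return True, evaluated, result
    return False, evaluated, "wordlist exhausted"


# Constructed wordlist with the post's password buried at position 151.
WORDLIST = ["guess%d" % i for i in range(150)] + ["Happiness"] + ["guess%d" % i for i in range(150, 200)]

if __name__ == "__main__":
    no_throttle = LoginGate(max_free_failures=10**9, clock=FakeClock())
    print("no lockout:", dictionary_attack(no_throttle, "admin", "attacker-pc", WORDLIST, "Happiness"))
    throttled = LoginGate(clock=FakeClock())
    print("lockout:   ", dictionary_attack(throttled, "admin", "attacker-pc", WORDLIST, "Happiness"))
```

Without a lockout the attack checks 151 guesses in about fifteen simulated seconds and lands on ‘Happiness’; even then the gate returns step_up rather than ok, because the attacker's machine is not one the admin account has enrolled. With the default lockout the same ten-minute budget lets only nine guesses through before the account is locked for longer than the budget. Per-account lockout also gives an attacker a denial-of-service lever against the victim, so real deployments usually combine it with per-device or per-IP counters and a step-up challenge instead of a hard refusal.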