Author Archive

I am blogging this while standing at the ThreatMetrix booth on the last day of iDate 2010 Miami Beach.  The online dating world is an interesting industry – a global industry comprised of many interconnected pieces.  The online dating world has all the essential ingredients to make a great story:  love, sex, money and crime commingling at Internet speed.  Human desire is the engine that drives the online dating world, and online ads and money are the lubricant.  Where you find love, sex and money you’re going to find fraudsters.

There is a dating site for just about any kind of whatever-it-is that attracts people to one another that you can imagine – and some that you probably can’t.  In fact anyone can start their own niche dating site—yes you too can use a web dating application platform to build your own niche dating site that caters to whatever crowd hasn’t been sliced off into a niche dating site yet.  How about a dating site for dating site scammers…or perhaps something narrower like a dating site for dating site scammers who read Shakespeare?  Web dating has a tribal quality to it that helps makes it all work.  Of course scammers have figured out that hope springs eternal on dating sites where there’s an endless supply of people, many of whom will fall for their scams.

Most dating sites are aware of the scammer element to the business and the risk they pose to their members and their brand.  Scammers are their arch nemesis; I spoke to a few at iDate who described scammers in very personal terms—they really want to nail them—it’s personal. The larger the membership, the more the business has to invest in people and technology to try and keep the creeps away from their customers.  It’s not unusual to hear of a large dating site with 10 or more full time fraud analysts dedicated to staying ahead of the scammers.  Device identification has become more common in the online dating and social networking world.  The ability to bypass a hidden proxy to get the true IP address and IP geolocation in real time of the computers visiting a website is one of the most effective ways to spot a scammer on a dating site (just ask our customers).

Dating sites are susceptible to all three types of fraud: account origination (new member fraud), login fraud and payment fraud (CNP, or card not present). The ability to conveniently and securely accept web payments and avoid chargebacks is critical to the online dating business.  Payment processors and alternative payment services are a key part of making it all work.

And what’s next big thing in online dating?  Mobile of course.  When I asked conference attendees what their big takeaway was from the conference, anything to do with mobile was top of mind.  One person explained that mobile is hot to online dating “because it gives people a way to react instantly any time and anywhere…they don’t have to limit themselves to the time they’re tethered to their computers.”

The brave new world of online dating gives new meaning to the old proverb love is blind: when anyone can be someone else online, how can you be sure that lovesyababy422 in Miami is the hotty she claims to be flirting with you—or an offshore scammer named Gromyko setting you up?

- Tom

The online dating world will converge in Miami in a few weeks at the annual iDate 2010 conference billed as “the largest industry gathering of the year” that covers all business aspects of the dating and social networking markets.   ThreatMetrix will be exhibiting at iDate in booth #506, if you’re attending the conference let us know and we can set up a time to meet.

Online dating and matchmaking is over a $1.1 billion dollar industry in the U.S. alone, according to IBISWorld (www.ibisworld.com), the world’s largest independent publisher of U.S. industry research. The heightened awareness in the online dating world around scams and scammers is likely to push the topic into the sessions and conversations at iDate.  ThreatMetrix helps dating sites identify and stop online dating scammers.  Dave Perez, CEO of EDating for Free—a ThreatMetrix customer—underscores the importance of fraud prevention for his online dating sites this way: “We typically process over 350 new registrations a day.  We’ve significantly reduced the number of scammers that gain access to our site’s functionality while reducing the time spent determining who to register or deny to less than 30 seconds.  ThreatMetrix is a ‘no-brainer’ for dating sites like ours. It has made our site a safer, better protected community while enhancing the user experience.”

Online dating companies – like any other online community or subscription site – are subject to fraudsters around the world. In the case of Christian Dating for Free, one scenario involved overseas fraudsters from Nigeria who pretended to be located in the U.S. and then attempted to extract money using a money order scam.  After establishing the confidence of another community user, the overseas fraudster would send a fake money order and ask the U.S.-based user to deposit it into their bank account and wire money back to them in Nigeria via Western Union. Unfortunately, in most instances the money order turned out to be fraudulent and the user was responsible for paying back the money to their bank.

Once a scammer is tagged by ThreatMetrix, they do not receive a confirmation email on their next registration attempt. ThreatMetrix data is integrated to a Christian Dating for Free home grown dashboard so that their staff can quickly and easily review registrant data to determine whether or not to block a user.

Doron Kim, president and founder of Edating for Free, Inc., parent company of Christian Dating for Free, Catholic Dating for Free, and Black Christian Dating for Free explains that “With ThreatMetrix, we can see the bad guys right away.  Now we see the true data, true city, true IP, and true ISP. In less than five seconds, we can determine if a user who claims that they are in Boston is actually using an IP in Lagos.”

Trust is the bedrock on which online dating services are built. Members must trust one another and they must trust their dating sites to do their best to protect them from scammers. Nobody wants their mystery date to be a dud—let alone a scammer.

David Evans, a dating industry expert who publishes the Online Dating Insider has some great pre-conference tips for the Internet Dating conference that I recommend you check out if you’re headed to iDate 2010 in Miami.

- Tom

Twitter me this:  When is Twitter not Twitter?  Answer: when it’s the Iranian Cyber Army.  Last week a simple password breach put Twitter out of commission for an hour or two while its servers were redirected to the Iranian Cyber Army.  It illustrates the thin ice we skate on at any given moment on the Web when an entire global communication medium can be brought down by a password hack. A New York Times article on the latest Twitter outage put it this way: “The incident also highlights a basic vulnerability in the way life is lived as it becomes increasingly digital: With so much vital information stored on the Web, people are only as safe as their passwords.” Well, it’s not just their (consumer) password—as the Twitter hack illustrates it’s also the passwords sitting between the hackers and the systems and applications we use.

We entrust our online banks, social networking sites, email hosts—every web site where we maintain an account to keep our vital and personal data from getting ripped off.  They in turn trust that we will do our best not to be hacked or duped into giving up our personal information so fraudsters can gain access to our “vital” information.  Through regularly monitoring the ebb and flow of fraud related news and information on the Web, I have noticed that most of the fraud news and content is either advice for consumers telling them how they can protect themselves from online scammers, or bad news about web fraud trends and the latest company to get hacked. Even with a handful of narrow Google Alerts to push fraud news to my Google Reader it’s nearly impossible to scan—let alone read even a representative sampling of what constitutes the massive volume of web chatter about online fraud.  If consumers had the full picture of how serious the online fraud problem is (including awareness of the fraud that’s not discovered and not reported) I believe most would rethink how they interact with businesses and people on the Web.

Whether you get phished for passwords, your computer is under the control of a botnet, or your online bank suffers a cyber attack by the Russian mob the results are the same: once someone has your online credentials (name, password, secret questions, etc.) they can be you online, thus you’re at risk of becoming a victim of fraud.  Your computer’s unique device identifier can serve as an additional factor to authenticate you if your credentials have been compromised.  Randall Gamby, former Burton Group analyst now Enterprise Security Architect at MassMutual Financial Group put it this way in an article about device identification:

“What is the name of the city where you were born?” More and more frequently, users of banking websites are greeted with such questions when attempting to login. Why isn’t the user able to view his account information after inputting his username and password?  The customer was using a computer he hadn’t used before, and the bank was verifying he was who he claimed to be by using a device identification (DI) application.

Recently there’s been a boon in deploying device identification as a fraud-prevention strategy.  With cybercriminals targeting online credit card transactions, new account registrations and account logins, financial institutions have begun to require more than just a user’s IP address and login/password to verify that the person trying to access the account is in fact the user.

Nobody likes to manage/remember passwords and logins for scores of web sites.  Convenience (simple, repetitive passwords) often trumps security (strong passwords changed regularly).  Device identification significantly strengthens other forms of web authentication without adding more hassle or risk of losing PII.

Want to learn more about passwords? Here are some tips from the University of Chicago on how to build strong passwords, and here’s the list of the top 500 most frequently used passwords. See if you can guess the #1 most frequently used password before you look.

-          Tom

Thankfully our comic strip illustrator Andy Warner returned from an extended break with a new episode in our ongoing cartoon series starring  two online fraudsters Gromyko and Natasha. Every comic tells a different story of web fraud through the schemes of these two determined cyber criminals.

The latest installment is based on the very real challenge of online dating fraud that exposes millions of consumers around the world to scammers trolling dating sites using love to mask their true intent. Here it is:

If you want to learn more about online dating scams check out this earlier blog entry Fraudster seeks SWF with loaded bank account willing to be duped then read how Chellaul uses ThreatMetrix to keep the scammers out of their dating network.

You can read all the ThreatMetrix comic installments here.

- Tom

You don’t need a crime scene chalk outline to figure out why a customer left never to return to your web site to shop if the customer was victimized by fraud in a prior transaction.  According to the new 2009 LexisNexis® True Cost of Fraud Benchmark Study more than four in ten victims will avoid certain merchants consequent to being victimized due to fear resulting from an unauthorized purchase made at a particular merchant.

The LexisNexis study backed by research from Javelin Strategy and Research delves further into this subject suggesting that merchants should do more than just educating their customers on how to protect themselves from online fraud.  The study says that merchants must show customers that they’re taking a proactive role in protecting their customers from online fraud in ways that are “visibly robust” to consumers as a critical factor to promote customer retention and loyalty.  Further, three in ten fraud victims cut back on overall online purchases.  This chilling effect that online fraud has on its victims is one of the cost elements of fraud assigned to merchants, banks and consumers to quantify the “true” cost of fraud.

You could say the buck stops with consumers—literally—when they fall victim to fraud and associate negative feelings with the merchant.  I believe that the impact consumer’s perceptions have on merchants and banks when it comes to anti-fraud efforts will have a much greater impact on their business and how aggressively they invest in visibly making their customer’s experiences safe from fraud.  Consumers will vote with their wallets by selectively engaging with online businesses that promote and prove that they are doing everything possible to make their customers safe and their online experience convenient.

This consumer chilling effect from online fraud extends beyond merchants. Twenty-two percent of the respondents said they no longer bank online as a result of being a victim of online fraud. You can bet it doesn’t end there: online dating, gaming, and social networks are subject to the big chill effect too—Web 2.0 say hello to online fraud.

If you’re a merchant or financial institution this LexisNexis study is a must-read.  In fact any online business can benefit from its findings and recommendations. The cost figures in the study are staggering with merchants suffering $100 billion in fraud losses from unauthorized transactions and fees/interest associated with chargebacks.

A key finding in the report notes the low satisfaction and effectiveness ratings merchants have for fraud technology solutions, pointing out that this presents an opportunity for merchants to “assess the cost-effectiveness of the latest fraud-fighting technologies and apply improvements.” Device identification (AKA device fingerprinting) is a strong contender here, offering a new source of anti-fraud data and decision-making power that can further reduce fraud rates, lower costs and improve online customer experience.

Caveat emptor/venditor emptor. Buyers and sellers beware when online fraud shapes consumer perceptions that put a chill on ecommerce.

- Tom

With 2010 just around the corner, it’s not too soon to be thinking about how to strengthen your online fraud detection capabilities next year. Whatever you’re doing today to defeat fraudsters and scammers can be more effective with device identification—whether you’re manually checking orders or using home-grown or off-the-shelf anti-fraud tools like case management or transaction monitoring.  Here are eight reasons to put device identification on your list of anti-fraud technology initiatives for next (or this) year:

1. Stop fraud before it happens

The computer reveals risk before the person—so you can decide whether to accept, challenge or reject within seconds.  The computer provides the first actionable look at who’s knocking on your website door.

2. No personal data required

You don’t need to wait for or rely on information about the person to detect fraud or recognize a customer because device ID uses anonymous computer characteristics. Device identification is made possible through advances in computer capabilities that make use of stores of both static and dynamic data managed by browsers, operating systems, and Internet connections to perform their work. The data available from these sources is sufficient to establish a unique ’handle’ for a visiting computer to be referenced and recognized on the worldwide web—no personally identifiable information required.

3. Returning computers are verified instantly by the unique characteristics of their computer

Instant validation that’s entirely transparent to your customer enables better and smarter delivery of online services.

4. Block returning fraudsters already flagged

The ability to instantly identify returning fraudsters by their computer enables you to block them from entering your website.  Whether it’s online banking, social networking or making a purchase online—keeping the bad guys out keeps more of the good guys in and promotes trust between provider and customer and among members/customers.

5. More convenient and less risk to customers

Device ID serves as an additional form of authentication that does not rely on personally identifiable information (PII) and passwords for verification. Fraudsters can steal (PII) to impersonate someone, but they can’t steal a computer’s unique device identity.

6. No prior history required

Even without prior contact with a computer visiting your website for the first time, its anonymous characteristics give you insights that help you detect fraud. For example, device identification can reveal that a computer is using a hidden proxy and determine its true geolocation or when a single computer attempts multiple logins with different credentials too quickly.

7. Increases effectiveness of other anti-fraud tools

Device identification is a powerful addition to home-grown and off-the-shelf anti-fraud tools. Device risk adds context to make better decisions more quickly.  When it comes to data that helps detect and prevent online fraud, more is better.  For example, device fingerprint and corresponding risk information can be used in conjunction with other eCommerce order attributes to detect anomalies.

8. Effective for all three entry points on a website where fraud can occur

Device identification detects fraud and validates customers for web logins, new account registrations and payments.  You have better decision-making capability when you understand the computers visiting your website(s) through a composite view of risk across all activities.

Every computer hitting your website has a story to tell that can help you lower fraud rates, reduce fraud management costs, and improve your bottom line.  Want to see what you’ve been missing without device identification?  Consider putting it at the top of your list for 2010 and see for yourself what name.com, Ebates and dozens of other ThreatMetrix customers can see that you can’t.

- Tom

In case you haven’t heard, there’s real money in virtual goods—serious money. Just read this weeks’ TechCrunch article on how the big three (Zynga, Playfish and Playdom) rake in a combined $335M in estimated revenue. The combined number of monthly users named in the TechCrunch article pushes 300 million. Need more proof that virtual goods are hot? For the second day in a row virtual goods made TechCrunch in a report about Live Gamer, an online marketplace for players to trade and buy video game virtual goods. The TechCrunch article says “Live Gamer has over 72 customers and supports over 56 million registered users across all of partner implementations, exceeding 3 million micro-transactions per month.”

The TechCrunch article goes on to explain the revenue model for social gaming like this: “Get new users playing for free, give them incentives to message all their friends to signup, hit them hard for cash or lead generation for revenue, and move them up the levels. Rinse. Repeat.” Of course the hard cash exchanges hands in the form of an online credit card transaction—and whenever lots of money, credit card purchases and millions of transactions come together on the Internet there’s online fraud.

This interview by Michael Zenke of MMO web daily Massively with John Smedley, CEO of Sony Online Entertainment reveals one of the areas where fraud rears its ugly head in online gaming: gold farming. Gold farming describes when a player tries to acquire items of value in a massively multiplayer online role-playing game (MMORPG) to sell for in-game currency. SOE’s Smedley comments on the high cost of chargebacks in gold farming:

Massively: Earlier you mentioned the problem of farmers with regards to Station Access. I know that’s something the company feels very strongly about?

John Smedley: I think the issue of farming is higher on the radar now than it ever has been. The behinds the scenes things are really frustration. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card–sometimes stolen, sometimes not – to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it’s getting extremely expensive for us. What’s happening is that when they do this all the time, the credit card companies come back to us and say “You have a higher than normal chargeback rate, therefore we’ll charge you fines on top of that.” We’re really trying to get on top of that. We’re taking our current efforts up about five notches to Defcon 1 on this issue. They bug us even more than they bug our customers, and we’re definitely taking steps to implement rigorous anti-farming efforts.

It’s actually really amazing to sit and watch these people work. I’ve personally sat with them as they’re tracking a farmer, and you’ll see a mob spawn – this guy’s got a bot that within half a second has them moving towards the creature even if it’s halfway across the zone. It’s a serious problem.

Massively: And you can’t fight the chargebacks with the credit card companies?

John Smedley: No, and the reason for that is very simple. Visa and MasterCard have these rules about chargebacks, and I personally think they’re antiqued. Digital delivery isn’t covered by their rules very well. So if you order something from Amazon and pay thirty bucks for a book, if it doesn’t show up at your house you can fight it because you can say “I never received that thing.” They do not cover that with digital delivery. In my opinion the world has changed a lot and I think that needs to be addressed.

ThreatMetrix device identification can (and does) help detect and prevent in social networks, social gaming and virtual goods payments—to stop fraud and authorize good customers more quickly with less hassle.

Virtual goods is on the news radar this week because the Virtual Goods Summit hits San Francisco on Thursday and Friday. VG Summit 2009 is definitely on ThreatMetrix’s radar since we’ll be there both days as a sponsor.

The 3rd annual Virtual Goods Summit will take place in San Francisco, CA on October 29-30, 2009. The event will bring together thought leaders in this space to talk about what’s changed, what’s working, and the key challenges facing the industry. This year’s lineup features executives from the leading companies in the virtual goods ecosystem, including Tencent, Playfish, DeNa Global, Nexon, Zynga, Playdom, Bigpoint, IMVU, Outspark, Zong, PayPal, Perfect World, MyYearbook, InComm, NHN, Ning, TrialPay, Super Rewards, Viximo, Offerpal Media, Serious Business, Slide, Giant Interactive, and many others. An assembled panel of experts will share their thoughts on key issues such as trends in monetization in the United States and Asia, key learnings on how to best drive revenue from social games via virtual goods, market sizing estimates for the US and global virtual goods opportunities, and similarities and differences between user behavior in the United States and Asia

In addition to the exciting lineup at this year’s edition of the annual must-attend event in the virtual goods space, the Virtual Goods Summit is expanding in 2009 with the creation of “Virtual Goods Summit University” or VGSU. VGSU will offer attendees the opportunity to go in-depth on the fundamental business practices and capabilities required for success with a virtual goods business model. The Virtual Goods Summit University will cover some of the most important issues facing publishers today, including how to get started with virtual currencies, how to manage a virtual economy, key decisions when rolling out a payments infrastructure, and how to manage multiple virtual currencies.

If you’re thinking of going but you haven’t purchased tickets yet, you can save 15% on tickets by using the code THREATMETRIX at checkout when registering at Eventbrite.

- Tom

Which is more important: detecting a fraudster or authenticating a customer? Detecting fraud gets top billing in the news most of the time, but four years ago (an eternity in tech years) ComputerWorld’s Jay Cline put customer authentication front and center in an article titled “How to Build Privacy Into Customer Authentication.” Yesterday one of my Google alerts surfaced this article prompting me to consider what it says in the context of today’s technology.

Mr. Cline made a case for adopting a “tiered authentication policy,” meaning that the sensitivity of the account being accessed determines the level of authentication. In other words, require more pieces of personal information to authenticate access to higher risk accounts.

He further pointed out that there’s a downside to this approach: “Giving companies more information is dangerous, privacy advocates say, because no business has perfect security. And all customers have a point at which they’ll abandon a registration process if too much information is required.”

Biometrics, such as scanning human fingerprints for identification are even more invasive. But in the four years since this article appeared device fingerprinting has entered the picture providing a new and elegant solution to authenticating customers without forcing the person to give up more personal information.

More recently, the privacy experts at Ponemon Institute have looked into privacy, device fingerprinting and what consumers think about having their PCs fingerprinted. I wrote about this subject in more depth a few weeks ago, read it here.

- Tom

If you were an online fraudster, which would you target: banks, etailers, payment gateways, online dating sites—or domain registrars? It turns out that more than a few target domain registrars. And there’s more to it than simply testing stolen credit cards to see if they work. The numbers tell the story when you listen to Kellie Peterson, executive vice president at domain registrar Name.com describe how ThreatMetrix device identification helped reduce the number of fraudulently purchased domain names by 90%. Fraudsters use stolen credit cards to purchase hundreds of domain names at a time. Registrars have five days to discover fraudulent domain name purchases and delete them. Failure to remain below the 10% threshold for bogus domain deletions set by upstream partners results in a financial penalty to registrars—potentially tens of thousands of dollars and damages its reputation with partners. Read the rest of this entry »