Web-Access Device 'Fingerprints' Identify the Bad Guys
Our colleagues at IT Business Edge speak with Scott Waddell, vice president of technology at iovation, about fraud prevention and risk mitigation.
by Don Tennant, IT Business Edge
Don Tennant spoke with Scott Waddell, vice president of technology at iovation, a Portland, Ore.-based company that specializes in online fraud and abuse prevention. Waddell explained the concept of approaching fraud prevention and risk mitigation by creating a device print for each computer that visits a Web site, and sharing that information among subscribers to develop a device reputation database to flag potentially unsavory characters.
Tennant: My sense is that iovations clients are mainly companies that do online financial transactions. Is that accurate?
Tennant: I would think youre doing a lot, as well, to keep bad guys out of social media sites, like MySpace and Facebook.
Waddell: They could, yes. Those two companies are not themselves customers today, but we do have some customers that are working with MySpace and Facebook to deliver the casual gaming content. The kinds of problems that those communities face are different from what we see in the traditional tangible fraud-loss market financial services, credit issuance and e-tailers. But the same underlying technology supports all of them. Those companies have issues with profile misrepresentation, for example, where folks will come in and lie about age or gender even issues with child predation and other kinds of problems. Theyre trying to identify when multiple bogus accounts are being created from the same device or the same small cluster of devices, and ferret out that kind of fraud.
Waddell: It is. The caveat there is that our system is really fraud-type agnostic. Its based around the concept that we help you recognize whether or not a device visiting your game or Web site or social community is one that you or any of our other subscribers have seen before, and whether or not that has been associated with the 32 or 33 different categories of fraud or abuse [that weve developed]. Each subscriber participates in this collective fraud and abuse intelligence-sharing network, where they can place evidence on the accounts with their system. We, in turn, take that evidence and associate it with the end-user devices that are accessing those accounts.
Tennant: Can you explain what it is you capture from a computer that enables you to uniquely identify it to create a device print?
Waddell: Theres really a spectrum of technologies that we apply there. For those customers that have a native application, such as a video game client, we can integrate a native library into that client. Then you have native code access to the device, and you can collect all kinds of attributes from the device hard drive serial number; depending on the operating system, you might have a specific device serial number provided by the OS; MAC [Media Access Control] address from network cards, and so on. You can also store the equivalent of cookies on the hard drive for later retrieval. Thats the strongest case.
A lot of customers dont have a native client, so theyre looking at a Web-only integration. In that case we are constrained, just as everyone else is, by the browser sandbox in terms of the kinds of things you collect. So you no longer have access to things like the MAC address from the network card, but anything you can collect through the browser from a Web-analytics standpoint, which still includes things like the operating system, cookies, Flash-stored objects, all of the usual suspects that are involved from the ad companies and the Web trends-type companies, are the same kinds of things that we collect. When those are collected, they come back in real time during the transaction, and we look for a match on all of those collected attributes.
Tennant: Your subscribers typically download software onto every computer that visits their site so you can collect the data to create a device print. If bad guys do the same thing, thats spyware, right?
Waddell: It can be. It depends on whats happening with the data on the back end, what kind of data youre collecting, and how personally identifiable that turns out to be. But yeah, absolutely the same sorts of things could be done in a malicious way that would absolutely cause privacy problems.
Tennant: So arent there antispyware products that can be used as a defense against what you do?
Waddell: Not so much on the spyware side. Theres nothing really interesting that our software does in a spyware context in terms of modifying parts of an operating system, or injecting itself in places where its guaranteed to run and start up, or anything like that, that your typical malware/spyware detection tools will detect.
On the Web, for all intents and purposes, we look much the same as Google Analytics might look in terms of the footprint in the browser and the kinds of data that were collecting.
Tennant: Whats your policy with respect to providing information on suspect computers to law enforcement agencies?
Waddell: I think weve had one, maybe two cases in our entire history where that has occurred. Our policy is simple: We cooperate with law enforcement, just like everyone else. But thats really not been a big focus of our subscribers.
Tennant: Suppose law enforcement was investigating a particular bad guy and they came to you and said they wanted the device prints of that bad guy. What do you do?
Waddell: Typically we wouldnt be able to help, because were not tracking user names, for example. Our subscribers are typically sending us a hash or a masking code that they can map back to personally identifiable information on their end, but were not getting that information over here. Law enforcement would have to go to the subscriber first, and the subscriber would have to be compelled to identify the account over at iovation. They would come to us and ask for that information, and we would provide it.
Article courtesy of IT Business Edge.