Web-Access Device 'Fingerprints' Identify the Bad Guys


by Don Tennant, IT Business Edge

Don Tennant spoke with Scott Waddell, vice president of technology at iovation, a Portland, Ore.-based company that specializes in online fraud and abuse prevention. Waddell explained the concept of approaching fraud prevention and risk mitigation by creating a “device print” for each computer that visits a Web site, and sharing that information among subscribers to develop a “device reputation” database to flag potentially unsavory characters.

Tennant: My sense is that iovation’s clients are mainly companies that do online financial transactions. Is that accurate?

Waddell: It used to be. Increasingly, we’re getting a lot of interest from folks in the growing social community space – the social sites themselves, as well as sites for casual gaming and funds transfer that supports those sites.

Tennant: I would think you’re doing a lot, as well, to keep bad guys out of social media sites, like MySpace and Facebook.

Waddell: They could, yes. Those two companies are not themselves customers today, but we do have some customers that are working with MySpace and Facebook to deliver the casual gaming content. The kinds of problems that those communities face are different from what we see in the traditional tangible fraud-loss market – financial services, credit issuance and e-tailers. But the same underlying technology supports all of them. Those companies have issues with profile misrepresentation, for example, where folks will come in and lie about age or gender – even issues with child predation and other kinds of problems. They’re trying to identify when multiple bogus accounts are being created from the same device or the same small cluster of devices, and ferret out that kind of fraud.

Tennant: Is keeping out bad guys like child predators a service that iovation is currently providing?

Waddell: It is. The caveat there is that our system is really fraud-type agnostic. It’s based around the concept that we help you recognize whether or not a device visiting your game or Web site or social community is one that you or any of our other subscribers have seen before, and whether or not that has been associated with the 32 or 33 different categories of fraud or abuse [that we’ve developed]. Each subscriber participates in this collective fraud and abuse intelligence-sharing network, where they can place evidence on the accounts with their system. We, in turn, take that evidence and associate it with the end-user devices that are accessing those accounts.

Tennant: Can you explain what it is you capture from a computer that enables you to uniquely identify it to create a device print?

Waddell: There’s really a spectrum of technologies that we apply there. For those customers that have a native application, such as a video game client, we can integrate a native library into that client. Then you have native code access to the device, and you can collect all kinds of attributes from the device – hard drive serial number; depending on the operating system, you might have a specific device serial number provided by the OS; MAC [Media Access Control] address from network cards, and so on. You can also store the equivalent of cookies on the hard drive for later retrieval. That’s the strongest case.

A lot of customers don’t have a native client, so they’re looking at a Web-only integration. In that case we are constrained, just as everyone else is, by the browser sandbox in terms of the kinds of things you collect. So you no longer have access to things like the MAC address from the network card, but anything you can collect through the browser from a Web-analytics standpoint, which still includes things like the operating system, cookies, Flash-stored objects, all of the usual suspects that are involved from the ad companies and the Web trends-type companies, are the same kinds of things that we collect. When those are collected, they come back in real time during the transaction, and we look for a match on all of those collected attributes.

If we don’t get a match, that falls through to a pattern-matching engine that computes how similar the device under review appears to be to other devices we’ve seen in the past. Certain combinations of those attributes give us enough confidence to say, yeah, we think the risk is low enough that we’re going to return a device ID and let the rules apply. If we still get no match, that falls through to a risk module component that uses similar pattern matching, but casts the net a lot wider, and builds profiles of the device, the account, the IP address and several different transactional properties. Examples would be things that indicate the end user is trying to evade device recognition by things like turning off Flash and JavaScript, and going through an IP proxy. We then build a risk score around the transaction, so the subscriber can add that to a review queue.

Tennant: Your subscribers typically download software onto every computer that visits their site so you can collect the data to create a device print. If bad guys do the same thing, that’s spyware, right?

Waddell: It can be. It depends on what’s happening with the data on the back end, what kind of data you’re collecting, and how personally identifiable that turns out to be. But yeah, absolutely – the same sorts of things could be done in a malicious way that would absolutely cause privacy problems.

Tennant: So aren’t there antispyware products that can be used as a defense against what you do?

Waddell: Not so much on the spyware side. There’s nothing really interesting that our software does in a spyware context in terms of modifying parts of an operating system, or injecting itself in places where it’s guaranteed to run and start up, or anything like that, that your typical malware/spyware detection tools will detect.

On the Web, for all intents and purposes, we look much the same as Google Analytics might look in terms of the footprint in the browser and the kinds of data that we’re collecting.

Tennant: What’s your policy with respect to providing information on suspect computers to law enforcement agencies?

Waddell: I think we’ve had one, maybe two cases in our entire history where that has occurred. Our policy is simple: We cooperate with law enforcement, just like everyone else. But that’s really not been a big focus of our subscribers.

Tennant: Suppose law enforcement was investigating a particular bad guy and they came to you and said they wanted the device prints of that bad guy. What do you do?

Waddell: Typically we wouldn’t be able to help, because we’re not tracking user names, for example. Our subscribers are typically sending us a hash or a masking code that they can map back to personally identifiable information on their end, but we’re not getting that information over here. Law enforcement would have to go to the subscriber first, and the subscriber would have to be compelled to identify the account over at iovation. They would come to us and ask for that information, and we would provide it.
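The recognition cascade Waddell describes for a Web-only integration (exact match on the collected attributes, then a similarity engine, then a risk module that looks for signs of evasion such as disabled Flash and JavaScript or an IP proxy) can be sketched in code. The block below is an added illustration written for this page; it is not iovation's code, and the attribute list, the weights, the 0.6 threshold, the risk scoring and the sample devices are all assumptions. In a browser the attributes would be read from `navigator.*`, `screen.*`, `document.cookie` and Flash local shared objects; here they are passed in as plain objects so the logic runs offline.

```javascript
// Added example (not iovation's code): a simplified device-recognition cascade
// of the shape described in the interview: exact attribute match, then
// weighted similarity, then a risk module that looks for evasion signals.
// Attribute names, weights, thresholds and the sample devices are assumptions.

// Attributes a web-only integration can collect from inside the browser
// sandbox. In a real page they come from navigator.*, screen.*,
// document.cookie and Flash local shared objects; here they are plain objects.
const ATTRIBUTES = ["cookieId", "userAgent", "platform", "screen", "timezone", "language", "plugins"];

// Weight of each attribute in the similarity fallback (assumed values:
// a stored cookie is strong evidence, a user-agent string is moderate).
const WEIGHTS = { cookieId: 5, userAgent: 2, platform: 1, screen: 1, timezone: 1, language: 1, plugins: 2 };
const TOTAL_WEIGHT = Object.values(WEIGHTS).reduce((a, b) => a + b, 0); // 13

// Canonical form: every known attribute present, missing ones as "".
function normalize(attrs) {
  const out = {};
  for (const k of ATTRIBUTES) out[k] = attrs[k] == null ? "" : String(attrs[k]);
  return out;
}

// Stage 1 key: all collected attributes joined in a fixed order.
// A production system would hash this before storing it.
function fingerprintKey(attrs) {
  const n = normalize(attrs);
  return ATTRIBUTES.map((k) => `${k}=${n[k]}`).join("|");
}

// Stage 2: weighted fraction of attributes that agree (empty values never match).
function similarity(a, b) {
  const na = normalize(a), nb = normalize(b);
  let matched = 0;
  for (const k of ATTRIBUTES) if (na[k] !== "" && na[k] === nb[k]) matched += WEIGHTS[k];
  return matched / TOTAL_WEIGHT;
}

// Stage 3: signals that the visitor is trying to defeat recognition.
function evasionSignals(attrs, tx) {
  const signals = [];
  if (!attrs.javascript) signals.push("javascript-disabled");
  if (!attrs.flash) signals.push("flash-disabled");
  if (!attrs.cookieId) signals.push("no-cookie");
  if (tx.viaProxy) signals.push("ip-proxy");
  return signals;
}

function registerDevice(id, attrs) {
  return { id, key: fingerprintKey(attrs), attrs };
}

// The cascade. Returns the stage that decided, the device ID (if any) and a
// score: similarity for stages 1-2, a risk score for stage 3.
function recognizeDevice(attrs, tx, knownDevices, threshold = 0.6) {
  const key = fingerprintKey(attrs);
  const exact = knownDevices.find((d) => d.key === key);
  if (exact) return { stage: "exact", deviceId: exact.id, score: 1, signals: [] };

  let best = { deviceId: null, score: 0 };
  for (const d of knownDevices) {
    const s = similarity(attrs, d.attrs);
    if (s > best.score) best = { deviceId: d.id, score: s };
  }
  if (best.score >= threshold) return { stage: "similar", deviceId: best.deviceId, score: best.score, signals: [] };

  const signals = evasionSignals(attrs, tx);
  // Assumed scoring: each evasion signal adds 0.25, capped at 1.0.
  const risk = Math.min(1, signals.length * 0.25);
  return { stage: "risk", deviceId: null, score: risk, signals };
}

// Constructed sample data (not real devices).
const KNOWN_DEVICES = [
  registerDevice("dev-1001", { cookieId: "c7f3a9", userAgent: "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", platform: "Win32", screen: "1280x800x24", timezone: "-480", language: "en-US", plugins: "Flash,Java", javascript: true, flash: true }),
  registerDevice("dev-1002", { cookieId: "91ab40", userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/533", platform: "MacIntel", screen: "1440x900x24", timezone: "-300", language: "en-US", plugins: "Flash,QuickTime", javascript: true, flash: true }),
];

// Three constructed visits: the same machine, the same machine after a browser
// upgrade, and a visitor with cookies, JavaScript and Flash off behind a proxy.
const VISIT_SAME = { ...KNOWN_DEVICES[0].attrs };
const VISIT_UPGRADED = { ...KNOWN_DEVICES[0].attrs, userAgent: "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0" };
const VISIT_EVASIVE = { cookieId: "", userAgent: KNOWN_DEVICES[0].attrs.userAgent, language: "en-US", javascript: false, flash: false };

for (const [name, visit, tx] of [["same", VISIT_SAME, {}], ["upgraded", VISIT_UPGRADED, {}], ["evasive", VISIT_EVASIVE, { viaProxy: true }]]) {
  console.log(name, JSON.stringify(recognizeDevice(visit, tx, KNOWN_DEVICES)));
}
```

The point of the three stages is that a returning machine whose browser was upgraded still resolves to its existing device ID through the similarity fallback, while a visitor who strips every identifying attribute never gets an ID and instead accumulates evasion signals that the subscriber can route to a review queue. With JavaScript disabled only the server-visible attributes (user agent, Accept-Language) survive, which is why the evasive visit scores low against both known devices.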

Article courtesy of IT Business Edge.