Is there a single solution to online fraud?
It depends on the nature of the fraud that we’re talking about. There are a vast number of solutions out there, most of which are effective in some way. None of them, however, is a silver bullet. I believe the groups that will be most effective at stemming fraud will be those that most successfully fit the different pieces together.
There are heuristic analysis tools available for managing fraud, and there are fact-based evidence systems such as our own that also play an important role. There are also individual authentication tools to ensure you are talking to who you think you are talking to. It would be incorrect to say that any of these is ineffective, but none is completely effective on its own.
What is strong authentication and what different types exist? What are the advantages and disadvantages of these?
Dual authentication is essentially a way of identifying something that you have along with something that you know, adding multiple factors to your authentication. The strength of each of those factors determines the strength of the authentication. Currently, the main ways to do this are through either a software-based system or hardware-based system – often referred to as a token. This may be a USB device that plugs into your computer and has codes generated on a random basis, or a device that simply generates codes for you that you type into your system.
The software side may involve a system similar to our own, which uniquely profiles a device using specific hardware, software and network information. Matched up with the information you know, this creates the full two-factor solution. The problem with the hardware solution is that while they are great for relatively small, closed systems such as a corporate network, they become extremely expensive to distribute and maintain when you are dealing with a distributed network such as an ecommerce site. They also tend to cause considerable customer support issues. So, I think it’s likely we’ll see more hardware authentication for closed networks, while for open, widely distributed networks a software model will be employed.
How do you go about creating the fingerprint for a device?
We reach out to the device and collect hardware, software and network information surrounding the transaction. In effect, we use that to create a unique profile. What is different about our system is that the device fingerprint really is unique, regardless of the subscriber network that it comes into, as long as they’re tying into our system. It is also able to adapt to device evolution – for example, changes that might take place in the hardware or software. Such natural evolution does not mean the device physically becomes a different device, but some systems would nevertheless recognize it as such. Our system understands that devices do mutate and shift over time.
What is device reputation and why is it beneficial for banks to share that information?
We believe that sharing is extremely important and we have extensive experience in this area in the gaming space. The gaming space was initially a very closed, cloistered environment, where individual gaming operators tended not to want to talk to one another or to share their information. To begin with, we provided point solutions within organizations’ individual networks. Over time, however, we were able to make them understand that by sharing information about the ‘reputation’ of a device – its collective history over time – it could empower them to stop or control activity from devices that they’d never encountered before. It would give them significantly more power over controlling new account fraud.
The same lesson applies to the financial services industry. If rather than trying to solve a problem alone, they share the necessary information, then collectively only one of them needs to get hit. From that point onward they will then have protected the rest of that network and are therefore able to spend their time on other important issues.
What control do users have over device access?
Most users have no control over which devices can access their accounts. This is the reason that phishing works as a concept. There is a product available from iovation called User Control, which allows the end user to take control over their accounts and specify which devices can access those accounts. This is effectively ‘deputizing’ the customer; you’re providing the end user with the ability to control their own access and to take some control over the access they grant to family members and other devices in the system. They also gain confidence that their account is being well protected.
How do you notify an end-user if someone tries to fraudulently log in to their account?
They are notified by SMS, e-mail or telephone if there is an unauthorized attempt to access their account. By informing them it also gives the customer the benefit of knowing that their system has been secured – that an access was attempted, but that because that device was unauthorized it was denied.
Can you give me any examples of success stories of customers that have seen results and a ROI from your products?
We’ve had customers in the gaming industry that have reduced upwards of 92 percent of their total fraud issues within several months. We had one particular customer, that takes hundreds of millions of dollars of transactions each year, that was losing as much as 10 percent of their total transactions in chargeback fraud. We reduced that to less than one percent within five months. That was four years ago and they’ve been able to hold it below one percent for that period, with only 2 people on their fraud staff.
Online fraud is often talked about in terms of the cheetah and the gazelle. How do you ensure you are always one step ahead?
It’s all about committing the resources in our technology development teams to keep watch on the risks and ensure we are always ahead of what the fraudsters are doing. In some cases, we even look to people that were themselves part of the fraudster environment and use their knowledge to develop our products further.