Suppose a friend wants you to meet her cousin Bill at a black tie affair. You don’t have a photo of Bill to help you find him among the five hundred or so people in attendance—you only have your friend’s description of Bill. Here’s the description your friend gave you: Bill has brown hair, and he’s about five feet ten inches tall with a medium build. Your chances of finding Bill are pretty slim because that description lacks enough unique characteristics to reliably identify him in the sea of black and white tuxedos. You would need more information from your friend about Bill to spot him quickly—preferably characteristics that are easy to spot and not shared by many. If you know that Bill always wears a white carnation, your chances of finding him improve. If you know he wears a patch over his left eye, your chances of finding him become excellent.
In this example the sum total of Bill’s characteristics (including the carnation and the patch) form a profile sufficiently unique to spot him in the crowd at the black tie party. Now, suppose that the party is the worldwide web and your computer can supply enough characteristics to form a profile that’s also sufficiently unique to be identified. Welcome to the brave new world of device identification, where chances are pretty good that your computer has been “fingerprinted” by a bank, an e-merchant, a social networking website or any other website where you have created a new account, logged in, or bought something. Why is this being done? Because on the Internet it’s hard to prove that you are you. A popular New Yorker Magazine cartoon expressed this in a caption below a couple of dogs sitting at a computer while one explained to the other, “On the Internet nobody knows you’re a dog.”
Fraudsters take advantage of this situation by buying or stealing personal information, credentials and credit cards to commit cyber crimes. Once the bad guys have enough of your personal information—name, login, e-mail address, etc.— to pass themselves off as you, it falls to other means to detect the deception. The identity of your computer can protect both you and the web sites where you have transactions. Today, online businesses can tap into the anonymous data from a web visitor’s browser, network connection and anonymized personal information to tell if the computer visiting their web site is a fraudster or a customer. The data and context of a web transaction can provide valuable information to manage risk very quickly, without disrupting a web transaction and without requiring web visitors to provide personally identifiable information (PII). The questions asked include:
Have I seen this device at our website before, and is it white-listed or black-listed?
Have other web sites seen this device, and what was their experience with it?
What do we see that’s out of place, missing or inconsistent in the transaction data?
What behavior can we observe from this device that sheds light on risk?
What else can I learn by matching the device information with my database? For example, did this device attempt to use 5 credit cards in 3 minutes?
Has this computer been taken over by a botnet?
Is the device in a geographical location that’s different from where it claims to be—even if it’s hiding behind a proxy?
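The first, second and fifth questions above are lookups against history: this site’s own lists, what other sites have reported, and velocity across the site’s own transaction database. The following is an added example, not any vendor’s product, of a small rules engine answering those questions over constructed data; the device ids, list entries, shared-reputation feed and the “5 cards in 3 minutes” threshold are all assumptions made up for the example.

```python
"""Added example (not any vendor's code): a small rules engine that answers the
device-history questions over constructed transaction data.

Device ids, list entries, the shared-reputation feed and the thresholds are
assumptions made up for this example."""
from datetime import datetime, timedelta

VELOCITY_WINDOW = timedelta(minutes=3)   # "5 credit cards in 3 minutes"
CARD_VELOCITY_LIMIT = 5

# Constructed: this site's own allow/deny lists, keyed by device id.
LOCAL_LISTS = {"dev-a1": "allow", "dev-c3": "deny"}

# Constructed: what other web sites reported about a device (shared reputation).
SHARED_REPUTATION = {"dev-b2": {"sites_seen": 4, "chargebacks": 2}}


def card_velocity(history, device_id, now):
    """Distinct cards this device presented inside the window ending at `now`."""
    cards = {
        t["card"]
        for t in history
        if t["device_id"] == device_id and now - VELOCITY_WINDOW <= t["ts"] <= now
    }
    return len(cards)


def evaluate(txn, history):
    """Return (decision, flags) for one transaction given the prior history."""
    flags = []
    dev = txn["device_id"]

    # Q1: have we seen this device before, and is it allow- or deny-listed?
    status = LOCAL_LISTS.get(dev)
    if status == "deny":
        flags.append("device_denylisted")
    elif status is None and not any(t["device_id"] == dev for t in history):
        flags.append("device_never_seen")

    # Q2: what have other web sites experienced with this device?
    rep = SHARED_REPUTATION.get(dev)
    if rep and rep["chargebacks"] > 0:
        flags.append("shared_reputation_chargebacks")

    # Q5: match the device against our own database: card velocity.
    if card_velocity(history + [txn], dev, txn["ts"]) >= CARD_VELOCITY_LIMIT:
        flags.append("card_velocity")

    if "device_denylisted" in flags or "card_velocity" in flags:
        return "deny", flags
    return ("review" if flags else "allow"), flags


T0 = datetime(2010, 3, 1, 12, 0, 0)  # constructed timestamp base

# Constructed history: dev-x9 has already cycled through four cards in two minutes.
HISTORY = [
    {"device_id": "dev-a1", "card": "card-1", "ts": T0 - timedelta(days=30)},
    {"device_id": "dev-x9", "card": "card-10", "ts": T0 - timedelta(minutes=2)},
    {"device_id": "dev-x9", "card": "card-11", "ts": T0 - timedelta(seconds=90)},
    {"device_id": "dev-x9", "card": "card-12", "ts": T0 - timedelta(seconds=60)},
    {"device_id": "dev-x9", "card": "card-13", "ts": T0 - timedelta(seconds=30)},
]

if __name__ == "__main__":
    for txn in (
        {"device_id": "dev-a1", "card": "card-1", "ts": T0},   # known, allow-listed
        {"device_id": "dev-b2", "card": "card-2", "ts": T0},   # new here, bad elsewhere
        {"device_id": "dev-x9", "card": "card-14", "ts": T0},  # fifth card in 3 minutes
    ):
        print(txn["device_id"], evaluate(txn, HISTORY))
```

The velocity check deliberately counts distinct cards rather than transactions, so a customer retrying one declined card is not confused with a fraudster cycling through a stolen batch; a real deployment would key the same logic on the device fingerprint rather than a pre-assigned device id.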
A research project by The Electronic Frontier Foundation (EFF) kicked off in January demonstrates how anonymous data from your browser can be used to identify your computer. EFF created a web application named Panopticlick that “will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of many other Internet users’ configurations” to derive a uniqueness score that indicates how identifiable your computer is among a population of similarly logged computers. As of this writing, Panopticlick determined that my own computer “appears to be unique among the 670,504 tested so far.” Panopticlick shows that gathering collections of anonymous data can indeed be used to identify a computer. This data gathering, paired with a rules engine that can perform complex analysis across more characteristics from a web transaction in just a few seconds, provides an effective way to make better, real-time decisions about whether a computer visiting a web site is a customer or a fraudster.
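To make the uniqueness score concrete, here is an added example (not EFF’s Panopticlick code) that hashes a browser’s anonymous configuration into a fingerprint and measures how identifying it is against a population, in the same spirit as the “unique among the N tested so far” result. The attribute names and the eight-browser population are constructed for the example.

```python
"""Added example (not EFF's Panopticlick code): hash a browser's anonymous
configuration into a fingerprint and score how identifying it is against a
population. The attributes and the population are constructed for the example."""
import hashlib
import json
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "plugins", "fonts", "timezone", "screen")


def fingerprint(profile):
    """Canonicalise the chosen attributes and hash them into a short id."""
    canonical = json.dumps({a: profile.get(a, "") for a in ATTRIBUTES}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def surprisal_bits(value, values):
    """-log2(p): bits of identifying information gained by observing `value`."""
    p = Counter(values)[value] / len(values)
    return -math.log2(p)


def uniqueness(profile, population):
    """How identifiable `profile` is among `population` (which should include it)."""
    fp = fingerprint(profile)
    matches = sum(1 for p in population if fingerprint(p) == fp)
    per_attribute = {
        a: round(surprisal_bits(profile.get(a, ""), [p.get(a, "") for p in population]), 2)
        for a in ATTRIBUTES
    }
    return {
        "fingerprint": fp,
        "matches": matches,
        "population": len(population),
        "unique": matches == 1,
        # Surprisal of the whole fingerprint, not the sum of the parts.
        "combined_bits": round(-math.log2(matches / len(population)), 2),
        "per_attribute_bits": per_attribute,
    }


# Constructed population of eight browsers; the first one is "ours".
POPULATION = [
    {"user_agent": "Firefox/3.6 (Windows)", "plugins": "Flash,Java", "fonts": "Arial,Verdana,Wingdings", "timezone": "-300", "screen": "1280x800"},
    {"user_agent": "Firefox/3.6 (Windows)", "plugins": "Flash", "fonts": "Arial,Verdana", "timezone": "-300", "screen": "1280x800"},
    {"user_agent": "Firefox/3.6 (Windows)", "plugins": "Flash", "fonts": "Arial,Verdana", "timezone": "-300", "screen": "1280x800"},
    {"user_agent": "MSIE 8.0 (Windows)", "plugins": "Flash", "fonts": "Arial,Verdana", "timezone": "-300", "screen": "1024x768"},
    {"user_agent": "MSIE 8.0 (Windows)", "plugins": "Flash", "fonts": "Arial,Verdana", "timezone": "-300", "screen": "1024x768"},
    {"user_agent": "MSIE 8.0 (Windows)", "plugins": "Flash", "fonts": "Arial,Verdana", "timezone": "-360", "screen": "1024x768"},
    {"user_agent": "Safari/4 (Mac)", "plugins": "", "fonts": "Helvetica,Lucida Grande", "timezone": "-480", "screen": "1440x900"},
    {"user_agent": "Safari/4 (Mac)", "plugins": "QuickTime", "fonts": "Helvetica,Lucida Grande", "timezone": "-480", "screen": "1440x900"},
]

if __name__ == "__main__":
    print(uniqueness(POPULATION[0], POPULATION))   # unique: 3.0 bits of 3 possible
    print(uniqueness(POPULATION[1], POPULATION))   # shared with one other browser
```

Two caveats worth keeping in mind when reading such scores: the combined surprisal can never exceed log2(N) for a population of N, so eight browsers can show at most 3 bits and a population of 670,504 at most about 19.4 bits, and summing the per-attribute bits overstates identifiability because attributes such as user agent and font list are strongly correlated, which is why the combined figure is computed on the whole fingerprint.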
The fact that a web site can identify a computer by anonymous data has led to controversy. If the idea that your computer may be tattling on you makes you queasy, ask first who’s profiling your computer and for what purpose. It can be annoying when a bank needs to confirm that your login credentials match the computer that’s on the bank’s white list for you, or when you are asked for a photo ID when making a credit card transaction at a retailer. But this extra “hassle” can protect you. The use of anonymous transaction characteristics is similar, but it causes much less hassle because it is transparent to the online customer. Likewise, if you meet someone on a dating site and the site warns you that the person you’re connecting with claims to be in New York while his computer says he’s really in Nigeria, device identification is protecting both you and the dating site.
The privacy flag goes up at web sites where you want to remain anonymous, so that you control who gets to store your personal data and avoid the risk of an overzealous marketer’s loose interpretation of data sharing or cavalier attitude toward the unintentional loss of your personal data.
According to a 2009 study by Ponemon Institute, a leading independent research firm devoted to studying issues and trends concerning online privacy, 78% of consumers surveyed believe that online merchants, banks and social networks should use technology, such as a cookie or other invisible software, to protect consumers’ identity, while only 21% want online vendors to require more personal data from the consumers themselves. Dr. Ponemon was “surprised to find that an overwhelming majority of consumers surveyed were comfortable with the idea of having their computers profiled in order to be identified by online vendors.” In other words, you can fingerprint my computer when the purpose is to protect me—but not to market to me.
Let’s revisit the black tie affair scenario with a twist. What if your friend’s cousin Bill doesn’t want anyone to find him at the party? Bill would probably alter his appearance or behavior in one or more ways to avoid being spotted—like ditching the carnation and the eye patch. In a similar vein, fraudsters have to actively work at behaving like legitimate customers by watching their behavior and altering their digital appearance to get away with their deception. In order to pass themselves off as legitimate customers they have to take steps to avoid leaving any clues that would raise suspicion. The anonymous data in and around a web transaction contain a treasure trove of clues that can trip up a fraudster, such as language, time and fonts—and often it’s the absence of data or an inconsistency that throws a flag.
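The clues named above (language, time, fonts, and the absence of data) are checks on the transaction’s own consistency rather than on history, and they also answer the earlier question about a device whose location differs from what it claims even behind a proxy, because time zone and language come from the browser, not from the IP address. This added example, not any vendor’s code, runs such checks over constructed transactions; the country-to-offset table, field names and sample data are assumptions made for the example.

```python
"""Added example (not any vendor's code): consistency and absence checks over
the anonymous data of one web transaction. The country table, field names and
sample transactions are constructed assumptions for this example."""

# Assumption: IP-derived country -> plausible UTC offsets (minutes, east positive)
# and browser language prefixes. A real deployment would consult a geolocation
# database; this tiny table is constructed for the example.
COUNTRY_PROFILE = {
    "US": {"offsets": {-600, -540, -480, -420, -360, -300, -240}, "langs": {"en", "es"}},
    "NG": {"offsets": {60}, "langs": {"en"}},
    "RU": {"offsets": {180, 240, 300, 360, 420, 480, 540, 600, 660, 720}, "langs": {"ru"}},
}

# Fields an ordinary browser transaction always carries; absence is itself a clue.
REQUIRED_FIELDS = ("user_agent", "accept_language", "tz_offset_minutes", "fonts", "screen")


def check_consistency(txn):
    """Return the list of flags raised by missing or contradictory data."""
    flags = []

    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in (None, "", [])]
    if missing:
        flags.append("missing:" + ",".join(missing))

    claimed, ip_country = txn.get("claimed_country"), txn.get("ip_country")
    if claimed and ip_country and claimed != ip_country:
        flags.append("claimed_country_vs_ip")

    # Time zone and language are reported by the browser itself, so they still
    # disagree with a proxy's location even when the IP country looks right.
    profile = COUNTRY_PROFILE.get(ip_country)
    tz = txn.get("tz_offset_minutes")
    if profile and tz is not None and tz not in profile["offsets"]:
        flags.append("timezone_vs_ip")
    lang = (txn.get("accept_language") or "")[:2].lower()
    if profile and lang and lang not in profile["langs"]:
        flags.append("language_vs_ip")

    # A font list that does not fit the operating system named in the user agent.
    fonts = set(txn.get("fonts") or [])
    if "Windows" in txn.get("user_agent", "") and fonts and not fonts & {"Arial", "Times New Roman"}:
        flags.append("fonts_vs_os")

    return flags


# Constructed sample transactions.
SAMPLES = {
    "legit_new_york": {
        "user_agent": "Firefox/3.6 (Windows)", "accept_language": "en-US",
        "tz_offset_minutes": -300, "fonts": ["Arial", "Verdana"], "screen": "1280x800",
        "claimed_country": "US", "ip_country": "US",
    },
    "claims_new_york_from_nigeria": {
        "user_agent": "Firefox/3.6 (Windows)", "accept_language": "en-US",
        "tz_offset_minutes": 60, "fonts": ["Arial", "Verdana"], "screen": "1024x768",
        "claimed_country": "US", "ip_country": "NG",
    },
    "behind_us_proxy": {
        "user_agent": "Firefox/3.6 (Windows)", "accept_language": "ru-RU",
        "tz_offset_minutes": 180, "fonts": ["Helvetica", "Lucida Grande"], "screen": "1280x800",
        "claimed_country": "US", "ip_country": "US",
    },
    "stripped_browser": {
        "user_agent": "Firefox/3.6 (Windows)", "tz_offset_minutes": -300, "screen": "1280x800",
        "claimed_country": "US", "ip_country": "US",
    },
}

if __name__ == "__main__":
    for name, txn in SAMPLES.items():
        print(name, check_consistency(txn))
```

The proxy case is the instructive one: its IP address says United States, yet the browser’s clock and language say otherwise, and its fonts do not belong to the Windows it claims to run. None of these fields is personally identifiable, which is what lets the check run transparently without asking the visitor for anything.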
Any single fraud countermeasure is bound to be incomplete. Layered security is always recommended in order to stop a wide range of ever-changing threats. Device profiling is a useful layer that takes advantage of the anonymous data available in a web transaction to offer an excellent and currently under-utilized form of authentication and anomaly detection. It has the added benefit of being non-intrusive and cost efficient.