Protecting Online Gaming and e-commerce Companies from Fraud

Transcription

1 Protecting Online Gaming and e-commerce Companies from Fraud White Paper July 2007

2 Protecting Online Gaming and e-commerce Companies from Fraud Overview In theory, conducting business online can be efficient and cost effective. In practice, the damage caused by the use of stolen financial data, identity theft, spam, phishing, hackers and other fraudulent activities can be enormously expensive and difficult to manage. These realities have significantly increased the risks and real costs associated with conducting business on the Internet, especially for the online gaming industry. A key enabler of online fraud is anonymity. The online environment provides little concrete and easily verifiable information related to customers and their accounts. While online gaming networks regularly identify bad accounts after they have misbehaved, it can be difficult to identify high-risk accounts proactively before the damage is done. Moreover, preventing the same fraudsters from repeating their offenses, within a given online network and elsewhere on the Internet, has proven to be a stubborn issue. At iovation, we proactively prevent fraud through the use of our proven reputation services that help expose fraudsters in real-time within and across Web sites protected by our services. iovation s approach is built on capturing and sharing the reputation of Internet-enabled devices such as personal computers (PCs), laptops, and PDAs used to access online services. To effectively combat rising online fraud, online gaming and e-commerce sites need to be able to: > Better understand and utilize the associations between computers and customer accounts to proactively identify potential offenders; > Gain intelligence from other networks allowing businesses to be proactive when encountering high-risk relationships, while maintaining an extremely high level of privacy; > Control access from any device that has been associated with fraudulent or undesirable behavior. In this paper, we ll explore a solution for these issues iovation ReputationManager system, a fraud management solution utilizing the company s proprietary Device Reputation Authority (DRA). Lock Out PCs to Prevent Fraud iovation ReputationManager is the first solution that I ve seen that keeps a negative database of PCs and laptops. It gives us the ability to add an extra degree of security around the organization by not only locking out the person, but by locking out the tools they use to defraud the system. Jim Ryan, CEO, Excapsa 111 SW Fifth Avenue, Suite 3200 Portland, Oregon info@iovation.com

3 Implications of fraud for the Internet economy Most online businesses are all too familiar with the negative bottom line impact associated with fraud. In fact, the problem has become so pervasive and significant that most businesses are reluctant to publicly expose the extent of the financial damage to their operations. Conservative estimates place online chargeback rates at more than 10 times the chargeback rate experienced with traditional card-present transactions. In fact, Gartner group cites online chargeback rates 19 times higher than brick-and-mortar transactions. It is our experience that many online businesses operating in high-risk categories, such as online gaming, suffer chargeback rates that can at times exceed 10 percent of revenues. Without considerable changes to the way potential fraudsters are identified on the Internet, these losses will pose a significant hurdle for many online businesses. A Gartner study found that declining consumer confidence will inhibit U.S. e-commerce growth rates by 1 to 3 percent by The rapid growth of online fraud threatens to undermine customer confidence throughout the Internet economy, limiting its ultimate potential. Some types of online fraud and other negative behaviors The anonymity and immediacy of Internet-based services, such as online gaming, have helped create a fertile environment for the invention and spread of many new types of fraud and otherwise costly behavior. The motives of the perpetrators are varied and range from profit-making scams to the simple challenge of proving that they can beat the system. Whatever the motive, the costs are enormous. Some of the most common forms of fraud and delinquent behavior that currently permeate the Internet and the gaming sites include: > Stolen credit card information, leading to chargebacks (often operated in fraud rings) > Friendly chargebacks > Collusion among multiple players > Phishing > Use of Trojan applications to gather information or control processes > Abusive behavior in online communities and against online support personnel > Unauthorized network access and activities Common online fraud management tools and methodologies Because of the prevalence and impact of fraud, there are a significant number of tools and methodologies that have been used to combat the problem. There is no shortage of vendors in the marketplace with proposed solutions for various aspects of online fraud. Some of these solutions are effective, and some have limited real world application for online businesses that need to remain competitive. And, it is extremely unlikely that any one of them will ever be the silver bullet. Effective fraud control requires a collection of tools, each with its own specific application. When properly paired, each tool can enhance the others for a complete fraud prevention solution. Some examples of commonly used fraud detection methods and tools include: > Address Verification Systems (AVS) > Card Verification Methods (CVM) > Multi-factor User Authentication > Payer Authentication (Verified by Visa & Secure Code) > Transaction Velocity Check > Negative and Positive Lists > Geolocation Services > Screening Services > Risk Scoring > Rules-based Detection > Biometric Identification 2

4 The iovation ReputationManager fraud management service iovation ReputationManager software as a service adds a new layer of intelligence and control for online businesses a layer that has never been readily available before now. As with virtually every activity on the Internet, fraudulent behavior begins with a device connecting to an online business s Web site. At its most fundamental level, iovation ReputationManager provides real-time fraud protection to online businesses by identifying devices that are being used for illegal, fraudulent, malicious, inappropriate or otherwise unwanted activities. Once these devices are identified, iovation ReputationManager can share this information with all its subscribers, enabling these businesses to make proactive decisions regarding their customers transactions and/or accounts. At this point, the online business can decide to allow, limit or prevent access to services based on the known reputation of the device. The iovation ReputationManager fraud management system is comprised of three primary components: i) DeviceShield (a technology that uniquely identifies Internet-enabled devices) ii) Device Reputation Authority (a platform for fraud detection and analysis) iii) Administration Console (fraud analysis and reports). > Device Identification iovation ReputationManager utilizes proprietary methods to uniquely identify devices connected to the Internet, creating unique identification for them that remain constant across all subscribing online businesses. For example, a PC device connecting to one online gaming or e-commerce site protected by iovation ReputationManager is assigned a device identifier by the same method used to identify PCs connecting to other e-commerce sites/networks protected by the system. By carrying the same device identifier across multiple Web sites, first time visitors are no longer strangers when fraud information is shared among subscribers. iovation ReputationManager provides enhanced, proactive protection for all subscribers. > Device Reputation Authority (DRA) The Device Reputation Authority is iovation s platform for fraud management and online user device identification. DRA also maintains the relationships between users devices and their accounts/transactions, enabling fraud analysts to unmask hard-to-spot suspicious associations. Once a device has been associated with unauthorized or fraudulent account activity, the information can be stored in the DRA to prevent further online access and transaction attempts from that device. Leveraging the reputation of a device based on its history of usage creates a strong, fact-based authentication and fraud management solution. Each subscribing online business establishes its own rule sets for allowing or denying a particular customer transaction. For example, businesses can chose to share and trust evidence entered against devices by other subscribers. iovation ReputationManager applies these rules to return simple proceed or stop responses to queries at such touch points as login or at the time of a transaction, for real-time fraud prevention. Furthermore, subscribing businesses are armed with an administrative interface in the DRA, providing in-depth research into the relationships between customer devices and account/transaction activities. Online businesses can then maintain their own rule sets, update their own device reputation information, run queries and generate reports through simple HTML and SOAP interfaces. 3

5 White Paper Paper August, July, > Administrative Console (Fraud Analysis and Reports) Using a browser interface, iovation ReputationManager s console provides fraud analysts a powerful analysis and reporting tool for detecting hidden suspicious associations between customer accounts and their devices. By leveraging the system s reporting capabilities, fraud analysts can take appropriate and timely action. Once a fraudulent activity is confirmed, evidence can be entered into the DRA to prevent future fraudulent transactions from the implicated device or accounts. According to the Console screen below, the account prime_time has been denied access due to direct evidence against it. However, prime_time is also associated with the account moneymaker because both accounts have been accessed by the same device. By placing evidence directly against prime_time, other associated devices and accounts are also flagged creating a highly effective defense against fraud rings and repeat offenders. Opening excessive number of new accounts using the same device, in a short period of time, can often be an indicator of new account fraud based on forensic analysis of fraudulent activity patterns. The following Suspicious Activity report allows a subscriber to quickly identify all devices that have X number or more new accounts created within a selected time frame. 4

6 How Online Businesses Use iovation ReputationManager Subscriber A Acct Accept Deny Other Subscriber B Acct Acct Subscriber C Acct DRA Platform Practical use of the intelligence provided from the Device Reputation Authority is generally implemented through simple and unobtrusive business process changes within the subscribing network s system. The principal functions implemented within the network include the following: > Subscribers activate the device identification application either by embedding a few lines of code or JavaScript in their webpage or through ActiveX controls; > At user login and/or prior to any high-risk transaction, iovation ReputationManager uniquely identifies the device attempting to transact on the subscriber s Web site. The subscriber will query the DRA to determine the reputation of the user s device to make a decision, based on the subscriber s own rules, whether to proceed. Customer support and audit groups are trained on utilizing the information provided by iovation ReputationManager s analysis and reporting capabilities to make business decisions regarding suspicious relationships. 5

7 iovation ReputationManager Fraud Management Service in Action The best way to illustrate the iovation ReputationManager system s benefits for your business is through examples of how the system is used by subscribers. Example 1 The problem SUPER BOOK NETWORK is notified by a transaction-processing partner that it will not receive payment for a particular transaction because the credit card number is stolen. How can a network control access by known high-risk individuals when there is no easy way to truly identify and locate the individuals involved? The iovation solution After closing the account that created the fraudulent transaction, the audit team at SUPER BOOK NETWORK queries the Device Reputation Authority for a list of all network PCs/laptops that have been used to access the affected account. In this case, SUPER BOOK NETWORK receives a list of ten device identifiers. The audit team then queries the Device Reputation Authority for a list of all account identifiers associated with these ten device identifiers, resulting in a list of six additional accounts. After research by the audit team, a total of seven accounts are closed on SUPER BOOK NETWORK S system, and ten devices are marked as bad in the Device Reputation Authority. In the future, any device that connects to one of these seven bad accounts will be automatically marked in the Device Reputation Authority. In addition, any other account that attempts to log in from one of these PCs will be automatically marked as bad in SUPER BOOK NETWORK S system. Understanding relationships between accounts and specific PCs or laptops allows networks to connect bad accounts that might otherwise appear unrelated. Once the PCs or laptops used by bad accounts are identified, network access can be denied at that level. Example 2 The problem INTERNET GAMING NETWORK, operating out of Canada, finds a customer who has used a stolen card resulting in chargebacks. INTERNET GAMING NETWORK subscribes to a negative card database; however, this card has not been registered on the system. The iovation solution INTERNET GAMING NETWORK S audit team marks the account as bad in the Device Reputation Authority and checks to make sure that no other PCs or accounts are related. By marking the PC in the Device Reputation Authority, INTERNET GAMING NETWORK can be assured that it will not be able to access its network and services again and, at the same time, provides information to other subscribers that this PC has a bad reputation. Minutes later in London, the same PC tries to connect to SUPER BOOK NETWORK, who receives a response from the Device Reputation Authority that the PC has a negative reputation from another online business. Depending on the rules previously established by SUPER BOOK NETWORK, it can make an immediate decision to either grant access with no additional action, grant limited access with notification to an audit group or deny access altogether. Effectively, the iovation ReputationManager system shares information learned through actual behavior, enabling each subscriber to make informed decisions about the risk associated with allowing a connection to its network. 6

8 By sharing information about specific devices, subscribing online businesses can share intelligence without sharing any private customer information. In fact, businesses only share information about bad reputations. More importantly, this information is far more valuable, as bad end-users may not utilize any of the same account information from Web site to Web site. Summary Conclusion The Internet s core strengths speed and the ability to conduct anonymous transactions present significant risks for businesses and organizations that use the Internet as their primary channel to interact with their customers. By definition, the Internet requires a unique PC as an access point for customers. By identifying the PCs and associating them with known activity within participating networks, iovation ReputationManager is capable of introducing a layer of trust and protection for both e-commerce and gaming sites and their customers, without compromising personal privacy. iovation ReputationManager has proven its effectiveness in controlling online credit card fraud. It also has significant benefits for online communities that need to manage behavior in their respective communities; for networks that wish to monitor or limit the number of PCs used by customers; and for internal networks that require an additional layer of trust for certain PCs. Additional Information For more information about iovation s iovation ReputationManager fraud management solution for the online gaming industry, contact: iovation sales@iovation.com Legal Notice: 2007 All rights reserved. iovation ReputationManager, Device Reputation Authority are either trademarks or registered trademarks and the iovation logo is a service mark of iovation. Other product or service names mentioned herein are the trademarks of their respective owners. WP200707/01 7