Smart Device Identification for Cloud-Based Fraud Prevention Alisdair Faulkner Chief Products Officer
Contents Basic Device Identification is no longer enough... 3 Times have changed but your Device ID hasn t... 3 Cookies are Obsolete... 5 Device Fingerprints Smudge and Fraudsters Wear Gloves... 6 Compromised Devices are Commodities... 7 Smart Device Identification Requirements... 8 Smart versus Basic Device Identification Comparison... 9 ThreatMetrix Smart Device Identification... 11 Identify Fraudsters and Authenticate Customers... 11 Cookieless Device Fingerprinting... 12 IP, Browser and Packet Fingerprint Interrogation... 13 Real-time complex attribute matching and confidence scoring... 15 Man-In-The-Middle/Hidden Proxy and True Origin detection... 17 Compromised Device and Script detection... 18 Integrated Contextual Risk Scoring and Decisioning... 19 Recommendations... 22 2
Basic Device Identification is no longer enough Times have changed but your Device ID hasn t Device Identification, using a visitor s computer to provide additional fraud prevention and authentication intelligence, remains the most effective first perimeter of defense to protect online transactions including payments, logins and registrations. Benefits include: Zero customer imposition, providing passive two factor authentication for online transactions without requiring software or hardware tokens or challenge questions. Not relying on the collection of personal identifying information (PII) Stops first-time fraud attempts based on device anomalies and global behavior. Unfortunately since first generation device identification technologies were introduced the world has changed dramatically with an increase in the sophistication and globalization of cybercrime and a corresponding increase in exposure to enterprise fraud, risk and security teams. In this whitepaper you will learn about reasons to upgrade basic device identification and fingerprinting methods including: The reliance of existing technologies on cookie or cookie equivalents. Browser and flash cookies are easy to delete and compromise. Private browsing modes make it easier for fraudsters to hide. Modern smartphones are harder to reliably tag. Important security data is being ignored when collecting the device fingerprint. Simple browser fingerprinting technologies only gather information about the browser which is easy to spoof or subvert and it ignores important information encoded in the connection and packet. Relying on simple hashing techniques to perform fingerprint matching misses fraud and causes false positives. Traditional SQL databases cannot perform the complex and extensive attribute matching needed in real time. Lack of sophisticated proxy and Man-In-The-Middle detection. Simple IP proxy lists are no longer effective. No knowledge of when a good customer s device has been compromised. The widespread problem of infected computers due to botnets and Trojans means that simply recognizing an authenticated device is insufficient if that computer is now controlled or spied upon by hackers. 3
In addition, you will learn new features and benefits associated with the next generation of ThreatMetrix smart device identification technologies including: Cookieless device fingerprinting for better return visitor recognition Multiple scoring techniques to truly validate the identity of a device Going beyond simple browser fingerprinting technology to prevent more fraud Real-time complex device fingerprint matching and confidence scoring for less false positives Automatic detection of hidden proxies, compromised devices and MITM attacks to stop cybercrime at time of transaction. Global device recognition and behavior tracking for proactive protection Context aware risk based assessment across customer and transaction authentication processes for greater enterprise control. 4
Cookies are Obsolete 2010 officially rang in the death knell for cookies as a way to reliably identify a device to prevent fraud underscored by Gartner analyst Aviva Litan in her report published in February of 2010 titled Privacy Collides With Fraud Detection and Crumbles Flash Cookies. While it might seem obvious that a fraudster would delete browser cookies to avoid being identified the issue is slightly more nuanced. First generation device identification technologies rely on the general public s and unsophisticated fraudster s ignorance of Flash Cookies (Local Storage Objects) that are not deleted when regular browser cookies are cleared, and are invisible unless you know where to find them. Unfortunately for Basic Device identification vendors, online advertisers also use these same LSOs to resuscitate a cleared cookie which in turn, has incited a furor with privacy advocates. The result has attracted the attention of the FTC and the US Congress to impose privacy regulations to protect consumer s rights. In response the browser and browser plugin companies have instituted private browsing and opt out features into their products to better accommodate consumer opt-out protection. Additionally, version 10.1 of Adobe s Flash product now enables browser companies and consumers to delete LSOs in line with regular cookies. In addition, all the major browser companies have now implemented some form of private browsing mode that allows customers and intrepid fraudsters to temporarily suppress cookies and Flash objects and hence evade re-identification. 2010 also saw an explosive uptake in the number and variety of tablets and touch-based smartphones that make accessing the Internet and performing an online transaction from a mobile device a practical reality. Some of these devices such as the iphone and ipad do not 5
support Flash and also block third-party browse cookies by default further reducing the effectiveness of cookies and first generation device identification solutions for device recognition and reputation. Device Fingerprints Smudge and Fraudsters Wear Gloves Every interaction a customer makes with a website leaves a digital fingerprint about the device, the type of browser and the connection used. First generation device fingerprinting technologies typically use JavaScript or Flash to collect browser and clock information and use a hashing algorithm to generate some form of identifier. The problem is that this device fingerprint routinely changes as customers swap browsers, change physical locations and corresponding IP addresses with laptops, tablets and smartphones. As an illustration, a sample of transactions from ThreatMetrix Fraud Network shows that after 2 months 20% of visitors had changed their browser, and 25% had multiple IP Addresses. Further, fraudsters will deliberately try to manipulate or block browser settings in order to disguise their device fingerprint. The following graphs from the same sample shows that nearly 10% of transactions had one or more of JavaScript, Flash or cookies suppressed. Some of these transactions are fraudulent while at the same time many are transactions executed by privacy conscious customers and are valid. If these devices are not properly identified the end result to an ecommerce merchant, financial institution or other business will be either an increase of false positives resulting in loss revenues or increases in fraud resulting in increased costs. 6
Compromised Devices are Commodities Thanks to sophisticated malware like Zeus, millions of good customer s computers go bad on a daily basis. The problem is that existing fraud prevention and security solutions are blind to evidence that a particular device is infected at the point of a transaction leaving the enterprise exposed to Man-In-The-Browser (MITB), key-logging and Man-In-The-Middle (MITM) attacks. By orders of magnitude, however, the most common use of compromised computers is to turn an innocent s computer into an IP proxy to avoid geolocation filters and known anonymous proxy IP lists. Using a real world example, one ThreatMetrix customer doing an average of 4,500 customer verification transactions a day had nearly 5% of transaction originating from behind a compromised computer being used as a hidden proxy. 7
An examination of a subset of those hidden proxy transactions found that a large cluster originated from compromised servers hosted in the US with The Planet, a popular hosting provider, with the true origin of the transactions coming from several offshore countries. Smart Device Identification Requirements Criteria Requirement Cookieless Device Fingerprinting Passively collected device attributes to identity devices without requiring software or hardware tokens provides a first layer of defense across all website interactions. Unfortunately malware and fraudsters routinely delete, steal and tamper with browser and flash cookies and attributes. Cross correlating device fingerprint attributes and behavior with session and browser cookies provides an additional layer of authentication. Real-time complex attribute matching and confidence scoring Cybercriminals routinely manipulate device parameters to evade detection. Worse, simple attribute matching based on hashing browser and IP attributes can create unnecessary false positives and customer complaints. Smart Device Identification provides complex attribute matching in real time at the time of transaction for persistent identification of a visitor even when IP or browser attributes change. Confidence scores based on global 8
collections of device profiles reduce false positives. Packet & Browser Fingerprint Interrogation Man-In-The-Middle and True Origin detection Compromised Device and Script detection Global Recognition Integrated contextual risk scoring and decisioning Attributes collected from the browser and IP address are trivial to spoof. Smart Device Identification adds passive packet fingerprinting for greater resolution and spoof protection. Based on browser and packet fingerprint interrogation, Smart Device Identification automatically detects and classifies MITM attacks and bypasses hidden proxies to reveal the true IP Address, geolocation and origin of the transaction. Organizations not only need to identify a customer s device, they also need to know whether that device is now compromised and infected. Subscribing to IP reputation feeds is not enough if the botnet intelligence cannot be acted on while the customer is on the page. Provides ability to re-identify customer devices across sites. A risk decision based on device intelligence needs to be made in context with per organization and global transaction patterns. Smart versus Basic Device Identification Comparison Criteria Smart Simple Frictionless customer experience No software or browser plugins required Cookieless Device Fingerprinting Packet, Browser and IP interrogation Real-time Complex Fingerprint Matching û Heavily reliant on cookie or cookie equivalents û Browser Fingerprint, IP Address intelligence only û Simple Hash or Cryptographic algorithm only 9
Cross platform PC, Server, Tablet, Smartphone Man-In-The-Middle and True Origin detection Compromised Device and Script detection û Limited to PC/Laptops û Simple IP Proxy detection and Geolocation only û Blind to botnet and spyware infection Global Recognition û Local only Integrated contextual risk scoring and decisioning û Not real-time, unable to integrate into existing processes 10
ThreatMetrix Smart Device Identification Identify Fraudsters and Authenticate Customers SmartID Cookieless Device ID ExactID Evercookie Device ID Instant Cookieless Recognition based on Packet and Browser Fingerprint and prior visits Positive Identification and Authentication across PC, Tablet and Smartphone Risk-based confidence scoring based on predictive algorithms and decision trees Fact-based authentication using on parallel matching across multiple device identifiers Pre-customer customization of velocity rules and spoof detection Global behavior and correlation Dual factor authentication for detection of cookie wiping and device manipulation ThreatMetrix Smart Device Identification technology provides dual identifiers to detect fraudsters and authenticate returning customers without false positives. SmartID provides cookieless device identification using attribute matching and confidence scoring, while ExactID provides parallel matching across multiple cookie equivalents to give the broadest possible coverage across PC, Tablets and Smartphones. Used together ThreatMetrix SmartID and ExactID provide cross validation to detect cookie-wiping, private browser modes, hidden proxies, botnets and cookie and device manipulation. Both ThreatMetrix SmartID and ExactID are generated in realtime to be used separately or in combination within the ThreatMetrix Cloud-based Fraud Prevention Platform to accept, reject, challenge or review a transaction while the customer is still on the page. This second generation device identification capability is based on a more complete examination of device data matched across global device profiles using a proprietary distributed computing platform to enable: Cookieless Device Identification Packet, Browser and IP Fingerprinting Real-time Complex Fingerprint Matching Cross platform capability including PC, Server, Tablet and Smartphone detection Man in the middle and True Origin detection Compromised Device and script detection Global recognition Contextual scoring based on customer, enterprise and global transaction patterns. 11
Cookieless Device Fingerprinting Device Identification based on a fingerprint instead of a cookie is similar to radar signal detection, spam detection and scenarios where you need to differentiate between a valid signal and background noise. There are costs associated with both missing what you are looking for e.g. missiles, spam and fraudulent devices, and also costs associated with incorrectly classifying innocents e.g. passenger airlines, CEO s emails and loyal customers. ThreatMetrix SmartID uses a machine learning approach that takes into account per-customer and global device profile patterns and how they change so that reliable device identifiers can be generated with confidence. Unlike other fingerprint methods that are effectively static, ThreatMetrix SmartID provides adaptive cookieless identification that is tolerant to incremental and non-linear changes. The following table provides an example of how ThreatMetrix SmartID maintains persistence and an associated confidence score for a fraudster trying to evade detection: Visit Fraudster s Device Configuration SmartID 1 New Visit using Firefox 35ad 1f94 New Device 2 Start Firefox Private Browsing all cookies are suppressed 35ad 1f94 confidence = 99 3 Close Private Browsing, re-visit in Firefox 35ad 1f94 confidence = 100 4 Wipe all cookies, change IP Address, restart Firefox, revisit 35ad 1f94 confidence = 96 5 Visit in Chrome browser 35ad 1f94 confidence = 98 6 Wipe all cookies, restart Firefox, Change Browser String, revisit 35ad 1f94 confidence = 97 ThreatMetrix is able to outperform in-house and other device fingerprint methods based on the fact that it collects valuable packet and security data not able to be measured by first generation device fingerprinting architectures and the fact that it is able to process more data in real-time using advanced parallelized matching strategies on global device and transaction indexes built on a distributed hardware and software architecture. 12
IP, Browser and Packet Fingerprint Interrogation The table below shows the evolution of Device Intelligence from IP Address to Browser to Packet Intelligence. First generation device identification technologies are limited to browser and IP intelligence only. Device Intelligence IP Intelligence Browser Intelligence Packet Intelligence IP Geolocation Known Proxy IP Detection Known Botnet/Trojan IP Detection Browser and plugin cookie identification Browser and plugin fingerprint recognition Time zone and time difference detection Packet fingerprint recognition Hidden Proxy / MITM Detection True Origin Detection True OS and Spoofed Browser detection VPN Detection Satellite, Dial-up, Mobile wireless Detection Attributes collected from the browser and IP address are trivial to spoof. For example, common browser plugins allow both web designers and fraudsters to change the apparent browser and version that the web server sees with a click of a button. ThreatMetrix Smart Device Identification overcomes these limitations by adding passive packet fingerprinting for greater accuracy and 13
spoof protection. Because the information is collected as part of the standard networking and browser security model there is no possibility of leakage of personal information, no interruption to the customer s experience, and no additional software or browser plugins to download or accept. ThreatMetrix transparently performs a technique similar to how every firewall currently protects your information. ThreatMetrix SmartID transparently analyzes packet headers and their change in state over time to determine whether the source is malicious or safe. By examining anonymous packet header data when the client requests a web page, ThreatMetrix can detect hidden risk. For example, the table below illustrates a real world fraudulent attack blocked by ThreatMetrix against automated botnet scripts that were randomizing and mimicking various browsers but were in fact originating from a Linux server. 14
Real-time complex attribute matching and confidence scoring The quality of any device matching technique is directly proportional to the quality and quantity of data collected and the effectiveness of the matching process. In addition to the fact that ThreatMetrix collects more data than first generation device identification alternatives through packet, browser and IP analysis, ThreatMetrix is unique in the way it performs complex device fingerprint matching in real-time. A naïve approach to generating a device identifier based on a fingerprint is to simply use some form of strict or fuzzy hashing technique that builds an identifier purely based on the attributes collected at the point of transaction. The problem with strict hashing techniques is that one small change in device e.g. a change in flash version from 10.1.0 to 10.1.1 will generate a new identifier. Fuzzy hashing techniques can build additional tolerance but still fundamentally suffer from the problem that both customers and fraudsters act in non-linear ways that can t be compensated for unless context, history and multiple matching scores are used. ThreatMetrix cookieless SmartID technology is fundamentally different from other Basic Device fingerprint techniques in that the SmartID is attribute independent and takes global history, perorganization and transaction context into account when applying multiple matching filters to generate a persistent immutable device score in real time. Parallelized matching strategies with confidence scoring based on Machine Learning techniques enable return visitor detection even when non-linear changes, e.g. changing IP address and browser, are made. The ThreatMetrix Device ID Engine provides maximum accuracy by performing SmartID selection based on context at time of transaction, e.g. taking into account metrics such as time between visits and sites visited across the network to dramatically filter out false positives. The result is dramatic improvements in fraudulent and good customer device authentication with corresponding reductions in fraud loss, manual review, risk exposure and customer complaints. 15
In order to provide real-time device fingerprint matching and risk scoring, ThreatMetrix employs a distributed cloud-based architecture. The design provides for real-time data processing and delivery, Internet scalability, anonymous shared intelligence across components, redundancy and speed. Excluding data warehousing and the Fraud Control Portal, The key components are: Profiling Server: Performs both passive (IP/TCP/HTTP profiling) and active (JavaScript, ActionScript, Silverlight, HTML5, CSS) inspection of devices when a user loads a web page that includes ThreatMetrix profiling tags. Suitable for all device types including PC, tablet and smartphone. In addition integrates with mobile and PC applications via a standard API. Attribute Cache Server: Collects and assembles a complete view of a device s browser, operating system and network characteristics, and performs first level inmemory anomaly analysis. Device ID Engine: Manages logic and processes related to device identities including attribute retrieval, creating unique device identities and matching Transaction Intelligence Engine: Processes shared device, transaction, behavioral and reputation history Real-time Risk Engine: high-velocity rules and pattern recognition engine detects device risk in real-time based on per-customer and global device transaction histories API Server: Customer interface to ThreatMetrix Network for in-house or third-party risk-based authentication and authorization applications 16
Man-In-The-Middle/Hidden Proxy and True Origin detection Based on browser and packet fingerprint interrogation, ThreatMetrix Smart Device Identification automatically detects and classifies MITM attacks and bypasses hidden proxies to reveal the true IP Address, geolocation and origin of the transaction. Rather than rely on Proxy IP Address lists that are continually outdated and blind to more sophisticated hidden proxies, ThreatMetrix instantly examines, scores and classifies device interactions to determine whether the originating device is being masked or tunneled by an anonymous or hidden proxy or MITM attack, or is simply a valid customer behind an enterprise or ISP proxy gateway. Examples of the types of analysis performed in real time by ThreatMetrix to detect the existence of intermediate devices and the true origin location include: Detection of VPN usage and use of out-of-country satellite, dialup or mobile broadband connections based on unique Packet Fingerprint data. Employing proxy bypass methods to cause the device being profiled to directly connect back to the profiling server in order to expose the true IP Address and IP Geo Detection of mismatches between the operating system information reported by the browser compared with operating system information reported by the TCP/IP operating system fingerprint Examining HTTP protocol fields such as client IP and inconsistencies in HTTP/browser field order Detection of removed or modified content in the webpage Detection of a mismatch in other browser elements including time-zone, language and geo-location Filtering out legitimate corporate and ISP proxies DNS geo-location mismatches 17
Compromised Device and Script detection Organizations not only need to identify a customer s device, they also need to know whether that device is now compromised and infected. Subscribing to IP reputation feeds is not enough if the botnet intelligence cannot be acted on while the customer is on the page. ThreatMetrix Smart Device Identification provides evidence-based compromised device and bot intelligence in realtime so that an organization can make the appropriate decision to block, challenge or review the attempted transaction. For example a customer logging in to an online banking portal may appear to be positively authenticated using a Device ID in combination with Username and Password, however ThreatMetrix Smart ID detects that the user s IP Address has recently appeared on a botnet infection list and an analysis of the packet fingerprint reveals a hidden Man- In-the-middle attack. Because the intelligence is provided in real-time the bank can either block the transaction or notify their customer to download a new virus definition before allowing the transaction. To detect when a device is either infected or under the control of a bot or script, ThreatMetrix uses a combination of real-time analytics and mass forensic processing. Real-time analytics looks for device fingerprint anomalies indicating infection as well as global historic pattern data while ThreatMetrix mass forensic processing aggregates, correlates and scores botnet reputation data across these multiple submission sources and sensors e.g. firewall logs, honey pots, dark net sensors, spam feeds, submissions, command and control host interception and forums. 18
Integrated Contextual Risk Scoring and Decisioning ThreatMetrix smart device identification solution provides an integrated cloud-based fraud platform for combining global and per enterprise device identity with behavior and transaction context to reduce manual review and the total cost of fraud. Included in the platform is an analyst workbench to screen and review high risk and related transactions and an enterprise policy engine to automate fraud decisioning. 19
The table below outlines the key components of the ThreatMetrix cloud-based fraud platform. Component Bullet Proof Security and Privacy Protection Enterprise Policy Engine Transaction Monitoring and Link Analysis Queue Management Description ThreatMetrix provides smart device identification technology to detect and alert based on suspicious device anomalies. For even more powerful fraud detection transaction identifiers such as an email address, payment account hash, phone number, etc. can be passed to allow for more correlation. When provided, ThreatMetrix protects these identifiers with encryption and one-way hashing so that the data is never exposed or shared. In addition, power rolebased permissions and full auditing meet or exceed enterprise security compliance requirements. ThreatMetrix provides real-time contextual scoring based on device, customer and transaction attributes and historic analysis through a customer configurable rules engine. Default rules and algorithms will detect many anomalies such as hidden proxies, high risk geographies, anomalous language and time settings, potential cookie wiping and blacklisted attributes. More advanced rules allow for correlation of other transaction data such as detecting multiple identities, payment accounts or shipping addresses used by the same device, or an unusually high volume of transactions from a device across the ThreatMetrix network. ThreatMetrix rules can be directly updated by analysts and activated immediately to respond to changing threats. In addition to a real-time API that immediately returns device identifiers, anomaly indicators and risk scores in milliseconds, ThreatMetrix provides an online portal to review past transactions and perform forensic analysis. It includes a dashboard that shows recent high-risk transactions and trends as well as advanced search capabilities to assist fraud analysts to find related transactions and discover links between suspicious activity Manual review of transactions is time consuming and expensive. To address this, ThreatMetrix allows for custom tuning of rules to reduce false positives with automated assignment of transactions to analyst queues by configurable rules. This enables analysts to 20
focus on the highest risk transactions, for example based on score, transaction amount, or criteria such as geographical origin. When a transaction is reviewed, it can be marked as rejected/accepted to improve the ability of ThreatMetrix to score transactions through predictive scoring. Customizable Alerting Predictive Global Intelligence ThreatMetrix supports automated alert rules to notify an analyst by email when a transaction meets specified criteria. These alerts can be triggered on risk, transaction or device attributes or associated with specific fraud behavior. Alert content can be customized and linked directly back to the transaction for review. ThreatMetrix customers benefit from anonymous and aggregated device and transaction behavior seen across the global ThreatMetrix network using both automated scoring as well as customizable fraud filters. The ThreatMetrix Cloud-Based Fraud Prevention Platform provides proactive protection that gets smarter with every customer and transaction without requiring extensive manual input. 21
Recommendations 1. Review legacy solutions and competitive vendor offerings to understand where they fit with respect to smart versus Basic Device identification capabilities 2. Educate your organization on the key requirements and benefits of smarter device identification 3. Plan rollout of an upgrade to current customer device identification technology for 2011 4. Initiate customer and transaction authentication and monitoring based on improved device, behavior and contextual risk scoring. About ThreatMetrix, Inc. ThreatMetrix profiles daily tens of millions of customer devices and screens hundreds of thousands fraudulent transactions many of the world s largest online brands. ThreatMetrix cloudbased fraud prevention and risk management platform protects online account creation, login authentication and payment authorization processes based on automated anonymous intelligence across its global fraud prevention network. ThreatMetrix serves a rapidly growing customer base in the U.S. and around the world across a variety of industries including online retail, financial services, social networks, and alternative payments. 22