Device Risk Profiling

Real-time device biometrics and fingerprinting for online fraud prevention

Device Risk Profiling is an emerging term used to describe the process of transparently obtaining real-time device biometrics during an online transaction in order to accurately determine the identity, reputation and risk of a device. It includes the ability to fingerprint a device.


Device Risk Profiling Overview

Device Risk Profiling is a process that is performed in real time by a remote device profiling server when a user initiates an online transaction. It is ideally transparent to the end user and requires no enrollment process. Instead of merely attempting to identify a device, Device Risk Profiling also attempts to fingerprint a device's posture, intent and behavior. Because it looks beyond superficial user-supplied credentials and browser attributes, Device Risk Profiling is particularly effective for preventing online credit card fraud and account takeover.
 

The need for Device Risk Profiling in Fraud Prevention.

The core problem with today's online fraud prevention tools is that they primarily rely on verification of user-submitted credentials that are routinely bought and sold on the black market. In an age when an estimated 50% of US and UK adult identities have been breached, today's fraud and risk tools are losing the arms race against professionally motivated and technologically sophisticated fraudsters. In this new era of identity theft and online fraud, the criminal's weapons of choice are spyware, malware and phishing sites, and their accomplices are legions of infected and compromised devices.

Accurate Device Risk Profiling Requirements. 

Unlike stand-alone point technologies, accurate Device Risk Profiling requires a comprehensive view of a Device's Identity, Reputation and Biometrics. Look for a Device Risk Profiling solution that provides the following fraud intelligence for increased detection accuracy and reduced false positives:

  • Device Identification - the use of modern Device Fingerprinting techniques to uniquely identify a fraudster's device even when they change their IP address, cookies or browser.
  • Instant Proxy Detection - the use of connection profiling to determine whether the device is connecting through an intermediate server in order to disguise its network identity and location. Proxy Detection also requires effective Proxy Risk Classification in order to differentiate between ISP, Enterprise and Botnet proxies.
  • True IP and True Geo Detection - piercing the proxy to detect the true IP address and IP geolocation of a fraudulent device; valuable for detecting when a transaction that appears to originate in New York was actually initiated from Estonia.
  • Infection Detection - determining whether a computer is infected and under the command and control of a botnet master.
  • Device Reputation Risk - using evidence of previous fraudulent transactions committed from the device to provide proactive protection to members of a Device Reputation Network.
  • Subversion Detection - using browser, operating system and connection anomalies to detect evasion attempts.
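The list above is only useful if the six signals are combined into a single decision, with proxy classification keeping ISP and enterprise proxies from generating false positives. The following is an added example of that combination step; it is not ThreatMetrix code or the author's own, and its weights, thresholds, device ids and reputation data are assumptions constructed for illustration.

```python
"""Combining Device Risk Profiling signals into one transaction decision.

Weights, thresholds and the sample reputation data below are assumptions
for this example, not a published scoring scheme.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed device reputation network: device fingerprint -> prior fraud reports
# shared by network members. Device ids are placeholders.
REPUTATION_NETWORK: Dict[str, List[str]] = {
    "dev-7f3a": ["chargeback", "account_takeover"],
    "dev-0c11": [],
}

# Proxy Risk Classification: "behind a proxy" carries very different risk
# depending on what kind of proxy it is (assumed weights).
PROXY_WEIGHTS = {"none": 0, "enterprise": 5, "isp": 10, "botnet": 40}


@dataclass
class DeviceProfile:
    device_id: str                  # stable fingerprint (Device Identification)
    proxy_class: str                # "none", "isp", "enterprise" or "botnet"
    claimed_country: str            # geolocation of the IP the request arrived from
    true_country: str               # geolocation of the pierced true IP
    infected: bool                  # command-and-control traffic seen (Infection Detection)
    anomalies: List[str] = field(default_factory=list)  # browser/OS/connection mismatches


def score_device(profile: DeviceProfile) -> Tuple[int, List[str]]:
    """Return a 0-100 risk score and the evidence behind it."""
    score = 0
    reasons: List[str] = []

    weight = PROXY_WEIGHTS.get(profile.proxy_class, 40)  # unknown class: treat as worst case
    if weight:
        score += weight
        reasons.append(f"{profile.proxy_class} proxy")

    # True IP / True Geo: the pierced location disagrees with the apparent one
    if profile.true_country != profile.claimed_country:
        score += 30
        reasons.append(f"geo mismatch {profile.claimed_country}->{profile.true_country}")

    if profile.infected:
        score += 30
        reasons.append("device under botnet control")

    # Device Reputation Risk: evidence shared by other network members
    reports = REPUTATION_NETWORK.get(profile.device_id, [])
    if reports:
        score += 20 * len(reports)
        reasons.append(f"{len(reports)} prior fraud report(s)")

    # Subversion Detection: each anomaly suggests an evasion attempt
    if profile.anomalies:
        score += 15 * len(profile.anomalies)
        reasons.extend(f"anomaly: {a}" for a in profile.anomalies)

    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map the score to an action; thresholds are assumptions."""
    if score < 30:
        return "approve"
    if score < 70:
        return "review"
    return "decline"


if __name__ == "__main__":
    # Constructed transactions: a returning customer and a proxied, infected repeat offender.
    clean = DeviceProfile("dev-0c11", "none", "US", "US", infected=False)
    risky = DeviceProfile("dev-7f3a", "botnet", "US", "EE", infected=True,
                          anomalies=["User-Agent claims Windows, TCP stack matches Linux"])
    for p in (clean, risky):
        s, why = score_device(p)
        print(p.device_id, s, decide(s), why)
```

Returning the reasons alongside the score is what lets a fraud analyst review a "review" decision and, over time, tune the weights; a bare number cannot be audited.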

Clientless Device Profiling Methods.

To be effective in an ad hoc ecommerce transaction environment, Device Risk Profiling technologies must be as transparent as possible to the end customer or risk cart abandonment. Clientless Device Profiling methods can be classed as Passive, Active or Reputation-based.

  • Passive Profiling - Passive Profiling is the term used to describe the process of extracting device biometric information from a client-initiated connection with the profiling server. It is called 'passive' because it is unobtrusive and, if performed correctly, undetectable by the client device. Passive Profiling is therefore well suited to credit card fraud protection.
  • Active Profiling - Active Profiling is the term used to describe the process of extracting device biometric information from a connection initiated by the Profiling Server. All networked devices are open to Active Profiling by the nature of the internet protocol; however, depending on how aggressive the technique is, Active Profiling is likely to be flagged by Intrusion Detection Systems or blocked by firewalls.
  • Reputation Profiling - Reputation Profiling is the use of reports submitted by third parties and direct evidence in order to determine the threat, risk, fraud and vulnerability profiles of a device. This allows profiling to be performed without maintaining an Active or Passive Profiling connection.

Device Fingerprinting and Identification.

Comprehensive Device Risk Profiling that goes beyond the browser allows for more accurate and persistent Device Fingerprinting and Identification.  The following provides a summary of the types of information available during the profiling process. 

Browser Fingerprinting 

Browser Fingerprinting (also called Browser Profiling) is the use of HTML, JavaScript, Flash or other methods available in the browser to profile a device. Information available through the browser includes, but is not limited to, screen resolution, browser type, clock time, time zone, languages and media supported.


HTTP Fingerprinting 

HTTP Fingerprinting is a method of extracting additional risk information communicated during the HTTP connection between the client and the server. Such information includes, but is not limited to, the types of compression supported, proxy support and language.
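The two sections above describe what a profiling server can collect from the browser and from the HTTP request; the practical question is how to turn those attributes into an identifier that survives a cookie deletion or an IP change, and how to read proxy support off the request. The following is an added example of that server-side step, written for this page rather than taken from the author or from ThreatMetrix. The browser attributes, the request headers, the choice of which fields count as "stable" and the 203.0.113.0/24 address (a documentation range) are all constructed assumptions.

```python
"""Browser and HTTP fingerprinting on the profiling server.

The sample browser attributes and request headers are constructed; the
choice of which fields are "stable" is an assumption for this example.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Attributes a profiling script would report from the browser (constructed sample).
BROWSER_ATTRS: Dict[str, object] = {
    "screen": "1920x1080x24",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
    "timezoneOffset": -300,
    "languages": ["en-US", "en"],
    "mediaTypes": ["audio/mpeg", "video/mp4"],
    "clockTime": 1365000000123,   # wall clock; changes on every request
}

# Request headers as received, in wire order (constructed sample).
HTTP_HEADERS: List[Tuple[str, str]] = [
    ("Host", "shop.example"),
    ("User-Agent", "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"),
    ("Accept", "text/html,application/xhtml+xml"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Via", "1.1 proxy.example.net"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("Cookie", "session=8f1c"),
]

# Browser fields that survive cookie deletion and IP changes.
STABLE_BROWSER_KEYS = ("screen", "userAgent", "timezoneOffset", "languages", "mediaTypes")
# Headers whose presence or value varies per site, session or path and must not
# enter the fingerprint.
VOLATILE_HEADERS = {"host", "cookie", "referer", "content-length",
                    "via", "x-forwarded-for", "forwarded"}
NEGOTIATION_HEADERS = ("accept", "accept-language", "accept-encoding", "user-agent")
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")


def _digest(parts: object) -> str:
    """Canonical JSON -> SHA-256 hex, so the same attributes always hash the same way."""
    canonical = json.dumps(parts, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def browser_fingerprint(attrs: Dict[str, object]) -> str:
    """Hash only the stable browser attributes; clock time is deliberately left out."""
    stable = {k: attrs.get(k) for k in STABLE_BROWSER_KEYS}
    return _digest(stable)


def http_fingerprint(headers: List[Tuple[str, str]]) -> str:
    """Hash header order plus the values of the content-negotiation headers.
    Header order is a property of the HTTP implementation, not of the user."""
    order = [name.lower() for name, _ in headers if name.lower() not in VOLATILE_HEADERS]
    values = {name.lower(): value for name, value in headers
              if name.lower() in NEGOTIATION_HEADERS}
    return _digest({"order": order, "values": values})


def proxy_indicators(headers: List[Tuple[str, str]]) -> Tuple[List[str], Optional[str]]:
    """Return the proxy-revealing headers present and the client IP they disclose, if any.
    Absence of these headers does not prove there is no proxy; that needs connection
    profiling, which this example does not cover."""
    found = [name.lower() for name, _ in headers if name.lower() in PROXY_HEADERS]
    xff = next((v for n, v in headers if n.lower() == "x-forwarded-for"), None)
    disclosed = xff.split(",")[0].strip() if xff else None
    return found, disclosed


if __name__ == "__main__":
    print("browser:", browser_fingerprint(BROWSER_ATTRS))
    print("http:   ", http_fingerprint(HTTP_HEADERS))
    print("proxy:  ", proxy_indicators(HTTP_HEADERS))
```

The design point is the split between stable and volatile inputs: a fingerprint that includes the session cookie or the arriving IP is defeated by exactly the changes a fraudster makes most easily, while one built from screen geometry, time zone, language preferences and header ordering is not.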

TCP Fingerprinting 

TCP Fingerprinting provides information about the type of connection being used and connection speeds, and, in more sophisticated approaches, can be used to individually fingerprint devices based on the network protocol stack.

Device Driver Fingerprinting

Device Driver Fingerprinting enables one device to be differentiated from another based on the unique attributes of a vendor-specific implementation of a network device driver.

OS Fingerprinting

By profiling connection characteristics in real time it is possible to accurately determine the operating system, and often the version, being used to establish the internet connection, along with connection characteristics such as speed and type.
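The TCP and OS Fingerprinting sections above describe passive inference from the protocol stack; the value for fraud detection comes when that inference is cross-checked against what the browser claims, which is the Subversion Detection case from the requirements list. The following is an added example of a passive SYN-based OS match with that cross-check. It is not ThreatMetrix code or the author's; the signature table is illustrative (assumed for this page, not a p0f or vendor database) and the SYN samples are constructed.

```python
"""Passive TCP/OS fingerprinting from SYN characteristics, cross-checked against
the browser's claimed OS.

The signature table is illustrative (assumed for this example, not a p0f or
vendor database); the SYN samples in the tests are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynFeatures:
    ttl: int        # IP TTL as seen at the profiling server
    window: int     # initial TCP window size
    options: str    # option order, p0f-style: M=MSS S=SACK-OK T=timestamp N=NOP W=wscale E=EOL


# (initial TTL, window, option order, OS family) -- illustrative values only.
SIGNATURES = [
    (64, 5840, "M,S,T,N,W", "Linux"),
    (128, 65535, "M,N,W,N,N,S", "Windows"),
    (128, 8192, "M,N,W,N,N,S", "Windows"),
    (64, 65535, "M,N,W,N,N,T,S,E,E", "Mac OS X"),
]

INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Stacks start from one of a few well-known TTLs and routers only decrement,
    so the sender's initial TTL is the smallest well-known value not below the
    observed one."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return next(t for t in INITIAL_TTLS if t >= observed)


def hop_distance(observed: int) -> int:
    """Number of routers between client and profiling server."""
    return initial_ttl(observed) - observed


def match_os(f: SynFeatures) -> Tuple[str, int]:
    """Return (OS family or 'unknown', hop distance)."""
    start = initial_ttl(f.ttl)
    for ttl, window, options, name in SIGNATURES:
        if ttl == start and window == f.window and options == f.options:
            return name, start - f.ttl
    return "unknown", start - f.ttl


def claimed_os(user_agent: str) -> str:
    """OS family the browser claims in its User-Agent. Android is checked before
    Linux because Android user agents also contain the word Linux."""
    for pattern, name in (("Windows", "Windows"), ("Mac OS X", "Mac OS X"),
                          ("Android", "Android"), ("Linux", "Linux")):
        if re.search(pattern, user_agent):
            return name
    return "unknown"


def subversion_anomaly(f: SynFeatures, user_agent: str) -> Optional[str]:
    """Subversion Detection: the network stack says one OS, the browser claims
    another. Returns a description of the anomaly, or None when consistent or
    when either side is unknown."""
    tcp_os, _ = match_os(f)
    ua_os = claimed_os(user_agent)
    if "unknown" in (tcp_os, ua_os) or tcp_os == ua_os:
        return None
    return f"User-Agent claims {ua_os} but TCP stack matches {tcp_os}"


if __name__ == "__main__":
    # Constructed SYN: Linux-looking stack 12 hops away, browser claiming Windows.
    syn = SynFeatures(ttl=52, window=5840, options="M,S,T,N,W")
    ua = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"
    print(match_os(syn), subversion_anomaly(syn, ua))
```

A mismatch is a signal, not proof: a legitimate NAT gateway or a user-agent switcher will produce one too, which is why it feeds a score rather than a block.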
 

Clock-Skew Fingerprinting 

Clock-skew Fingerprinting uses remote measurement of the clock drift associated with a computer's CPU clock in order to differentiate between devices.
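Clock skew is measured by collecting timestamps the remote device emits (for instance the TCP timestamp option) together with the server's own receive times and fitting the drift of the offset between them; the slope of that fit, in parts per million, is a property of the device's oscillator and does not change with its IP address or browser. The following is an added example of that estimate, written for this page and not taken from the author or from ThreatMetrix. The observations are simulated (constructed data with a chosen skew and random delay jitter), the 1000 Hz timestamp rate is assumed, and the ordinary least-squares fit is a simplification of the minimal-delay fitting used in the published technique.

```python
"""Clock-skew fingerprinting: estimate a remote clock's drift from timestamps it
sends (e.g. the TCP timestamp option) against the profiling server's own clock.

The observations are simulated here (constructed data); the least-squares fit is
a simplification of the minimal-delay fitting used in published work.
"""
import random
from typing import List, Tuple

Sample = Tuple[float, int]   # (server receive time in seconds, client timestamp in ticks)


def simulate_device(skew_ppm: float, hz: int, n: int = 600, interval: float = 1.0,
                    seed: int = 1) -> List[Sample]:
    """Constructed observation set for a device whose clock runs skew_ppm parts per
    million fast (or slow, if negative), sending one packet per interval. Each packet
    gets 0-10 ms of one-way delay jitter on top of the true elapsed time."""
    rng = random.Random(seed)
    samples: List[Sample] = []
    for i in range(n):
        true_elapsed = i * interval
        ticks = int(true_elapsed * (1.0 + skew_ppm * 1e-6) * hz)
        recv = true_elapsed + rng.uniform(0.0, 0.010)
        samples.append((recv, ticks))
    return samples


def estimate_skew_ppm(samples: List[Sample], hz: int) -> float:
    """Fit the offset (client elapsed time - server elapsed time) against server
    elapsed time with ordinary least squares; the slope is the skew, returned in
    parts per million."""
    r0, t0 = samples[0]
    xs = [recv - r0 for recv, _ in samples]
    ys = [(ticks - t0) / hz - x for (_, ticks), x in zip(samples, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def same_device(skew_a: float, skew_b: float, tolerance_ppm: float = 5.0) -> bool:
    """Two skew estimates are consistent with one physical clock if they agree
    within the measurement tolerance (assumed 5 ppm here)."""
    return abs(skew_a - skew_b) <= tolerance_ppm


if __name__ == "__main__":
    hz = 1000  # assumed client TCP timestamp frequency
    for skew in (50.0, -120.0):
        estimate = estimate_skew_ppm(simulate_device(skew, hz), hz)
        print(f"true {skew:+.0f} ppm, estimated {estimate:+.2f} ppm")
```

With ten minutes of once-a-second samples and up to 10 ms of jitter the fit resolves skew to well under 5 ppm, which is enough to separate devices whose oscillators differ by tens of ppm; shorter observation windows or noisier paths widen the tolerance, and two devices with near-identical skew are only separable with the other fingerprinting signals on this page.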

Alisdair Faulkner
Vice President at ThreatMetrix
Bay Area