Fraud is a serious problem in today’s online world.
The effects of fraud are costly and far-reaching for merchants, consumers, and companies that connect their internal systems to the internet.
There are a number of different types of fraud and different points in the transaction at which to capture and prevent fraud. In an independent survey of online retailers in the U.K., Experian reported that "40 percent of the companies said they had been hit by the same fraudster more than once, with 18 percent saying that they had been hit three times by the same fraudster before the fraud was detected and the account closed." Consumers suffer when fraud is conducted, the first time or repeatedly, using their personal credentials. And companies that have all or part of their systems on the internet are affected when attackers enter their systems to gain access to data or harm servers. The cost of not catching these fraudsters quickly is high, and damages escalate rapidly depending on the value of the goods or information stolen.
If online fraud is such a big problem, why haven't companies taken measures to stop it? The answer isn't a simple one, because the faceless nature of the internet makes it fairly easy for a fraudster to obfuscate his true identity. In other words, "On the internet, nobody knows you're a dog." Catching a first-time fraudster can be quite difficult if there is no way to connect that user with some historical information, such as when a credit card company runs a credit check on an applicant. Fraudulent activity can be identified after fraud has occurred, but the real challenge for companies is to learn how they can leverage that knowledge to prevent repeat fraud.
Finding the link
Fraudsters use different names and email addresses to make themselves appear to be other people and new users. Without a common determinant that links the fraudulent use to a single source, it's nearly impossible to eliminate first-time and repeat fraud. Some companies use criteria such as IP address to connect fraud to a source, but this is not a reliable method. IP addresses can change frequently, they can be spoofed, and in the case of companies using network address translation (NAT) proxies or gateways, many user machines behind the gateway all appear to have the same IP address.
Another tracking point, the email address, is even less useful in the war against fraud. It is simple and cost-free to maintain hundreds or even thousands of them. So what can companies use to track and prevent repeat fraud? The hardware configuration associated with a PC or laptop. While it's a trivial task to enter a new email or IP address, it's quite difficult and expensive to change one's hardware. Using this hardware information, it is possible to create a unique digital fingerprint of a machine that allows companies to identify the root source of fraud, and then cut it off for good.
Déjà vu all over again?
Some readers may remember that Intel tried something like this back in the late 1990s. The Intel solution proposed using the PSN (processor/personal serial number) to track internet usage by allowing web sites to read the serial number from the computer's processor and use it as an identifier as the machine surfed the internet and conducted transactions. While many companies embraced the idea as a potential tool for managing and monitoring use, it caused a lot of friction with privacy advocates in the U.S. and the European Union. Negative opinion towards the PSN grew so strong that Intel was forced to add a feature that enabled users to control whether or not the PSN was readable by outside sources. This put tracking control back in the hands of the consumer and meant that the PSN could not be used as a reliable way to stop fraud.
Another digital fingerprinting solution that did not meet with approval from the public was the Microsoft product activation technology for registration of XP. When a user registered XP the software 'locked' itself to the existing hardware configuration and would not run on any other configuration. Some consumers have cited product activation as one of the reasons they do not want to upgrade to the XP OS. And Microsoft has had to allow businesses exemption from product activation by offering volume licenses of XP that do not include the technology.
Given previous failures of digital fingerprinting technologies, why would anyone consider using it in the future? Because the very reasons that it failed before can be turned around to make it into success. The biggest concerns about the Microsoft and Intel fingerprinting solutions revolved around the lack of user control over the use of the fingerprinting information. In the case of the PSN, the user would not even know when a remote web site extracted the information and certainly had no idea what the site was doing with it. The Microsoft scheme was also something the user had no control over.
To address privacy concerns a solution needs to provide consent and disclosure. Consent means that a consumer has the option to 'opt in' or 'opt out.' But by opting out a consumer may also be opting out of using a system entirely. For example, if you want to work in the U.S. you must present work authorization credentials, such as a social security card, to your employer. If you do not want to present these credentials, that's fine, but you will not be able to work legally in the U.S. Disclosure is the process of explaining exactly what is happening on the consumer's system and letting them know how the information will be used now and in the future.
Another critical point for acceptance of digital fingerprinting is to re-position it in the consumer's mind. Rather than being perceived as something that will only serve to benefit the merchant or company, fingerprinting needs to be recognized as a technology that provides valuable protection to the consumer and user. There's a great example of this in the non-digital world. Most consumers would be extremely wary of allowing a car manufacturer to install a GPS device that can geographically track the car's location at any time. However, when the device is presented to the consumer as a way to track and recover the car in case it is stolen, it becomes a way to protect their property. In this instance consumers are not only willing to have the system installed, they are also quite happy to pay for it.
In the online world, this could translate into consumer protection against identity theft and credit card fraud. Credit card numbers are easy to steal. Armed with nothing more than the number, the name on the card, and the expiration date, a fraudster could go on a spending spree. But if consumers have the ability to link a credit card number to a digital fingerprint of their PC, then that number would not be usable by anyone on another machine; a strong deterrent to fraud. Additionally, merchants could generate databases containing digital fingerprints of known fraudulent PCs and disallow those PCs from ever making purchases on their site again, potentially bringing the 40 percent repeat fraud rate down to zero.
The digital fingerprinting model is also attractive for machines that do not belong to the consumer. In the case of corporations that deploy laptops to remote and traveling users, the corporation owns the machine and may choose to place digital fingerprinting technology on it to prevent theft or unauthorized access to the corporate network.
Digital fingerprints can be powerful fraud reduction tools. Linking the fingerprint to a user's information can prevent misuse of that information and provide protection for both consumers and businesses. In order to be successful, however, companies that wish to deploy digital fingerprint technology must do so with the consumer's buy-in. The business will be able to realize a drop in repeat fraud, a reduction of overall risk, and an increase in profit, a portion of which can be passed along to the consumer. When digital fingerprinting is deployed as a tool to protect consumers and merchants from repeat fraud, everyone except the fraudsters stands to win.
Diana Kelley is principal analyst at Baroudi Bloor (www.baroudi.com). At the time of writing this article, Diana was vice president of security technology for Safewww, Inc.