2Checkout.com is a hosted solution that lets small businesses accept credit card and PayPal payments online. With 20,000 to 30,000 companies using its service for hundreds of thousands of customers, fraud is a constant concern.
2Checkout.com used to avoid fraud through address verification (making sure credit card billing address matches the one provided by the user), bank identification number (BIN) matching, and verifying computer IP addresses, according to Sebbe Jones, manager of fraud and disputes. But as the operation grew, and technological changes affected its automatic fraud controls, 2Checkout found it was having to flag more and more of its transactions for review by a human employee before completion. “Our review rate went from around 25 percent to around 45 percent,” Jones says. “We got very behind in verifying orders -- as much as three or four days behind. We knew vendors wouldn’t stay with 2Checkout.com for very long if we didn’t do something about it.”
Device "fingerprinting" solution
For 2Checkout.com, part of the solution is a technology variously called “device detection,” “device identification,” or “device fingerprinting” that allows an e-business or other site to collect and analyze data about the device connecting to the website, wholly separate from that provided by the human using it.
“We can monitor whether the computer’s time stamp matches the location where the user claims to be, whether the fonts in use on the computer match the local language in that location, and whether the computer is pretending to use a different operating system than what is actually installed -- a Linux computer running a Windows simulation, for instance,” says Reed Taussig, CEO of ThreatMetrix, a subscription device detection provider. Of course, there could be a perfectly innocent explanation for any of these -- they simply serve as red flags that indicate a transaction may require human review.
Device detection alone is probably not enough to protect your business, but it can be a powerful addition to your fraud-prevention arsenal, along with address verification, behavior-based analysis, and other more traditional tools. “Unlike some systems, with fraud management you’re fighting an intelligent being on the other end who will intentionally avoid normal behavior. As a result, rational systems have a hard time identifying fraud on their own, without human interaction,” explains David Britton, senior vice president of product development at 41st Parameter, the fraud detection service 2Checkout.com uses. “The best approach is to have a number of tools at your disposal, including device identification. That allows you to have the fewest manual reviews.”
These tools are especially important these days, because checking a device’s IP address no longer provides the fraud protection it once did, he adds. “Most people think it’s a silver bullet, but an IP address can easily be spoofed.”
Tips for successful device detection
If you decide to add device detection to your e-business anti-fraud arsenal, here are some tips for getting the most out of this technology:
- Know the rules -- and how they should apply to your customers. You should understand exactly what attributes are likely to flag a device and which rules are appropriate, or inappropriate, for your customer base. “Once I was talking to the CTO of a gaming company, and I mentioned that our software could flag a computer that was cloaked,” Taussig recalls. “He said, ‘We don’t care about that. Gamers all cloak their computers.’”
- Use device detection at all three stages of interaction with customers. “One advantage is that you can use device identification when a customer first creates an account, when he or she logs in to that account, and when processing a purchase,” Taussig says. This, he notes, gives you the best chance of identifying fraudsters before they can do any harm.
- Plan for change. The one thing you can be sure of when it comes to fraud detection is that nothing will stay the same for long. You should be constantly reviewing and adjusting the rules used to flag possibly fraud, while surveying the horizon for new fraud innovations, and new technologies for fighting them. “Companies that do this well are watching the technology news, and reading about security breaches at other organizations,” says Shane Sims, director at PricewaterhouseCoopers. “They’re using that information to constantly adjust their fraud controls.”