It has been said that on the Internet no one knows you are a dog, but if you are a financial institution, or even a dating service, authentication is very serious business. User names and passwords are no longer secure enough, and complicating matters are vast networks of computers that can be directed to open and close thousands of accounts worldwide in mere seconds. That’s why Device ID, the practice of fingerprinting the means by which an account is accessed, is seen as a growth security industry in 2009.
“As long as you behave as a normal individual, it is difficult to capture first time fraudster,” said Threatmetrix CEO Reed Taussig. “Ordinarily, he would have to do something outside the norm. With Device ID, if he’s cloaking his device, hiding behind a proxy, we inform the customer.”
The market for Device ID is currently dominated by financial institutions aiming to curb ID fraud and credit card account theft, but Taussig said he sees social networking is an emerging growth space as well. If you have a gaming site, for example, where you have the same character logging in from two different locations at the same time, then you have a problem. In another case, Device ID could help stop prostitution rings from operating on dating sites. Finally, Taussig said there’s a compelling market for retail sites both in affiliate programs and in processing Card Not Present purchases online.
Threatmetrix, which is sold as a SaaS solution, provides a deep inspection of the TCIP packet so that when someone logs into a bank online, over 150 parameters are inspected in real time. Among these are use of a proxy, using a known compromised PC, and turning off Javascript or cookies.
Any of these events could happen to the best of us–and for the best of reasons–so Threatmetrix scores these and delivers that final score to the enterprise customer, which may or may not choose to follow up with the customer in a phone call or delay the transaction until further notice. The scores produced by Threatmetrix also have reason codes, said Taussig, so a lower score can be explained quickly upon review, keeping customers happy.
New in this version are tools to determine whether this is a single computer concurrently logging into several different account names, or one username being logged in by multiple PCs, activity say from a botnet, a loose network of compromised desktop computers. Additionally, the service looks at how fast a given account is accessed (humans can react only so fast). In most cases the abnormalities are fraud scenarios. Threatmetrix knows of about 200 million compromised machines worldwide, but Taussig said his company only keeps an active database of about 12 million.
So why doesn’t Threatmetrix attempt to shut down these machines? Taussig offered two reasons. One, he said 70 percent are on foreign soil and the government there may be supporting them or may not really care about them. Also, these machines have very short lifetimes: often they are pulled and rebuilt, and then appear disguised as another machine. He said ultimately it’s like “chasing rats through a barn.”