Suppose I decided my computer were “tainted” and wanted to get a fresh start on the Internet as cheaply as possible. What are some quick and easy options? Well, there’s a bargain basement Dell for $299. I could consider a refurbished PC for, say, $180. Basically, I can get what I’ll call a “clean internet device” off-the-shelf for no more than $300 and possibly under $200. Overall there are conservatively over 200 million clean internet devices sold annually. I’ll get back to this economic analysis shortly, but first a discussion of online fraud detection…
Online identity verification and online fraud detection occupy roughly overlapping circles. Identity verification attempts to prevent people from misrepresenting themselves; fraud detection attempts to prevent people from misrepresenting their online transactions (e.g., using stolen credit cards).
Common approaches to fraud detection include identifying invalid attributes associated with a given transaction (e.g., a stolen credit card), and identifying patterns of invalid behavior (e.g., a user account repeatedly associated with fraudulent activity).
One relatively recent variation on online fraud-detection is to associate patterns of fraudulent behavior with internet-enabled devices. By tracking devices where fraud has originated, subsequent activity originating from those devices can be flagged as potentially fraudulent.
That leads me to an item that appeared last week on the Online Dating Insider, an internet-dating trade blog, covering a corporate blog post by a “device reputation” company that took a swipe at background check services for online dating sites. That blog post talked about how supposedly easy it is to defeat online background checks.
The problem I have with this post is that it addresses background checks in the absence of identity verification. Sure, if you don’t verify a user’s identity, s/he can give you a false identity that passes a background check. One of the strengths of Honesty Online’s Verification service is that we ask the user to check him/herself out and meet a much higher standard that requires both submitting a valid identity and proving your claim to that identity. Our Certification service, which includes a criminal and sex-offender background check, is built on top of our identity Verification service.
Seems to me it’s straightforward to defeat fraud-detection based on device reputation. You have to switch accounts and IP addresses frequently, since, like other fraud-detection schemes, this one includes account and location information in its fraud-tracking network. The other thing you need to do is get a clean device — a device with an untainted “reputation.” As I discussed above, there are 200+ million clean devices joining the party every year, and they’re available at prices as low as $200 or less (much less if I’m able to build PCs from parts, which I haven’t even considered here). So I’d say that’s the price of avoiding device-reputation fraud detection.
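To make concrete how the fraud-tracking network described above ties device, account and location together, here is an added sketch of my own (not the device-reputation company’s technique, whose device-identification method is not public): a fraud report taints the attributes of one transaction, and scoring walks shared attributes, so a new device that reuses a known account or IP is still flagged, while one that shares nothing with past fraud is not. The device fingerprints, accounts and IP addresses are constructed placeholders.

```python
from collections import defaultdict, deque
class ReputationNetwork:
    def __init__(self, max_hops=1):
        self.links = defaultdict(set)  # node -> nodes seen in the same transaction
        self.tainted = set()           # nodes named in a fraud report
        self.max_hops = max_hops       # how far taint may spread when scoring

    @staticmethod
    def nodes(txn):
        # txn = {"device": ..., "account": ..., "ip": ...}; "device" stands in for an opaque vendor fingerprint
        return {f"{k}:{v}" for k, v in txn.items()}

    def record(self, txn):  # link every attribute of a transaction to the others
        for a in self.nodes(txn):
            self.links[a].update(self.nodes(txn) - {a})

    def report_fraud(self, txn):
        self.record(txn)
        self.tainted.update(self.nodes(txn))

    def score(self, txn):
        """Return {tainted node: hops from this transaction}; {} means no known taint."""
        dist = {n: 0 for n in self.nodes(txn)}
        queue = deque(dist)
        while queue:  # breadth-first walk over shared attributes, up to max_hops
            n = queue.popleft()
            if dist[n] < self.max_hops:
                for nb in self.links.get(n, ()):
                    if nb not in dist:
                        dist[nb] = dist[n] + 1
                        queue.append(nb)
        return {n: d for n, d in dist.items() if n in self.tainted}

def demo():
    # constructed scenario: one fraud report, then transactions reusing the device, only the account, only the IP, or nothing
    net = ReputationNetwork(max_hops=1)
    net.report_fraud({"device": "dev-A", "account": "acct-1", "ip": "10.0.0.1"})
    cases = {
        "same_device":      {"device": "dev-A", "account": "acct-2", "ip": "10.0.0.2"},
        "new_dev_old_acct": {"device": "dev-B", "account": "acct-1", "ip": "10.0.0.3"},
        "new_dev_old_ip":   {"device": "dev-C", "account": "acct-3", "ip": "10.0.0.1"},
        "all_fresh":        {"device": "dev-D", "account": "acct-4", "ip": "10.0.0.4"},
    }
    results = {}
    for name, txn in cases.items():
        results[name] = net.score(txn)
        net.record(txn)  # the network learns the new links whatever the verdict
    # dev-B was recorded beside tainted acct-1, so a fresh account on it is still one hop from taint
    results["dev_b_fresh_acct"] = net.score({"device": "dev-B", "account": "acct-5", "ip": "10.0.0.5"})
    return results
```

Only the "all_fresh" case comes back clean, which is exactly the cost I priced above: a new device alone is not enough, the account and IP have to be new too.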
(Somewhere there’s a disgruntled former employee of this device-reputation company who knows the secret sauce behind their device-identification technique, and how — whether by swapping out the CPU, deploying the kind of “crack” that hackers use to defeat Microsoft’s anti-piracy checks, or the like — to defeat it at little or no cost.)
I welcome comments on this post from those who can explain any flaws in my assessment of the vulnerabilities in fraud-detection by tracking device reputation.
All content Copyright © 2008 Honesty Online, LLC. All rights reserved.