Using geolocation to prevent online fraud
Dario V Forte, founder and CEO of DFLABS Italy, CFE, CISM
One of the major trends in today’s market is the prevention of fraud using a mechanism known as anomaly detection. This mechanism determines, autonomously or with human guidance, a normal operations baseline and sets up a series of alerts or alarms for deviations from this baseline. Anomaly detection has always been primarily focused on security and is often used in intrusion detection. However, after the escalation of phishing attacks in the past three years, analysts have also concentrated their efforts on anti-fraud applications. Anti-fraud measures are mainly applied in the financial sector and are focused on transaction monitoring and preventing phishing.

Transaction monitoring involves cross-checking banking data to analyse them for anomalies. The transactional poles involved in this type of monitoring are many and are distributed among final users and front and back ends. The monitoring is based on log files, with particular emphasis on assessing the gap between monitored data and users’ normal habits. One of the indicators of potential anomalies is the location of the IP addresses involved in the transaction. This evaluation factor is extremely important because it may differentiate between the normal state of affairs and an exception. When normality exists, the relevant IP addresses are those normally used in the user’s transactions. In the event of an exception (i.e. fraud), however, the deviant IP addresses become relevant. The manner in which transactions are executed (depending on the operating context) means that weeks may pass between the registration of an anomalous transaction and the discovery of fraud.

Exceptions occur mainly with online purchases, where it is unlikely that the merchant has the capability to review the above details. Not even the credit card circuit is quickly able to recognise anomalies. In both cases, there is a need to carefully analyse IP addresses to uncover possible anomalies. Analysts realised that one of the most useful data types for combating online banking or retail fraud is the IP addresses of transactions, with particular reference to their geographical location. Almost all online fraud is perpetrated from IP addresses located outside the victim’s country. This is facilitated by the anonymity inherent in internet architecture. Another online fraud indicator is known as ‘state-level mismatch’, which occurs, for example, within the retail market when the source of the transaction is different from the geographical location of the receiver of the goods.
The use of geolocation

Many companies working in fraud prevention have decided to include in their business security services a geolocation tool that allows them to identify connections:

• With IP addresses that are different from those habitually used by the client
• That occur at unusual times of the day
• With anonymising IP addresses

The first two types of information are obtained with geolocation algorithm applications operating with data available on the transaction poles. The third is obtained via cross-checking data coming from a plurality of sources. Geolocation solutions require effort and back end infrastructure. Most vendors and service providers have IP detectors on all continents and a large group of analysts dedicated to obtaining information via intelligence operations. The algorithms and technologies mentioned above are added to this with the objective of providing the most complete information possible on an IP address and identifying anonymising proxies. Anonymising proxies mask the actual IP address and are used by hackers and people who attempt fraudulent actions and who don’t want to be identified, Tor included. In practical terms, the data on the digital connections are like fingerprints that allow investigators to obtain information at varying levels of precision on provider, connection type, connection location, etc. The gathered data are continually updated and compiled for historical searches, allowing forensic regression analysis.
A project of this type involves a number of tasks, the first being to choose which transaction type to monitor. Depending on transaction type, there are supersets of information that are necessary for prevention purposes. The second task, also known as the learning phase, is to acquire knowledge of the client’s typical profiles. This phase is tailored to each individual client and is often performed automatically. The consulting function is more important here than ever, because consultants will optimise the mapping between the baseline information and that analysed by the tool. The third task is to implement and optimise the technology. This represents a phase of fine-tuning that contributes greatly to the overall success of the project. Once these three phases have been completed, the geolocation module can be correlated with the rest of the fraud prevention infrastructure. The correlation point that is added in this way is often decisive in the reconstruction of a criminal event or the identification of the sorts of anomalies we mentioned at the beginning of this article.
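The three connection indicators listed under "The use of geolocation" and the learning-phase baseline described above, worked through as an added example that is not code from the article or from DFLabs. A constructed IP-to-location table (RFC 5737 documentation prefixes) stands in for a real geolocation service, the proxy flag on one prefix is constructed, and the client history is invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IP-to-location table standing in for a geolocation service:
# prefix -> (country, is_anonymising_proxy). A real service would also draw
# on proxy/Tor intelligence to set the second field.
GEO = {"203.0.113.": ("IT", False), "198.51.100.": ("RO", False),
       "192.0.2.": ("US", True)}  # last prefix constructed as an anonymiser

# Constructed baseline: client c1 habitually shops from Italy in the daytime.
HISTORY = [("c1", "203.0.113.7", "2008-10-01T10:15:00"),
           ("c1", "203.0.113.7", "2008-10-03T11:40:00"),
           ("c1", "203.0.113.9", "2008-10-06T09:05:00"),
           ("c1", "203.0.113.9", "2008-10-10T18:30:00")]

def locate(ip):
    """Return (country, is_anonymiser) for an IP by prefix match on GEO."""
    for prefix, info in GEO.items():
        if ip.startswith(prefix):
            return info
    return ("??", False)  # unknown location: no country, no proxy evidence

def build_profiles(history):
    """Learning phase: per client, the habitual countries and hours of day."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set()})
    for client, ip, ts in history:
        profiles[client]["countries"].add(locate(ip)[0])
        profiles[client]["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles

def check(profile, ip, ts, ship_country=None):
    """Return the indicators a new transaction raises against the baseline.
    An hour absent from the baseline counts as unusual; the tolerance would be
    tuned per client in the fine-tuning phase the article describes."""
    country, anonymiser = locate(ip)
    flags = []
    if country not in profile["countries"]:
        flags.append("ip_location_mismatch")   # differs from habitual IPs
    if datetime.fromisoformat(ts).hour not in profile["hours"]:
        flags.append("unusual_hour")           # unusual time of day
    if anonymiser:
        flags.append("anonymising_proxy")      # proxy/Tor-style source
    if ship_country and ship_country != country:
        flags.append("state_level_mismatch")   # source vs delivery country
    return flags

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(check(profiles["c1"], "198.51.100.4", "2008-11-02T03:12:00", "IT"))
```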
Is geolocation useful?

There are relatively few players operating in this field. There are added value integrators, but they work on existing architecture. Nonetheless, geolocation is a technological component of fundamental importance. Some implementations are even able to handle satellite connections. The costs are not insignificant, though, and thus both sellers and buyers must manage geolocation carefully, proving they are capable of following the trend in fraud. This means that the one who does the monitoring makes the real difference. In the end, the real added value is generated by the human factor – those who manage the investigation in its various phases.
About the author

Dario Forte, CFE, CISM, former police detective and founder of DFLabs, has worked in information security since 1992. He has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the US Department of Defense Cybercrime Conference, and the US Department of Homeland Security (New York Electronic Crimes Task Force). He was also the keynote speaker at the Black Hat conference in Las Vegas. He provides security consulting, incident response and forensics services to several government agencies and private companies. www.dflabs.com
Figure 1: A fundamental taxonomy of a fraud prevention project based on geolocation.

Calendar

25–27 November 2008: 3rd International Workshop on Security. Location: Kagawa, Japan. Website: http://www.iwsec.org/
1–9 December 2008: SANS London. Location: London, UK. Website: http://www.sans.org
3–5 December 2008: International Conference on Information Security and Cryptology. Location: Seoul, Korea. Website: http://www.icisc.org/
7–11 December 2008: ASIACrypt 2008. Location: Melbourne, Australia. Website: http://www.ics.mq.edu.au/conferences/asiacrypt2008/
8–10 December 2008: 2nd Annual CSO Summit 2008. Location: Geneva, Switzerland. Website: http://www.mistieurope.com/default.asp?Page=65&Return=70&ProductID=6765&LS=cso
8–12 December 2008: Annual Computer Security Applications Conference. Location: Anaheim, CA, USA. Website: http://www.acsac.org/
11–12 December 2008: EC2ND 2008. Location: Dublin, Ireland. Website: http://2008.ec2nd.org/ec2nd/597-EE.html
14–17 December 2008: 4th International Conference on Information Security and Cryptology. Location: Beijing, China. Website: http://www.ieee-security.org/Calendar/cfps/cfp-Inscrypt2008.html

Computer Fraud & Security
November 2008