ThreatMetrix Whitepaper - Smart Device Identification 04_11_2011

Smart Device Identification for Cloud-Based Fraud Prevention Alisdair Faulkner Chief Products Officer

Page 2

White Paper: Smart Device Identification for Cloud-Based Fraud Prevention

Contents Basic Device Identification is no longer enough ........ 3

Times have changed but your Device ID hasn’t .......................................................................... 3

Cookies are Obsolete .................................................................................................................. 5

Device Fingerprints Smudge and Fraudsters Wear Gloves ........................................................ 6

Compromised Devices are Commodities .................................................................................... 7

Smart Device Identification Requirements .................................................................................. 8

Smart versus Basic Device Identification Comparison ................................................................ 9

ThreatMetrix Smart Device Identification ................. 11

Identify Fraudsters and Authenticate Customers ...................................................................... 11

Cookieless Device Fingerprinting .............................................................................................. 12

IP, Browser and Packet Fingerprint Interrogation ..................................................................... 13

Real-time complex attribute matching and confidence scoring ................................................. 15

Man-In-The-Middle/Hidden Proxy and True Origin detection .................................................... 17

Compromised Device and Script detection ............................................................................... 18

Integrated Contextual Risk Scoring and Decisioning ................................................................ 19

Recommendations ................................................... 22

Page 3


Basic Device Identification is no longer enough Times have changed but your Device ID hasn’t Device Identification, using a visitor’s computer to provide additional fraud prevention and

authentication intelligence, remains the most effective first perimeter of defense to protect online

transactions including payments, logins and registrations. Benefits include:

• Zero customer imposition, providing passive two factor authentication for online

transactions without requiring software or hardware tokens or challenge questions.

• Not relying on the collection of personal identifying information (PII)

• Stops first-time fraud attempts based on device anomalies and global behavior.

Unfortunately since first generation device identification technologies were introduced the world

has changed dramatically with an increase in the sophistication and globalization of cybercrime

and a corresponding increase in exposure to enterprise fraud, risk and security teams.

In this whitepaper you will learn about reasons to upgrade basic device identification and

fingerprinting methods including:

• The reliance of existing technologies on cookie or cookie equivalents. Browser and

flash cookies are easy to delete and compromise. Private browsing modes make it

easier for fraudsters to hide. Modern smartphones are harder to reliably tag.

• Important security data is being ignored when collecting the device fingerprint. Simple

browser fingerprinting technologies only gather information about the browser which is

easy to spoof or subvert and it ignores important information encoded in the connection

and packet.

• Relying on simple hashing techniques to perform fingerprint matching misses fraud and

causes false positives. Traditional SQL databases cannot perform the complex and

extensive attribute matching needed in real time.

• Lack of sophisticated proxy and Man-In-The-Middle detection. Simple IP proxy lists are

no longer effective.

• No knowledge of when a good customer’s device has been compromised. The

widespread problem of infected computers due to botnets and Trojans means that

simply recognizing an authenticated device is insufficient if that computer is now

controlled or spied upon by hackers.

Page 4


In addition, you will learn new features and benefits associated with the next generation of

ThreatMetrix smart device identification technologies including:

• Cookieless device fingerprinting for better return visitor recognition

• Multiple scoring techniques to truly validate the identity of a device

• Going beyond simple browser fingerprinting technology to prevent more fraud

• Real-time complex device fingerprint matching and confidence scoring for less false

positives

• Automatic detection of hidden proxies, compromised devices and MITM attacks to stop

cybercrime at time of transaction.

• Global device recognition and behavior tracking for proactive protection

• Context aware risk based assessment across customer and transaction authentication

processes for greater enterprise control.

Page 5


Cookies are Obsolete

2010 officially rang in the death knell for cookies as a way to reliably identify a device to prevent

fraud underscored by Gartner analyst Aviva Litan in her report published in February of 2010

titled “ Privacy Collides With Fraud Detection and Crumbles Flash Cookies”. While it might seem

obvious that a fraudster would delete browser cookies to avoid being identified the issue is

slightly more nuanced.

First generation device identification technologies rely on the general public’s and unsophisticated

fraudster’s ignorance of Flash Cookies (Local Storage Objects) that are not deleted when regular

browser cookies are cleared, and are invisible unless you know where to find them.

Unfortunately for Basic Device identification vendors, online advertisers also use these same

LSOs to resuscitate a cleared cookie which in turn, has incited a furor with privacy advocates.

The result has attracted the attention of the FTC and the US Congress to impose privacy

regulations to protect consumer’s rights. In response the browser and browser plugin companies

have instituted private browsing and opt out features into their products to better accommodate

consumer opt-out protection. Additionally, version 10.1 of Adobe’s Flash product now enables

browser companies and consumers to delete LSOs in line with regular cookies. In addition, all

the major browser companies have now implemented some form of private browsing mode that

allows customers and intrepid fraudsters to temporarily suppress cookies and Flash objects and

hence evade re-identification.

2010 also saw an explosive uptake in the number and variety of tablets and touch-based

smartphones that make accessing the Internet and performing an online transaction from a

mobile device a practical reality. Some of these devices such as the iPhone and iPad do not

Page 6


support Flash and also block third-party browse cookies by default further reducing the

effectiveness of cookies and first generation device identification solutions for device recognition

and reputation.

Device Fingerprints Smudge and Fraudsters Wear Gloves Every interaction a customer makes with a website leaves a digital fingerprint about the device,

the type of browser and the connection used. First generation device fingerprinting technologies

typically use JavaScript or Flash to collect browser and clock information and use a hashing

algorithm to generate some form of identifier. The problem is that this device fingerprint routinely

changes as customers swap browsers, change physical locations and corresponding IP

addresses with laptops, tablets and smartphones. As an illustration, a sample of transactions

from ThreatMetrix Fraud Network shows that after 2 months 20% of visitors had changed their

browser, and 25% had multiple IP Addresses.

Further, fraudsters will deliberately try to manipulate or block browser settings in order to disguise

their device fingerprint. The following graphs from the same sample shows that nearly 10% of

transactions had one or more of JavaScript, Flash or cookies suppressed. Some of these

transactions are fraudulent while at the same time many are transactions executed by privacy

conscious customers and are valid. If these devices are not properly identified the end result to

an ecommerce merchant, financial institution or other business will be either an increase of false

positives resulting in loss revenues or increases in fraud resulting in increased costs.

Page 7


Compromised Devices are Commodities Thanks to sophisticated malware like Zeus, millions of good customer’s computers go bad on a

daily basis. The problem is that existing fraud prevention and security solutions are blind to

evidence that a particular device is infected at the point of a transaction leaving the enterprise

exposed to Man-In-The-Browser (MITB), key-logging and Man-In-The-Middle (MITM) attacks. By

orders of magnitude, however, the most common use of compromised computers is to turn an

innocent’s computer into an IP proxy to avoid geolocation filters and known anonymous proxy IP

lists.

Using a real world example, one ThreatMetrix customer doing an average of 4,500 customer

verification transactions a day had nearly 5% of transaction originating from behind a

compromised computer being used as a hidden proxy.

Page 8


An examination of a subset of those hidden proxy transactions found that a large cluster

originated from compromised servers hosted in the US with The Planet, a popular hosting

provider, with the true origin of the transactions coming from several offshore countries.

Smart Device Identification Requirements Criteria Requirement

Cookieless Device

Fingerprinting

Passively collected device attributes to identity devices without

requiring software or hardware tokens provides a first layer of

defense across all website interactions. Unfortunately malware

and fraudsters routinely delete, steal and tamper with browser

and flash cookies and attributes. Cross correlating device

fingerprint attributes and behavior with session and browser

cookies provides an additional layer of authentication.

Real-time complex attribute

matching and confidence

scoring

Cybercriminals routinely manipulate device parameters to evade

detection. Worse, simple attribute matching based on hashing

browser and IP attributes can create unnecessary false positives

and customer complaints. Smart Device Identification provides

complex attribute matching in real time at the time of transaction

for persistent identification of a visitor even when IP or browser

attributes change. Confidence scores based on global

Page 9


collections of device profiles reduce false positives.

Packet & Browser

Fingerprint Interrogation

Attributes collected from the browser and IP address are trivial

to spoof. Smart Device Identification adds passive packet

fingerprinting for greater resolution and spoof protection.

Man-In-The-Middle and

True Origin detection

Based on browser and packet fingerprint interrogation, Smart

Device Identification automatically detects and classifies MITM

attacks and bypasses hidden proxies to reveal the true IP

Address, geolocation and origin of the transaction.

Compromised Device and

Script detection

Organizations not only need to identify a customer’s device, they

also need to know whether that device is now compromised and

infected. Subscribing to IP reputation feeds is not enough if the

botnet intelligence cannot be acted on while the customer is on

the page.

Global Recognition Provides ability to re-identify customer devices across sites.

Integrated contextual risk

scoring and decisioning

A risk decision based on device intelligence needs to be made

in context with per organization and global transaction patterns.

Smart versus Basic Device Identification Comparison Criteria Smart Simple

Frictionless customer

experience ü ü

No software or browser

plugins required ü ü

Cookieless Device

Fingerprinting ü û Heavily reliant on cookie or

cookie equivalents

Packet, Browser and IP

interrogation ü û Browser Fingerprint, IP

Address intelligence only

Real-time Complex Fingerprint

Matching ü û Simple Hash or

Cryptographic algorithm only

Page 10


Cross platform – PC, Server,

Tablet, Smartphone ü û Limited to PC/Laptops

Man-In-The-Middle and True

Origin detection ü û Simple IP Proxy detection

and Geolocation only

Compromised Device and

Script detection ü ûBlind to botnet and spyware

infection

Global Recognition ü û Local only

Integrated contextual risk

scoring and decisioning ü û Not real-time, unable to

integrate into existing processes

Page 11


ThreatMetrix Smart Device Identification Identify Fraudsters and Authenticate Customers SmartID – Cookieless Device ID ExactID – ‘Evercookie’ Device ID

Instant Cookieless Recognition based on

Packet and Browser Fingerprint and prior visits

Positive Identification and Authentication

across PC, Tablet and Smartphone

Risk-based confidence scoring based on

predictive algorithms and decision trees

Fact-based authentication using on parallel

matching across multiple device identifiers

Pre-customer customization of velocity rules

and spoof detection

Global behavior and correlation

Dual factor authentication for detection of cookie wiping and device manipulation

ThreatMetrix Smart Device Identification technology provides dual identifiers to detect fraudsters

and authenticate returning customers without false positives. SmartID provides cookieless

device identification using attribute matching and confidence scoring, while ExactID provides

parallel matching across multiple cookie equivalents to give the broadest possible coverage

across PC, Tablets and Smartphones. Used together ThreatMetrix SmartID and ExactID provide

cross validation to detect cookie-wiping, private browser modes, hidden proxies, botnets and

cookie and device manipulation. Both ThreatMetrix SmartID and ExactID are generated in real-

time to be used separately or in combination within the ThreatMetrix Cloud-based Fraud

Prevention Platform to accept, reject, challenge or review a transaction while the customer is still

on the page. This second generation device identification capability is based on a more complete

examination of device data matched across global device profiles using a proprietary distributed

computing platform to enable:

ü Cookieless Device Identification

ü Packet, Browser and IP Fingerprinting

ü Real-time Complex Fingerprint Matching

ü Cross platform capability including PC, Server, Tablet and Smartphone detection

ü Man in the middle and True Origin detection

ü Compromised Device and script detection

ü Global recognition

ü Contextual scoring based on customer, enterprise and global transaction patterns.

Page 12


Cookieless Device Fingerprinting Device Identification based on a fingerprint instead of a cookie is similar to radar signal detection,

spam detection and scenarios where you need to differentiate between a valid signal and

background noise. There are costs associated with both missing what you are looking for e.g.

missiles, spam and fraudulent devices, and also costs associated with incorrectly classifying

innocents e.g. passenger airlines, CEO’s emails and loyal customers.

ThreatMetrix SmartID uses a machine learning approach that takes into account per-customer

and global device profile patterns and how they change so that reliable device identifiers can be

generated with confidence. Unlike other fingerprint methods that are effectively static,

ThreatMetrix SmartID provides adaptive cookieless identification that is tolerant to incremental

and non-linear changes.

The following table provides an example of how ThreatMetrix SmartID maintains persistence and

an associated confidence score for a fraudster trying to evade detection:

Visit Fraudster’s Device Configuration SmartID

1 New Visit using Firefox 35ad…1f94 New Device

2 Start Firefox Private Browsing – all cookies are suppressed

35ad…1f94 confidence = 99

3 Close Private Browsing, re-visit in Firefox 35ad…1f94 confidence = 100

4 Wipe all cookies, change IP Address, restart Firefox, revisit


5 Visit in Chrome browser 35ad…1f94 confidence = 98

6 Wipe all cookies, restart Firefox, Change Browser String, revisit


ThreatMetrix is able to outperform in-house and other device fingerprint methods based on the

fact that it collects valuable packet and security data not able to be measured by first generation

device fingerprinting architectures and the fact that it is able to process more data in real-time

using advanced parallelized matching strategies on global device and transaction indexes built on

a distributed hardware and software architecture.

Page 13


IP, Browser and Packet Fingerprint Interrogation The table below shows the evolution of Device Intelligence from IP Address to Browser to Packet

Intelligence. First generation device identification technologies are limited to browser and IP

intelligence only.

Device Intelligence IP Intelligence

Browser Intelligence

Packet Intelligence

IP Geolocation ü ü ü

Known Proxy IP Detection ü ü ü

Known Botnet/Trojan IP Detection ü ü ü

Browser and plugin cookie identification ü ü

Browser and plugin fingerprint recognition ü ü

Time zone and time difference detection ü ü

Packet fingerprint recognition ü

Hidden Proxy / MITM Detection ü

True Origin Detection ü

True OS and Spoofed Browser detection ü

VPN Detection ü

Satellite, Dial-up, Mobile wireless Detection ü

Attributes collected from the browser and IP address are trivial to spoof. For example, common

browser plugins allow both web designers and fraudsters to change the apparent browser and

version that the web server sees with a click of a button. ThreatMetrix Smart Device Identification

overcomes these limitations by adding passive packet fingerprinting for greater accuracy and

Page 14


spoof protection. Because the information is collected as part of the standard networking and

browser security model there is no possibility of leakage of personal information, no interruption

to the customer’s experience, and no additional software or browser plugins to download or

accept.

ThreatMetrix transparently performs a technique similar to how every firewall currently protects

your information. ThreatMetrix SmartID transparently analyzes packet headers and their change

in state over time to determine whether the source is malicious or safe. By examining

anonymous packet header data when the client requests a web page, ThreatMetrix can detect

hidden risk. For example, the table below illustrates a real world fraudulent attack blocked by

ThreatMetrix against automated botnet scripts that were randomizing and mimicking various

browsers but were in fact originating from a Linux server.

Page 15


Real-time complex attribute matching and confidence scoring The quality of any device matching technique is directly proportional to the quality and quantity of

data collected and the effectiveness of the matching process. In addition to the fact that

ThreatMetrix collects more data than first generation device identification alternatives through

packet, browser and IP analysis, ThreatMetrix is unique in the way it performs complex device

fingerprint matching in real-time.

A naïve approach to generating a device identifier based on a fingerprint is to simply use some

form of strict or fuzzy hashing technique that builds an identifier purely based on the attributes

collected at the point of transaction. The problem with strict hashing techniques is that one small

change in device e.g. a change in flash version from 10.1.0 to 10.1.1 will generate a new

identifier. Fuzzy hashing techniques can build additional tolerance but still fundamentally suffer

from the problem that both customers and fraudsters act in non-linear ways that can’t be

compensated for unless context, history and multiple matching scores are used.

ThreatMetrix cookieless SmartID technology is fundamentally different from other Basic Device

fingerprint techniques in that the SmartID is attribute independent and takes global history, per-

organization and transaction context into account when applying multiple matching filters to

generate a persistent immutable device score in real time. Parallelized matching strategies with

confidence scoring based on Machine Learning techniques enable return visitor detection even

when non-linear changes, e.g. changing IP address and browser, are made. The ThreatMetrix

Device ID Engine provides maximum accuracy by performing SmartID selection based on context

at time of transaction, e.g. taking into account metrics such as time between visits and sites

visited across the network to dramatically filter out false positives. The result is dramatic

improvements in fraudulent and good customer device authentication with corresponding

reductions in fraud loss, manual review, risk exposure and customer complaints.

Page 16


In order to provide real-time device fingerprint matching and risk scoring, ThreatMetrix employs a

distributed cloud-based architecture. The design provides for real-time data processing and

delivery, Internet scalability, anonymous shared intelligence across components, redundancy and

speed. Excluding data warehousing and the Fraud Control Portal, The key components are:

• Profiling Server: Performs both passive (IP/TCP/HTTP profiling) and active

(JavaScript, ActionScript, Silverlight, HTML5, CSS) inspection of devices when a

user loads a web page that includes ThreatMetrix profiling tags. Suitable for all

device types including PC, tablet and smartphone. In addition integrates with mobile

and PC applications via a standard API.

• Attribute Cache Server: Collects and assembles a complete view of a device’s

browser, operating system and network characteristics, and performs first level in-

memory anomaly analysis.

• Device ID Engine: Manages logic and processes related to device identities

including attribute retrieval, creating unique device identities and matching

• Transaction Intelligence Engine: Processes shared device, transaction, behavioral

and reputation history

• Real-time Risk Engine: high-velocity rules and pattern recognition engine detects

device risk in real-time based on per-customer and global device transaction histories

• API Server: Customer interface to ThreatMetrix Network for in-house or third-party

risk-based authentication and authorization applications

Page 17


Man-In-The-Middle/Hidden Proxy and True Origin detection Based on browser and packet fingerprint interrogation, ThreatMetrix Smart Device Identification

automatically detects and classifies MITM attacks and bypasses hidden proxies to reveal the true

IP Address, geolocation and origin of the transaction.

Rather than rely on Proxy IP Address lists that are continually outdated and blind to more

sophisticated hidden proxies, ThreatMetrix instantly examines, scores and classifies device

interactions to determine whether the originating device is being masked or tunneled by an

anonymous or hidden proxy or MITM attack, or is simply a valid customer behind an enterprise or

ISP proxy gateway. Examples of the types of analysis performed in real time by ThreatMetrix to

detect the existence of intermediate devices and the true origin location include:

• Detection of VPN usage and use of out-of-country satellite, dialup or mobile broadband

connections based on unique Packet Fingerprint data.

• Employing proxy bypass methods to cause the device being profiled to directly connect

back to the profiling server in order to expose the true IP Address and IP Geo

• Detection of mismatches between the operating system information reported by the

browser compared with operating system information reported by the TCP/IP operating

system fingerprint

• Examining HTTP protocol fields such as client IP and inconsistencies in HTTP/browser

field order

• Detection of removed or modified content in the webpage

• Detection of a mismatch in other browser elements including time-zone, language and

geo-location

• Filtering out legitimate corporate and ISP proxies

• DNS geo-location mismatches

Page 18


Compromised Device and Script detection Organizations not only need to identify a customer’s device, they also need to know whether that

device is now compromised and infected. Subscribing to IP reputation feeds is not enough if the

botnet intelligence cannot be acted on while the customer is on the page. ThreatMetrix Smart

Device Identification provides evidence-based compromised device and bot intelligence in real-

time so that an organization can make the appropriate decision to block, challenge or review the

attempted transaction. For example a customer logging in to an online banking portal may

appear to be positively authenticated using a Device ID in combination with Username and

Password, however ThreatMetrix Smart ID detects that the user’s IP Address has recently

appeared on a botnet infection list and an analysis of the packet fingerprint reveals a hidden Man-

In-the-middle attack. Because the intelligence is provided in real-time the bank can either block

the transaction or notify their customer to download a new virus definition before allowing the

transaction.

To detect when a device is either infected or under the control of a bot or script, ThreatMetrix

uses a combination of real-time analytics and mass forensic processing. Real-time analytics

looks for device fingerprint anomalies indicating infection as well as global historic pattern data

while ThreatMetrix mass forensic processing aggregates, correlates and scores botnet reputation

data across these multiple submission sources and sensors e.g. firewall logs, honey pots, dark

net sensors, spam feeds, submissions, command and control host interception and forums.

Page 19


Integrated Contextual Risk Scoring and Decisioning ThreatMetrix smart device identification solution provides an integrated cloud-based fraud

platform for combining global and per enterprise device identity with behavior and transaction

context to reduce manual review and the total cost of fraud.

Included in the platform is an analyst workbench to screen and review high risk and related

transactions and an enterprise policy engine to automate fraud decisioning.

Page 20


The table below outlines the key components of the ThreatMetrix cloud-based fraud platform.

Component Description Bullet Proof Security and

Privacy Protection

ThreatMetrix provides smart device identification technology to

detect and alert based on suspicious device anomalies. For even

more powerful fraud detection transaction identifiers such as an

email address, payment account hash, phone number, etc. can be

passed to allow for more correlation. When provided, ThreatMetrix

protects these identifiers with encryption and one-way hashing so

that the data is never exposed or shared. In addition, power role-

based permissions and full auditing meet or exceed enterprise

security compliance requirements.

Enterprise Policy Engine ThreatMetrix provides real-time contextual scoring based on device,

customer and transaction attributes and historic analysis through a

customer configurable rules engine. Default rules and algorithms

will detect many anomalies such as hidden proxies, high risk

geographies, anomalous language and time settings, potential

cookie wiping and blacklisted attributes. More advanced rules allow

for correlation of other transaction data such as detecting multiple

identities, payment accounts or shipping addresses used by the

same device, or an unusually high volume of transactions from a

device across the ThreatMetrix network. ThreatMetrix rules can be

directly updated by analysts and activated immediately to respond

to changing threats.

Transaction Monitoring

and Link Analysis

In addition to a real-time API that immediately returns device

identifiers, anomaly indicators and risk scores in milliseconds,

ThreatMetrix provides an online portal to review past transactions

and perform forensic analysis. It includes a dashboard that shows

recent high-risk transactions and trends as well as advanced

search capabilities to assist fraud analysts to find related

transactions and discover links between suspicious activity

Queue Management Manual review of transactions is time consuming and expensive. To

address this, ThreatMetrix allows for custom tuning of rules to

reduce false positives with automated assignment of transactions to

analyst queues by configurable rules. This enables analysts to

Page 21


focus on the highest risk transactions, for example based on score,

transaction amount, or criteria such as geographical origin. When a

transaction is reviewed, it can be marked as rejected/accepted to

improve the ability of ThreatMetrix to score transactions through

predictive scoring.

Customizable Alerting ThreatMetrix supports automated alert rules to notify an analyst by

email when a transaction meets specified criteria. These alerts can

be triggered on risk, transaction or device attributes or associated

with specific fraud behavior. Alert content can be customized and

linked directly back to the transaction for review.

Predictive Global Intelligence

ThreatMetrix customers benefit from anonymous and aggregated

device and transaction behavior seen across the global

ThreatMetrix network using both automated scoring as well as

customizable fraud filters. The ThreatMetrix Cloud-Based Fraud

Prevention Platform provides proactive protection that gets smarter

with every customer and transaction without requiring extensive

manual input.

Page 22


Recommendations 1. Review legacy solutions and competitive vendor offerings to understand where they fit

with respect to smart versus Basic Device identification capabilities

2. Educate your organization on the key requirements and benefits of smarter device

identification

3. Plan rollout of an upgrade to current customer device identification technology for 2011

4. Initiate customer and transaction authentication and monitoring based on improved

device, behavior and contextual risk scoring.

About ThreatMetrix, Inc.

ThreatMetrix profiles daily tens of millions of customer devices and screens hundreds of

thousands fraudulent transactions many of the world’s largest online brands. ThreatMetrix cloud-

based fraud prevention and risk management platform protects online account creation, login

authentication and payment authorization processes based on automated anonymous

intelligence across its global fraud prevention network. ThreatMetrix serves a rapidly growing

customer base in the U.S. and around the world across a variety of industries including online

retail, financial services, social networks, and alternative payments.

Documents

ThreatMetrix Whitepaper - Smart Device Identification 04_11_2011