Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Question

IP Address Checking

Dec 9, 2013 9:32PM PST

Good Day,

I hope I came to the right place.

We (my company) are a credit provider for major retail stores in South Africa. We recently launched Web Applications, where customers can apply for credit online.
We have many fraud prevention methods in place - but never enough. As part of Phase 2 of the project we want to try and detect possible fraud by identifying an applicant's location and/or device. The general idea here is that this can be done by identifying the IP Address and flagging those that are used often. Quick research (but very limited knowledge) on this shows me that this is not that straight forward, since someone can have a static or dynamic IP address, meaning the same computer can be used but it may or may not have the same IP Address.

My question is fairly open-ended: Is IP Address tracking at all a viable option for fraud prevention?
If so, how much can be done by our own developers easily and relatively cheaply (i.e. we are not looking at buying the services of a company specializing in this).
Are there any other options/methods for identifying someone doing multiple applications from the same computer?

Thanks in advance,

Gerhard

Discussion is locked

- Collapse -
Answer
No.
Dec 10, 2013 10:59AM PST

With VPN and more, it's simply not reliable.

- Collapse -
Answer
IP address tracking
Dec 10, 2013 3:16PM PST

To expand on R. Proffitt's answer, in your situation I would not recommend automating fraud detection or preventing users from signing up based on the IP address. I do believe it's helpful to log and track every IP addresses and to create a tool that can highlight certain accounts if, for example, 100 applications came through from one IP address in 5 minutes, but because of the points you mentioned, it would still require a human to investigate/research each case individually to make a decision. Even then, a decision could not be made based on the IP address alone, but it would need to be combined with other pieces of information.

The best way would still be to ask for things like a personal identification number (equivalent of social security number in the U.S.) that can be used to look up the real user's information and match it again the application, to ensure the user is who they say they are.

~Sovereign

- Collapse -
RE: IP address tracking
Dec 10, 2013 5:29PM PST

Hi Sovereign,

thanks for your detailed input.

We do require an ID number and many other detail, and do checks with the major SA credit bureaus (which includes their fraud model checks), as well as match against our own personal fraud hot-list for suspicious activity or fields (ID numbers, addresses, contact number, employer detail, etc.) which are used often.

With Web Applications there is just a higher risk of fraud (since a fraudster can sit and retry applications for hours on end), so we would like to add to what we already do. Our initial thought was to track the IP Address and then also add those of older fraudulent accounts to our fraud hot-list (so when it is used thereafter, the application will be referred for possible fraud and a confirmations agent will contact the customer and do further security checks). The problem with this (it seems) is that an IP Address can be "recycled" and then used by someone new.

So it seems we are limited to just tracking all IP Addresses and then doing "after-the-fact" fraud checks by identifying IP Addresses used very often, and/or we need to build in some logic to identify and flag applications where the IP address was used more than X times in the last Y hours, and then to refer the application.

Thanks again,

Gerhard

- Collapse -
Yes, so you could
Dec 16, 2013 3:20PM PST

mostly use it for after-the-fact, but also use it for setting a reasonable limit e.g. how many applications can a user fill out from an IP address / user-agent combo within a certain amount of time. Keep in mind that some IP addresses might belong to companies with more than one user, and in a corporate environment, even user-agents may match, however, you could still set a high limit.

There should always be a way to let the user know why they are unable to fill out an application (if it was blocked) with an easy way to get in touch with someone to report a mistake or possible error.

~Sovereign

- Collapse -
Answer
IP tracking is wrong method
Dec 18, 2013 1:39AM PST

If you think you can detect fraud based on ip then it going to wrong. because many users may share public internet ip address under an organization, office,etc. now how you detect fraud request?

Solution is here..
you recently launched a web application right? then it must have a web address like http://www.whanswers.com. now you can use cookies and sessions to track individual users. then only you can detect frauds.

All the best..