Stopping fraud by blackballing PCs

Instead of locking out specific users, sites using Iovation's technology can nail suspected fraudsters' hardware.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
In the old west, card cheats got shot. Today, an Oregon company stops them by effectively taking away their computers.

Iovation has devised a service that identifies PCs that have been used to make purchases or wagers on a given site with stolen credit cards. These PCs are then blackballed from the site permanently or put on a watch list.

Identified fraudsters can change their name and password as much as they like, says company CEO Greg Pierson: As long as they continue to use the same machine, they can't get back onto the Iovation-protected site.

A blackballed PC will likely get similar treatment from other Iovation users, Pierson said. "The fellow subscribers know you are on a warning list."

To date, most of the company's customers have been card game sites. Online poker has become a popular way to launder money from stolen credit cards, he said. A fraudster creates a poker account in the name of a credit card owner. With that account, he plays against several other players he's also controlling. The aliases inevitably win.

To the Web site owner, it won't look like anyone is taking a dive but rather like the ordinary ebb and flow of a poker game. And to further hide tracks, the fraudster often takes his winnings and plays against more of his aliases.

"These people are gamers. So what do they try to do? They try to game the system," Pierson said.

Iovation is expanding its business into other areas. Large multiplayer game sites have signed up for the service upon discovering that some players were buying virtual assets like weapons and real estate with stolen credit card numbers. So this year, it is pitching its service to online merchants, Pierson said. Another potential customer segment could be Web sites targeted at teens or kids that want to keep pedophiles out. Keeping such people at bay has proved to be tough.

The "blame the equipment" approach taken by Iovation exists to get around the open user registration policies of most Web sites. Technically speaking, the vast majority of Web sites never verify that individuals opening accounts are who they say they are. Amazon.com might be more than happy to open an account for Genghis Khan.

"These sites can't do anything but close the account" of someone who violates the site's policies, Pierson said. "Two seconds later, (a violator) can create a new account."

Iovation identifies suspicious machines through two methods. First, when a user registers and opens an account on a Web site that employs Iovation's service, the site inserts a bit of code on the new customer's machine.

Second, the company subsequently monitors patterns of behavior in data forwarded by the site. Most users have two or three accounts on a network. Someone trying to commit fraud typically signs up for several more.

"Normal people don't have 1,000 accounts (on a single Web site) issued to two computers," he said. "It looks odd."

If and when fraudulent activity occurs, the code loaded onto the machine during the registration process becomes a permanent black mark. Individuals can re-enter the network by getting a new PC, but being forced to buy (or steal) new hardware slows them down.
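The accounts-per-machine pattern described above can be sketched as follows. This is an added example, not Iovation's code: the event format, the `device_id` values standing in for the identifier the installed code provides, and the threshold of three accounts per device are all assumptions. It goes slightly beyond the article by linking machines that share an account into one cluster, so that "many accounts issued to two computers" is scored as a group.

```python
from collections import defaultdict

# Constructed sample data: (account_id, device_id) pairs as a site might forward them.
EVENTS = [("a1", "dev-home"), ("a2", "dev-home"), ("a1", "dev-work"), ("b1", "dev-cafe")]
EVENTS += [(f"f{i}", "dev-X" if i % 2 else "dev-Y") for i in range(1, 9)]
EVENTS.append(("f1", "dev-Y"))  # one account seen on both machines links them

def cluster_devices(events):
    """Group devices that share at least one account (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_device = {}
    for account, device in events:
        root = find(device)
        if account in first_device:
            parent[root] = find(first_device[account])
        else:
            first_device[account] = device

    clusters = defaultdict(lambda: {"devices": set(), "accounts": set()})
    for account, device in events:
        cluster = clusters[find(device)]
        cluster["devices"].add(device)
        cluster["accounts"].add(account)
    return list(clusters.values())

def flag_clusters(events, max_accounts_per_device=3):
    """Return clusters holding more accounts per device than the assumed limit."""
    return [c for c in cluster_devices(events)
            if len(c["accounts"]) / len(c["devices"]) > max_accounts_per_device]

def blocked_devices(events, max_accounts_per_device=3):
    """Every device in a flagged cluster is blocked, whatever account it presents."""
    blocked = set()
    for c in flag_clusters(events, max_accounts_per_device):
        blocked |= c["devices"]
    return blocked

if __name__ == "__main__":
    print(sorted(blocked_devices(EVENTS)))
```

A fixed ratio like this will also flag legitimately shared machines such as library or cafe PCs, which is one reason to route flagged clusters to a watch list before a permanent block.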

Web sites that buy the service do worry about the implications of putting a bit of code onto someone's computer, Pierson admitted.

Still, he speculated that the service could be marketed as a positive. When opening an account, a new user could specify the exact computers and exact credit cards he or she will use on that site. If a different PC tries to complete a transaction with one of the specified credit cards, the Web site can send questions to the prospective buyer that will help authenticate her.