In the old west, card cheats got shot. Today, an Oregon company stops them by effectively taking away their computers.
Iovation has devised a service that identifies PCs that have been used to make purchases or wagers on a given site with stolen credit cards. These PCs are then blackballed from the site permanently or put on a watch list.
Identified fraudsters can change their name and password as much as they like, says company chief executive Greg Pierson: As long as they continue to use the same machine, they can't get back onto the Iovation-protected site.
A blackballed PC will likely get similar treatment from other Iovation users, Pierson said. "The fellow subscribers know you are on a warning list."
To date, most of the company's customers have been card game sites. Online poker has become a popular way to launder money from stolen credit cards, he said. A fraudster creates a poker account in the name of a credit card owner. With that account, he plays against several other players he's also controlling. The aliases inevitably win.
To the Web site owner, it won't look like anyone is taking a dive but rather like the ordinary ebb and flow of a poker game. And to further hide tracks, the fraudster often takes his winnings and plays against more of his aliases.
"These people are gamers. So what do they try to do? They try to game the system," Pierson said.
Iovation is expanding its business into other areas. Large multiplayer game sites have signed up for the service upon discovering that some players were buying virtual assets like weapons and real estate with stolen credit card numbers. So this year, it is pitching its service to online merchants, Pierson said. Another potential customer segment could be Web sites targeted at teens or kids that want to keep pedophiles out. Keeping such people at bay has proved to be tough.
The "blame the equipment" approach taken by Iovation exists to get around the open user registration policies of most Web sites. Technically speaking, the vast majority of Web sites never verify that individuals opening accounts are who they say they are. Amazon.com might be more than happy to open an account for Genghis Khan.
"These sites can't do anything but close the account" of someone who violates the site's policies, Pierson said. "Two seconds later, (a violator) can create a new account."
Iovation identifies suspicious machines through two methods. First, when a user first registers and opens an account on a Web site that employs Iovation's service, the site inserts a bit of code on the new customer's machine.
The company subsequently monitors patterns of behavior from data forwarded by the site. Most users have two or three accounts on a network. Someone trying to commit fraud typically signs up for several more.
"Normal people don't have 1,000 accounts (on a single Web site) issued to two computers," he said. "It looks odd."
If and when fraudulent activity occurs, the code loaded onto the machine during the registration process becomes a permanent black mark. Individuals can re-enter the network by getting a new PC, but being forced to buy (or steal) new hardware slows them down.
Web sites that buy the service do worry about the implications about putting a bit of code onto someone's computer, Pierson admitted.
Still, he speculated that the service could be marketed as a positive. When opening an account, a new user could specify the exact computers and exact credit cards he or she will use on that site. If a different PC tries to complete a transaction with one of the specified credit cards, the Web site can send questions to the prospective buyer that will help authenticate her.
Talkback
Am I missing something here? Surely fraudsters will find a way to identify the code that has been put on their machine and remove it, and hence the 'black mark'. At worst, they could reformat their hard disk and reinstall everything; this approach certainly won't force anyone -- except the unusually stupid -- to obtain a new PC.
Another easy way to circumvent this would be to use a virtual machine (e.g. VMWare). To the outside world, deleting a virtual machine and creating a new one is the same as getting a new PC. In addition, by installing a number of virtual machines on the same real PC, fraudsters could make all their accounts appear to be on different PCs.
Someone please tell me they've thought of this.
This sounds like over marketed hype that allegedly solves a huge problem, but in reality is only a minor obstacle to get around.
A person could delete the black mark, reformat their computer, or use Virtual OSes.
More importantly, by incorporating such a sceme, a website is excluding all of their customers that can not run the additinal proprietary software. Is it Windows Only? Or do they have a linux version? Is it ActiveX?
Or is this so simple to get around that merely clearing the browser cache, cookies, etc will fix it? Details were clearly excluded, probably to protect the guilty, or maybe they just didn't know.