August 19, 2016
ThreatMetrix: Fighting Fraud with Device Identification
By CardNotPresent.com Staff
The roots of Los Altos, Calif.-based fraud prevention company ThreatMetrix were planted nearly 7,500 miles across the Pacific Ocean from Silicon Valley. The company’s story began in 2005 not with e-commerce, but with a project for the Australian government to stop and prosecute email spammers.
"We were tracking botnets, so we built aggregated intelligence to essentially have a credit score for an IP address," says Alisdair Faulkner, chief products officer for ThreatMetrix.
When the ThreatMetrix team concluded its public service and was looking to translate its aggregated intelligence technology to the private sector, still the founders did not consider fraud prevention at the top of their list.
"We were exploring different markets and the original intention was to look at security and integrate that intelligence in firewalls and appliances," says Faulkner.
How Fighting Spam Informs Fraud Prevention
What Faulkner, who previously had founded a networking technology company that prioritized packets in applications over networks providing real time response, and co-founder David Jones, whose experience was in email filtering, realized was the current methods being used to screen for anything—new account origination, money transfer or online credit card transactions—were not taking basic security intelligence into account.
That presented ThreatMetrix with an opportunity to apply what Faulkner calls aggregated intelligence to an e-commerce transaction without requiring any personally identifiable information from consumers. He says anti-fraud technology providers could learn a lesson from the spam fighters.
"If we solved spam today the way most companies solve fraud, we’d have to have a dedicated person checking our emails to make sure we classified it correctly," he says. "The way that spam eventually got solved was by using aggregated intelligence from multiple sources combined in real time.
"There was a company called IronPort which was acquired by Cisco for about $800 million in 2007," he continues. "Everybody before that was trying to analyze spam based on keywords. Like the current fraud world, all the systems were focused on the content and that can only get you so far. The real power comes when you aggregate all the available intelligence and look at not only the content of the emails, but the source as well."
In spam, he says, if you see that certain computers send multiple millions of emails around, you don’t need to look at the content of that email message to know the message should not be allowed to reach its destination. Using aggregated intelligence, ThreatMetrix developed a way to head off fraud by identifying devices rather than people.
"From a transaction perspective, the same thing is also true," he says. "If you know a computer has been associated with fraud, you don’t even need to understand whether the person using it is who he says he is. The content is important but not essential."
The TreatMetrix platform gathers this intelligence by analyzing every transaction on a global basis and using the information to inform every subsequent decision in real time.
"If you know something about the packet intelligence and you combine that with browser intelligence and IP intelligence," Faulkner explains, "and correlate them with different transaction data and you do it on a global basis you have something very powerful."
Fighting E-Commerce Fraud in the Cloud
Earlier this year, ThreatMetrix introduced its cloud-based, cookieless device identification solution called SmartID. Faulkner says operating ThreatMetrix’s system in the cloud is vital to get the full scope of each transaction.
"Just profiling an IP address is not enough. Just profiling a browser is not enough. One part is getting a full picture of who you’re actually talking to at the other end of the line and combining that with transaction data," he says.
Putting its solution in the cloud also impacts the amount of time needed for integration. While other solutions can take weeks or months, Faulkner says a cloud-based approach enables clients to be online with the service in hours.
"We had one merchant who was being attacked in a very sophisticated way that needed immediate help. The attackers were changing their identities and IP addresses. The credit cards they were using were valid. Amazingly, not only were they able to mimic different machines and randomize it every time, they were actually using VPNs so it didn’t appear as proxies. The merchant came to us desperate on Thursday night and we were live in production at 8 am on Saturday. It can happen that quickly."
Maybe most importantly, Faulkner says, is the fact that operating in the cloud enables global shared intelligence in which tens of millions of transactions worldwide across all ThreatMetrix’s customers are used in each subsequent decision.
"Every single transaction that is done by a ThreatMetrix customer is informed by every previous transaction done across the global network in real time. A transaction completed at 8:01 is impacted by a transaction completed at 8:00."
Increasingly Integrating with Payment Gateways
ThreatMetrix works with about 350 clients, Faulkner estimates, with some of the largest e-commerce retailers in the world on board. But as it grows its client base, the company has identified payment gateways as an important channel.
"We integrate with CyberSource users in their decision manager programs," he says. "xtracash in Germany uses us. Moneris we announced. We really see payment gateways as being our main channel in the e-tailer space."