(FREE) Card-not-present fraud costs US airlines over a billion
dollars each year, a problem 41st Parameter is tackling with a
unique solution – computer fingerprinting. The online security
firm’s chairman Ori Eisen provided Charles Davis with
insight into the thinking behind the highly successful approach.
In 2008, a single US industry sector –
airlines – lost some $1.4 billion, or 1.3 percent of its total
online revenue thanks to online fraud. And that’s just the tip of
Security specialist Symantec’s latest
Internet Security Threat Report, released this month,
found that online crime, in the form of malicious code activity,
continued to grow at a record pace throughout 2008, primarily
targeting confidential information of computer users.
The report noted that internet surfing
remained the primary source of new infections in 2008, and that
attackers are relying more and more on customised malicious code
toolkits to develop and distribute their threats. Furthermore, 90
percent of all threats detected during the study period attempt to
steal confidential information.
The airlines are getting serious about
fighting online fraud now, and one security firm, 41st Parameter,
is making real headway in the travel segment, where high numbers of
card-not-present transactions (CNP) are the norm. The firm recently
signed its second of the top five US airlines, as US Airways
selected FraudNet to detect and prevent CNP fraud across multiple
reservation channels including online, kiosk and phone. In
addition, US Airways will utilise FraudNet to protect its Dividend
Miles frequent flier members against account compromise and
fraudulent account access.
41st Parameter founder and chairman
Ori Eisen spoke with EPI about the security challenges
facing the payments business and how his company’s vision of having
computers “talk” to one another is making a huge difference in
fraud reduction rates.
At the core of the FraudNet solution is
PCPrint, 41st Parameter’s powerful and covert personal computer
fingerprinting technology, which essentially conducts a real-time
interview with a transaction-originating device to, as Eisen said,
“see if the person behind a device anywhere in the world is who
they say they are”.
Coupled with a risk engine specifically tuned
for the airline industry, US Airways is implementing best-in-class
fraud detection tools, easily accessible on a single dashboard.
FraudNet empowers the airline’s investigators to identify
interlinked activities with the included link analysis tools,
quickly report confirmed fraudulent cases to law enforcement bodies
while reducing the volume of transactions and reservations
requiring manual review.
“Link analysis means if I find a suspicious
transaction coming in to the airline, we can instantly look for any
other transactions from that device across time, and send that
information along quickly to the merchant,” Eisen said. “In many
cases the fraud is blatant and quite easy to detect, and so link
analysis says ‘OK, I have a bad apple here, so show me all other
transactions from this IP address, or from this e-mail
US Airways joins Continental Airlines as 41st
Parameter clients, and Eisen said other major airlines are set to
implement the technology in the coming months.
Eisen, who served as director of worldwide
payments security for American Express before leaving to found 41st
Parameter, said customers utilising FraudNet report an average
review rate a full 80 percent below the industry standard.
The ‘41st parameter’ name is derived from the
fact that, for years, online security was derived from looking at
40 set data points, mostly descriptive items about the user, rather
than about the user’s computer or handheld device.
“We are peering into more data points than
ever before,” Eisen said. “The crooks know all about the 40 data
points, but they can’t really do anything to stop us from analysing
dozens of others. So we realised one of the first things we can do
is to ask the computer how they are configured – simply look at the
time zone on the other end of the transaction, so if you are in the
centre of the United States and the PC talking to us is in Russia,
well, that ought to raise flags.”
Eisen said there are probably 300 data points
at the device level, but 100 or so are really worth the effort of
“We are adding data points as we go,” he said.
“Interestingly, the simple ones, like the language your device is
configured in, the time zone, and the device’s operating system
tell us as much as anything.”
The system is also a host of attractive
features such as dynamic queuing functionality, enabling fraud
investigators to prioritise reservations based on customer
departure times and other critical information, as well as suspect
travel pattern analysis, billing inconsistencies, high-risk ticket
details, and many other data elements not utilised by traditional
risk management solutions.
Wide variety of tools
Eisen said many other potential
applications are ideal for Fraudnet, including online banking,
mobile payments and other travel-related industries such as
“The beauty of Fraudnet is that we can use a
wide variety of tools in a variety of settings, from e-commerce to
airlines to bank credit card applications,” he said.
The firm’s subscription revenue increased by
more than 300 percent in 2008, and its customer base grew by more
than 40 percent.
With a never-ending array of high-profile
fraud cases, 41st Parameter has to say little to convince merchants
of the need for heightened security, Eisen said. Online banking,
for example, is typically authenticated by the use of two items – a
user name and a password.
“If someone obtains those two pieces of data,
then they can access your account from anywhere, and no flags are
raised,” Eisen said.
Fraudnet can covertly query the customer’s
computer or handheld device to provide a real-time risk assessment,
asking a randomly generated series of questions such as “where is
this device located?” and “is this the usual device used to access
this account?” and then rank the transaction’s risk profile against
pre-set benchmarks determined by the institution.
“This is a top-of-mind issue for everyone
these days,” Eisen said. “Not a day goes by without a reminder that
the bad guys are always out there, so the arms race between online
payments and crooks.”