How to catch a thief, e-commerce style

The latest testing reveals some non-intuitive computer profile details for spotting the bad guys


E-commerce directors and their IT security and loss prevention counterparts play an endless cat-and-mouse game with cyberthieves. The trick to getting ahead of fraud is anticipating which customers are the most likely thieves, typically through some form of pattern or attribute recognition. The problem is that smart bad guys can change their patterns and attributes as quickly as the good guys learn to recognize them.

The people over at security vendor Simility have looked at the latest patterns and noticed some interesting things (while acknowledging that the patterns won't necessarily persist for long).

Here is how Simility described its methodology: "We aggregated more than 100 different signals across 500,000 real world browser-based devices throughout January 2016. We looked for patterns in the 10,000 (or 2 percent) of those devices that were in the hands of fraudsters and contrasted those with the other 98 percent of devices in the hands of good or 'organic' users."

Here are some of their most interesting patterns:

  • 32-bit OS running on 64-bit processors.

Bad guys like older Windows devices, which they can reprogram to be short-lived fraud tools that have been tweaked to leave as few fingerprints as possible.

  • A shortage or absence of old cookies.

Bad guys hate cookies, or anything else that leaves a trail, so they continually clear them. "Fraudsters clear their cookies 90% of the time whereas organic users clear cookies only 10% of the time," Simility said.

In other words, cyberthieves can certainly delete their cookies, but that behavior differentiates them from typical shoppers. Search for cookies older than one week. If you don't find any, it's wise to keep a close watch on that visitor. Also look out for users with no recent referrer history.

  • Machines that have opted to come up with their own settings.

Remember how the bad guys will usually use customized machines? Here's one telltale sign. Many browsers offer Do Not Track options, with typical preprogrammed options being Yes, No, Unspecified or Null. Over the full population, "no" is the choice about 70% of the time, Simility said. But fraudsters' customized browsers will opt for Null. "This happens when fraudsters explicitly try and change some parameters through non-standard means e.g. writing a code, or using a cracked version of a product etc.," Simility said.

  • A lack of plug-ins and extensions

The customized machines that professional cyberthieves use are acting as single-purpose devices. They are not used for personal activities nor for non-criminal business needs. If anything goes wrong, the fraudsters want authorities to find a disposable computer with as few hints as possible as to its owner's identity. That means that there is no reason for these units to have a lot of plug-ins, extensions or leisure apps. A machine that is that barren merits close watching.

  • Fraudsters don't go incognito

This is perhaps my favorite, because it is at first glance so non-intuitive. Think of an experienced professional hitman who might deliberately burn all his fingerprints so that he leaves no trackable prints. Having done that painful chore, there's no reason for him to bother wearing gloves, given that he has no fingerprints to leave. (Then again, the nature of the image his burned fingers leave behind might be the ultimate identifier.)

If these thieves have done their job properly, their machine will leave few if any clues. Therefore, there's no reason to go incognito. Some thieves would think that going incognito makes them look more suspicious. But you, dear readers, now know better.
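To show how the signals above combine into something a fraud team can act on, here is an added example in JavaScript. It is not Simility's code and not part of the article; the profile field names (osBits, cookieCreatedAt, doNotTrack and so on), the rule weights and the review threshold are all assumptions chosen for illustration, and the three sample profiles are constructed data. Note that private or incognito mode is deliberately not a rule, consistent with the last signal above.

```javascript
// Added example (not Simility's or the article's code): a rule-based risk score
// over a browser-device profile, using the signals described in the article.
// Field names are assumptions about what a fingerprinting script would collect;
// the sample profiles at the bottom are constructed data.

const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.UTC(2016, 0, 31); // fixed clock so results are reproducible

// Each rule returns a reason string when its signal fires, otherwise null.
// Weights and the threshold are illustrative, not figures from the article.
const RULES = [
  {
    weight: 2,
    check: (p) =>
      p.osBits === 32 && p.cpuBits === 64 ? "32-bit OS on a 64-bit processor" : null,
  },
  {
    weight: 3,
    check: (p, now) => {
      // Fires when there is no cookie at all, or none older than one week.
      const oldest = p.cookieCreatedAt.length ? Math.min(...p.cookieCreatedAt) : null;
      return oldest === null || now - oldest < 7 * DAY_MS ? "no cookie older than one week" : null;
    },
  },
  {
    weight: 1,
    check: (p) => (p.referrer ? null : "no referrer history"),
  },
  {
    weight: 3,
    // Browsers normally report "1" (yes), "0" (no) or "unspecified";
    // a null value suggests the setting was altered through non-standard means.
    check: (p) => (p.doNotTrack === null ? "Do Not Track reported as null" : null),
  },
  {
    weight: 2,
    check: (p) =>
      p.pluginCount + p.extensionCount === 0 ? "no plug-ins or extensions" : null,
  },
];

// Incognito/private mode is deliberately NOT a rule, per the article.
const REVIEW_THRESHOLD = 5;

function scoreProfile(profile, now = Date.now()) {
  const reasons = [];
  let score = 0;
  for (const rule of RULES) {
    const reason = rule.check(profile, now);
    if (reason !== null) {
      score += rule.weight;
      reasons.push(reason);
    }
  }
  return { score, reasons, flagForReview: score >= REVIEW_THRESHOLD };
}

// Constructed sample profiles.
const ORGANIC_PROFILE = {
  osBits: 64,
  cpuBits: 64,
  cookieCreatedAt: [NOW - 40 * DAY_MS, NOW - 2 * DAY_MS],
  referrer: "https://search.example/?q=winter+boots",
  doNotTrack: "0",
  pluginCount: 4,
  extensionCount: 3,
};

const SUSPECT_PROFILE = {
  osBits: 32,
  cpuBits: 64,
  cookieCreatedAt: [], // cookies cleared before every session
  referrer: "",
  doNotTrack: null,
  pluginCount: 0,
  extensionCount: 0,
};

// Clears cookies but is otherwise ordinary: worth a look, but one signal
// alone stays below the review threshold.
const COOKIE_CLEARER_PROFILE = {
  ...ORGANIC_PROFILE,
  cookieCreatedAt: [NOW - 1 * DAY_MS],
};

for (const [name, profile] of Object.entries({ ORGANIC_PROFILE, SUSPECT_PROFILE, COOKIE_CLEARER_PROFILE })) {
  console.log(name, JSON.stringify(scoreProfile(profile, NOW)));
}
```

The returned reasons list is what an analyst actually needs: a score alone says "look at this device", while the reasons say which of the signals fired, which matters because, as the article notes, the patterns will shift and individual rules will need retuning.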
