
use of routing information in anti-fraud mechanisms



It seems that some anti-fraud mechanisms have evolved to use information
about how a user is connected to the Internet to determine whether they
are likely to be fraudulent.  Specifically, in my case it turns out that
Paypal does not accept my debit card:

"We were unable to verify this credit card through our card validation
process. To proceed with checkout, please verify the information you
entered is correct or try a different card."

I do not have other cards, and my card works everywhere else.  A little
online investigation suggests that Paypal outsources its card
verification process to an overzealous company called CyberSource, and
there are many false positives.

I suspect that in my case, the false positive is related to my use of
Tor.

According to this article, geographic location (i.e. "where a buyer's
computer is") determined by IP address and ISP data, can cause a
transaction to be denied:

http://www.intelligentbanking.com/brm/news/ob/20000915.asp

These articles cite geolocation as a useful anti-fraud technique:

http://www.cybersource.com/news_and_events/international/view.xml?page_id=575

http://www.reliant.com/yhb/department/1,,CID457419,00.html?&cktst=true&REID=FA544C80-A195-0762-7F7B-9DCB487135AD

http://www.slate.com/id/74654/

http://www.collectionsworld.com/cgi-bin/readstory2.pl?story=20031201CCRU387.xml

http://www.networkworld.com/news/2001/1022visa.html

It seems to me that the world has already begun walking down the
dangerous road of developing infrastructure that relies upon routing
information and ISP data to identify fraudulent activity.  This will
present a major stumbling block to the deployment of location-independent
services and overlay networks such as Tor that attempt to separate
location from identity.

Geoff
