[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: use of routing information in anti-fraud mechanisms

On 11/29/05, Geoffrey Goodell <goodell@xxxxxxxxxxxxxxxx> wrote:
> On Tue, Nov 29, 2005 at 12:22:45PM +0000, Jimmy Wales wrote:
> > Geoffrey Goodell wrote:
> > > I do not have other cards, and my card works everywhere else.  A little
> > > online investigation suggests that Paypal outsources its card
> > > verification process to an overzealous company called CyberSource, and
> > > there are many false positives.
> >
> > Why do you call them overzealous?  If they are actually overzealous then
> > they will lose money for their customers (on average) and ultimately
> > lose business.  But I rather suspect that they are making money for
> > their customers (on average).
> >
> > My point, which ought not to be surprising given what I usually say, is
> > that we should not be too complacent that people who are blocking Tor
> > are just being overzealous or stupid or anti-privacy.  It can make
> > sense, and part of our job is to figure out how to help it not make sense.
> First, Tor is an experimental overlay network, and it has been (rightly)
> designed to be easy to flag and block.  While it is certainly possible
> that CyberSource is rejecting my card because I am connecting from an IP
> address that is known to host a Tor node, I do not believe this to be
> the case.  Having read the various articles and documents from my
> previous post, I am inclined to believe that CyberSource simply noticed
> that my card had a billing address in Cambridge, Massachusetts, USA,
> while my source IP address corresponded to an ISP that was located
> nowhere near Cambridge, Massachusetts, USA, and based upon these
> observations, CyberSource concluded that I am most likely a fraud.
Hmm, when I read this I assumed you were just connecting from some
high fraud country, though now that I think about it, it could be
both.  Maybe your billing address is in Cambridge, MA and you're
connecting from a completely different country which has an extremely
high fraud rate.

If so, I can see why they'd block you.  Sure, they might lose one
sale, but they'll probably save much more in stopped fraud.

If enough people really want to hide their location from their payment
service (and I'm not sure why you'd want to do this, since they
already *know* your location), then I'm sure there are other payment
services which will pop up to fill this market.  Credit cards are
notoriously very insecure payment methods.  Part of how they make up
for this is by producing so called "false positives" (one time I had
my credit card declined at a gas station because I was travelling 200
miles twice a week and it triggered their fraud detection; a simple
call to my credit card company telling them about this situation
resolved it).  Simply accepting that anyone who knows a 16 digit
number is who they say they are, even in the face of evidence pointing
strongly to the contrary, is not a very good business practice.

> Use of location information may indeed serve as a moderately effective
> technique in stopping the more irresolute cyberfrauds who do not bother
> using the very same geolocation techniques to choose a source IP address
> whose corresponding geographic location is close to the billing address
> of the card.  On the surface such an approach appears to be a rather
> obvious and harmless step for those of us interested in cracking down on
> fradulent activity.  Sure, this is an arms race, but sometimes
> participating in an arms race is the best option we have, right?  In
> this case I am not so sure.
> I call the use of location information "overzealous" because it tramples
> the end-to-end principles upon which the Internet was built.  There is a
> very real sense in which use of location information permanently tethers
> us to an infrastructure in which access to Internet resources is a
> function of how we are connected rather than how we have identified
> using end-to-end methods, and this poses a challenge to maintaining the
> global consistency of the Internet that we have come to expect.
> Suddenly "Internet access" means something radically different when
> offered in Russia rather than Germany or when offered in Brazil rather
> than the US.  Inevitably, this technical reality opens the door for
> hackish VPN-style solutions to make people appear to be somewhere else
> in order to get the Internet access they really want, and such solutions
> are expensive both in terms of setup cost and performance.  Do we really
> want to promote this future, especially when it hurts legitimate users
> more than it hurts true frauds in the long run?  I think that we do not,
> and I see the use of location information in infrastructure services as
> one of the greatest challenges to maintaining Internet consistency over
> the next decade.
> Geoff
> Version: GnuPG v1.2.5 (GNU/Linux)
> iD8DBQFDjF5cIExhFQ5gZpkRAmpVAKCFw2ER+9RteIjySV8hGdyCrR4GFwCgx9uE
> tBmjwLyzY3IymTDTXljXiT4=
> =tVy7