Fraud Prevention - Problems with IP Geolocation (Part 2/2 in a Series)
This is part 2 in a series about web fraud detection methods. Last time we talked about Internet Protocol (IP) addresses and how they are used with geolocation as an anti-fraud technique to blacklist people or countries known to be hotbeds of fraudulent activity. For example, many online dating sites will blacklist anyone coming from Nigeria, simply because of the amount of online dating fraud that originates there. This is an attractive proposition because it seems to match to our real-world society. As a store owner I can ban someone from my store, or maybe they will even go to jail and be unable to bother me in the future. If you are old enough, you probably remember something like this:
This is from a Seinfeld episode, but stores used to publicly post bad checks to shame people. Now we have Experian and other methods to privately shame people, but the core concept remains - we can ban someone if we don't want them to come back.
The problem with solutions such as IP geolocation that are based upon IP addresses is that they treat an IP address as an identity. In the early days of the Internet it kind of was an identity - every machine on the 'net had a unique address. But those days are now long gone. Due to the magic of something called a proxy, your machine can be anyone it wants to be.
Here's one way to think of a proxy:
Let's say you are underage and want to buy some beer. You have a problem because your "IP address" (age) has been banned from the liquor store. However, you know what age (< 21) is allowed into the liquor store, so you enlist the aid of a nearby adult. You ask them to buy liquor for you. They do, and bring it back to you. To be more explicit: kid-[money]-adult-[money]-clerk-[beer]-adult-[beer]-kid. From the kid's perspective, he pays money and gets beer. From the clerk's perspective, her gets money from a legit source and gives out beer. Everyone is happy.
Problem solved, time to party!
In this case, the adult is acting as a proxy for your illicit activities. If you want to commit a scam from Nigeria, simply route your packets (data) through a proxy computer in Idaho and viola - your IP address looks like a legitimate customer from Idaho.
Companies will claim that they can detect proxies, and sometimes they can. If Mr. Green Jeans comes into your liquor store 400 times a day, you may suspect something is up and you may end up banning him. But proxies, like adults, are cheap and plentiful. If one proxy gets detected, you can just make another one and another one. Or you can use 2 in a row, or 20 in a row.
There is another problem with proxy detection, and it is related to the idea that IP addresses are not identities - they are traded, moved around and reused. Let's say Mr. Green Jeans the persistent kid alcohol buyer is actually named "Michael Jones" so you ban Michael Jones. Well, you probably have many legitimate customers named Michael Jones and you have banned them all. They want to give you money and they are honest, but you boot them out the door. If you ban an IP or IP range, you don't know how those will get reused for other things in the future. This kind of false positive happens often with transactional fraud prevention techniques.
Proxy detection relies on a fundamental assumption that an IP address is an identity, and that is just not true, thus it is doomed to fail in all but the most simplistic scenarios. Online identity is a very complex concept, and an IP address is way too ephemeral to ever be an identity.
So, in order to keep attempting to do transactional fraud prevention, we try to make the browser unique in some way, so that we can avoid relying on IP addresses. That leads us to browser fingerprinting. Tune in next time to see how that particular technique fails.