Fraud Prevention - IP Geolocation (Part 1/2 in a Series)
This is the first blog post in a series about the different kinds of fraud prevention techniques and the pros and cons of each. Today we are talking about IP Geolocation.
What is transactional fraud prevention?
Transactional fraud prevention is the common method of looking at the attributes of a single online transaction in order to determine whether it is likely to be fraudulent or not. Most techniques used for web fraud detection are transactional. These include such techniques as IP geolocation, browser fingerprinting, behavioral modeling, and account history. Don't worry if you don't know what those terms mean - we will be covering them all in this series.
The attraction of transactional fraud prevention is that it is done without the customer's involvement, knowledge, or inconvenience. The basic idea is that the characteristics of a transaction are passed to an algorithm or 3rd-party service and then a risk score is obtained, allowing the merchant to reject the transaction, pass it through, or take some other additional action. Transactional techniques were very effective in the early days on online commerce, but as we will see their effectiveness is rapidly becoming more limited. They may even be losing you good customers.
Every computer on the Internet has an Internet Protocol (IP) address. You have probably seen these before if you have ever set up a home network - for example your machine might have the address 192.168.1.23. However, addresses that start with 192.168.X.X (and 10,10,X,X) are internal addresses - they aren't visible on the Internet, just on your local network. On a home or office network, there is usually a router somewhere that has a public internet address. You can see what your public IP address is by going to a service like https://www.iplocation.net/. When I go here from my home office, this is what I see:
You can see it shows my router's public IP address (188.8.131.52), which is assigned by my Internet Service Provider (ISP), in this case AT&T. When I go to a web page from one of the many computers in my house, the returned information (page text, graphics, etc) return to that IP address. Then my router determines how to get it to one of my local computers. The Internet at large only knows about that external address; they don't know how many computers I have on my internal network, or anything about them.
You can also see that this service makes a determination about where I am, which in this case is 100% correct. The way it does this is to look up in various registries to determine who the IP address belongs to. In my case it belongs to my ISP who provides Internet all over the place, but they have segmented their space such that this is useful.
However, there are a number of important things to understand about how this all works, and its limitations:
- IP Geolocation determines the location of the ISP, not the individual user. In many cases that can be 100's of miles away from the actual user.
- IP Geolocation is effectively useless for mobile, because the ISP is the cell carrier.
- IP Geolocation relies on self-reported databases that may or may not be up-to-date, or in some cases maliciously distorted
Furthermore, IP Geolocation can have a high false-positive rate. It can report two people as coming from the scam location when they actually are far away. This can result in your automatically rejecting good users because their IP Geolocation coincides with one used by scammers.
However, the most important thing to understand is that IP Geolocation only works when the user is cooperative; in other words, they aren't trying to mask their location. I find it pretty handy when I browse the internet - BestBuy tells me the location of the nearest stores for example, and I don't have to give up my actual location. But I am not trying to scam someone.
It is utterly trivial for someone with malicious intent to change their reported location to whatever they want to be. We'll look at how that is done in the next section. But IP Geolocation as a scam prevention tool presents a false sense of security that usually does more harm than good.