DID YOU KNOW
Proxy Detection Services detect the use of anonymous proxies, which is not a direct indicator of fraud by itself, but when combined with other data elements can indicate an order is high risk.
Fraudsters know that it is very easy to make their IP geolocation information look like it is coming from the region where their stolen credentials originated. This ability makes them look authentic, when in fact they are using a proxy to mask their true location.
Fraudsters engaged in account takeover activity, card testing, or other repetitive activities may use proxies to appear to be a different user and circumvent checks that prevent an offending IP address from continuing to attempt logins or orders.
Not all proxies are equal. Some are very reputable, and cutting them off would be detrimental to your sales conversion. The goal is to use this technique to identify which proxies are derived from compromised computers or are known to be heavily used by fraudsters. The generic ability to identify an anonymous proxy provides less value, but is still useful when a rules engine or model looks for consistent IP address and billing or shipping address information as a signal of reduced risk.
THE FRAUD PRACTICE
Alternative Solutions - You can also look at trying some of the Fraud-Scoring Services that offer the proxy detection check as part of the score.
Building this In-House - An organization could maintain their own list of IP addresses known to be associated with proxies or VPNs, but it will not be as robust or up-to-date as these lists maintained by vendors.
Estimated Cost - Could be charged as a subscription or per user fee.
Sample Vendors - MaxMind, Kount, Neustar
PROXY DETECTION SERVICES TECHNIQUE OVERVIEW
Proxy Detection web services allow instant detection of anonymous IP addresses. While the use of a proxy is not a direct indicator of fraudulent behavior, it can be a useful indicator when combined with other data elements to determine if an individual is attempting to hide their true identity. Some proxies may be identified as known bad proxies while others may be used by both fraudsters and legitimate consumers.
Key considerations when implementing or buying this functionality include:
Can the solution see through proxies and VPNs to determine where an order is coming from? This may be referred to as "Proxy Piercing."
Can the solution tell how reliable the information is when you get it? For example, how risky is the proxy?
How often is the data updated and verified by the vendor?
Does the service detect and map corporate proxies?
Does the vendor provide post event alerts to let you know if an IP has gone bad?
HOW DOES IT WORK?
These services rely on the IP address. Merchants can get the IP address from the HTTP header on the order that comes into their site. This IP address can be compared to known lists of good and bad IP addresses and good or bad proxies or Virtual Private Networks (VPN). These services use public information as well as in-house resources to map out and catalogue these proxies. They maintain data on proxy information, such as Anonymous Proxies, Cache Proxies, Corporate Proxies and proxies frequently used by legitimate customers, such as those provided by reputable VPN companies and anti-virus software.
The value of looking at the proxy information is that proxy servers can hide the actual location of a consumer. If a consumer is using a proxy server on the West Coast of the United States and they live on the East Coast, their IP address will make you think they are coming from the opposite coast from where they actually are.
This same ability to hide where they are coming from can also be used by potential fraudsters in Asia or Europe to make it look like they are coming from the United States. Anonymous Proxies were intended for privacy reasons so users could mask where they are coming from. Consumer anti-virus software comes with VPN/proxy features, so proxy traffic can come from legitimate users or fraudsters. When a proxy is used, you cannot trust the IP address at face value, so comparing the IP address location to a shipping location is no longer viable.
Some proxy detection services may be able to provide feedback related to a "ping" or "ping back" test. For example, if a user is coming from Vietnam but purporting to come from New York, the response time from the end user to the merchant website will be much longer than if the customer were really in New York.
Many vendors offer proxy detection as part of their geolocation services, but many have not created their own solutions and are actually using the technology of a handful of technology providers.
HOW DO YOU USE THE RESULTS?
If a VPN or proxy is in use it is important to consider information about that proxy, such as whether it is a known bad proxy, one that is typically used by legitimate consumers, or one with little information. Organizations can build rules or model logic to perform further fraud screening for orders in which anonymous proxies and cache proxies are being used.
Logic should also be in place to circumvent or avoid rules or modeling features where an IP location is compared to another location (billing address, etc.) as the use of a proxy can hide the user's true location. For example, the fact that an IP location is within the same state as a billing and shipping address may be considered a signal of decreased risk, but if a proxy is in use, this signal should be thrown out and not reduce the risk score for the given transaction.
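The list lookup and the rule handling described above can be sketched as follows. This is an added example, not vendor code: the proxy catalogue, category names, score weights and sample orders are all constructed assumptions, and the IP ranges are documentation-only addresses.

```python
import ipaddress

# Constructed proxy catalogue (documentation-only ranges); a real deployment
# would load a vendor feed instead of this hard-coded list.
PROXY_CATALOGUE = [
    (ipaddress.ip_network("192.0.2.0/24"), "known_bad"),
    (ipaddress.ip_network("198.51.100.0/24"), "reputable_vpn"),
    (ipaddress.ip_network("203.0.113.0/25"), "anonymous"),
]

# Hypothetical score adjustments (assumed values, tune to your own data).
BASE_SCORE = 30
PROXY_RISK = {"known_bad": 50, "anonymous": 20, "reputable_vpn": 5}
GEO_MATCH_CREDIT = 15  # reduction when IP state matches billing and shipping


def classify_ip(ip_text):
    """Return the proxy category for an IP, or None if it is not catalogued."""
    ip = ipaddress.ip_address(ip_text)
    for network, category in PROXY_CATALOGUE:
        if ip in network:
            return category
    return None


def score_order(order):
    """Score an order dict; higher means riskier. Returns (score, reasons)."""
    score, reasons = BASE_SCORE, []
    category = classify_ip(order["ip"])
    if category is not None:
        # Proxy in use: add category risk and never grant the geo-match credit,
        # because the IP location may not be the user's true location.
        score += PROXY_RISK[category]
        reasons += [f"proxy:{category}", "geo_signal_discarded"]
    elif order["ip_state"] == order["billing_state"] == order["shipping_state"]:
        score -= GEO_MATCH_CREDIT
        reasons.append("geo_match")
    return score, reasons


# Constructed sample orders; every one has matching IP, billing and shipping state.
_NY = {"ip_state": "NY", "billing_state": "NY", "shipping_state": "NY"}
ORDERS = [
    {"id": "A", "ip": "192.0.2.10", **_NY},     # known bad proxy
    {"id": "B", "ip": "198.51.100.7", **_NY},   # reputable VPN
    {"id": "C", "ip": "203.0.113.200", **_NY},  # outside the /25, no proxy
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o["id"], *score_order(o))
```

Orders A and B show the same apparent location match as order C, yet only C receives the reduced-risk credit.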