Situation #1:
Detect Card Not Present Fraud
As an organization that does business online, you have to deal with the realities of the risks of card not present (CNP) transactions. Usually, that means that the liability associated with chargebacks rests with you, the merchant. There are things merchants can do to limit that liability, like participating in the Verified by Visa and MasterCard SecureCode services, but not all customers participate and the added validation can increase drop-offs. There are other options, like purchasing chargeback insurance, and many merchant payment processors offer anti-fraud services.
Solution:
To use IP geolocation data to detect card-not-present fraud, Quova recommends you check the distance between the actual and expected user location by reviewing the Country, State, Zip Code, Latitude and Longitude data fields. It’s a general rule of thumb that shoppers will be logging onto the Internet within close proximity to their billing or shipping addresses. This information can be cross-checked, not only against the order information provided by the shopper, such as their billing and shipping address, but also against that user’s previous sessions or registration information, to come up with a distance between the actual and expected location of the person placing that online order. Many Quova customers report that orders coming from 500 miles or more away from the expected location have a higher probability of being fraudulent. You can then elect to decline, or flag for review, orders falling X miles or more away from the shipping or billing address.
You also can use the Top-Level Domain and Second-Level Domain fields to assess risk. The Top-Level Domain is the last part of the domain name (e.g. com, net, edu, mil, uk, jp, etc.) and can be used to determine if the IP address is associated with education networks (.edu), the US Department of Defense (.mil), or a specific country like Japan (.jp). The Second-Level Domain is the part of the domain name that precedes the top-level domain. For example, in www.quova.com, “quova” is the second-level domain because it comes before the “.com.” An order placed on a work computer and passed through the company’s server will be tagged with the company’s Web site address, such as IBM.com, and will probably not arouse suspicion of fraud.
You also can use Time-Zone information to track the transaction “velocity.” If a user is connecting to a Web site in relatively short periods of time and the log-ins are more than 1,000 miles away from each other, this is a major red flag.
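The distance check and the velocity check described above can be sketched as follows. This is an added example, not Quova code or its API: the function names, the record layout, the choice to measure against the nearest expected location and the one-hour velocity window are assumptions, and distance is computed from the Latitude and Longitude fields.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))

def screen_order(ip_location, expected_locations, review_miles=500):
    """Flag an order whose IP location is review_miles or more from every
    expected location (billing, shipping, earlier sessions)."""
    nearest = min(miles_between(ip_location, loc) for loc in expected_locations)
    return ("review" if nearest >= review_miles else "accept"), round(nearest)

def velocity_alerts(logins, max_miles=1000, window=timedelta(hours=1)):
    """Return consecutive login pairs that are close in time but far apart.
    The one-hour window is an assumed value; the page gives no figure."""
    ordered = sorted(logins, key=lambda entry: entry["time"])
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        miles = miles_between(prev["location"], cur["location"])
        if cur["time"] - prev["time"] <= window and miles > max_miles:
            alerts.append((prev["time"], cur["time"], round(miles)))
    return alerts

# Constructed sample data: approximate city coordinates, not real customer records.
CHICAGO, MILWAUKEE, LOS_ANGELES = (41.88, -87.63), (43.04, -87.91), (34.05, -118.24)
EVANSTON = (42.05, -87.69)
LOGINS = [
    {"time": datetime(2024, 1, 5, 10, 0), "location": CHICAGO},
    {"time": datetime(2024, 1, 5, 10, 20), "location": LOS_ANGELES},
    {"time": datetime(2024, 1, 5, 15, 0), "location": LOS_ANGELES},
]

if __name__ == "__main__":
    print(screen_order(EVANSTON, [CHICAGO, MILWAUKEE]))     # nearby IP
    print(screen_order(LOS_ANGELES, [CHICAGO, MILWAUKEE]))  # distant IP
    print(velocity_alerts(LOGINS))  # Chicago then Los Angeles, 20 minutes apart
```

Treat a hit as a reason to review rather than to decline outright, and weigh it against the Confidence Factor for the location it is based on.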
Another data field you might find associated with card-not-present fraud is Connection Type. Users can connect to the Internet in several different ways. Quova categorizes connections into the following types: Dial-up, Cable, DSL, Fixed Wireless, Mobile Wireless, Satellite, ISDN, Frame Relay, OCX (Optical Connections, i.e., fiber optics), and TX (leased lines, i.e., T1, T2, T3 and T4). This data can help you determine how close the user is to the public IP address. For example, a person accessing your site via a consumer satellite, dial-up modem, or mobile wireless connection might cause suspicion because the user’s location is not confined to the location of the infrastructure.
You should also review the IP Routing Type, which specifies how the connection is routed through the Internet and can also be used to determine how close the user is to the public IP address. For example, a user connecting through a “fixed” connection is likely very close to the connection. A user connecting through a “regional proxy” is likely in the same country as the connection, whereas a user connecting through a “satellite” connection may be anywhere.
You should also check for the use of anonymous proxy servers and other location-masking systems. While not all proxy servers are bad, the use of an anonymous proxy that hides or masks your unique IP address can be a fraud indicator. Quova provides several status designations for anonymized Internet connections: Private, Active, Suspect, Inactive, and Unknown. This data can help to determine if the user is attempting to hide their actual IP address, which can be a strong indication of fraud.
Another piece of data that can add a layer of protection is Quova’s Confidence Factors. Quova assigns a Confidence Factor for the basic geographic elements of country, state and city. The higher the number, the more evidence is available to accurately determine the location of the user. Quova’s confidence factors highlight the uncertainties that can impact vital business decisions.
Depending on the traffic volumes expected, Quova’s data can be accessed locally using API calls to the highly efficient Quova GeoDirectory Server which runs in your data center. Alternatively, for lower traffic volumes, Quova data can be accessed using SOAP calls to the Quova On-Demand Web service. In either case, the data retrieval is as easy as making a single API or SOAP call.
Situation #2:
Detect Account Takeover after Phishing Attacks
Online services like banking, trading, shopping, gaming, and others are ripe targets for criminals. Phishing and pharming attacks sustain a well established market for user credentials. Criminals leverage that market and use other techniques to break into user accounts to transfer money, manipulate stocks and games, make purchases, and more. Service providers have an obligation to protect their users. There are even regulations like the FFIEC guidance in the United States that require organizations to provide user protection better than simple user name and password.
Solution:
Banks are prime targets for fraudsters. To use IP geolocation data to detect new account registration fraud using stolen identities or existing account takeover fraud using phishing, Quova recommends you check the distance between the actual and expected user location by reviewing the Country, State, Zip Code, Latitude and Longitude data fields. It’s a general rule of thumb that shoppers will be logging on the Internet within close proximity to their billing or shipping addresses. This information can be cross-checked against that user’s previous sessions or registration information to come up with a distance between the actual and expected location of the account holder.
You also can use the Top-Level Domain and Second-Level Domain fields to assess risk. The Top-Level Domain is the last part of the domain name (e.g. com, net, edu, mil, uk, jp, etc.) and can be used to determine if the IP address is associated with education networks (.edu), the US Department of Defense (.mil), or a specific country like Japan (.jp). The Second-Level Domain is the part of the domain name that precedes the top-level domain. For example, in www.quova.com, “quova” is the second-level domain because it comes before the “.com.” An order placed on a work computer and passed through the company’s server will be tagged with the company’s Web site address, such as IBM.com, and will probably not arouse suspicion of fraud.
You also can use Time-Zone information to track the transaction “velocity.” If a user is connecting to a Web site in relatively short periods of time and the log-ins are more than 1,000 miles away from each other, this is a major red flag.
Another data field you might find associated with account takeover is Connection Type. Users can connect to the Internet in several different ways. Quova categorizes connections into the following types: Dial-up, Cable, DSL, Fixed Wireless, Mobile Wireless, Satellite, ISDN, Frame Relay, OCX (Optical Connections, i.e., fiber optics), and TX (leased lines, i.e., T1, T2, T3 and T4). This data can help you determine how close the user is to the public IP address. For example, a person accessing your site via a consumer satellite, dial-up modem, or mobile wireless connection might cause suspicion because the user’s location is not confined to the location of the infrastructure.
You should also review the IP Routing Type, which specifies how the connection is routed through the Internet and can also be used to determine how close the user is to the public IP address. For example, a user connecting through a “fixed” connection is likely very close to the connection. A user connecting through a “regional proxy” is likely in the same country as the connection, whereas a user connecting through a “satellite” connection may be anywhere.
You should also check for the use of anonymous proxy servers and other location-masking systems. While not all proxy servers are bad, the use of an anonymous proxy that hides or masks your unique IP address can be a fraud indicator. Quova provides several status designations for anonymized Internet connections: Private, Active, Suspect, Inactive, and Unknown. This data can help to determine if the user is attempting to hide their actual IP address, which can be a strong indication of fraud.
Another piece of data that can add a layer of protection is Quova’s Confidence Factors. Quova assigns a Confidence Factor for the basic geographic elements of country, state and city. The higher the number, the more evidence is available to accurately determine the location of the user. Quova’s confidence factors highlight the uncertainties that can impact vital business decisions.
Depending on the traffic volumes expected, Quova’s data can be accessed locally using API calls to the highly efficient Quova GeoDirectory Server which runs in your data center. Alternatively, for lower traffic volumes, Quova data can be accessed using SOAP calls to the Quova On-Demand Web service. In either case, the data retrieval is as easy as making a single API or SOAP call.
Situation #3:
Detect Click Fraud
It’s easy to lie on an online application to open a new account or get a loan or credit card. Fraudsters use stolen or fake information to get the account or card and then use the new account to purchase goods or launder money. While perpetrating this kind of fraud can be easy for the fraudsters, it can be extremely difficult to track these criminals and difficult for anyone whose identity has been used in these applications to clear their credit.
Solution:
To detect potential fraud from a credit card application you could query IP geolocation data during the application process. Quova recommends reviewing the Country and State values to see if the IP address location is consistent with the applicant’s credit card billing address. You can create a rule to apply a higher risk score to the application based on a specified distance.
Another risk review would be to create a list of high fraud countries that you wish to block applications from and compare the Country value against the list. You should also check for multiple applications coming from the same IP address, which can be an indication of identity theft.
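The application checks above (Country and State against the billing address, a country block list, and repeated applications from one IP address) can be combined in a single pass. This is an added example, not Quova code: the record fields, the thresholds and the sample records are constructed, `XX` is a placeholder country code, and the IP addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def screen_applications(apps, blocked_countries, max_per_ip=2, window=timedelta(days=1)):
    """Return {application id: [reasons]} for applications that need attention.
    max_per_ip and window are assumed thresholds; tune them to your traffic."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # IP address -> times of recent applications
    for app in sorted(apps, key=lambda a: a["time"]):
        if app["ip_country"] in blocked_countries:
            findings[app["id"]].append("IP country is on the block list")
        if (app["ip_country"], app["ip_state"]) != (app["bill_country"], app["bill_state"]):
            findings[app["id"]].append("IP location differs from billing address")
        # Keep only applications from this IP that fall inside the window.
        seen[app["ip"]] = [t for t in seen[app["ip"]] if app["time"] - t <= window]
        seen[app["ip"]].append(app["time"])
        if len(seen[app["ip"]]) > max_per_ip:
            findings[app["id"]].append(f"{len(seen[app['ip']])} applications from one IP")
    return dict(findings)

# Constructed sample records; field names are hypothetical, not a Quova response format.
T0 = datetime(2024, 1, 5, 9, 0)
BLOCKED = {"XX"}
APPS = [
    {"id": "A1", "ip": "203.0.113.7", "time": T0,
     "ip_country": "US", "ip_state": "IL", "bill_country": "US", "bill_state": "IL"},
    {"id": "A2", "ip": "203.0.113.7", "time": T0 + timedelta(minutes=10),
     "ip_country": "US", "ip_state": "IL", "bill_country": "US", "bill_state": "IL"},
    {"id": "A3", "ip": "203.0.113.7", "time": T0 + timedelta(minutes=20),
     "ip_country": "US", "ip_state": "IL", "bill_country": "US", "bill_state": "TX"},
    {"id": "A4", "ip": "198.51.100.9", "time": T0 + timedelta(minutes=30),
     "ip_country": "XX", "ip_state": "", "bill_country": "US", "bill_state": "NY"},
]

if __name__ == "__main__":
    for app_id, reasons in screen_applications(APPS, BLOCKED).items():
        print(app_id, reasons)
```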
Another data field you might find associated with fraud is Connection Type. Users can connect to the Internet in several different ways. Quova categorizes connections into the following types: Dial-up, Cable, DSL, Fixed Wireless, Mobile Wireless, Satellite, ISDN, Frame Relay, OCX (Optical Connections, i.e., fiber optics), and TX (leased lines, i.e., T1, T2, T3 and T4). This data can help you determine how close the user is to the public IP address. For example, a person accessing your site via a consumer satellite, dial-up modem or mobile wireless connection might cause suspicion because the user’s location is not confined to the location of the infrastructure.
You should also review the IP Routing Type, which specifies how the connection is routed through the Internet and can also be used to determine how close the user is to the public IP address. For example, a user connecting through a “fixed” connection is likely very close to the connection. A user connecting through a “regional proxy” is likely in the same country as the connection, whereas a user connecting through a “satellite” connection may be anywhere.
Comparing Quova data with expected values can also be useful. You could additionally use the Latitude and Longitude data to calculate the visitor’s distance from the application address and then analyze distances.
Quova also provides several status designations for anonymized Internet connections: Private, Active, Suspect, Inactive, and Unknown. This data can help to determine if the user is attempting to hide their actual IP address, which can be a strong indication of fraud.
Another piece of data that can add a layer of protection is Quova’s Confidence Factors. Quova assigns a Confidence Factor for the basic geographic elements of country, state and city. The higher the number, the more evidence is available to accurately determine the location of the user. Quova’s confidence factors highlight the uncertainties that can impact vital business decisions.
Depending on the traffic volumes expected, Quova’s data can be accessed locally using API calls to the highly efficient Quova GeoDirectory Server which runs in your data center. Alternatively, for lower traffic volumes, Quova data can be accessed using SOAP calls to the Quova On-Demand Web service. In either case, the data retrieval is as easy as making a single API or SOAP call.
