It finds that most of the anonymous Tor visitors have fraudulent intentions.
Paul Demery , Managing Editor, B2B E-commerce
Originally developed for the U.S. Navy as a way to protect its Internet communications, Tor software is now available for free to anyone who wants to keep their identity private as they use the Internet. But it can also be used by criminals who want to defraud e-commerce sites.
One international online dating site, for example, routinely blocks the virtually masked criminals from causing trouble among the legitimate site users who are simply trying to find a good match. “Anything that allows people to anonymously browse the Internet can also be used in fraudulent activity,” says the fraud prevention manager at the dating site, which asked to remain anonymous so as not to publicize the fraudulent activity on its site. “The people hiding their IP address are more likely than others to be doing something dodgy.”
Tor (which is an acronym for “the onion routing” network, or a series of networked proxy servers) uses technology that routes an Internet transmission through proxy Internet servers to mask the Internet user’s home IP address. It’s available for free download from TorProject.org. The software can provide for security of Internet visits made by government and military users, for instance, or provide a level of privacy to consumers who don’t want their IP address used by geolocation-based marketing applications.
But it can also be used by criminals who want to hide the fact they’re coming from IP addresses in countries known for a high rate of online fraud, or from an IP address known to have been involved in fraud.
The international dating site recently deployed a new Tor-detection service built into the ReputationManager 360 online fraud management application from iovation Inc. The Tor-detection service, which iovation released last month, is designed to identify the final web server, or end node, that a web site visitor uses before entering a destination web site, according to Scott Waddell, iovation’s chief technology officer. By constantly monitoring and compiling traffic data arriving on web sites from more than a billion Internet-access devices worldwide, he adds, iovation is able to alert a web site operator when a visitor is arriving from a web server known to be used as a proxy server by Tor software.
Acting on a hunch that some of its web site visitors could be using Tor software, the international dating site activated the Tor-detection service in its ReputationManager 360 system just over one week ago. It has already learned that 1% of its traffic comes via Tor software, and that 90% of that traffic is fraudulent, the fraud prevention manager says. Once it receives an alert that a site visitor is using Tor, the dating site takes several steps to further identify the visitor to verify if he or she is a legitimate site user, such as by checking their credit card account numbers or e-mail addresses against databases listing stolen account numbers or e-mail addresses tied to fraudulent activity.
In some cases, the manager says, criminals might visit the dating site in an attempt to acquire the names, e-mail addresses and other personal information of participants on the site, then use that information to persuade those individuals to send them money prior to meeting in person; a criminal might also use such information to send fraudulent e-mail in attempts to trick consumers into revealing their credit card accounts.
Criminals using Tor to hide their home IP address might also attempt to pay the dating site’s $30 monthly subscription fee using a stolen credit card account, the manager adds. Paying the monthly fee enables the uses of the dating site to exchange a wider range of personal information with other site participants, potentially providing a criminal with additional information that could be used in fraudulent campaigns.
The fraud prevention manager says the Tor-detection service has been one of the most useful risk management tools the dating site has deployed. “It’s been a small percentage of transactions so far,” the manager says, “but the rate of fraud among those transactions is so high that it makes this significant for us.”
The cost to deploy ReputationManager 360 ranges from a fraction of a cent per transaction to a few cents per transaction, Waddell says. There is no additional charge to use the Tor-detection service.