use of routing information in anti-fraud mechanisms
Geoffrey Goodell
goodell at eecs.harvard.edu
Mon Nov 28 07:44:47 PST 2005
It seems that some anti-fraud mechanisms have evolved to use information
about how a user is connected to the Internet to determine whether they
are likely to be fradulent. Specifically, in my case it turns out that
Paypal does not accept my debit card:
"We were unable to verify this credit card through our card validation
process. To proceed with checkout, please verify the information you
entered is correct or try a different card."
I do not have other cards, and my card works everywhere else. A little
online investigation suggests that Paypal outsources its card
verification process to an overzealous company called CyberSource, and
there are many false positives.
I suspect that in my case, the false positive is related to my use of
Tor.
According to this article, geographic location (i.e. "where a buyer's
computer is") determined by IP address and ISP data, can cause a
transaction to be denied:
http://www.intelligentbanking.com/brm/news/ob/20000915.asp
These articles cite geolocation as a useful anti-fraud technique:
http://www.cybersource.com/news_and_events/international/view.xml?page_id=575
http://www.reliant.com/yhb/department/1,,CID457419,00.html?&cktst=true&REID=F
A544C80-A195-0762-7F7B-9DCB487135AD
http://www.slate.com/id/74654/
http://www.collectionsworld.com/cgi-bin/readstory2.pl?story=20031201CCRU387.x
ml
http://www.networkworld.com/news/2001/1022visa.html
It seems to me that the world has already begun walking down the
dangerous road of developing infrastructure that rely upon routing
information and ISP data to identify fraudulent activity. This will
present a major stumblingblock to the deployment of location-independent
services and overlay networks such as Tor that attempt to separate
location from identity.
Geoff
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
More information about the cypherpunks-legacy
mailing list