On 08.12.13 09:33, Tomas L. Byrnes wrote:
Anyone with half a brain blocks proxies from their e-commerce site. Can you know at a reasonable confidence level that it's a proxy? Give me an IP address (privately, of course). I can tell you if it is, with consult from other colleagues in the security community. That's almost a no-brainer.

Oh, but can you tell if an IP address is a compromised workstation or host of a VPN application that only allows the proxy access to the intruder? Not all proxies are plainly visible.

Geography of an IP address can be a useful heuristic to assist detection, when most transactions attempted from certain regions are bad; esp. when combined with other factors.

This is a strategy well-known to be probabilistic, and thus imperfect (not every fraud attempt will be noticed by a detector, and there will be false positives, but probably very few in relation to the total transaction throughput of say a large online retailer).

E-mail spam filters use imperfect methods like this all the time; there is no magic check to prove a message spam or not spam. Instead, _many_ randomized spam checks are strung in sequence for the same message. And if any one or two checks fail, filters drop the message. A successful message (or E-commerce transaction) is one that clears substantially all spam/fraud checks.

An in-depth strategy with hundreds or thousands of factors examined results in a smaller (but still present) possibility of the filter/detector being fooled.

IP-based methods can be combined with the other stronger analysis of transaction details and other info that can be gathered about a submitter for detection of attempted abuse.

--
-J
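
Added example, not part of the original message: a small model of the "drop if several imperfect checks fire" rule described above, computing the exact miss rate and false-positive rate for a single geo-IP check versus a layered set. The per-check rates are constructed for illustration, and the checks are assumed to be statistically independent.

```python
# Each check is (P(fires | fraud), P(fires | legitimate)).
# All rates below are constructed sample values, not measurements.
GEO_ONLY = [(0.60, 0.05)]                    # geo-IP heuristic on its own
LAYERED = GEO_ONLY + [(0.30, 0.02)] * 20     # plus 20 weaker, independent checks


def fire_count_dist(probs):
    """Poisson-binomial distribution: dist[j] = P(exactly j checks fire)."""
    dist = [1.0]
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, mass in enumerate(dist):
            nxt[j] += mass * (1.0 - p)       # this check stays silent
            nxt[j + 1] += mass * p           # this check fires
        dist = nxt
    return dist


def error_rates(checks, k):
    """Rule: drop the transaction when at least k checks fire.

    Returns (miss_rate, false_positive_rate).
    """
    fraud = fire_count_dist([c[0] for c in checks])
    legit = fire_count_dist([c[1] for c in checks])
    miss = sum(fraud[:k])                    # fraud that trips fewer than k checks
    false_pos = sum(legit[k:])               # legitimate traffic that trips >= k
    return miss, false_pos


def best_threshold(checks, max_fp):
    """Pick k with the lowest miss rate whose false-positive rate is <= max_fp."""
    best = None
    for k in range(1, len(checks) + 1):
        miss, fp = error_rates(checks, k)
        if fp <= max_fp and (best is None or miss < best[1]):
            best = (k, miss, fp)
    return best


if __name__ == "__main__":
    print("geo-IP only, k=1:", error_rates(GEO_ONLY, 1))
    for k in (1, 2, 3, 4):
        print(f"layered, k={k}:", error_rates(LAYERED, k))
    print("best k with <=2% false positives:", best_threshold(LAYERED, 0.02))
```

With these sample rates, dropping on a single fired check out of 21 rejects far too much legitimate traffic, while requiring three fired checks beats the lone geo-IP check on both error rates without driving either to zero.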