GoogleChrome / ip-protection


Breaking Fraud Prevention technique #7

Open dgstpierre opened 1 year ago

dgstpierre commented 1 year ago

We provide fraud detection/prevention for our clients as a third party. We rely heavily on having full accessibility to the originating IP address to evaluate the risk of a respondent. We perform many checks that include determining time zone (many countries support many time zones), postal code proximity, residential proxy use, fast fluxing, etc., etc. How will you support not breaking that business model?

kostajh commented 1 year ago

It all depends on what the proposal means by "eligible third-party traffic", and this section:

> focus on third parties identified as potentially using IP addresses for web-wide cross-site tracking. We’ll explore leveraging methods similar to other browsers and existing lists that identify these third parties

It sounds like your company would fall into the category of "using IP addresses for web-wide cross-site tracking" so it would be impacted by this proposal. But presumably the targets of this proposal are advertisers and not those who are using IP addresses in the context of fraud and abuse detection and prevention, so maybe you wouldn't be impacted?

liamengland1 commented 11 months ago

Fraud prevention utilizes device fingerprinting and other techniques which are by nature invasive. The document states "One way to limit fingerprinting is by limiting sources of identifiable information such as IP addresses." In my opinion, the negative effect on fraud prevention scripts by such an in-device proxy is inevitable and even necessary for it to protect user privacy.

dgstpierre commented 11 months ago

Privacy is important, but fraud prevention is equally so. We do not use the IP address to fingerprint; we use it to prevent fraud on many levels. There needs to be a way to pass this to third parties that are using it for fraud prevention.

iam-py-test commented 11 months ago

> We rely heavily on having full accessibility to the originating IP address to evaluate the risk of a respondent.

How do you deal with Tor and VPNs, then? Thanks

dgstpierre commented 11 months ago

> > We rely heavily on having full accessibility to the originating IP address to evaluate the risk of a respondent.
>
> How do you deal with Tor and VPNs, then? Thanks

That is one of the many reasons we need the IP address; we check it for Tor, VPN, etc. when evaluating risk.

dfnjy commented 10 months ago

I agree here; the iCloud relay, being a paid service, is making some automated abuse cases hard to resolve already. A very strong user verification and IP alternative tracking will be needed here, if this is to be a free service.

iam-py-test commented 10 months ago

This only applies to certain 3rd party requests, so should have no impact on your abuse protection. However, in my opinion, blocking IP addresses is already futile, as attackers have VPNs, Tor, proxies, botnets and other ways to hide and rapidly change their IP. Thanks

JonathonMontgomery commented 9 months ago

> This only applies to certain 3rd party requests, so should have no impact on your abuse protection. However, in my opinion, blocking IP addresses is already futile, as attackers have VPNs, Tor, proxies, botnets and other ways to hide and rapidly change their IP. Thanks

True, so we block VPNs, Tor, proxies. Knowing the IP addresses of these tools makes it possible to more effectively block them. The problem here is that making ALL traffic effectively anonymous will increase the fraud footprint and enable more attack vectors.

iam-py-test commented 9 months ago

> True, so we block VPNs, Tor, proxies.

With all due respect, that is a poor security strategy (it does little to stop attacks and can be circumvented by buying access to proxy botnets) and you are blocking many legitimate users. Thank you

JonathonMontgomery commented 9 months ago

> > True, so we block VPNs, Tor, proxies.
>
> With all due respect, that is a poor security strategy (it does little to stop attacks and can be circumvented by buying access to proxy botnets) and you are blocking many legitimate users. Thank you

The fact remains that you are suggesting that because "blocking IP addresses is already futile" that we should pay little attention to the remainder of the issue here. Often the bigger threat comes from those that are not using VPNs, Tor, proxies, etc. Even more important, depending on the site involved, the integrity of what would be a typical engagement can often rely on the presence of other metadata like the IP address.

For the sites I am primarily concerned about in my work at the moment, there would be no problem if I were to start applying reputation rules to the addresses blocked. Heck, we block by geo (which I understand would still be possible) and the vast majority of the time we get away with it. Keep in mind that we are not catering to the general public.

As for security strategy, we use a variety of tools to minimize the risk.

My problem with what is being proposed is not that it takes a tool off my plate for blocking some threat actor; my problem is that there are many legitimate uses for having this sort of information. Privacy is important, but is it more important than my need to know who is visiting my site? (Mind you, I am not monetizing traffic, or worse.) Sorry, I cannot give specifics, but we legitimately use IP addresses now.