Analyzing IP Addresses
It would be nice if burglars left calling cards at their victims’ homes—it would make it very convenient for the police to find them afterward. Internet fraudsters, on the other hand, are required to leave a sort of calling card whenever they visit a website: their IP address, which can specify exactly where and how they were accessing the internet.
Needless to say, fraudsters go to great lengths to conceal their real IP addresses, but merchants can still learn a lot about their true intentions by examining this data closely. How can analyzing IP addresses help merchants detect and prevent fraud?
In order to communicate, devices on the internet need to be able to locate each other, which is why every internet-connected host device carries a unique Internet Protocol address.
The IP address effectively pinpoints the host’s network location, making it possible to route data directly to them. IP addresses can hold users accountable for their actions on the internet because internet service providers will know which IP addresses were assigned to their customers at any given time—and that’s why fraudsters know that concealing their real IP address is the first and most important step to not getting caught.
While IP addresses can sometimes be used to trace the real-life identity of cybercriminals, the point of analyzing IP addresses for merchants isn’t to send Interpol kicking down somebody’s door to catch them committing account takeover fraud red-handed. Rather, merchants can use IP address data as a factor in risk scoring to help them identify fraud more accurately and make smarter decisions about when to reject risky transactions.
How Do Fraudsters Use IP Addresses for Cover?
Internet privacy has become a major concern in recent years, as users have witnessed—and often recoiled from—the unnerving fruits of tracking software, big data, and hyper-personalization. This has led to a big increase in public proxy servers and virtual private network services, which basically serve as middlemen between the user and the rest of the internet.
The websites the user visits only see the IP address of the service provider, not the actual address belonging to the user’s device. This makes it harder for trackers to identify them across different websites.
Naturally, proxies and VPNs are also the most common ways for fraudsters to shield their IP addresses. There are, however, other methods. One simple way is to use public WiFi at a coffee shop or library. They can also use The Onion Router, commonly known as Tor, which is a relay network designed to anonymize the user’s internet activity.
Less often, fraudsters may use hosting services or hijacked routers as a platform to launch attacks, or engage in schemes with other fraudsters in which they create their own ad hoc VPNs by swapping their residential IP addresses.
How Can IP Addresses Reveal Signs of Fraud?
IP addresses can easily be traced back to the companies that own and provide them. It’s not difficult to look up an IP address and quickly determine whether or not it is associated with any VPN services, proxy servers, or public networks. For example, a typical customer’s IP address might resolve to a well-known residential internet service provider.
IP address analysis starts with looking up the address, identifying its owner, and researching that owner to uncover additional relevant information, such as the geolocation, the type of network, and whether or not you have had previous fraud issues with its users.
Where Does IP Address Analysis Fit Into an Overall Fraud Prevention Strategy?
Most merchants who have taken serious steps toward getting their fraud and chargeback problems under control will be using an anti-fraud solution that relies on risk scoring to decide whether to accept transactions, reject them, or hold them for manual review.
Because the IP address can rarely tell you the whole story, the best way to leverage your IP address analysis is to factor it into an overall risk score for the transaction. You can review your historical fraud data to see which anonymizing services carry the highest risk of fraud for you and assign point values accordingly. Other factors may include user behavior, device information, and transaction velocity.
Non-anonymized IP addresses can also be useful for risk scoring because they can generally tell you the geolocation of the user. As merchants will often experience different fraud rates by region, this can be incorporated into your scoring model.
Note that blocking suspicious IP addresses outright can backfire. ISPs often assign IP addresses dynamically, which means that different residential customers will end up using the same IP address on different days. Blacklists should make use of velocity rules so that residential IP blocks expire after enough time has elapsed for the threat to pass. You can take a different approach with VPNs and other professional anonymizers that send you only fraud and never real customers.
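The scoring and expiring-block approach described above can be sketched as follows. This is an added example, not code from the original article: the network table uses constructed documentation-range addresses in place of a real ownership lookup, and the point values, thresholds, and seven-day expiry are assumptions to be replaced with figures from your own fraud history.

```python
import ipaddress

# Constructed lookup data: documentation-range networks standing in for the
# result of a real IP ownership lookup. Categories and points are assumptions;
# derive real values from your own historical fraud data.
NETWORKS = {
    "192.0.2.0/24": "residential",
    "198.51.100.0/24": "vpn",
    "203.0.113.0/24": "tor",
}
CATEGORY_POINTS = {"residential": 0, "hosting": 25, "vpn": 30, "tor": 50, "unknown": 10}
RESIDENTIAL_BLOCK_TTL = 7 * 24 * 3600   # assumed: residential blocks last 7 days
BLOCKED_POINTS = 60                     # assumed: points for a listed address
REVIEW_AT, REJECT_AT = 40, 80           # assumed decision thresholds


def classify(ip):
    """Return the network category for an address, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for cidr, category in NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return category
    return "unknown"


class Blocklist:
    """Blocks on residential IPs expire; blocks on anonymizers do not."""

    def __init__(self):
        self._expiry = {}  # ip -> expiry timestamp, or None for no expiry

    def block(self, ip, now):
        residential = classify(ip) == "residential"
        self._expiry[ip] = now + RESIDENTIAL_BLOCK_TTL if residential else None

    def is_blocked(self, ip, now):
        if ip not in self._expiry:
            return False
        expiry = self._expiry[ip]
        if expiry is not None and now >= expiry:
            del self._expiry[ip]  # the address has likely been reassigned
            return False
        return True


def decide(ip, other_points, blocklist, now):
    """Combine IP points with points from other factors into a decision."""
    score = CATEGORY_POINTS[classify(ip)] + other_points
    if blocklist.is_blocked(ip, now):
        score += BLOCKED_POINTS
    if score >= REJECT_AT:
        return score, "reject"
    return score, "review" if score >= REVIEW_AT else "accept"
```

The `other_points` argument stands for the non-IP factors the article lists, such as user behavior, device information, and transaction velocity.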
You can tell a lot about a user from their IP address, but you usually can’t tell everything you need to know to say conclusively whether or not they’re fraudsters. The insights you can glean from IP address analysis, while significant, should always be considered in light of other factors in order to paint the clearest possible picture about the origins and intentions of a customer who has shown some potential red flags for fraud.
When you’re working out the details of an overall fraud and chargeback prevention strategy—either on your own or with the guidance of professional experts—you will want not only to analyze IP address data, but also record and track it over time to see if any recognizable patterns begin to develop about where your fraud and disputes originate. When you know what the root causes of your chargebacks are, you can come up with a specific plan of action to correct them.