Re: [WEB SECURITY] Ways To Identify Returning Web Visitors
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Ways To Identify Returning Web Visitors
- Date: Fri, 11 Jul 2008 12:31:45 -0500
Nathanael Hoyle wrote on 7/10/2008 9:22 PM:
Rather than trying to exclude certain computers, however, I would look
at user accounts. If users are performing transactions, they reasonably
would need to identify themselves to the system. Make the sign-up
process non-trivial enough and people may tire of it:
Another method would be to profile user behavior and see if you can find one or more metrics that help identify users more likely to be fraudsters. For example, for all new users, if you look at total time spent on the site before the transaction is initiated, perhaps legitimate users spend at least 10 minutes and fraudulent users spend less time than that. That way, if you suspect the transaction may be fraudulent, you can flag it and have someone call or perform some other double-check before fulfilling the order. Or maybe you can whitelist any user that reviews your return policy page, as perhaps the fraudsters never look at it.
Get creative, keep careful metrics, and mark each transaction as legitimate or fraudulent as you find out. That way, you can try any new profiling method on historical data to see the success rate.
- Bil
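As an added example (not code from the thread or from any list member), here is a small Python implementation of the two rules Bil describes (hold a transaction for review when a new user initiated it less than 10 minutes after their first page view, unless they read the return policy page) together with the backtest he recommends: running the rule over historical transactions that were later marked legitimate or fraudulent and counting hits and misses. The sessions, the outcomes, the `/returns-policy` path and the 10-minute cutoff are all constructed assumptions.

```python
from datetime import datetime

# Assumed thresholds, taken from the post: legitimate users spend at least
# 10 minutes on the site before a transaction; readers of the return policy
# page are treated as legitimate. The path itself is hypothetical.
MIN_MINUTES_BEFORE_TXN = 10
RETURN_POLICY_PATH = "/returns-policy"

def ts(h: int, m: int) -> datetime:
    """Build timestamps for the constructed sample data (one fixed day)."""
    return datetime(2008, 7, 11, h, m)

# Constructed sample sessions: list of (path, view time) plus transaction start.
SESSIONS = {
    "u1": ([("/", ts(9, 0)), ("/item/42", ts(9, 3)), ("/cart", ts(9, 14))], ts(9, 15)),
    "u2": ([("/item/42", ts(9, 30)), ("/cart", ts(9, 31))], ts(9, 32)),
    "u3": ([("/", ts(10, 0)), (RETURN_POLICY_PATH, ts(10, 2)), ("/cart", ts(10, 3))], ts(10, 4)),
    "u4": ([("/item/7", ts(11, 0)), ("/cart", ts(11, 20))], ts(11, 25)),
}

# Constructed ground truth recorded after fulfilment, as the post recommends.
OUTCOMES = {"u1": "legit", "u2": "fraud", "u3": "legit", "u4": "fraud"}

def minutes_before_txn(views, txn_at) -> float:
    """Minutes from the user's first page view to the start of the transaction."""
    first = min(t for _, t in views)
    return (txn_at - first).total_seconds() / 60

def flag_for_review(views, txn_at) -> bool:
    """True if the transaction should be held for a manual double-check."""
    if any(path == RETURN_POLICY_PATH for path, _ in views):
        return False  # whitelisted: the user read the return policy
    return minutes_before_txn(views, txn_at) < MIN_MINUTES_BEFORE_TXN

def backtest(sessions, outcomes) -> dict:
    """Apply the rule to labelled history and tally the confusion matrix."""
    counts = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for user, (views, txn_at) in sessions.items():
        flagged = flag_for_review(views, txn_at)
        fraud = outcomes[user] == "fraud"
        if flagged and fraud:
            counts["true_positive"] += 1
        elif flagged:
            counts["false_positive"] += 1
        elif fraud:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts
```

The tally on the sample data (one fraud caught, one missed, no legitimate order held) is the kind of success-rate figure the post suggests comparing across candidate profiling rules.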
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org