Fraud Prevention

Balancing Privacy And Effective Fraud Detection

December 16, 2021 · 7 min read

The increasing sophistication of fraud attacks requires constant innovation in detection methods. Beyond that, the overall digital ecosystem has also become more and more complex, making the task of defending websites a greater challenge than ever before. One of the emerging challenges is the evolution of privacy laws, standards and features developed by browser vendors or independent focus groups that could ultimately reduce the accuracy of fraud detection products. In this article, we’ll discuss how the situation has evolved over time, the challenge privacy poses to accurate detection, and Arkose Labs’ approach.

The need for privacy

For years, online advertisers, marketers, social media and large tech companies have collected massive amounts of data about their users to understand what system they run, where they are and what they like. With all that data you could pretty much figure out who they are. This data is used for a multitude of purposes, from recommending content to users and enticing them to buy a product to, in the worst case, influencing their opinions. Web security vendors use a data set somewhat similar to that of marketers and online advertisers, but for the purpose of protecting Internet users against fraud and abuse. Because of the lack of guidance or regulation on how the data should be handled, some companies took the liberty to use the data as they saw fit, going as far as selling it to third parties and eventually causing an outcry among consumers demanding more privacy.

Preserving privacy

Governments around the world took the problem seriously and started developing and enforcing new regulations such as GDPR in Europe and CCPA in California. Standardization bodies such as the W3C went further by developing new standards and guidelines on fingerprinting that are to be implemented by browser vendors and website owners to further limit data collection or reduce data granularity. Some privacy focus groups like “EasyPrivacy” or companies like disconnect.me also chip in by developing software that blocks data collection from domains or URLs associated with online advertising or marketing, or simply because it looks like a lot of data is transferred through a URL. Lastly, browser vendors top it off by developing new privacy-preserving features such as Safari’s Intelligent Tracking Prevention (ITP), Firefox’s Enhanced Tracking Protection (ETP) or Chrome’s planned Privacy Budget. Don’t get me wrong, I like my privacy like every other Internet user. I don’t quite like my personal data being misused or sold without my consent, nor do I appreciate an ad following me around the Internet for days after I’ve visited an eCommerce site. But I also like the websites I regularly visit to efficiently protect me against fraud and abuse.

The challenge for web security

Here’s what’s really troubling me: web security companies collect, process and store data responsibly and work hard to comply with regulations like GDPR and CCPA. But that’s just the beginning; we also need to handle the stricter privacy approach enforced by other privacy-focused groups and vendors who don’t always look at why the data is collected and how it’s used. They do acknowledge that these privacy features may cause compatibility issues with sites protected by fraud or bot detection products (the site may not work properly). But in the end, most of the time they leave it up to the user to assess the risk of adding an exception to the tool’s privacy policy. Unfortunately, most Internet users don’t have enough understanding of the ecosystem, the threats and web security in general to make an informed decision. They will most likely trust the tool by default and move on to a different site if the current one is not responding properly because of it. This could have a significant impact on the revenue of an eCommerce site, which in the end is left having to choose between enabling the best privacy experience for its users and preventing their accounts from being taken over.

The privacy pass approach

Industry groups do make an effort to write proposals on how to make the web both private and secure. Take the “Privacy Pass” proposal, for example, which attempts to reduce the data collected from clients by reducing the number of times the user has to solve a CAPTCHA: the idea of giving the client “blinded tokens” after they solve a CAPTCHA, so that they can continue browsing the site without being disturbed, is great. The proposal looked promising until I read the part that specifies that there is no way to verify that the token received actually belongs to the sender. This means that, if implemented, Privacy Pass could actually amplify the effect (and benefit) when attackers use CAPTCHA solver services like “2captcha” or “death by captcha”. Not only would the CAPTCHA farm solve the challenge, but it would also help harvest the blinded tokens to be reused later in an attack.

This weakness in the Privacy Pass design could be partly mitigated by embedding in the token some general characteristics of the client that help verify the site is still talking to the same system: for example the country, the operating system, the browser brand, the browser version and the token creation time. The first four data points form a basic and broad system identifier, and the timestamp would allow us to easily revoke tokens as needed. In my case, these characteristics would be [US, MacOS X, Chrome 86, 1604102971]. This identifies a broad group of users in the US (probably millions). I don’t believe this significantly affects their privacy, especially since these data points are already available from the User-Agent or Client Hints headers in every request. Without these sorts of compromises, the Privacy Pass concept is not viable for web security vendors.
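As an added illustration of the binding-and-revocation check proposed above (this is not Arkose Labs’ code, and not the Privacy Pass protocol itself, which uses blind signatures), the example below issues a token carrying the coarse profile and creation time under an HMAC and rejects tokens that are forged, presented by a different broad system, future-dated or issued before a revocation cutoff. The issuer secret, field names and token format are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed issuer secret for this example only; a real deployment keeps it in an HSM/KMS.
ISSUER_SECRET = b"constructed-example-secret"

def coarse_profile(country, os_name, browser, version):
    """Broad client characteristics shared by millions of users, as the text proposes."""
    return {"country": country, "os": os_name, "browser": browser, "version": version}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(profile, issued_at, secret=ISSUER_SECRET):
    """Bind the coarse profile and the creation timestamp (iat) under an HMAC-SHA256 tag."""
    body = json.dumps(dict(profile, iat=issued_at), sort_keys=True,
                      separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"

def verify_token(token, current_profile, revoke_before, now, secret=ISSUER_SECRET):
    """Return (ok, reason). current_profile is derived from the presenting request's headers."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False, "bad signature"
    claims = json.loads(body)
    iat = claims.pop("iat", None)
    if claims != current_profile:                 # still the same broad system?
        return False, "client mismatch"
    if not isinstance(iat, int) or iat > now:
        return False, "bad timestamp"
    if iat < revoke_before:                       # bulk revocation by creation time
        return False, "revoked"
    return True, "ok"
```

Unlike a blinded token, this HMAC token lets the issuer link issuance and redemption; it demonstrates only the profile-binding and timestamp-revocation checks, not the unlinkability property Privacy Pass aims for.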

The current status quo

To compensate for the effect of privacy policies, web security vendors can either relax their detection policies, making the site more vulnerable to attacks, or keep the same standard of detection but challenge more often, degrading the user experience. In more extreme cases, when communication between the client and the security vendor is blocked, the site may not work properly (the user may not be able to log into their account, for example). So more privacy could, in theory, lead to a degraded user experience or a less accessible and less secure website. I raised the issue before in a privacy focus forum but did not receive the collaboration I was looking for. I believe the solution is for privacy and web security experts to join forces, find common ground and design a solution that is workable on both sides.

Arkose Labs’ approach

At Arkose Labs, we take user privacy seriously and comply with all local regulations. The data we collect is encrypted both in transit and at rest. We use the data responsibly, only for the purpose of providing a security service, researching new attack vectors and developing new detection methods. We dispose of older data regularly and never share it with third parties. We are also fortunate enough to offer alternative modes of detection (transparent and interactive). Click here if you’d like to learn more about how we can help your business navigate this evolving landscape.