How Cyber Thieves Hide Their Identity and How to Spot Them
Web Commerce Today, Issue 39, October 15, 2000
Cyber crooks can be very intelligent, or they can be stupid. You may be able to catch the stupid ones and report them to law enforcement. You may not catch the smart ones, but you can often detect their activity quickly enough to keep your business from being bilked, by checking their "fingerprints."
Computer Fingerprints
Every time a visitor comes to your website, your web server's traffic logfile records each of their steps. To get the pages and graphics from your website to the visitor's computer, each "hit" (a request for a webpage or graphic) arrives with the identifying number of the visitor's computer, called the IP number or IP address. An IP address (IPv4, the kind in use here) consists of four numbers, each from 0 to 255, separated by dots. For example, the IP address of WilsonWeb.com is 192.41.8.139. You can reach my site by just using my IP address. (That works because the site has an address of its own; a site that shares one address with other sites under name-based hosting would not answer that way.)
Every computer connected to the Internet has an IP address, including yours, if you are online right now. If you have dial-up modem access through an Internet Service Provider (ISP), you are automatically assigned an IP address from the pool of numbers owned by your ISP, and you keep it as long as you are online. Once you disconnect, the address goes back into the pool and can be assigned to someone else a few seconds or minutes later. DSL and ISDN connections often keep a single, fixed IP address, and the picture gets more complex from there (a whole office may share one address, for instance). Either way, the logfile for my site shows your IP address and the time of connection. If you were committing fraud against me, I could trace the IP address to your ISP, and the ISP's own logfiles would show who was assigned that address at the time the crime took place. Because dial-up addresses are recycled so quickly, the timestamp is as important as the address itself: an ISP can only answer "who had this address?" for a specific moment, so your server's clock must be accurate. The IP address is a kind of fingerprint.
Fingerprinting Each Shopper
I believe it is prudent to capture the IP address of each shopper who makes a transaction. It's pretty easy to accomplish -- your programmer will know how to do it. Here's a line of Perl code that copies the IP address from the CGI environment into a variable called $ip_address:
my $ip_address = $ENV{'REMOTE_ADDR'};   # REMOTE_ADDR is set by the web server from the TCP connection
If you are able, record the IP address in your database along with the order information, and with the time of the order, since dial-up addresses are reassigned within minutes. That way, if you later find out the order is fraudulent, you have a starting point for investigation and prosecution.
However, the fact that each computer has its own IP address (even if only temporarily) does not mean that the IP address you record will be the thief's IP address.
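The capture step above, written out as an added example in Python rather than the article's Perl (this is not the article's own code): it validates that REMOTE_ADDR is a well-formed dotted quad, stores it with a UTC timestamp so the ISP can later be asked who held the address at that moment, and keeps any headers through which a relaying proxy announces itself. The record layout, the constructed CGI environments and the 192.0.2.x addresses are assumptions made for this demonstration.

```python
"""Record the shopper's address fingerprint at order time (added example in
Python rather than the article's Perl; the record layout and the sample CGI
environments are assumptions made for this demonstration)."""
import re
from datetime import datetime, timezone

_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Headers an ordinary relaying proxy adds.  Anonymizing proxies deliberately
# omit them, and a client can forge them, so they are clues, never proof.
PROXY_HEADERS = ("HTTP_VIA", "HTTP_X_FORWARDED_FOR")


def is_dotted_quad(addr):
    """True if addr is an IPv4 address: four decimal numbers 0-255 with dots."""
    m = _DOTTED_QUAD.match(addr or "")
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def capture_fingerprint(environ, now=None):
    """Build the record to store beside the order.

    environ is the CGI environment (os.environ in a real script).  The web
    server fills REMOTE_ADDR from the TCP connection itself, so unlike any
    header it cannot simply be typed in by the shopper.
    """
    addr = environ.get("REMOTE_ADDR", "")
    if not is_dotted_quad(addr):
        raise ValueError("REMOTE_ADDR missing or malformed: %r" % addr)
    stamp = now or datetime.now(timezone.utc)
    return {
        "ip_address": addr,
        # Dial-up addresses are reassigned within minutes, so the ISP can only
        # answer "who had this address?" if you also tell them exactly when.
        "timestamp_utc": stamp.isoformat(),
        "proxy_clues": {h: environ[h] for h in PROXY_HEADERS if environ.get(h)},
    }


# Constructed CGI environments (assumptions): a direct dial-up visitor and one
# arriving through a proxy that announces itself.
DIRECT_ENV = {"REMOTE_ADDR": "192.0.2.10", "HTTP_USER_AGENT": "Mozilla/4.0"}
PROXIED_ENV = {"REMOTE_ADDR": "192.0.2.20",
               "HTTP_VIA": "1.0 cache.example.net",
               "HTTP_X_FORWARDED_FOR": "192.0.2.77"}

if __name__ == "__main__":
    for env in (DIRECT_ENV, PROXIED_ENV):
        print(capture_fingerprint(env))
```

The absence of proxy headers proves nothing, and the Anonymizer-style services discussed below strip them on purpose; the one field the shopper cannot type in is REMOTE_ADDR, which is why it is the value to store.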
Hiding an IP Address
I hesitate to share how thieves hide an IP address, but you have a need to know. (I share this information only with paid subscribers who are merchants, developers, and consultants. This information is only available in password-protected areas on my site.)
We enter the arcane world of proxy servers. A "proxy" is "the agency, function, or office of a deputy who acts as a substitute for another." A proxy server fetches web pages on behalf of its users, so the website sees the proxy's address rather than the user's. Companies commonly run one as part of a firewall, restricted to users inside the company. But there are many proxy servers that are open for anyone to use, sometimes by design, but often because the system administrator has not closed the hole.
It is possible for a thief to hide his IP address by routing his requests through such a proxy server: your logfile then records the proxy's address, not his. A well-known one is the advertising-supported Anonymizer. http://www.anonymizer.com It is a bit slow, since everything goes from the user's browser through Anonymizer and then to the target website, then back through Anonymizer and finally to the user's browser.
One complication for thieves, however, is that most proxy servers keep their own logs, and those logs show the thief's actual IP address, time of day, websites visited, etc. In other words, if the thief commits a crime through a proxy server, there is still a trail leading to his identity. Thieves seek to cover their tracks in two ways:
(1) Proxy Server Chaining. A thief can configure his connection so that a web transaction passes through two or three proxy servers in turn. His identity can then be recovered only if every log back along the chain can be obtained, which minimizes the chance of success; if he constantly changes one or two links in the chain, tracing him becomes extremely difficult. The trade-off is that every extra proxy slows everything down for the thief, and a single proxy is far less complicated to use.
(2) Third World Proxy Servers. If the thief uses a proxy server on a computer in Southeast Asia or Eastern Europe, not only do language barriers stand in the way of obtaining the proxy server's logs, but local law enforcement agencies may not cooperate either. If a crook is careless enough to use a proxy server whose administrator will cooperate with the merchant or the police, you may be able to identify him, and perhaps prosecute.
You can learn more than you ever wanted to know about all this from an article on a Russian website entitled "Hiding Your IP Address or Anonymous Internet Surfing HOWTO." http://mvlad.newmail.ru/howto.htm
Unscrambling an IP Address
Even though a thief may not use his own IP address for his dirty work, you can often spot him by an inappropriate IP address. The first step is to convert the shopper's IP address to a host name with a reverse DNS lookup; the domain name is the tail of that host name. The CGI environment variable REMOTE_HOST is supposed to contain this, but most web servers fill it in only if they are configured to do a reverse lookup on every hit, so it is often empty. I use a subroutine called addr_to_host.pl which is found on the CD in the CGI/Perl Cookbook (Wiley, 1997), pp. 472-474. http://www.amazon.com/exec/obidos/ASIN/0471168963/wilsoninternetse This method usually succeeds in giving a host name; it fails when the address has no reverse DNS entry at all. When it doesn't work, I can find out roughly where the IP address is located geographically by using a program called traceroute. This can be run from Windows computers in this fashion:
- Open the MS-DOS prompt from your "Start" menu.
- At the C:\WINDOWS> prompt, type TRACERT followed by the IP address and press Enter.
Example:
C:\WINDOWS>tracert 192.41.8.139
The program then lists the path from your computer to the computer with that IP address, one "hop" per line; the host names of the last few hops often identify the network that owns the address and its geographical area. Traceroute tells you where an address sits on the network, not who was using it at the time.
A third way to determine the location and owner of an IP address is a WHOIS search at one of the three regional IP address registries:
- Asia Pacific: Asia Pacific Network Information Centre (APNIC) http://www.apnic.net/search/
- The Americas and Sub-Saharan Africa: American Registry for Internet Numbers (ARIN) http://www.arin.net/whois/
- Europe, Northern Africa, and the Middle East: Réseaux IP Européens Network Coordination Centre (RIPE NCC) http://www.ripe.net/cgi-bin/whois
WHOIS tells you which ISP or organization the block of addresses is assigned to, and how to contact them, not which individual customer was using the address at a given time; for that you still need the owner's logs.
Protecting Yourself from IP Spoofing
I print the IP address and the resolved host name on the customer's e-mail acknowledgement of purchase, a copy of which also goes to the merchant. Before fulfilling the order I always check the domain name derived from the purchaser's IP address. Here's what to look for:
- Does the domain name correspond to the purchaser's e-mail address? Then it's probably okay, unless the purchaser has given you a "free" e-mail address such as Yahoo.com. I don't accept "free" e-mail addresses, since it's too easy for fraudsters to hide their identity behind them. You can obtain a comprehensive list of these by subscribing to an annual service at TJ Walker's Anti-Fraud.com. http://www.antifraud.com/
- Does the domain name belong to a common consumer ISP (AOL, earthlink.com, compuserve.com, etc.)? A dial-up customer's address at such an ISP is not something a thief can use as a proxy server, so the address is probably the shopper's own and no hiding is going on.
- Does the domain name indicate a different country from the purchaser's address? This is a big red flag. Occasionally it is due to a company with branch offices in your country, but be very careful here.
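The reverse lookup from "Unscrambling an IP Address" and the three checks just listed, as one added example in Python (not the article's Perl, and not the addr_to_host.pl routine it cites). In production the resolver is reverse DNS through socket.gethostbyaddr; the PTR table, the short free-mail and consumer-ISP lists, the country-code table and the sample orders are constructed for this demonstration, as are the 192.0.2.x addresses. The verdicts follow the article's policy: free e-mail addresses are rejected, a country mismatch or an unresolvable address goes to manual review.

```python
"""Screen an order by where its IP address resolves (added example in Python,
not the article's Perl).  In production the resolver is reverse DNS
(socket.gethostbyaddr); the PTR table, free-mail list, ISP list, country table
and sample orders below are constructed for this demonstration."""
import socket

# Stand-ins for the lists a merchant would maintain or buy (assumptions).
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}
CONSUMER_ISP_DOMAINS = {"aol.com", "earthlink.net", "compuserve.com"}
# Two-letter country-code TLDs to ISO country codes; a few entries suffice here.
CCTLD_COUNTRY = {"us": "US", "uk": "GB", "ru": "RU", "ro": "RO", "kr": "KR"}
# Second-level labels under which many ccTLDs register names (demon.co.uk).
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def reverse_lookup(ip):
    """Host name for ip from reverse DNS, or None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def registrable_domain(hostname):
    """'dialup-12.demon.co.uk' -> 'demon.co.uk'; 'user.aol.com' -> 'aol.com'."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def country_from_hostname(hostname):
    """ISO country implied by a country-code TLD, or None for .com/.net/etc."""
    tld = hostname.rsplit(".", 1)[-1].lower()
    return CCTLD_COUNTRY.get(tld) if len(tld) == 2 else None


def screen_order(order, resolver=reverse_lookup):
    """Apply the article's three checks to one order.

    order: {"ip": ..., "email": ..., "country": ISO code of the billing address}
    Returns {"hostname": ..., "flags": [...], "verdict": accept|review|reject}.
    """
    flags = []
    hostname = resolver(order["ip"])
    email_domain = order["email"].rsplit("@", 1)[-1].lower()
    if email_domain in FREE_MAIL_DOMAINS:
        flags.append("free_mail_address")
    if hostname is None:
        flags.append("no_reverse_dns")
    else:
        domain = registrable_domain(hostname)
        origin_country = country_from_hostname(hostname)
        if origin_country and origin_country != order["country"].upper():
            flags.append("country_mismatch:%s" % origin_country)
        if domain == email_domain:
            flags.append("domain_matches_email")
        elif domain in CONSUMER_ISP_DOMAINS:
            flags.append("consumer_isp:%s" % domain)
        else:
            flags.append("unrecognized_origin:%s" % domain)
    if "free_mail_address" in flags:
        verdict = "reject"  # the article's own policy
    elif hostname is None or any(
            f.startswith(("country_mismatch", "unrecognized_origin")) for f in flags):
        verdict = "review"
    else:
        verdict = "accept"
    return {"hostname": hostname, "flags": flags, "verdict": verdict}


# Constructed reverse-DNS answers and orders for the demonstration (assumptions).
SAMPLE_PTR = {
    "192.0.2.1": "dialup-12.demon.co.uk",
    "192.0.2.2": "user-34.dialup.aol.com",
    "192.0.2.3": "cache.open-proxy.example.ro",
    "192.0.2.5": "www.someuniversity.kr",
}
SAMPLE_ORDERS = [
    {"ip": "192.0.2.1", "email": "pat@demon.co.uk", "country": "GB"},
    {"ip": "192.0.2.2", "email": "lee@example.com", "country": "US"},
    {"ip": "192.0.2.3", "email": "x@yahoo.com", "country": "US"},
    {"ip": "192.0.2.4", "email": "sam@example.com", "country": "US"},
    {"ip": "192.0.2.5", "email": "kim@example.com", "country": "US"},
]


def screen_samples():
    """Run every sample order against the constructed PTR table (no network)."""
    return [screen_order(o, resolver=SAMPLE_PTR.get) for o in SAMPLE_ORDERS]


if __name__ == "__main__":
    for order, result in zip(SAMPLE_ORDERS, screen_samples()):
        print(order["ip"], result["hostname"], result["verdict"], result["flags"])
```

The country check only fires when the host name ends in a country-code TLD; a .com or .net host name says nothing about location, which is exactly the case where the traceroute and WHOIS steps above earn their keep. The domain-matching is deliberately crude (two labels, or three under co/com/net-style second levels) and will misjudge some national registries; treat "unrecognized_origin" as a prompt to look, not a verdict.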
Now all this may seem like overkill -- and it is if you aren't having serious fraud problems. But if fraud is beginning to bite you, checking where each order's IP address comes from is a way to protect yourself from being swindled. Strictly speaking, what you are detecting is proxy use rather than IP spoofing: a forged source address cannot normally complete the two-way connection needed to place a web order, so the address in your log is real; the question is whether it belongs to the shopper or to a relay he is hiding behind.

