use of routing information in anti-fraud mechanisms

Tue Nov 29 13:57:48 UTC 2005

On Tue, Nov 29, 2005 at 12:22:45PM +0000, Jimmy Wales wrote:
> Geoffrey Goodell wrote:
> > I do not have other cards, and my card works everywhere else.  A little
> > online investigation suggests that Paypal outsources its card
> > verification process to an overzealous company called CyberSource, and
> > there are many false positives.
> 
> Why do you call them overzealous?  If they are actually overzealous then
> they will lose money for their customers (on average) and ultimately
> lose business.  But I rather suspect that they are making money for
> their customers (on average).
> 
> My point, which ought not to be surprising given what I usually say, is
> that we should not be too complacent that people who are blocking Tor
> are just being overzealous or stupid or anti-privacy.  It can make
> sense, and part of our job is to figure out how to help it not make sense.

First, Tor is an experimental overlay network, and it has been (rightly)
designed to be easy to flag and block.  While it is certainly possible
that CyberSource is rejecting my card because I am connecting from an IP
address that is known to host a Tor node, I do not believe this to be
the case.  Having read the various articles and documents from my
previous post, I am inclined to believe that CyberSource simply noticed
that my card had a billing address in Cambridge, Massachusetts, USA,
while my source IP address corresponded to an ISP that was located
nowhere near Cambridge, Massachusetts, USA, and based upon these
observations, CyberSource concluded that I am most likely a fraud.

Use of location information may indeed serve as a moderately effective
technique in stopping the more irresolute cyberfrauds who do not bother
using the very same geolocation techniques to choose a source IP address
whose corresponding geographic location is close to the billing address
of the card.  On the surface such an approach appears to be a rather
obvious and harmless step for those of us interested in cracking down on
fradulent activity.  Sure, this is an arms race, but sometimes
participating in an arms race is the best option we have, right?  In
this case I am not so sure.

I call the use of location information "overzealous" because it tramples
the end-to-end principles upon which the Internet was built.  There is a
very real sense in which use of location information permanently tethers
us to an infrastructure in which access to Internet resources is a
function of how we are connected rather than how we have identified
using end-to-end methods, and this poses a challenge to maintaining the
global consistency of the Internet that we have come to expect.
Suddenly "Internet access" means something radically different when
offered in Russia rather than Germany or when offered in Brazil rather
than the US.  Inevitably, this technical reality opens the door for
hackish VPN-style solutions to make people appear to be somewhere else
in order to get the Internet access they really want, and such solutions
are expensive both in terms of setup cost and performance.  Do we really
want to promote this future, especially when it hurts legitimate users
more than it hurts true frauds in the long run?  I think that we do not,
and I see the use of location information in infrastructure services as
one of the greatest challenges to maintaining Internet consistency over
the next decade.

Geoff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20051129/4df8a9d3/attachment.pgp>