Digital masks are the next big thing in online fraud. Watch out, because they're hard to protect against.
Online fraud detection mainly involves looking for discrepancies. Noticing things that don't fit the pattern. For example, maybe a user has always signed in from the same IP address between the hours of 6pm and 9pm. Then you see the user sign in from a new IP address at 3am. That's suspicious, and there's a good chance it's fraud. This is how fraud is usually identified, using machine learning algorithms.
But what if a fraudster was more sophisticated than that? What if a fraudster replicated the usual IP address and sign in time? It's possible for a fraudster to replicate every characteristic of a real user. It's also possible for all the characteristics of a real user to be packaged up into a file for fraudsters to load up as their own digital identity. Security researchers call that a "digital mask."
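The discrepancy check described above, and the way a digital mask gets past it, can be shown in a few lines. This is an added example, not GunTab's code: the sign-in history is constructed, the IP addresses are documentation addresses, and the function names and the `review_action` policy are hypothetical.

```python
# Constructed sign-in history for one user: (source IP, local hour 0-23).
# 203.0.113.10 and 198.51.100.77 are documentation addresses, not real hosts.
HISTORY = [("203.0.113.10", h) for h in (18, 19, 19, 20, 20, 21, 18, 20)]

def build_profile(history):
    """Summarise past sign-ins as the sets of IPs and hours already seen."""
    return {"ips": {ip for ip, _ in history},
            "hours": {hour for _, hour in history}}

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def discrepancies(profile, ip, hour, hour_tolerance=1):
    """Return the reasons a sign-in does not fit the user's pattern."""
    if not profile["hours"]:
        return ["no_history"]  # nothing to compare against yet
    reasons = []
    if ip not in profile["ips"]:
        reasons.append("new_ip")
    nearest = min(hour_distance(hour, seen) for seen in profile["hours"])
    if nearest > hour_tolerance:
        reasons.append(f"unusual_hour(+{nearest}h)")
    return reasons

def review_action(reasons):
    """Map discrepancies to a next step (hypothetical policy)."""
    if not reasons:
        return "allow"
    return "step_up" if len(reasons) == 1 else "manual_review"

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    samples = {
        "usual evening sign-in": ("203.0.113.10", 19),
        "new IP at 3am": ("198.51.100.77", 3),
        "replayed attributes (digital mask)": ("203.0.113.10", 20),
    }
    for label, (ip, hour) in samples.items():
        reasons = discrepancies(profile, ip, hour)
        print(f"{label:36} {review_action(reasons):14} {reasons}")
```

The third sample produces no discrepancies at all, because every attribute the check looks at has been copied from the real user. That is why attribute matching needs to be backed by controls that do not depend on the sign-in looking unusual.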
According to IEEE:
Digital masks are unique combinations of a user’s device fingerprint ... and their personal behavioral attributes... The unique complexity of each user plays a key role in cybersecurity today, with companies relying on machine learning–based algorithms to weed out fraudulent transactions.
These masks can be purchased online. They vary in how complete they are. A mask with only a few details (IP address and typical sign in times) might sell for a few dollars. A mask with lots of details, including email account access and a credit card number, might sell for a hundred dollars. In many cases these masks are downloadable files. You can load one into your browser to instantly change your digital appearance to look like your target. This level of sophistication is difficult to combat:
“We see a clear trend of carding fraud increasing around the world,” says Sergey Lozhkin, a senior security researcher with Kaspersky Lab’s Global Research & Analysis Team, “[but] while the industry invests heavily in anti-fraud measures, digital doppelgängers are hard to catch.”
So far GunTab is successfully protecting against digital masks. We wanted to share some tips on how we're doing it. Our strategy involves layering protections:
- Analyzing user behavior both manually and using a variety of third-party tools
- Engaging with users that exhibit abnormal behavior
- Holding funds in escrow until delivery is confirmed
In other words, GunTab is very proactive in protecting against fraud. We aren't shy about manual interventions like social media searches and phone calls. Yes, manual interventions are more expensive and difficult than automated flags. But machine learning algorithms can only go so far – and less far than usual, when pitted against digital masks.
GunTab also uses common fraud obstacles like bank account verifications and ID submissions. These are hurdles that are fairly easy for real users to jump, but fairly hard for fraudsters. For particularly suspicious transactions they can be enforced in series. However, while these hurdles are challenging and demoralizing for fraudsters, they can be the same for authentic users who accidentally raised our suspicion. (For example, maybe our user was up at 3am while taking care of a baby.) We try to be very careful not to interfere with our legitimate buyers and sellers. We see fraudsters a bit like terrorists – they win if they stop honest folks from doing business, and we refuse to let them win.
We are happy to say that since our first transaction in 2015 we've managed to be 100% successful in protecting our users from fraud. We are really proud of that, and we're hugely thankful for all our great users who helped make that possible. But we think it is critical to stay proactive with security technology and processes. If there is one lesson to take from the advent of digital masks, it is that fraudsters are always innovating, so we must always be doing the same.
If you have found success combatting online fraud, especially of the sophisticated "digital mask" variety, please share your tips below. And if you are a consumer, please do everything you can to keep your identity secure. That's for your sake as well as ours!