IP Analysis is one of the oldest and most common methods used to detect fraudsters. Let’s see how and why it works.
If you’re reading the words on this page, it’s thanks in part to an IP address. But unlike your home address, you probably have no reason to know it by heart.
And yet, this strange jumble of letters and numbers is, in fact, the key to automatic connection between any device and the Internet. This is true whether you visit a website, send or receive emails, use a chat room, and whether it’s from your phone, laptop or smart fridge.
And as we’ll see in this guide, these addresses can reveal a lot of thanks to IP analysis.
Let’s see how it can help businesses make an educated guess about who their users are, where in the world they are based, and more importantly, what their intentions are.
But first, some useful definitions:
Public and Private IP Addresses
A public IP address is assigned to any device connecting to the Internet by an ISP (Internet Service Provider). It can be a phone or laptop, but also a web server or email server. It is impossible for a device to access a WAN (wide area network) like the Internet without one.
A private IP address is assigned to a device on a local network (LAN). Multiple devices can communicate with each other, usually within the same building.
You’ll find many different analogies used to explain what an IP address is. Some compare it to an Internet passport. Others to a building’s physical address, which allows you to receive information through a postbox.
With that analogy, the public IP lets you receive mail at your place of business. But then, the mail still needs to be sent to the right people in the building, via Private IP addresses (like floor or desk number).
One point that often leads to confusion is that the term “private” in “private IP” doesn’t mean hidden. It simply refers to the fact that it links to a local network, and it’s possible for anyone to find it.
Understanding Public IP Addresses
For our purpose, which is to detect fraudsters, public IP addresses offer a lot more information than private ones. So let’s dive into more detail about how they are created exactly:
- Public IP addresses are generated automatically: they are assigned by your ISP (Internet Service Provider), and you cannot control them. However, you may have the option to use a static IP address (which always remains the same), versus a dynamic public address, which is randomly selected with every new connection. The most valuable ones for fraudsters are residential IP addresses, which can be sold or rented on specific marketplaces and brokerage services.
- Every public IP address must be unique: there can never be two exact same public addresses.
- Every device needs an IP address to connect to the Internet: that includes your phone, tablet, PC, laptop, watch or even smart fridge, if it’s part of the IoT (the Internet of Things).
The last two points are particularly interesting, because it means we could potentially run out of IP addresses. In fact, it’s happened once before when the explosive growth in mobile devices depleted the supply of IP addresses in the old IPv4 format.
This is why a new format had to be created, IPv6. In theory, IPv6 supports a maximum 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, which should hopefully last us a long time.
IP Addresses and Geolocation
Many users first realize that their IP addresses contain useful information after their first encounters with the concept of geolocation. This usually happens because of:
- Targeted ads: digital marketers try to catch your attention by mentioning your local area in their adverts.
Blocked content: Most commonly found on media streaming platforms, where copyrights aren’t universal.
So this is the first key part of a user’s digital footprint that can be gleaned from IP addresses. They can, in theory, reveal where the user is based in the world.
But a few important caveats: first, IP geolocation is a complex process that is outsourced to specialists. The accuracy of the geolocation can vary depending on which database they use. IP2Country, as it’s often called, tends to yield a 95% accuracy. IP2Region (which can be as granular as city and area code), decreases to around 50 – 75% accuracy.
Secondly, you can’t always trust geolocation information. And this brings us to the most important part of IP analysis: understanding when the address has been manipulated.
How Users Hide Their IP Addresses
There are many reasons why someone would want to hide their IP address. Circling back to our examples above, it could simply be to watch a video from a foreign country. It could be to improve their security via added encryption. And of course, it could be for malicious purposes.
Regardless of the why, let’s see how IP addresses are hidden:
- VPNs: or Virtual Private Networks. Increasingly popular tools, which tunnel all traffic from a device towards a server in another location. Different VPNs offer different kinds of IP addresses, such as static, dynamic, or shared.
- TOR: a system designed to maintain user’s anonymity by masking IP addresses. Users download and run a free browser, which passes and encrypts traffic multiple times to hide the original IP address. However, an ISP or fraud detection tool will know if the user connected to TOR’s entry and exit nodes.
- Proxy servers: act as a middle man between a device and a visited website. TOR and VPNs are also considered proxies, even if they redirect all traffic coming from all software and device systems.
Proxy Servers and Socks5
Let’s dive deeper into the world of proxy servers. There are three main types:
- HTTP (which only reroute browser traffic);
- Socks proxies (which can be setup for other applications like games or streaming apps)
- Transparent proxies (usually setup by employers, parents or public companies that want to restrict and monitor traffic.
Proxy servers are easy, cheap and fast to set up, which is why fraudsters rely on them to quickly change IP addresses during multiple attacks. This is called IP spoofing, and anyone can do it in seconds with free services like xroxy.com.
Note that fraudsters favour Socks5 proxies, which are more complex to use, but can improve their chances of passing off as innocent residential users.
Finally, it also helps to be familiar with the concept of proxy ports. These are numbers that refer to specific virtual locations on the connected device. As we’ll see below, it can be useful to understand which ports are available in the context of fraud prevention.
The Key Features of IP Analysis
Now that we understand how IPs work and how people hide their addresses, let’s see what we can gather by analyzing them.
- Geolocation: as we’ve previously seen, a legitimate IP address should reveal where the user is based in the world. It is a basic IP analysis feature, but still useful to see if it matches the card country or if the customer is travelling too fast.
- Internet Service Provider: finding out who the ISP is can help us know if the IP is residential, from a normal residential connection, public library or web server/datacenter. The latter is particularly useful to know as they are often used by bots, VPN providers and TOR exit nodes.
- Open port scan: all proxies tend to have at least one open port, and so do computers functioning as servers. By performing a scan, we can measure how risky the situation appears to be. For instance, some proxy providers resell hacked SSH connections, where port 22 is usually open.
- Spam checklist scan: there are two useful lists called DNSBL (Domain Name System Blackhole List) and RBL (Real-time Blackhole list), which catalog IP addresses used for email spamming. If these IP addresses appear in the analysis, we can suspect the user is fraudulent.
So with these few features we can already tell a lot about a user based on their IP address. Where they are based, what kind of network setup they use to connect online, and whether they appear suspicious or not.
Velocity Rules for IP Usage
So what should you do if you find a suspicious user’s IP address connecting to your system? You could simply block it straight away, but adding that address to a blacklist doesn’t make sense. This is because IP addresses are mostly dynamic, and multiple users could eventually end up sharing them, so you’d end up blocking valid customers.
This is why you can’t just look at the IP address itself, but also their usage via velocity rules. These algorithms look at the patterns and changes of IP address usage over time. For instance, if too many users connected with the same IP address in a short period of time, it will make them more likely to be suspicious.
A Lightweight, Frictionless Tool
One of the key benefits of IP analysis is that it’s extremely lightweight. The online user will have no idea it’s happening in real-time, and their journey will not be slowed down at all.
It’s also low cost, and easy to integrate into a risk assessment workflow, whether it’s done manually or automatically via API.
And at SEON, we even developed an innovative IP analysis tool that works in a couple of clicks directly from your browser.
Enhancing IP Checks With Other Fraud Fighting Tools
As we’ve seen, IP analysis is fast, affordable, and easy to perform. But it’s in no way flawless. While it can indicate suspicious behaviour, it cannot point to fraud with 100% certainty.
This is, in fact, one of the shortcomings of IP analysis: it’s only useful when part of a complete fraud detection solution. When calculating risk, you need as much data as possible. And here, you’ll need:
Always Useful, But Not Always Enough
In conclusion, we can see how IP analysis provides a great baseline for fraud prevention. It’s easy to implement, frictionless and delivers results in real-time.
This is why when you use our full end-to-end fraud detection tool, we recommend you use it at every stage of the user journey, from login to checkout.
It can help you catch suspicious connection changes, highlight the use of spoofing devices, and detect potential bot attacks. But there simply isn’t data available with IP addresses to create precise risk scores or a full digital footprint analysis.