Locking Down, Online

Posted on by Chief Marketer Staff

Fraud. This one word can generate sheer terror in promotion managers. When it comes to sweepstakes, contests and games that rely on the Internet or telecommunications technologies, the integrity of the promotion is paramount. True, an innovative contest or game occasionally achieves extraterrestrial results and is discussed in reverent tones years later. More commonly, clients are satisfied when the consumer has a positive experience and the promotion advances marketing objectives. But fraud is a gruesome train wreck with lasting and expensive outcomes.

Exactly how gruesome? First, consider the fact that somebody is likely to pay for being asleep at the switch, and while one person might have violated the rules, somebody else (perhaps somebody under your supervision) was careless. Second, fraud wreaks havoc on client relationships. After all, the client entrusted you with the integrity of the promotion, and if you can’t handle a 15-year-old prankster in Bangkok, you should have said so before accepting the responsibility. Third, the meter just turned on at the law firms selected to handle the internal investigation and pending lawsuits. Hours of depositions and detailed analysis can exceed the total cost of the promotion within weeks. Finally, various state and federal authorities will probably put the promotion under a microscope faster than you can say “but wait, there’s more.” If the prospect of an interview with state law enforcement doesn’t thrill you, keep reading.

There are three ways to protect digital promotions from fraud. First, preventative measures include technical steps that can be implemented within the system itself so that common fraud attempts are thwarted via structure or design. For example, a sweepstakes that permits Internet-based entries should be designed to accept only genuine Internet protocol transmissions and not unrecognized data. Second, proactive measures include observation tools such as pattern-recognition and data analysis programs, as well as human oversight, to monitor a contest while it is running. A contest might establish a pattern of 3,000 entries per week, for instance, and unusually high volume would be worthy of further investigation. Third, counter-measures can help defeat identifiable fraud attempts. To illustrate, a telephone signal trap might indicate that one person is dialing a promotion more frequently than the rules allow; an appropriate counter-measure might include blocking that phone number. In total, these measures not only help prevent digital fraud, but they also help safeguard the validity of your data and can ease your fulfillment costs and processes.

Prevention

When planning promotions, account for fraud in your development roadmap. Assume that some people are going to try to bend the rules, exploit your system or disrupt gameplay for everyone. Ask yourself: How many ways exist to get around the rules or disrupt the system? The answer begins with acknowledging the true nature of digital promotions systems.

At a fundamental level, a digital promotions system is primarily a data collection and analysis program. Therefore, the cardinal rule of software application programming applies: never trust your input data. Consumers often innocently mistype data on an entry form. Malicious users will intentionally try to exploit buffer overflows [1] or attempt SQL injection [2] attacks on poorly constructed applications. If possible, validate consumer inputs such as a unique code that appears on the product label against a list of valid entry data (e.g. a list of participating unique codes), or apply a verification code to the input data before doing anything else. Whether invalid inputs arise by mistake or fraud, don’t give the user too much information about the error because this could give away valuable information about the internal structure of the application. There is a major difference between an error message that states, “Sorry, we did not recognize the number you entered, please try again,” and “Microsoft SQL error 7890-212.”

Next, let your rules dictate your data structures and ask your database to do some of the heavy lifting for you. Unique constraints or check clauses in the database avoid the need for extra software code that could contain flaws, and furthermore, they are structural and cannot be circumvented. For example, rather than writing routines to check if someone has already entered an e-mail address for the day, add a unique constraint to the database that requires e-mail and the date. Database vendors such as Oracle and Microsoft have larger technology budgets than nearly any development team you will encounter, and you should use their hefty investments to your advantage.
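An added example (not code from the article or from Ascent Marketing Partners) that combines the two preceding points: inputs are normalized and checked against a constructed list of participating label codes, every rejection returns the same generic message while the real reason is kept for the server log, and the one-entry-per-e-mail-per-day rule lives in a UNIQUE constraint rather than in application code. The rule that each label code may be redeemed only once is an assumed extra rule, not one the article states.

```python
import sqlite3

# Constructed sample of the "participating unique codes" printed on product labels
VALID_CODES = {"A7K2-9QX1", "B3M8-44TZ", "C1P0-7RRD"}

# One generic message for every rejected entry; the real cause goes to the server log only
GENERIC_ERROR = "Sorry, we did not recognize the number you entered, please try again."


def open_entry_db():
    """In-memory promotion database; the rules live in the schema, not in code paths."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE entries (
            id         INTEGER PRIMARY KEY,
            email      TEXT NOT NULL CHECK (email LIKE '%_@_%.__%'),
            entry_date TEXT NOT NULL,
            code       TEXT NOT NULL,
            UNIQUE (email, entry_date),   -- one entry per e-mail address per day
            UNIQUE (code)                 -- assumed rule: each label code redeemed once
        )
        """
    )
    return conn


def normalize_email(raw):
    """Trim and lowercase so 'Joe@Example.com ' and 'joe@example.com' hit the same constraint."""
    return raw.strip().lower()


def submit_entry(conn, raw_email, raw_code, entry_date):
    """Validate the entry, then let the database enforce the rules.
    Returns (accepted, public_message, internal_reason_for_the_log)."""
    email = normalize_email(raw_email)
    code = raw_code.strip().upper()
    if len(email) > 254 or len(code) > 16:
        return False, GENERIC_ERROR, "oversized input"
    if code not in VALID_CODES:
        return False, GENERIC_ERROR, "code not on participating list"
    try:
        # Parameterized statement: e-mail and code are never spliced into the SQL text
        conn.execute(
            "INSERT INTO entries (email, entry_date, code) VALUES (?, ?, ?)",
            (email, entry_date, code),
        )
    except sqlite3.IntegrityError as exc:
        # UNIQUE or CHECK violation: the database, not extra code, rejected the entry
        return False, GENERIC_ERROR, f"constraint rejected entry: {exc}"
    return True, "Thanks, your entry has been received.", "accepted"
```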

Finally, attempt to assign a unique identifier to each entrant. The system will recognize “Joe Smith” as a unique individual entering the promotion, no matter how many others also enter the name “Joe Smith.” Unique identifiers not only help prevent fraud, but they are also useful for general Web usage reporting. Most commercial Web site reporting packages (WebTrends and NetTracker are two popular choices) or application servers (such as WebLogic, WebSphere or ASP.NET) offer a tag that can help you give unique identifiers to visitors. This tag, often stored in a cookie, can help identify users that are entering multiple e-mail addresses, different phone numbers and so forth. Bear in mind three concerns when relying on cookies. First, balance performance concerns against data tracking. In other words, cookie generation for unique identifiers adds extra processing demands that may cause the application to slow down. Thousands of consumers, each receiving a cookie, could cripple a promotion for a period of time. These and other performance risks should be analyzed during test phase. Second, keep in mind that any data such as cookies that are sent to an entrant can be analyzed, examined and ultimately, altered. Because a cookie resides on the consumer’s computer, a sophisticated cheater can gain valuable insights to the promotion in order to seek an unfair advantage. Third, make sure that the promotion sponsor permits the use of cookies and has publicized this in its privacy policy. The use of cookies in violation of a stated privacy policy can cause numerous problems.
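An added example, not the article's own code, showing one way to address the second cookie concern above: the visitor identifier is random rather than sequential and carries an HMAC tag computed with a server-side secret (the secret value here is constructed), so an altered cookie is recognized and discarded instead of trusted.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in production load it from configuration and never send it to the client
COOKIE_SECRET = b"constructed-demo-secret-rotate-me"


def _sign(visitor_id, secret):
    """HMAC-SHA256 tag over the identifier; only the server holds the secret needed to produce it."""
    return hmac.new(secret, visitor_id.encode(), hashlib.sha256).hexdigest()


def issue_visitor_cookie(secret=COOKIE_SECRET):
    """Random (not guessable, not sequential) identifier plus its tag, e.g. 'Qk3...x.3f9a...'."""
    visitor_id = secrets.token_urlsafe(16)      # URL-safe alphabet, never contains '.'
    return f"{visitor_id}.{_sign(visitor_id, secret)}"


def read_visitor_cookie(cookie, secret=COOKIE_SECRET):
    """Return the visitor id if the tag verifies; otherwise None, so the entrant is
    treated as unidentified and gets a fresh cookie rather than a trusted, edited one."""
    if not cookie or "." not in cookie:
        return None
    visitor_id, _, tag = cookie.rpartition(".")
    # Constant-time comparison so the check itself leaks nothing about the expected tag
    if not visitor_id or not hmac.compare_digest(tag, _sign(visitor_id, secret)):
        return None
    return visitor_id
```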

Proactivity

Do you know who is entering your contest? Frequent usage reports will help inform the sponsor about usage patterns, and can also help identify suspicious activity. Pre-promotion testing can identify gaps in your monitoring capabilities; running full lifecycle simulations of your promotion systems is a sound business practice that will help pinpoint capacity limits, volume benchmarks and targets.

Second, be prepared to answer the inevitable claims from entrants who all seem to have won the grand prize (e.g. “I saw the winning message on my computer screen, just moments before a lightning bolt killed my Internet connection!”). The importance of precise entry logs cannot be overstated. Entry logs capture every piece of data coming into, and flowing out of, the system. Most Web server log files, however, will not offer enough data “out of the box” to help you audit your application. The ability to accurately recreate entry data at any given date and time, and for any given entrant, can help reduce fraudulent prize claims and help reassure sponsors that over-redemption will be minimized or eliminated from the promotion.

Third, incorporating even simple pattern recognition capabilities in the monitoring software can help alert you to fraudulent activity before any claims are made for prizes. If a list of suspicious activity is built during the promotion, the fulfillment team has an excellent tool at their disposal for ensuring that valid winners are segregated from cheaters and “false winners” (people who fraudulently claim to have won a prize).
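An added example, not from the article, of the simple pattern recognition described above run over a constructed entry log: it lists visitor identifiers (the cookie value) seen with an implausible number of e-mail addresses, hours whose volume exceeds a multiple of the baseline measured in testing, and gives the per-entrant, per-day audit view needed to check a prize claim. The flagged visitors are the "list of suspicious activity" the fulfillment team and the counter-measures below rely on; the log format and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed entry log: timestamp, visitor id (from the cookie), e-mail, client IP, outcome
ENTRY_LOG = """\
2024-03-01T10:02:11Z,v1,ann@example.com,203.0.113.5,accepted
2024-03-01T10:05:40Z,v2,bob@example.com,203.0.113.9,accepted
2024-03-01T10:06:02Z,v7,joe@example.com,198.51.100.7,accepted
2024-03-01T10:06:15Z,v7,joe1@example.com,198.51.100.7,accepted
2024-03-01T10:06:31Z,v7,joe2@example.com,198.51.100.7,accepted
2024-03-01T10:06:48Z,v7,joe3@example.com,198.51.100.7,accepted
2024-03-01T10:07:03Z,v7,joe4@example.com,198.51.100.7,rejected
2024-03-01T11:15:22Z,v3,cat@example.com,203.0.113.21,accepted
2024-03-01T12:40:09Z,v1,ann@example.com,203.0.113.5,rejected
"""


def parse_log(text):
    """Turn the comma-separated log into dicts; every field in and out of the system is kept."""
    rows = []
    for line in text.splitlines():
        ts, visitor, email, ip, outcome = line.split(",")
        rows.append({"ts": ts, "visitor": visitor, "email": email, "ip": ip, "outcome": outcome})
    return rows


def flag_multi_identity(rows, max_emails=2):
    """Visitor ids (one cookie) seen with more distinct e-mail addresses than a genuine entrant uses."""
    emails = defaultdict(set)
    for r in rows:
        emails[r["visitor"]].add(r["email"])
    return {v: sorted(e) for v, e in emails.items() if len(e) > max_emails}


def flag_volume_spikes(rows, baseline_per_hour, factor=3):
    """Hours whose entry count exceeds factor x the hourly baseline established in pre-promotion testing."""
    per_hour = Counter(r["ts"][:13] for r in rows)   # bucket key is 'YYYY-MM-DDTHH'
    return {h: n for h, n in per_hour.items() if n > factor * baseline_per_hour}


def entries_for(rows, email, date):
    """Audit view: every entry for one entrant on one day, in order, for verifying a prize claim."""
    return [r for r in rows if r["email"] == email and r["ts"].startswith(date)]
```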

Counter-Measures

Some attempts at defrauding or disrupting a promotion might not come from entrants at all. Computer crackers might test their skills against the promotion administrator for bragging rights (or simply because the IP address of your server was the next in the list), and disgruntled former employees or market competitors might delight in seeing a promotion lead to bad publicity or angry consumers. The first line of defense against these unsavory types is flexible system administration. If you rely on an outside vendor or colocation facility for hosting, be sure it knows your usage expectations; determine monitoring responsibilities beforehand. If traffic takes a dramatic upturn, whether from legitimate or illegitimate causes, it must be quickly recognized and met with a pre-planned response. Consumer claims will be difficult to investigate and verify if the server has crashed in the wake of a “denial of service” attack (a DoS attack is a malicious attempt to bombard a system or network with so much traffic that all services slow to a crawl or are stopped altogether). How will you respond, and what should be communicated to the public?

More common fraud attempts include a person who is entering a promotion more frequently than permitted by the rules, submitting different or false data to the system for each entry. Hopefully, according to your rules, such action removes this player from the eligible pool of entrants, but how do you prevent this player from fraudulently claiming prizes that should be awarded to legitimate players? Again, detailed logs of your input and output data should be produced to defend against low-tech fraud attempts.

Can your system block known cheaters? If the promotion is phone based, can you terminate calls from a known offender before they even hear the entry prompts? Internet fraud gives rise to additional complexities because of the inherent difficulty in identifying each unique visitor. Proactive auditing and tracking techniques mentioned above can help block abusive Web users.

Fraud is an ongoing concern for online and offline promotions, but thoughtful planning, treating all input data with a healthy dose of skepticism, careful monitoring and aggressive counter-measures can help you avoid disasters.

Jason Gessner is a managing partner of Ascent Marketing Partners in Chicago, specialists in the execution of digital promotions for national and regional clients. He can be contacted at [email protected] or at 312-224-2744.

  1. A buffer overflow attack attempts to send the program more data than it can handle in the hope that it will simply execute the code that is cleverly hidden in the data flooding the system. Most so-called worms on the Internet are buffer overflow attacks.

  2. Similar to a buffer overflow, a SQL injection attack attempts to trick the database into abandoning what it started (executing legitimate software code) and executing unauthorized code instead — say, to delete all tables in the database or expose the inner structure of the database to an unwelcome audience.
