I’m getting an increasing number of client calls about how to augment device fingerprinting in the fraud detection stack for their web/browser-based channels. The corollary of this is that clients are thinking that perhaps device fingerprinting isn’t as reliable as it once was.
What is it?
What’s it for?
Device fingerprinting has a range of uses:
- It can be used as a passive authentication method – if you're logging on to your bank account from the same device that you usually log in with, that's a trust signal, and you're allowed in with just your password. If it's a different device, that's a risk signal, and perhaps a trigger for some kind of active authentication (OTP via SMS, anyone?).
- It can also be used from a fraud detection perspective to look for risk signals in a presented digital identity – if you or the vendor saw that same device used earlier with a different name/email/card etc, perhaps something is amiss.
So what’s the problem?
Well, I think there are three issues at play here:
- The first is the sheer proliferation of devices. Looking at my desk right now, I see my Gartner laptop, my Gartner phone, my personal laptop, my personal phone, and the family iPad is floating around the house somewhere. I could use any of those five devices to log in to my bank account or make an ecommerce purchase, and it would be 'good', yet I would likely be flagged as risky given the new device fingerprints that would be detected.
- The second is the increasing difficulty that vendors face in obtaining reliable device fingerprints. The war against cookies, the rise of private browsing modes, the multiple browsers... all combine to make the process more difficult. Case in point: earlier this year I asked a range of vendors "If I came to a website running your tags... first using Safari, then using Firefox, then using Chrome, and then using Chrome in Incognito mode, all on the same laptop... would you generate the same device fingerprint each time and recognise that the same device was being used across those sessions?". I shan't reveal names to protect the innocent, but only one vendor was able to demonstrate that they could generate a persistent device fingerprint across browsers on the same device.
- The third is the rise of malware-based attacks, such as remote access trojans, which means the fraudster may well be running a session from your device, and will essentially be piggybacking on your device fingerprint.
I've also heard many times that fraudsters can imitate your device fingerprint. I have to say, I have yet to see a convincing demonstration of that, and I remain a little sceptical about how practical it is as a mainstream attack vector. I am always happy to be educated, though, so if anyone reading this can give me a good practical demonstration of how that's done (not just a screenshot of a dark web listing that claims to help you do it, please...), I'm open to learning more.
So what should you do?
Well, first, don't stop using device fingerprinting! It will continue to add value for years to come. Just have your eyes open to its limitations, as that value is slowly eroding. However, you should seriously consider augmenting your fraud detection stack by looking beyond the device at the user themselves. Many solutions are now available on the market that focus on the user's behaviour – how they navigate the page, how they type, swipe and move the mouse. I'll write more about those in a future blog post, but many are listed in the Market Guide for Online Fraud Detection.
Looking at user behaviour provides a very rich additional layer of risk and/or trust signals, and is a must-have in today’s environment to create a layered defence on top of your device fingerprinting solution.