Guest Post by our partners at Paladin Fraud Group
In the ongoing game of cat and mouse between fraudsters and organizations with an online presence, two forces are paramount: preventing fraud while also minimizing friction for the user. Add too many steps to the user’s authentication process, and they’ll drop off. That is why fraud prevention experts continue creating fresh ways to confirm a person is who they say they are without interrupting their browsing or buying experience.
Hence the magic of device identification and reputation intelligence: there’s no need to disrupt the user directly when the device is linked to a positive reputation. On the other hand, transactions can be auto-rejected when attempted on a device associated with risky or fraudulent activity.
Device identification (usually shortened to “device ID”) prevents fraud by analyzing devices and associated identities—and it can translate across digital channels, on desktop, on mobile browsers, and in native mobile applications too. This helps organizations verify identity, assess and mitigate risk in real-time, and optimize the customer experience.
Numerous types of data can be collected from a device. Hundreds of different attributes allow organizations to uniquely recognize the device interacting with their systems by constructing a “device fingerprint.” By looking at these attributes, organizations can identify risks, for example whether the device has been compromised by jailbreaking or rooting, or whether certain attributes aren’t consistent with the device type. This makes it much easier to assess the likelihood that a device is providing an accurate or spoofed IP address. Additional device characteristics that are collected include:
- Screen resolution
- Browser version
- User agent
- Local time zone
- CPU architecture
- List of plugins
- Browser language
Fraud prevention providers who offer device ID and reputation services often go above and beyond the standard factors most commonly used to assess risk by building associations and connections between related sets of devices and accounts. This allows organizations not only to recognize the same device in the future, but also to do so as the device moves between different businesses and industries.
Device ID solutions can further differentiate by allowing users to provide input or evidence related to specific devices as a way to share information about devices involved with fraud and abuse.
For example: a fraud ring uses a set of devices to commit fraud. Eventually, they are caught and the devices they used get blocked and flagged, and the set of users are added to a negative reputation report. If the fraud ring switches to different devices, the device reputation history of the blocked devices will continue to be associated with their new devices, and thus their malicious efforts will continue to be mitigated.
Device ID and reputation offer organizations a great way to avoid collection of personal information, an increasingly important notion considering the number of data protection regulations popping up around the globe. These types of solutions do not require sensitive personal information (such as names or physical addresses) in order to identify a device.
The browser integration traditionally includes JavaScript collectors that can be incorporated into any relevant web page to access detailed browser session information. Hundreds of attributes can be collected and analyzed to produce a persistent device identifier and identify potentially fraudulent behavior. ID collection can also be tied to specific actions, such as a form submission, based on technical and business requirements. Examples of pages where data collection is typically enabled include the account open page, login page, account change/update page, and checkout/payment page.
In the mobile environment, a Software Development Kit (SDK) can be incorporated into mobile applications to access detailed mobile device information. More than a hundred device attributes and operating system attributes can be collected and analyzed to produce a persistent device identifier.
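The sketch below is an added example, not code from Paladin or any vendor listed in this post. It shows the server-side half of a browser integration: turning collected attributes into a stable identifier and flagging attributes that are inconsistent with the claimed device type. The field names, the three rules, and the FNV-1a hash are assumptions chosen for illustration, and the two sample submissions are constructed.

```javascript
// Added example. Field names, rules and the hash are illustrative assumptions,
// not any vendor's method. Sample submissions below are constructed.

// 32-bit FNV-1a over UTF-16 code units: stand-in for a proprietary ID derivation.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonicalize so key order and plugin order do not change the identifier.
function deviceFingerprint(attrs) {
  const norm = { ...attrs, plugins: [...(attrs.plugins || [])].sort() };
  return fnv1a(Object.keys(norm).sort()
    .map((k) => `${k}=${JSON.stringify(norm[k])}`).join("|"));
}

// Flag attributes that do not fit the device type the user agent claims.
function consistencyFlags(attrs) {
  const flags = [];
  const ua = attrs.userAgent || "";
  // A phone user agent reporting a desktop CPU architecture.
  if (/iPhone|Android.*Mobile/.test(ua) && /x86|amd64/i.test(attrs.cpuArchitecture || ""))
    flags.push("mobile_ua_desktop_cpu");
  // Reported browser version disagrees with the version inside the user agent.
  const m = ua.match(/Chrome\/(\d+)/);
  if (m && attrs.browserVersion && String(attrs.browserVersion).split(".")[0] !== m[1])
    flags.push("browser_version_mismatch");
  // Time zone is not a zone name the runtime recognizes.
  try { new Intl.DateTimeFormat("en-US", { timeZone: attrs.timeZone }); }
  catch { flags.push("invalid_time_zone"); }
  return flags;
}

const consistentDevice = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  browserVersion: "120.0.0.0", screenResolution: "1920x1080", timeZone: "Europe/Berlin",
  cpuArchitecture: "x86_64", plugins: ["PDF Viewer", "Chrome PDF Viewer"], language: "de-DE",
};
const spoofedDevice = {
  ...consistentDevice, timeZone: "Mars/Olympus",
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
};

console.log(deviceFingerprint(consistentDevice), consistencyFlags(consistentDevice));
console.log(deviceFingerprint(spoofedDevice), consistencyFlags(spoofedDevice));
```

A 32-bit hash is used only to keep the sketch dependency-free; a production identifier would need a far larger output space and tolerance for attributes that change legitimately, such as browser upgrades.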
In our 2020 edition of the Paladin Vendor Report, we featured a number of solution providers offering Device ID & Reputation solutions through either proprietary offerings or through a series of partnership options, including:
- Accertify, powered by InAuth
- ACI
- Arvato Financial Solutions
- CyberSource Decision Manager
- Kount
- NS8
- NuData Device Recognition
- Sift
- TransUnion
The 2020 Paladin Vendor Report not only covers device ID and reputation technologies—it spans the full spectrum of current technology and solutions in the fraud prevention landscape today. Download the full Paladin Vendor Report here: http://paladinfraud.com/mrc-trends-2020/ And stay tuned for upcoming posts highlighting even more fraud-fighting technologies that organizations are turning to today.