A Multi-Pronged Approach to Fighting Fraud with Fingerprinting and Cross-Device


Having the power to block devices is of paramount importance when combating organized e-commerce fraud. Quickly identifying and blocking a device being used by a fraudster restricts the possibility that a single device will generate numerous accounts with different payment information on a merchant's platform.

One of the most prevalent and effective online fraud prevention tools used today is device fingerprinting. However, device fingerprinting alone is not sufficient to thwart fraudsters as they move across multiple devices. Let’s take a look at a method that attacks online fraud from two distinct angles that, combined, are incredibly effective.   

Combating Fraud with Device Fingerprinting 
Much like the various pieces of evidence that investigators collect to identify a suspect, fingerprinting for devices works by collecting bits of information to form a unique identifier. Every device is personalized to meet a person’s individual preferences and requirements, and these configurations create a recognizable device fingerprint.

Calculating a device fingerprint starts when a user visits a website (e.g., an e-commerce merchant, in the case of most anti-fraud scenarios). The device tracker then collects the relevant information -- including browser version, user agent header, language header, a list of plugins, and more -- to form a unique identifier.

Fraudsters nowadays are well aware of the possibility of their devices being identified. The moment their attempts at generating accounts fail, fraudsters usually try to continue by randomizing their data points (such as browser, IP, geolocation, etc.). Luckily, most modern device fingerprints render these attempts unsuccessful. At that point, the fraudster usually switches devices altogether.

Enter Cross-Device Tracking
Unfortunately, because fraudsters are aware of the power of device fingerprinting, they regularly distribute their fraudulent activity over several devices. Therefore, significant losses can be incurred before each subsequent device is identified and blocked.

Cross-device tracking, when employed to combat fraud, is aimed at crossing the boundaries between a fraudster's individual devices and browsers.

Picture this scenario: A sophisticated fraudster has noticed that his revenue has been diminishing due to device fingerprinting and blocking. As his device’s unique signatures become more readily recognized and blacklisted, his only option is to employ a new device with new unique characteristics in order to avoid the barriers being erected between him and his revenue source.

With his new device and its new digital fingerprints at his disposal, he goes back to skimming money from unsuspecting victims. Security software will eventually catch up with him, but not before he has already made off with substantial ill-gotten revenue. The best way to prevent this is cross-device tracking.

Cross-device tracking establishes a person-centric view of the fraudster across devices by combining various data sources into a comprehensive user profile. By its very nature, cross-device identification provides a more complete picture of a person than siloed tracking via HTTP cookies or other traditional and more limited tracking mechanisms.

Having the means to track fraudulent behavior across multiple devices stops fraudsters cold when they try to migrate their activities to another device. Merchants can block transactions from devices linked to ones with malicious history even before any of the other bells and whistles in their fraud-prevention system indicate a potential danger.
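The two mechanisms described above, combined in one sketch. This is an added example, not code from the article or from any vendor: it hashes the attributes the article lists into a device ID, then links devices that share a signal so a block on one device carries over to the others. The article only says "various data sources", so the linking signals used here (an account ID and a payment-card hash) and all sample values are assumptions.

```python
import hashlib
# Attributes the article names; this exact field set and encoding are assumptions.
FP_FIELDS = ("user_agent", "accept_language", "browser_version", "plugins")

def fingerprint(attrs):
    """Hash collected browser attributes into a stable device identifier."""
    parts = []
    for field in FP_FIELDS:
        value = attrs.get(field, "")
        if isinstance(value, (list, tuple, set)):
            value = ",".join(sorted(value))  # plugin order must not change the ID
        parts.append(f"{field}={value}")
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

class DeviceGraph:
    """Union-find over device IDs: devices sharing a linking signal are merged."""
    def __init__(self):
        self.parent, self.first_seen, self.blocked = {}, {}, set()

    def find(self, dev):
        self.parent.setdefault(dev, dev)
        while self.parent[dev] != dev:
            self.parent[dev] = self.parent[self.parent[dev]]  # path halving
            dev = self.parent[dev]
        return dev

    def observe(self, dev, signals):
        """Record a session: a device ID plus hypothetical linking signals."""
        for sig in signals:
            other = self.first_seen.setdefault(sig, dev)
            self.parent[self.find(dev)] = self.find(other)

    def is_risky(self, dev):
        """True if this device, or any device linked to it, is blocked."""
        root = self.find(dev)
        return any(self.find(b) == root for b in self.blocked)

def demo():
    """Constructed sessions: a blocked laptop, then a new phone with the same card."""
    laptop = fingerprint({"user_agent": "UA-laptop", "plugins": ["pdf", "flash"]})
    phone = fingerprint({"user_agent": "UA-phone", "plugins": []})
    other = fingerprint({"user_agent": "UA-other", "plugins": ["pdf"]})
    g = DeviceGraph()
    g.observe(laptop, ["acct:1001", "card:placeholder-hash"])
    g.blocked.add(laptop)
    g.observe(phone, ["card:placeholder-hash"])
    g.observe(other, ["acct:2002"])
    return g.is_risky(phone), g.is_risky(other)

print(demo())  # (True, False)
```

Linking is transitive, so a signal shared by unrelated customers (a household or office IP address, for instance) would merge their devices into one cluster; linking signals need to be chosen with that false-positive cost in mind.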

Users today are accessing the internet from an increasing number of devices. As online behavior evolves from being browser- and device-centric to person-centric, so must our tracking mechanisms. This means that cross-device identification must play an integral role not only in advertising but in online security as well.
