Unlocking the Potential of Device ID
October 15th, 2008 by Scott Olson

Client Device Identification (CDI) can go by many different names, including device fingerprinting, device ID, or device tagging. Whatever you may call it, there is a growing recognition that in order for online businesses to effectively combat online fraud and abuse, they must move beyond relying almost solely on the identity and credit information supplied by the fraudsters and augment it with information about the device being used to defraud them.
While device ID is important, much like real-world fingerprint recognition technology, how you use that information to identify the device makes a big difference. For example, if fingerprint databases had never evolved beyond localized systems into centrally managed systems like the Integrated Automated Fingerprint Identification System (IAFIS), maintained by the FBI, their effectiveness at identifying repeat criminals would be extremely limited. It wasn’t until information and records of criminals were shared across the country that the government was able to evolve a proactive system that could catch criminals rather than simply confirm suspects. In much the same way, now that we have a good method of identifying PCs and other Internet devices, we must evolve a system that utilizes that information most effectively.
We now know that online criminals no longer limit themselves to one target. In fact, many cross industries and companies, and share information with their peers and with members of more organized fraud rings. So should we. Device fingerprints must go beyond simply recognizing the device that has visited a single site to being incorporated in a broader system that establishes the historical behavior of that device online across multiple vendors and industries.
A recent incident across multiple iovation customers highlights the value of a centralized device reputation system. From July 10 to September 1, we saw a device with confirmed fraud across three different customers in different industries. The device first appeared at the online gaming Web site of one of our customers on July 10 before moving on to one of our integrated payment provider customers on July 13. We finally saw the same device again at an online credit provider on September 1. In this case, all three of our customers sharing device ID benefited from each other’s experiences with the device, and dramatically expanded their fraud management capabilities by gaining their peers’ invaluable insight, tools and fraud expertise to stop the fraudster.
Adding device ID to your fraud management process can make a big difference in stopping fraud, creating significant value and uplift in your fight against fraud and abuse. Shared, centralized device reputations go a long way to unlocking the power of device ID and preventing more fraud and abuse from occurring within your network.

October 16th, 2008 at 9:19 am
Good blog. Biggest challenge with doing this though is the limited shelf life of a device ID. If device IDs were static you really could shoot for the electronic version of the FBI’s print database. Until then it’s constant scouring of data to find new IDs.
October 30th, 2008 at 5:00 pm
Hi Scott
Is there a way I can have this device number in order to check it on our system?
Thanks
Carlos Piedra
October 30th, 2008 at 6:22 pm
Thanks for the reply, Coby. You are absolutely correct in pointing to the limited shelf life of many device IDs. There really are two approaches toward device ID. One uses PC and other device data to assemble a profile and uses that profile to assess risk. In this approach, you aren’t uniquely identifying a device but rather looking at things like IP Geolocation, browser type, operating system, and a number of other attributes and assessing how closely it matches other devices that have been identified with fraud, for example.
A second approach is to create an ID that is unique and can actually positively identify a PC. This gives you the ability to build a reputation tied to that device. This type of approach can take many different forms ranging from something as strong as a device ID download to something tailored to have minimal user impact such as a cookie.
Both of these approaches have merit, but really different functions. The first, a risk-based approach, is best used in the context of a risk scoring system and can be used to refine the review queue for things like online purchases. However, to your point, this type of approach is not ideal for creating meaningful device reputations or a shared infrastructure for fighting fraud: not only does it have limited shelf life, but it generates a large number of false positives.
A system that utilizes unique IDs also gets stronger when you couple the device ID with its account relationships. The reason for this is that an understanding starts to evolve about the connection between many accounts at potentially different sites that are connected to one or more PCs, for example. We call this a web of associations. In this scenario, device reputations have a longer use even if a brand new computer is purchased. When they re-connect to one of their previous accounts, we can see the relationship that exists between the new device and their previously established reputations and associations.
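
The web of associations described in the reply above, sketched as an added example (it is not iovation's code and not part of the original post). Device IDs, account names, site names and the two-hop limit are constructed assumptions; the point is that a brand new device inherits evidence through an account it shares with a device already reported for fraud.

```python
from collections import defaultdict, deque

# Constructed sample observations: (device_id, account, site). All values are made up.
OBSERVATIONS = [
    ("dev-A", "acct-1", "gaming-site"),
    ("dev-A", "acct-2", "payment-provider"),
    ("dev-B", "acct-3", "credit-provider"),
    ("dev-C", "acct-2", "payment-provider"),  # new PC logging in to an existing account
    ("dev-D", "acct-9", "gaming-site"),       # unrelated device
]
# Constructed fraud evidence shared by subscribers: device_id -> reporting site.
FRAUD_REPORTS = {"dev-A": "gaming-site"}

def build_graph(observations):
    """Bipartite graph: device nodes on one side, per-site account nodes on the other."""
    graph = defaultdict(set)
    for device, account, site in observations:
        d, a = ("device", device), ("account", f"{site}:{account}")
        graph[d].add(a)
        graph[a].add(d)
    return graph

def associations(graph, device, max_hops=2):
    """Breadth-first walk from a device; returns {node: hops} within max_hops."""
    start = ("device", device)
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == max_hops:
            continue  # do not expand past the hop limit
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def device_reputation(graph, device, fraud_reports, max_hops=2):
    """Return (verdict, evidence); evidence rows are (device, reporting_site, hops)."""
    if device in fraud_reports:
        return "direct", [(device, fraud_reports[device], 0)]
    linked = sorted(
        (name, fraud_reports[name], hops)
        for (kind, name), hops in associations(graph, device, max_hops).items()
        if kind == "device" and name in fraud_reports
    )
    return ("associated" if linked else "clean"), linked
```

Keeping the hop limit small bounds how far one fraud report spreads, which matters where many unrelated users share an account or a machine.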