“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Financial Federal Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.”

You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

IP Addresses have long been used in device fingerprinting solutions, but their utility has been hit-and-miss due to differences in how groups of IP addresses are managed. As a result, solutions relying on the IP address for device identification generally experience high false positive rates; this is especially true in cases where the same IP address has been issued to different end users over time.

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not. (more…)