The Financial Federal Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.”

You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not.

One of the keys to successfully utilizing IP addresses in device fingerprinting is to understand how different service providers manage their IP addresses. Some service providers go to great lengths to assign the same IP address to the same user over time, even when DHCP (Dynamic Host Configuration Protocol) is used for obtaining an IP address. Other providers make use of a smaller pool of IP addresses, requiring them to reissue the same IP addresses to different users over time. Mobile service providers present the most extreme example of this type.

To better understand the issue, I decided to take a closer look at some of our data. Over a recent 30-day window, I collected data from device identification requests in which we could definitively say that the correct device was identified via its fingerprint. (By limiting the study to these requests, the correlation of IP addresses to devices can be done with confidence because the device identifier is a statistical truth value.)

Analysis of this data (presented below) shows which IP addresses are associated with multiple end-user devices, ultimately allowing for a better understanding of different service providers’ policies with respect to reusing IP addresses. This information, in turn, allows us to determine how effective different IP addresses will be for unique device identification.

Metrics Computed
For each service provider, the following metrics were computed:

• Number of IP addresses (IPA)
• Number of IP address and device combinations (IPD)
• The ratio of IPD to IPA

Many service providers have an IPD to IPA ratio very close to 1, suggesting a policy that attempts to assign a user with the same IP address over time. On the other hand, some service providers have an IPD to IPA ratio over 100, suggesting a policy that liberally reuses IP addresses among users. Of course, there are service providers everywhere in-between.

Examples

1. On the low end of the scale (where a single IP address tends to correlate directly to a single device) is H3G Italy. During the study period, 20,509 IP addresses managed by this service provider were encountered, with 22,545 device and IP address combinations, giving them an IPD to IPA ratio of 1.09.
2. On the high end of the scale (where a single IP address tends to be associated with multiple devices) is danger.com. From this service provider we encountered 54 unique IP addresses covering 4,967 device and IP address combinations, resulting in an IPD to IPA ratio of 91.9.

Results
On aggregate, I grouped the values of IPD to IPA ratios into ranges and each range was analyzed using frequency distributions. Based on a device fingerprinting system’s optimal performance goals and tolerance for false positives, the service provider’s IPD to IPA ratio can be used to determine the role of the IP address in device identification.