As device fingerprinting becomes more challenging, new risk signals emerge

BetaNews covered this byline on April 20th, 2023. 

At Incognia, we speak with experts in the fields of risk, trust & safety, security, and data science every day, and in almost every one of these conversations, one or all of these recurring themes are mentioned:

1) Fraudsters and scammers are innovating at an accelerated pace.
2) Fraud detection technologies that were once extremely reliable have become less effective, specifically device fingerprinting.
3) Evaluating new risk signals is critical in an effort to continuously stay ahead of the fraudsters and scammers.

 

Bad actors are innovating

As businesses continue to digitize their offerings to satisfy consumer demand for one-click banking, shopping, buying, selling, and dating, the opportunity for fraudsters and scammers continues to grow. To pursue this perpetually growing total addressable market, bad actors are modernizing their operations, leveraging more automation to carry out credential stuffing attacks, account takeovers, social engineering scams, and anything new worth exploiting (remember PPP loans?). Suffice it to say, there is no debate about point #1. In the constant game of cat-and-mouse, some days the cat wins, and other days the mouse wins.

 

Traditional signals are less reliable

One challenge that mobile-first companies regularly share is the declining effectiveness of once-reliable technologies, specifically device fingerprinting. In the fraud detection space, device fingerprinting is used to create a unique, probabilistic identifier for an individual device for the purpose of recognizing known good or bad devices. These identifiers are automatically generated by analyzing a variety of attributes, including the device model, the operating system it is running, and many others, such as the number of installed apps, the screen’s resolution and size, language settings, mobile carrier, installed plugins, and more.

The utility of device fingerprinting for fraud prevention has significantly degraded over the last decade for several reasons. The first is the sheer number of devices the average person uses today. Research conducted by Parks Associates in 2022 shows that US households now own an average of 16 connected devices each. Another contributing factor is the emergence of new device models and operating systems, as well as the increased use of privacy-preserving tools like VPNs, incognito browsing, and others.

Another major challenge to device fingerprinting is Apple’s and Google’s commitment to restricting app developers’ ability to collect these attributes from a device in the name of user privacy. While primarily aimed at advertisers, Apple’s App Tracking Transparency (ATT) framework states that fingerprinting is prohibited. While Apple has not yet made it technically impossible to fingerprint devices or enforced the prohibition policy, iOS developers are holding their breath. Google has said it will introduce similar privacy changes in the next couple of years.
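To make the degradation described above concrete, the following sketch is an added example (not code from Incognia or any fingerprinting vendor). It compares an exact-hash fingerprint with a weighted probabilistic match over the attribute kinds listed earlier; the device values, weights, and 10% numeric tolerance are constructed assumptions.

```python
import hashlib

# Constructed sample devices (illustrative values, not real data).
DEVICE_A = {"model": "Pixel 7", "os": "Android 13", "apps": 84,
            "screen": "1080x2400", "lang": "en-US", "carrier": "CarrierX"}
# Same physical device after an OS update and two new app installs.
DEVICE_A_UPDATED = dict(DEVICE_A, os="Android 14", apps=86)
# A different user's device of the same model.
DEVICE_B = dict(DEVICE_A, apps=31, carrier="CarrierY")

# Assumed weights: how strongly each attribute separates devices.
WEIGHTS = {"model": 2, "os": 1, "apps": 3, "screen": 1, "lang": 1, "carrier": 2}

def exact_fingerprint(attrs):
    """Deterministic ID: a change in any one attribute yields a new ID."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def _matches(a, b):
    # Numeric attributes drift over time, so allow 10% tolerance (assumption).
    if isinstance(a, int) and isinstance(b, int):
        return abs(a - b) <= 0.1 * max(a, b)
    return a == b

def similarity(known, seen):
    """Return (score, coverage): weighted match ratio over the attributes
    both sides expose, and the share of total weight that was comparable."""
    shared = [k for k in WEIGHTS if k in known and k in seen]
    total = sum(WEIGHTS[k] for k in shared)
    if total == 0:
        return 0.0, 0.0
    hit = sum(WEIGHTS[k] for k in shared if _matches(known[k], seen[k]))
    return hit / total, total / sum(WEIGHTS.values())

def restrict(attrs, allowed):
    """Model a platform that only lets an app read the `allowed` attributes."""
    return {k: v for k, v in attrs.items() if k in allowed}

if __name__ == "__main__":
    visible = {"model", "os", "screen", "lang"}
    print("exact ID survives update:",
          exact_fingerprint(DEVICE_A) == exact_fingerprint(DEVICE_A_UPDATED))
    print("A vs A-updated:", similarity(DEVICE_A, DEVICE_A_UPDATED))
    print("A vs B, all attributes:", similarity(DEVICE_A, DEVICE_B))
    print("A vs B, restricted:", similarity(restrict(DEVICE_A, visible),
                                            restrict(DEVICE_B, visible)))
```

With the high-weight attributes withheld, two different devices score as a perfect match while coverage drops to half, which is why a risk model should treat a low-coverage match as weak evidence rather than as device recognition.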

 

Critical to leverage new signals

Given the increasing sophistication of digital attacks and scams, businesses are constantly evaluating new and innovative technologies to help them stay ahead in the game of cat-and-mouse.

Most companies I speak with are not looking to rip-and-replace existing technology stacks, but instead are searching for new "signals" that will increase the efficacy of their fraud detection models. A major customer stated that they would implement a new technology that could demonstrate a 0.5% reduction in fraud.

With the degradation of technologies like device fingerprinting, emergent technologies that leverage behavioral signals are being evaluated to plug the gap. Examples include the use of behavioral biometrics to understand if the person on the other end of a sensitive transaction is in fact human, or exhibits the behavior of the known account owner. Companies like BioCatch, NeuroID and others analyze how customers interact online using different devices, e.g., typing cadence and pressure, swiping style, how a mobile device is held, etc. My company, Incognia, is another example of a company bringing new behavioral signals to the market, leveraging anonymized, spoof-proof location behaviors to differentiate between fraudsters and trusted customers. Location behaviors are highly predictive of trust and risk.

Given the potential of lucrative payouts and positive ROIs, I expect bad actors to continue to refine their techniques, applying readily available automation to execute sophisticated attacks. At the same time, as aging, once-dependable risk signals become less effective, digital business will continue to explore new, emerging technologies to stay ahead in the ongoing fight against fraud.