Off-the-shelf device ID could be sabotaging your fraud prevention efforts

Our experiences online today are often much more personalized than they would’ve been twenty or thirty years ago, and that’s because platforms today put effort into recognizing return users. Identifying users is good for personalizing content and targeting ads, but perhaps most importantly, it’s vital for preventing fraud and stopping ban evasion. So, how does a platform pick one or more devices out of a sea of millions and identify that as a unique user? The answer lies in device ID.

Device identifiers, or simply device IDs, play a vital role in re-identifying users returning to a platform. This facilitates a seamless experience for returning users and helps stop bad actors from launching systematic attacks on websites or apps. From preventing account takeovers and coupon abuse to tackling synthetic ID accounts, the use cases for device ID are as diverse as they are critical.

How do you test the effectiveness of a device ID?

Creating a reliable device identifier is no simple task, however, and not all device IDs are created equally. The apparent simplicity of device fingerprinting tools offered by an operating system (OS) can mislead developers into assuming they provide a one-size-fits-all solution for effective device identification in fraud prevention. While these tools may appear straightforward to integrate, there are potential limitations and risks of relying solely on OS-provided device fingerprinting. Initially designed for purposes like advertising, user base management, or analytics, these tools may not inherently cater to the nuanced demands of fraud prevention, or anticipate the fact that fraudsters will be trying to outfox them.

An effective device ID involves reading and analyzing various hardware, configuration, and connectivity properties to ensure unique identification, which can be combined with the operating system data. While re-identifying good users requires less effort, fraudsters are constantly looking for newer and better ways to hide themselves. Hiding their true identities is also becoming easier due to new and tighter privacy controls created by operating systems and browsers which can take the power out of some legacy device ID solutions.

So how do you know where your device ID solution stands? Determining the effectiveness of a device ID involves careful evaluation since there’s often a lack of good ways to verify just how accurate they are—put differently, if device IDs are the tool you rely on to identify discrete devices and users, it can be hard to find other data sources to corroborate what the device ID is telling you.

This evaluation will involve assessing sessions grouped by device ID to see if they align logically and if the data from these sessions coherently match. The consistency of device models, account access patterns, and proximity of locations are all essential factors of this evaluation.

Why OS-provided device IDs aren’t enough for fraud prevention

As developers strive to enhance fraud prevention, they might turn to readily available device fingerprinting tools provided by operating systems. These tools, looking straightforward on the surface, might seem like a standardized and foolproof solution for identifying fraudulent activities—one that doesn’t have to be developed in-house or bought from a third party.

But it's important to recognize that these OS-provided device fingerprinting methods are purpose-built for use cases like advertising, user base management, and analytics. Fraud prevention is a specific use case for a device ID and it requires a solution that meets a higher standard than the other use cases. Some of the same features that make OS device IDs better at ad tracking make them worse at fraud prevention.

As an example, the Advertising ID, available on Android and iOS, is specifically designed for advertising and user profiling purposes. It allows app developers and advertisers to track users' interests and behavior so that they can deliver targeted advertisements. The Advertising ID is also user-resettable, meaning users can reset or change this identifier. This gives the user greater control over ad tracking, but it also makes this ID unreliable for fraud prevention.

This reset feature is intended to protect user privacy and give users the ability to manage their ad preferences, but when this ID is used for fraud prevention, this feature gives fraudsters an easy way to avoid being re-identified by fraud detection systems.

There’s also iOS’s Identifier for Vendor (IDFV) and the Android ID, which uniquely identify a device for a specific vendor or app developer on iOS and Android, respectively. IDFV is primarily used for user base management and analytics within one particular app and isn’t universally unique across unrelated apps. That means if a user uninstalls and reinstalls an app, the IDFV may change, making it non-persistent across installations and apps.

Users can reset their Android ID, which disrupts efforts to create a comprehensive user profile across multiple apps. This makes it unsuitable for cross-app tracking or the creation of a comprehensive user profile across various apps, both critical elements of a strong device ID for fraud prevention.

These tools, seemingly simple to use and implement, may create the illusion of a standardized and foolproof approach to device identification for fraud prevention. However, developers have to know about the potential pitfalls and limitations associated with relying solely on OS-provided device fingerprinting.

The privacy controls that have been put in place by the most prominent operating systems are actually making it harder to fingerprint devices and easier to hide fraudulent activity. Standard identifiers provided by the OS, like the Android ID or the iOS Vendor ID, now function more like an installation identifier instead of a device identifier that can effectively recognize devices.

Strategies for countering device ID reset and fraud

In the fraud prevention landscape, device identifiers are invaluable tools for re-identifying users, ensuring seamless experiences, and thwarting systematic attacks. With that in mind, it’s also important to acknowledge that the device ID that comes standard with most OSs isn’t persistent enough for fraud prevention. Understanding the nuances of different device ID solutions offered by operating systems and how they may fall short regarding robust fraud prevention—how easy it is to reset these fingerprints, for example—is a valuable first step towards an actually reliable device ID solution.

Tools like emulators, rooting, jailbreaking, FRIDA, app tampering, VPNs, and GPS spoofing can all be used to reset devices. A recent study at Incognia revealed that 1% of the user base on the courier app side of food delivery services employs some type of app tampering techniques to bypass fraud prevention strategies.

These tools enable tampering with the data collected from the OS to form a device fingerprint. With different data, the fingerprints will also differ. Just like changing the whorls and patterns of your physical fingerprint would make it impossible to get a match on your identity, these tampering tools help fraudsters hide who they really are.

To address this, Incognia’s Location Fingerprint includes comprehensive fallback strategies to detect the use of those tools and flag compromised devices, identifying them as a higher fraud risk before they get a chance to wreak havoc on the platform.

The most reliable and advanced fraud prevention systems leverage multiple data points and behavioral patterns to detect and prevent fraud, and Incognia’s solution is no exception.

Build vs. buy: the advantage of using existing solutions

With so many criteria to consider, opting to integrate an existing fraud prevention solution with a robust device fingerprint capability can provide substantial efficiency gains. Established solutions have undergone years of refinement, offering battle-tested efficacy and performance. Solutions built in-house, however, might not have the same collaborative benefits as existing ones.

For example, adopting proven solutions often grants access to a more extensive user base network, enabling the detection of various user behaviors and data-driven insights from across the network that enhance fraud detection capabilities. Collective intelligence can significantly improve the reliability and accuracy of a solution by giving developers much more data to work with.

For a better idea of what that looks like in the real world, think about this build vs buy example. Leveraging location as a proxy for identity and a crucial layer in detecting systematic behavior can be a powerful alternative to traditional device fingerprinting. Incognia's highly precise and spoof-resistant location-based device fingerprint enables efficient identification of potential problems with minimal false positives. Our solution has been in development for twelve years, meaning we’ve had plenty of opportunities to refine it and respond to developing fraudster tactics as well as customer feedback.

On the other hand, building a custom fraud prevention solution in-house offers the allure of tailored functionality and seamless integration with existing systems. Companies can fine-tune the technology to meet specific requirements and retain full control over its development.

The major drawback of this path, though, is that it demands significant investment in time, skilled expertise, resources, ongoing maintenance, and in iterating through learning. Moreover, it may pull people away from core business goals and delay time-to-market. At the end of the day, stakeholders have to ask themselves whether a fully customizable solution is worth diverting that much blood from the beating heart of their business.

The hybrid approach to device ID and fraud prevention solutions

As with most “either-or” debates, the ideal approach often lies in a well-balanced compromise between building and buying. Companies can leverage existing solutions as a robust foundation while developing in-house tools and rules on top that cater to specific requirements. This hybrid strategy provides the advantages of efficiency and expertise combined with the flexibility of customization.

With all this in mind, it’s also important to acknowledge whether you decide to build in-house, implement proven solutions, or adopt a hybrid approach, the path to empowering fraud prevention begins with informed decision-making. Organizations can make informed choices tailored to their unique needs by understanding the limitations of standard OS device IDs and their intended purposes and weighing the benefits of in-house development against the efficiency and expertise offered by existing solutions.

Not all device IDs are created equal. In the ever-evolving realm of fraud, striking the right balance between convenience and effectiveness is key to a successful fraud prevention strategy.