How Fraudsters Find Quick Workarounds For Fraud Prevention Tools (And How to Stay Ahead)

Fraudsters are notorious for their ability to find even the smallest gaps in the armor to exploit a platform’s security or policies. Today, we take a closer look at how fraudsters find these workarounds, and what fraud fighters can do to regain the upper hand.

The “cat and mouse game” is a popular way to describe the fraud prevention space today, and that’s for good reason. Fraud prevention professionals develop solutions and strategies to combat new fraud use cases; fraudsters find new ways to avoid detection and take advantage of platform policies; rinse and repeat. It’s often said that there’s no silver bullet solution to fraud, and that’s largely because of the fraudsters’ ability to find new holes to poke in their targets’ security.

How do they find these workarounds so quickly, and how do fraud prevention professionals stay ahead of the curve instead of behind the times? Below, we’ll explore device ID as an example of a powerful signal—but one that fraudsters can easily outfox if it isn’t implemented correctly.

Using Device ID as an example

Traditional device ID had a long day in the sun, but it’s not the same solution it used to be. Device ID alone isn’t enough to detect fraudsters anymore, because they’ve adapted to new ways of obfuscating their identities.

Device ID typically works by collecting information about a device such as operating system, model, software versions, apps downloaded, screen resolution, and so on to create a unique fingerprint that can be used to identify that device again later. Fraudsters understand tech as well as their adversaries, though, and over the years, they’ve learned which device signals give them away.

One way fraudsters have learned to evade device ID is by manipulating the parameters used to form that ID—updating the OS, changing the screen resolution, and so on. Another way is by fully resetting the device to factory settings, wiping all of the data that was previously used to identify the device as belonging to a unique user. This is a powerful tactic for a fraudster. With the click of a button, they can wipe the slate clean and rejoin a platform they’ve been abusing as a completely new person.

In a recent AboutFraud webinar titled, “The Real Full Stack: People, Processes, Technology, & Data,” Incognia CEO Andre Ferraz explained about device ID, “Fraudsters know that most companies use device fingerprinting, right? They all have a device ID. So the fraudsters have developed multiple ways to bypass that, including wiping their cookies, reconfiguring their devices, using emulators, virtualizers, tampering tools, instrumentation tools. So there are so many ways in which fraudsters can generate a new device ID all the way to, for example, resetting their device to factory settings and reinstalling your app, or logging in again to your web platform.”

That doesn’t mean that device fingerprinting is out to pasture as a fraud signal, though. Instead, it’s a great example of how fraudsters will find any way they can to poke holes in an otherwise strong indicator against them. So, if device fingerprinting is still viable, how do you keep it ahead of the fraudsters who want to dismantle it?

Bringing in additional signals for better reliability

Continuing to use device fingerprinting and device ID as our example, one of the best ways to keep a solution from being defeated by new obfuscation tactics is to never make a single signal do all the identification work alone. Instead, a holistic approach to signals and data can be the difference between a fraud solution that gets picked apart in two weeks, and a fraud solution that stands the test of time.

According to Andre, some of the best solutions to pair together are device, network, and behavior, particularly location behavior. If your device intelligence solution is tamper-resistant, you can identify repeat offenders even after they factory reset their devices; that’s where the network and location behavior intelligence come in. Using these additional data points, you can create a more persistent fingerprint that stays with a fraudster despite obfuscation techniques.

It works the other way around, as well. On the network and location behavior sides, fraudsters have no shortage of spoofing techniques, such as IP spoofing, using VPNs, using GPS spoofers, and so on. But a device integrity check can find these signs and raise the risk assessment of a given user accordingly. All of the signals work together to form a net of redundancy that has much smaller holes for fraudsters to try and poke through than one solution alone.
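
The idea from the paragraphs above, as an added example (not code from the article or from Incognia): a hash-based device ID changes after a reset, while a weighted comparison of device, network and location-behavior signals still links the two sessions, and an integrity finding raises risk separately. The signal names, weights, threshold and sample sessions are assumptions constructed for illustration.

```python
import hashlib

def device_id(attrs: dict) -> str:
    """Classic device ID: a hash over the collected attributes."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0

# Illustrative weights and threshold (assumptions, not values from the article).
WEIGHTS = {"device": 0.3, "network": 0.3, "location": 0.4}
LINK_THRESHOLD = 0.6

def link_score(known: dict, new: dict) -> float:
    """Weighted similarity across device, network and location-behavior signals."""
    sims = {
        "device": jaccard(set(known["device"].items()), set(new["device"].items())),
        "network": jaccard(known["networks"], new["networks"]),
        "location": jaccard(known["places"], new["places"]),
    }
    return round(sum(WEIGHTS[k] * sims[k] for k in WEIGHTS), 3)

def assess(known: dict, new: dict) -> dict:
    score = link_score(known, new)
    return {
        "same_device_id": device_id(known["device"]) == device_id(new["device"]),
        "link_score": score,
        "linked": score >= LINK_THRESHOLD,
        # Integrity findings (e.g. a GPS spoofer) raise risk on their own.
        "elevated_risk": bool(new.get("integrity_flags")),
    }

# Constructed sample sessions: a banned account, the same person after a
# factory reset, and an unrelated user on the same phone model.
BANNED = {"device": {"model": "PhoneX", "os": "14.1", "res": "1080x2400", "apps": "a1"},
          "networks": {"wifi:home-7f", "asn:64500"},
          "places": {"cell:8a2b", "cell:8a2c", "cell:91ff"}}
RESET = {"device": {"model": "PhoneX", "os": "14.2", "res": "720x1600", "apps": "00"},
         "networks": {"wifi:home-7f", "asn:64500"},
         "places": {"cell:8a2b", "cell:8a2c"},
         "integrity_flags": ["gps_spoofer_detected"]}
UNRELATED = {"device": {"model": "PhoneX", "os": "14.1", "res": "1080x2400", "apps": "c9"},
             "networks": {"wifi:cafe-22", "asn:64501"},
             "places": {"cell:3d10", "cell:3d11"}}

if __name__ == "__main__":
    print(assess(BANNED, RESET))      # new device ID, but still linked
    print(assess(BANNED, UNRELATED))  # similar hardware alone does not link
```

In practice the weights and threshold would be tuned against labeled cases, and each input signal is only as trustworthy as the tamper resistance of the collection behind it.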

But tamper resistance is critical to the success of any signal, as Andre points out. “Make sure that you have tamper-proof technologies to ensure that the data you're analyzing is real data that you can trust. I think if you have these three [signals], you can do a pretty good job at almost any use case when it comes to fraud, because you'll be able to identify the same individual trying to create multiple accounts, for example.”

The fight against fraud is an ongoing battle that requires adaptability, innovative technology, and a comprehensive approach. By integrating multiple signals like device, network, and behavior intelligence, fraud prevention professionals can create a resilient barrier against fraudulent activities. When you use multiple fraud prevention signals together, you create stronger armor, and that makes it hard for fraudsters to get through to your platform and users.