Why is device fingerprinting useless when fintech apps need it most?
Device fingerprinting will not recognize the login of a new device, which means apps have to rely on friction-charged MFA
It's well known that fraud is on the rise in the fintech and crypto industries. A significant portion of fraud losses results from successful account takeover (ATO) attacks. The most common technique used to perform these attacks is social engineering, which represented more than $43 billion in financial losses in 2020, and was responsible for 80% of the fraud losses in the US.
To make it even harder, fintech and crypto fraud prevention professionals face another challenge which is managing the balancing act between security and user experience. The immediate answer to increasing security is multi-factor authentication (MFA), but most of these systems introduce significant friction to the user experience.
At Incognia we recently covered fintech and crypto app authentication and device authorization processes in a series of mobile app friction reports to understand how companies are addressing this challenging balancing act. First, let's try to understand the landscape and the problem.
How are fintech and crypto apps balancing security and friction?
Most mobile apps already use some form of device fingerprinting technology. However, some argue that fingerprinting mobile devices is relatively more challenging than desktops because of the lack of cookies and a development environment more controlled by the operating system providers.
Some device fingerprinting technologies are easier to crack than others, but the issue is not really any specific technical flaw. The reality is that even though mobile device fingerprinting solutions work pretty well when the user is using the app from their regular device, they don't function when a new device is trying to access that account. The difficulty with new devices is that fingerprinting solutions cannot recognize whether the device is trustworthy or not. This forces mobile applications to apply multi-factor authentication (MFA) technology to secure the authorization of a new device. Most apps just ask the user for a password plus a second factor (2FA).
In our recent app friction studies, we identified that most apps rely mostly on passwords as the primary factor (90%) and SMS-based 2FA using one-time passcodes (OTPs) as the secondary factor (70%).
So when users are authorizing a new device, which is when the device fingerprinting solutions are useless, the apps are relying on passwords + SMS-based OTPs. These passcodes can be shared or stolen, leaving the app open to one of the most common security vulnerabilities: social engineering.
In most cases, fraudsters pretend to be a representative of the fintech or crypto app company and simply ask consumers to share their passwords and one-time passcodes. That's usually how account takeovers (ATOs) happen. Sometimes, these attacks are even automated or semi-automated using social media channels to communicate with consumers via malicious chatbots. Another way to bypass the SMS-based OTP security is by taking over the user's phone number using SIM swapping attacks, which is a social engineering attack targeted at telecom operators.
How to protect your mobile app from social engineering without adding friction?
To protect mobile users from social engineering, additional identity affirmation signals are vital. Still, the issue is that the most common affirmation signals for mobile applications are the phone number and verification of the device. When a fraudster is taking over an account, by definition, they will do it from a new device that has never before accessed that account. So the device verification is usually ineffective given the user has to authorize a new device and fraudsters tend to use new devices, or know how to bypass most device fingerprinting solutions.
This is where location behavior comes in as an important identity affirmation signal. From Incognia’s network data from over 150 million devices, 90% of the device authorizations occur at one of the user's trusted locations, places highly frequented by the user, such as their home and office. So leveraging location behavior as an identity affirmation signal can clearly help the app distinguish between legitimate device changes and fraud attempts.
According to Gartner, identity affirmation is the process of providing supporting risk or trust signals to an identity claim to confirm if the identity exists, but does not validate the presence of the valid identity owner. In general, identity affirmation signals create less friction for users and are recommended to authenticate transactions from already enrolled users.
Based on our experience deploying identity affirmation processes using location and device intelligence, I want to share a few recommendations on implementing a solid identity proofing and affirmation process for mobile apps that are secure but user-friendly.
How to use spoofing-resistant location data to protect your app from ATOs?
Step 1: Check device integrity first
As the initial step in implementing an ID proofing and affirmation process, it is always good practice to verify the device's integrity by detecting anomalies such as the use of emulators, VPNs/proxies, location spoofing.
Step 2: Use spoofing resistant location data for identity affirmation
Location can be used for identity affirmation, including verifying that the user is not located at a place with a history of fraudulent activity. Most importantly, spoofing resistant location data can identify if the user is authorizing the new device from a trusted location (a place that is highly frequented by the user), which is true for 90% of the legitimate device authorizations.
In addition, location behavior data can bind the device to the address associated with the real-world identity, and this form of digital proof of address can run continuously, preventing fraud over the long term.
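To make Steps 1 and 2 concrete, here is an added example of the decision logic a mobile backend could run at new-device authorization. It is not Incognia's SDK or any vendor's API; the signal names, the 150 m trusted-location radius, the visit threshold and the coordinate history are all constructed assumptions for illustration. It first gates on device integrity (emulator, VPN/proxy, mock location), then checks whether the new device is being authorized at one of the user's trusted locations derived from past observations, and only falls back to step-up MFA when neither signal affirms the identity.

```python
import math
from dataclasses import dataclass
from typing import Iterable, List

# Everything below (thresholds, field names, sample coordinates) is an assumption
# constructed for this illustration, not a real SDK or production policy.

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Observation:
    lat: float
    lon: float


@dataclass
class TrustedLocation:
    lat: float
    lon: float
    visits: int


def build_trusted_locations(history: Iterable[Observation],
                            radius_m: float = 150.0,
                            min_visits: int = 5) -> List[TrustedLocation]:
    """Greedy clustering of past location observations.

    Each observation joins the first cluster within radius_m (centroid updated as a
    running mean) or starts a new one. Clusters seen at least min_visits times are
    the user's "trusted locations" (home, office); one-off visits are dropped.
    """
    clusters: List[TrustedLocation] = []
    for obs in history:
        for c in clusters:
            if haversine_m(obs.lat, obs.lon, c.lat, c.lon) <= radius_m:
                c.lat += (obs.lat - c.lat) / (c.visits + 1)
                c.lon += (obs.lon - c.lon) / (c.visits + 1)
                c.visits += 1
                break
        else:
            clusters.append(TrustedLocation(obs.lat, obs.lon, 1))
    return [c for c in clusters if c.visits >= min_visits]


@dataclass
class DeviceSignals:
    """Step 1 integrity signals as the client-side SDK would report them (assumed)."""
    is_emulator: bool = False
    uses_vpn_or_proxy: bool = False
    location_spoofed: bool = False  # e.g. a mock-location provider was detected


def decide_new_device_authorization(signals: DeviceSignals, current: Observation,
                                    trusted: List[TrustedLocation],
                                    radius_m: float = 150.0) -> str:
    """Return 'block', 'step_up' (require full MFA) or 'allow' (frictionless)."""
    # Step 1: device integrity gate. An emulator is not a real user device at all.
    if signals.is_emulator:
        return "block"
    # A spoofed location or VPN/proxy makes the location signal untrustworthy, so it
    # must not be used to waive MFA; fall back to the password + OTP path.
    if signals.location_spoofed or signals.uses_vpn_or_proxy:
        return "step_up"
    # Step 2: location affirmation. Authorizing from a trusted location is the
    # pattern seen in the large majority of legitimate device changes.
    for t in trusted:
        if haversine_m(current.lat, current.lon, t.lat, t.lon) <= radius_m:
            return "allow"
    return "step_up"


# Constructed history: 8 visits near "home", 6 near "office", 2 at a cafe.
SAMPLE_HISTORY = (
    [Observation(40.7128 + i * 0.0001, -74.0060) for i in range(8)]
    + [Observation(40.7580 + i * 0.0001, -73.9855) for i in range(6)]
    + [Observation(40.7300, -73.9900) for _ in range(2)]
)
TRUSTED = build_trusted_locations(SAMPLE_HISTORY)

if __name__ == "__main__":
    print(f"{len(TRUSTED)} trusted locations")
    clean = DeviceSignals()
    print("at home:", decide_new_device_authorization(clean, Observation(40.7129, -74.0061), TRUSTED))
    print("elsewhere:", decide_new_device_authorization(clean, Observation(40.6500, -73.9500), TRUSTED))
    print("spoofed:", decide_new_device_authorization(
        DeviceSignals(location_spoofed=True), Observation(40.7129, -74.0061), TRUSTED))
```

The ordering matters: the integrity checks run first because a spoofed or proxied location would otherwise let an attacker manufacture a "trusted location" match and skip MFA entirely. The cafe visits never become trusted, so a one-time visit does not widen the frictionless zone.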
In its 2022 Market Guide for Identity Proofing and Affirmation, Gartner recommends spoof-resistant location intelligence: "Spoof-resistant location intelligence — using a combination of GPS, cellular, Wi-Fi and IP address data — can be correlated with the presented identity, specifically the address, to check for consistency and to affirm the identity claim. Risk signals based on user behavior offer clear benefits as a fraud detection capability within the identity proofing process."
Finally, device intelligence can also verify if the same real-world identity was associated with that device on a different mobile application. For example, the user may already have a finance or mobile commerce app on the same device.
The bottom line is that using location as an identity affirmation signal can effectively stop mobile ATO while enabling frictionless device authorization. With a network of 200M mobile devices in 15 countries and a 0% ATO fraud rate for location-enabled mobile sessions, Incognia is proof that spoofing-resistant location data is one of the key trust signals for mobile authentication. The effectiveness of the combination of strong device intelligence and location behavior analytics has led some apps to make it a mandatory signal to protect users at high-risk events such as new device authorization.
If you want to read more about how to prevent ATOs on mobile, I recommend downloading this case study about a mobile-only neobank with more than 3M active customers.