How to Use Device Fingerprinting for Fraud Prevention
When a crime scene is being investigated, fingerprints are what the police will look for first, as they can reveal the criminal’s identity. When it comes to digital crimes, there is something similar named device fingerprinting – identifying a device (as a hardware-and-software complex) by a body of traces it leaves, like IP address, hardware IDs, OS and browser version, plug-in settings, and so on.
Implementing device fingerprinting can protect an online business from chargebacks and triangulation fraud schemes, and save your money and credibility in other ways.
What Is Device Fingerprinting?
Human fingerprinting uses only one element of the human body. Device fingerprinting (or DFP) is instead built on the whole body of a device’s attributes. That’s why it has more in common with profiling than with actual fingerprinting, yet it allows devices to be recognized just as surely. You must acknowledge, though, that “just as surely” does not mean a 100% guarantee in either case. Still, detecting unique characteristics of the device contacting your store is useful for fraud prevention.
Unlike cookies that work as identifiers on a certain device, fingerprinting is rather probability-based. That’s why it relies so heavily on big data and machine learning: the more data it can access and the more reasonable matches it can find, the more precise the fraud detection will be.
Changing a device fingerprint is hard – at least, harder than deleting cookies. A competent fraudster can install another version of the OS, change the language settings, use a VPN, and maybe even use a number of devices, but most of these operations are only good for single actions, not for a fraud treadmill. That’s what makes the idea of DCP, or DoubleClick for Publishers, useful: this way you get to choose who sees which amount of information about your website.
How DFP Fraud Protection Works
It’s all about big data. To make any use of device fingerprinting, you need a lot of information to compare your current piece to. While the device fingerprint is being checked, its parameters (hardware, OS version, browser, plugins installed, language settings, IP address), card details (number, issuer, use frequency), and user details (location, preferred shopping time, favorite shops, and so on) are compared to the history.
It is also compared to other matching devices. For example, if multiple purchases are made from the same device around the same time and at the same location, using multiple cards while all the other details are identical, it’s probably fraudsters making purchases with stolen card numbers and CVVs.
Sudden location changes (the card is used to pay for a cup of coffee in New York, and in an hour, to buy a diamond ring in Abu Dhabi) are also suspicious, to say the least. Using a VPN can also be telltale: if someone who usually dwells in Arizona suddenly appears from Alaska (according to their IP) and orders delivery to somewhere in Florida, it’s at least suspicious.
If the pattern qualifies as fraudulent (unusual time and number of purchases with the same device, unusual location for the supposed owner, mismatch of the card and the device in transaction history, and so on), you will receive a notification, and the transaction might be automatically declined.
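The two patterns described above (several cards on one device in a short time, and one card appearing in two distant places too quickly) can be written as simple rules. This is an added example, not code from any DFP vendor: the thresholds, field names and sample transactions are assumptions, and an exact hash stands in for the probability-based matching a real service uses.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_CARDS, WINDOW, MAX_KMH = 3, timedelta(minutes=30), 1000  # assumed thresholds

def fingerprint(attrs):
    """Hash the device attributes (order-independent) into one identifier."""
    canon = json.dumps(attrs, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def km(a, b):  # great-circle (haversine) distance between two (lat, lon) points
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review(txs):
    """Return sorted (rule, key) alerts for a list of transactions."""
    alerts, by_dev, by_card = set(), defaultdict(list), defaultdict(list)
    for t in sorted(txs, key=lambda t: t["time"]):
        by_dev[fingerprint(t["device"])].append(t)
        by_card[t["card"]].append(t)
    for dev, seq in by_dev.items():          # many cards on one device, close in time
        for i, first in enumerate(seq):
            cards = {t["card"] for t in seq[i:] if t["time"] - first["time"] <= WINDOW}
            if len(cards) >= MAX_CARDS:
                alerts.add(("multi_card_device", dev))
    for card, seq in by_card.items():        # same card, physically impossible trip
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if km(prev["geo"], cur["geo"]) > MAX_KMH * max(hours, 1 / 60):
                alerts.add(("impossible_travel", card))
    return sorted(alerts)

# Constructed sample data: no real devices, cards or customers.
T0 = datetime(2024, 1, 1, 9, 0)
DEV_A = {"os": "Windows 10", "browser": "Chrome 120", "lang": "en-US", "plugins": "pdf"}
DEV_B = {"os": "iOS 17", "browser": "Safari 17", "lang": "en-US", "plugins": ""}
NYC, ABU_DHABI, PHOENIX = (40.71, -74.01), (24.45, 54.38), (33.45, -112.07)
SAMPLE = [
    {"device": DEV_A, "card": "card-1", "time": T0, "geo": PHOENIX},
    {"device": DEV_A, "card": "card-2", "time": T0 + timedelta(minutes=4), "geo": PHOENIX},
    {"device": DEV_A, "card": "card-3", "time": T0 + timedelta(minutes=9), "geo": PHOENIX},
    {"device": DEV_B, "card": "card-9", "time": T0, "geo": NYC},
    {"device": DEV_B, "card": "card-9", "time": T0 + timedelta(hours=1), "geo": ABU_DHABI},
]
if __name__ == "__main__":
    print(review(SAMPLE))
```

Run on the sample, the rules flag the device that cycled through three cards in nine minutes and the card used in New York and then Abu Dhabi an hour apart.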
How to Implement Device Fingerprinting-Based Protection
As device fingerprints are stored on servers (unlike cookies that are kept on users’ devices), they require large databases and strong performance to work. It makes no sense even for rather big businesses to solve this on their own unless they specialize in DFP-based protection and offer it as a service to others. This sort of outsourcing is the best solution for businesses that have to pay for it in order to avoid much greater losses.
To make some use of device fingerprinting, you (as the owner or the administrator of an online business) need to contact the third party that offers DFP security services. What you will receive is a string of code to insert into your payment page. When it’s there, it will collect data on users making purchases and send it to its processing center.
Along with access to cloud-based protection, online businesses get complete instructions on how to apply device fingerprinting mechanisms on their sites. Support teams do their best to make the system work properly.
FAQ
Here are several questions you might have about device fingerprinting, with answers. Read them thoroughly to clarify all the details on the topic.
- What if a fraudster reflashes the device and uses mock locations and other software to make the next order?
It will make device fingerprinting harder, of course. The truth is that this MO is good for single crimes, but not for the industry. Where one small fish can get through a cell, a shark will be detected and caught.
- Does device fingerprinting work with desktop browsers only or with mobile ones as well?
It works with all types of devices that can go online. Each of them has an OS, an IP address, a software set, and a hardware configuration, plus location and other details. In addition, this data can be compared with purchase data to add layers to the picture.
- What about the new policy of Apple and Google that makes it harder for apps to collect data from mobile devices? Will it cause trouble for device fingerprinting?
Not as much as one might think. A device will still have to share much data to make purchases in online stores (which is the sort of fraud in question). And it’s not only iOS and Android declaring war on fingerprinting. So are Opera, Mozilla, Microsoft, and other browser makers. But the community is forming ways of protecting privacy while still making use of statistics to make device fingerprinting work.
- I have heard the system is not perfect, so it can decline decent transactions because they just resemble fraudulent ones. Is it so?
The more it learns, the smarter it gets. Now device fingerprinting has increased its efficiency, raising the chances it does everything right, even in the new privacy-concerned reality.
Preventive!
Despite the name, there is still a major difference between real and virtual fingerprints. The former helps investigate the crime after it happens. Device fingerprints can turn out to be more useful as they prevent crimes from happening. That’s why your business needs this sort of shield.