How Device Fingerprinting Can Help You Stop Fraud & Protect Your Revenue
Device fingerprinting is an increasingly common tool in the eCommerce space. Proponents see it as an asset for conducting market research and tracking customer preferences. But, did you know that it can also be a powerful fraud prevention tool?
Device fingerprinting gives you the ability to block devices associated with known bad actors. You can also pinpoint suspicious activity that could suggest fraud, and block those transactions. In turn, this generates valuable data that can help you build out your fraud prevention strategy going forward.
Many merchants, as well as financial institutions, are now using device fingerprinting to track down fraudsters. Let’s examine how this works, and also see how effective it is at stopping eCommerce fraud.
What is Device Fingerprinting?
Device Fingerprinting [noun] /dɪ ● vaɪs ● fɪŋɡɚ ● prɪntɪŋ/
Device fingerprinting is a forensic technique used to identify a device. The methodology can gather unique information based on device configurations, as well as hardware and installed software. Each piece of data helps create a unique picture of the device in question, like the lines of a human fingerprint.
Anytime a user visits a site, that individual leaves behind clues about their activity. An IP address, for instance, is a commonly known example of this digital forensic data. However, there are hundreds of potential indicators you can use to identify individual devices. You can identify users and track their activities based on:
- Screen resolution
- Browser version
- Local time zone
- CPU architecture
- Plugins installed
- IP address
- HTTP request headers
- Operating system
- Installed fonts
- Touch support
- Flash plugin data
None of these signals is a reliable indicator of a user’s activity in isolation. When combined, however, these clues can help create a profile of the individual user based on the device used to access the site. And, these profiles can be surprisingly revealing about the user’s activity.
Most businesses already use device fingerprinting in some way. For example, many employ the technique to track users for marketing or analytics purposes. Tracking customers’ activities on your site can also help you identify opportunities for improvement, helping you provide a better overall customer experience.
Device fingerprinting is similar to browser cookies but more robust and detailed; it’s also longer-lasting, as users can easily delete cookies. In fact, in the wake of legislation like the General Data Protection Regulation (GDPR), it’s now easy for customers to stop individual sites from using cookies altogether.
Device fingerprinting doesn’t have this limitation. Unlike cookies, which store local data on a user’s machine, device fingerprinting relies on data the device transmits when it connects to your site.
Device Fingerprinting & Fraud Prevention
Let’s assume that you’re using IP addresses to try and eliminate fraud. When you identify a transaction as fraudulent, you can isolate the IP address associated with the buyer and blacklist that individual. That sounds easy enough, right?
Unfortunately, it’s not always that simple. For instance, you could have numerous devices using the same IP address. Libraries and universities are good examples of this: in either case, you could have hundreds—or even thousands—of different devices all sharing the same IP address. Trying to ban one user based on the associated IP address could mean inadvertently banning thousands of legitimate customers.
Fraudsters may also use tools like VPNs or proxy servers to change their IP address at will. So, while IP address is a useful fraud management indicator, it can’t be your primary one. You need information on the individual device responsible for a transaction. This is where device fingerprinting comes in.
Device fingerprinting lets you give each device a unique ID. By drilling down to the device level, you get a much more detailed picture of your buyer. Employing device fingerprinting to intercept bad transactions and ban fraudsters can give you a much more in-depth picture than other fraud tools.
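The IP-versus-device contrast described above, as an added example that is not part of the original article. The attribute names, the SHA-256 hashing scheme and the sample sessions are assumptions constructed for illustration.

```python
import hashlib
import json

# Attributes assumed to be collected per session (names are illustrative).
FIELDS = ("user_agent", "screen", "timezone", "cpu", "fonts", "touch")

def device_id(attrs):
    """Hash a canonical, ordered view of the attributes into a stable ID."""
    canonical = json.dumps([attrs.get(f) for f in FIELDS], separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def dev(ua, screen, tz, cpu, fonts, touch):
    return dict(user_agent=ua, screen=screen, timezone=tz, cpu=cpu,
                fonts=fonts, touch=touch)

# Constructed sample data: three devices behind one campus IP (documentation
# address ranges), plus the fraudster's device reappearing on a VPN exit IP.
STUDENT_A = dev("Firefox/115", "1920x1080", "UTC-5", "x86_64", 212, False)
STUDENT_B = dev("Safari/17", "2560x1600", "UTC-5", "arm64", 340, False)
FRAUDSTER = dev("Chrome/120", "1366x768", "UTC+2", "x86_64", 87, False)

SESSIONS = [
    ("198.51.100.7", STUDENT_A, "legit"),
    ("198.51.100.7", STUDENT_B, "legit"),
    ("198.51.100.7", FRAUDSTER, "fraud"),   # confirmed fraudulent order
    ("203.0.113.44", FRAUDSTER, "fraud"),   # same device, new IP via VPN
]

def by_ip(session):
    return session[0]

def by_device(session):
    return device_id(session[1])

def evaluate(sessions, key):
    """Blocklist the key of the first confirmed fraud, then count outcomes."""
    first_fraud = next(s for s in sessions if s[2] == "fraud")
    blocked = {key(first_fraud)}
    legit_blocked = sum(1 for s in sessions if s[2] == "legit" and key(s) in blocked)
    fraud_missed = sum(1 for s in sessions if s[2] == "fraud" and key(s) not in blocked)
    return {"legit_blocked": legit_blocked, "fraud_missed": fraud_missed}

if __name__ == "__main__":
    print("IP blocklist:    ", evaluate(SESSIONS, by_ip))
    print("Device blocklist:", evaluate(SESSIONS, by_device))
```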
Device fingerprinting can be useful in preventing a range of different fraud tactics. Take click fraud, for example: if you’re engaged in affiliate marketing, device fingerprinting can help you spot bad traffic and ban those fraudsters from your network.
A Great Asset…but Not Foolproof
As with other fraud management tactics like automated fraud scoring, velocity checks, and geolocation, device fingerprinting requires specialized tools. There are a number of dedicated third-party vendors who offer device fingerprinting as a service.
Partnering with a technology vendor would give you the power to analyze users’ intents and behaviors based on established fraud warning signs. You can flag transactions that are likely to be malicious and prevent those purchases from going through.
Having said that, we also have to note that device fingerprinting is not a foolproof solution. There are a number of ways that fraudsters can subvert detection. For instance, the user’s fingerprint changes with any alteration to the device being fingerprinted. In other words, every software update, every plugin installation, and even something as simple as a time change can alter the record.
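The drift problem described above, as an added example that is not from the original article: an exact comparison fails after routine changes, while a weighted similarity score still links the records. The weights, the threshold and the sample records are constructed assumptions.

```python
# Constructed weights: attributes that rarely change on a device count for more.
WEIGHTS = {"cpu": 3.0, "os": 3.0, "screen": 2.0, "fonts": 2.0,
           "touch": 1.0, "timezone": 1.0, "browser_version": 0.5, "plugins": 0.5}
MATCH_THRESHOLD = 0.8   # assumed cut-off; tune it against labelled sessions

def similarity(stored, seen):
    """Weighted share of attributes present in both records that still agree."""
    agree = sum(w for k, w in WEIGHTS.items()
                if k in stored and k in seen and stored[k] == seen[k])
    return agree / sum(WEIGHTS.values())

def drifted(stored, seen):
    """Names of attributes that differ or are missing from one record."""
    return sorted(k for k in WEIGHTS if stored.get(k) != seen.get(k))

def same_device(stored, seen):
    return similarity(stored, seen) >= MATCH_THRESHOLD

# Constructed records: a known device, the same device after a browser update,
# a plugin install and a time zone change, and an unrelated device.
STORED = {"cpu": "x86_64", "os": "Windows 10", "screen": "1366x768", "fonts": 87,
          "touch": False, "timezone": "UTC+2", "browser_version": "120.0",
          "plugins": ("pdf",)}
AFTER_UPDATE = dict(STORED, browser_version="121.0", plugins=("pdf", "wallet"),
                    timezone="UTC+1")
OTHER = dict(STORED, cpu="arm64", os="macOS 14", screen="2560x1600", fonts=340)

if __name__ == "__main__":
    print("exact match:", STORED == AFTER_UPDATE)
    print("drifted:", drifted(STORED, AFTER_UPDATE))
    print("similarity:", round(similarity(STORED, AFTER_UPDATE), 3),
          same_device(STORED, AFTER_UPDATE))
    print("other device:", round(similarity(STORED, OTHER), 3),
          same_device(STORED, OTHER))
```

Lowering the threshold tolerates more drift but also raises the chance that two similarly configured devices are treated as one.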
Also, device fingerprinting is generally a reactive solution. You’re only able to flag and blacklist dangerous devices based on past instances of successful fraud. Thus, you’re always going to be a step behind the criminals trying to take advantage of you.
Predictive modeling can help address these shortcomings, at least to some degree. Unfortunately, the technology is still nowhere near advanced enough to provide reliable, foolproof predictive conclusions. You’ll always risk rejecting legitimate buyers, while fraudsters slip by unnoticed.
One Part of Your Strategy
Here’s the bottom line: device fingerprinting is a useful and effective tool for reactive fraud management. But, while it can stop some bad actors, it won’t be able to intercept every scammer. This is because fraud is a dynamic and constantly evolving problem. Fraudsters can use a variety of different tactics and approaches to steal from you and your customers.
Device fingerprinting should be one part of a more comprehensive strategy to identify and stop fraud. It’s designed to work alongside other tools and tactics, including (but not limited to):
- Address Verification Service (AVS)
- CVV Verification
- Velocity Checks
- Biometrics (if available)
- Affiliate fraud screening
Data from all these fraud management tools and tactics should be examined in context, by submitting each transaction to dynamic fraud scoring. This will produce a simple, data-driven figure determining the relative risk each transaction poses. You can then reject risky transactions either automatically, or on a case-by-case basis.
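One way to combine these signals into a single score, as an added example that is not from the original article or any vendor's product. The weights, thresholds, velocity window, field names and sample orders are constructed assumptions.

```python
from collections import deque

# Constructed weights and thresholds; derive real values from your own fraud data.
SIGNAL_WEIGHTS = {"device_blocklisted": 60, "cvv_mismatch": 25,
                  "avs_mismatch": 20, "velocity": 30}
REVIEW_AT, REJECT_AT = 30, 60
WINDOW_S, MAX_ORDERS = 600, 3   # velocity: more than 3 orders per device in 10 min

class FraudScorer:
    def __init__(self, blocklisted_devices):
        self.blocklist = set(blocklisted_devices)
        self.recent = {}   # device_id -> timestamps of recent orders

    def _velocity_hit(self, device_id, ts):
        window = self.recent.setdefault(device_id, deque())
        window.append(ts)
        while ts - window[0] > WINDOW_S:   # drop orders outside the window
            window.popleft()
        return len(window) > MAX_ORDERS

    def score(self, txn):
        """Return (score 0-100, decision) for one transaction dict."""
        hits = {
            "device_blocklisted": txn["device_id"] in self.blocklist,
            "cvv_mismatch": not txn["cvv_match"],
            "avs_mismatch": not txn["avs_match"],
            "velocity": self._velocity_hit(txn["device_id"], txn["ts"]),
        }
        total = min(100, sum(SIGNAL_WEIGHTS[s] for s, hit in hits.items() if hit))
        if total >= REJECT_AT:
            return total, "reject"
        return total, "review" if total >= REVIEW_AT else "approve"

def run_sample():
    """Score a constructed stream of orders (device IDs are placeholders)."""
    scorer = FraudScorer(blocklisted_devices={"dev-known-bad"})
    orders = [
        {"device_id": "dev-a", "ts": 0, "avs_match": True, "cvv_match": True},
        {"device_id": "dev-b", "ts": 10, "avs_match": False, "cvv_match": False},
        {"device_id": "dev-known-bad", "ts": 20, "avs_match": True, "cvv_match": True},
    ]
    # One device placing four otherwise clean orders a minute apart.
    orders += [{"device_id": "dev-c", "ts": t, "avs_match": True, "cvv_match": True}
               for t in (100, 160, 220, 280)]
    return [scorer.score(o) for o in orders]
```

Scores at or above the review threshold go to manual, case-by-case handling; scores at or above the reject threshold are declined automatically.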
Finally, while device fingerprinting and other tools will help identify and prevent fraud before the sale, you need to be aware of the fraud that occurs after the sale, too.
Friendly fraud is projected to represent between 60% and 80% of all chargebacks by 2023. Device fingerprinting can’t address this problem, because the fraud is post-transactional in nature. For friendly fraud, your best bet is to engage in tactical chargeback representment.