Is your device as unique as you are? Spoiler: Almost.
With 97% of attacks coming from an anomalous device or network, devices have the power to uncover most of today’s threats – if used right.
If you missed our device intelligence webinar (Are Devices as Unique as You Are?) read on for the key points or watch the replay here.
What are the common limitations of device intel?
If there was an absolute device identifier that lasted for as long as a device, we wouldn’t be talking about this today. Most device intelligence has limitations that we’ve broken down into two kinds.
Limitation 1: the restrictions of the data extracted
Standardization: Before, device manufacturers used to build devices with small flaws, like a skew accelerometer or clock. These minor deficiencies helped identify subsets of devices to improve device recognition. Today, with higher standardization, device manufacturers are building machines with fewer defects, or, if they have flaws, they are harder to find. Considering that by 2022 there will be 12 billion devices connected to the internet, it’s only going to get harder to find the uniqueness of a device among a sea of clones.
Privacy: Cookies, aside from being a delicious treat, are a key component of device recognition. Browsers gather information about the sites we visit, the searches we run, and other activities in the form of tracking cookies. Not long ago, browsers were allowed to keep this information permanently. Today, to protect consumer’s privacy, browsers and other third-party companies gathering cookies are required to delete them after a set period of time, which ranges around the 30-day mark. This means that device intelligence technologies that depend on cookies to track returning devices won’t recognize a returning device after a month, as if the security tool had the memory of a goldfish.
Limitation 2: The resilience of common device intelligence (or the lack of thereof)
Despite standardization and privacy regulations, there are still ways to build device identifiers that aid device recognition – but not without flaws. The two that are used by most companies are the device identification (device ID) and the device fingerprint (device FP).
Device ID: is a unique identifier built with the browser cookies from the user session. The identifier is globally unique but, as mentioned earlier, browsers are required to delete cookies after a month. Once the cookies are deleted, the next time the device logs in it can’t be recognized and creates a new device ID.
Device Fingerprint: is a non-unique identifier based on the attributes of the device and browser. For example, it detects whether the browser has an ad blocker, a grammar checker or a new version. Although this identifier doesn’t depend on cookies, it’s not globally unique and it has a 40% chance of finding another device with the same fingerprint.
Why even care about device intelligence?
Bad actors use networks of devices to execute mass-scale attacks. With a single server, they remotely control the other machines to, for example, create fake accounts or take over accounts en-masse.
The remotely-controlled devices are often not so obvious as bad actors hide or spoof basic information like IP or location. By controlling devices remotely, fraudsters can also take over a session while the legitimate user is in it (account hijacking) and make illegitimate purchases or transaction that bypass login.
Device intelligence helps companies identify suspicious devices and bock them before they access any user or company assets and generate losses.
About a globally unique identifier
NuData has developed Mastercard Trusted Device, a device recognition solution that solves the greatest limitations companies have encountered. Trusted Device builds a globally unique identifier from each device with an average lifespan of 140 days – three to six times longer than the device ID or device fingerprint – making it highly accurate and reliable. It’s also globally unique and resilient across major device changes like deleting cookies or updating the operating system; where device ID and device FP fail.
Results with a unique device identifier
After deploying this product on a major U.S. bank, the most interesting finding was that 65% of users have more than one device. This underscores the importance of having a reliable device intelligence tool that can not only recognize returning devices but also link several to the authorized user. Also, many users log in several times a week, which, as they use different devices, can raise flags or trigger unnecessary step-ups.
More specifically, here is an example of how a unique identifier helped this client stop attacks and reduce friction on good users across device recognition challenges:
Recognizing a device across major changes
Trusted Device assigned a unique identifier that was linked to a Samsung mobile device that accessed an account on 178 separate occasions across four months. This user deleted the device’s cookies on 14 different occasions, which lead to creating 14 distinct tracking cookies.
Deleting the cookies on a device, in the context of device recognition, is considered a device break. During this time the device had software updates that lead to four different fingerprints. This also considered a device break, which, together with the device ID break, it’s called a double break. A double break makes it impossible for most device-based tools to recognize the returning device.
However, by examining underlying device attributes, Trusted Device was able to assign the new device ID and device FP to the existing unique identifier that this device originally created. By doing this, Trusted Device maintained recognition of this device across a series of tracking cookie deletions, device updates, and attribute changes.
The common denominator: you
Even though the device is a critical piece to recognize a user, the most important common denominator is still the user. Yes, that’s you.
Considering that the average user changes devices every 18 months, recognizing the user across different devices is the best chance a company has to provide a customized experience and protect their environment from fraud.
Passive biometrics is a technology that evaluates users based on the inherent patterns that they carry across devices (whether you are a two-finger typer, a keyboard shortcut person, or someone who holds the device at a 70-degree angle, for instance).
Recognizing the device is the first step, but preserving the most important part – the human behavior – as the key component for authentication is helping many major companies globally recognize their users and block fraudulent attacks even if they have the right credentials or devices.
Listen to our full webinar about device intelligence and how we’ve helped our clients here.
Related to this post Behavioral Biometrics: A Brain that Keeps on Growing