Adaptive Device Identification

A comparison of online Device Recognition strategies for fraud protection.

Adaptive Device Identification is the ability to uniquely detect and identify a device online to prevent fraud. Not all Device Identification strategies used for fraud prevention are made equal, and this knol discusses common Device Identification strategies, their limitations in a fraud prevention context and the need for a more robust Device Identification method provided by Adaptive Device Identification.

Device Recognition, Device Fraud Protection, Device Reputation, Device Authentication, Device Risk

Benefits of Online Device Identification

As our use of the internet has increased beyond that of simply viewing web pages and moving files around, so has our need to accurately identify a device beyond its IP Address.

Most recently, Device Identification as a Fraud Protection method has gained increased attention due to the increase in organized crime targeting online credit card transactions and online payments.  In recent times, there has been a pronounced shift from opportunism and petty crime to technologically sophisticated and wide-scale fraud and identity theft.  Accurate Device Identification allows reputation to be assigned and tracked for a device based on transaction history.  Device Identification is also an effective tool for protecting companies against stolen identity and credit card data.

Adaptive Device Identification is a specific type of Device Identification technology that provides more accurate Device Recognition based on the following truths:
  • A Device's fingerprint, or its profile of attributes, will change over time. 
  • A subset of sufficiently motivated people, i.e. fraudsters, will attempt to thwart any Device Identification strategy.

Device Identification Strategy Trade-offs

The effectiveness of any Device Identification Strategy is a trade-off between
  • True Positives: The accurate recognition of a returning device. 
  • True Negatives: The accurate determination that the examined device is not a known device.  A True Negative results in a new device being added to the corpus. 
  • False Negatives: Not recognizing the examined device as a previously known device.  A False Negative results in a duplicate device being added to the corpus. 
  • False Positives: Incorrectly classifying the examined device as a previously known device.  A False Positive results in an incorrect identification. 

Using an online retailer as an example, a False Negative, i.e. not recognizing a returning fraudster, has a very high tangible cost associated with it.  Similarly, the cost of a False Positive, i.e. classifying a good customer as a fraudster, is also high, as it has a direct impact on revenue due to potential order rejection.

A Critical Examination of Common Device Identification Strategies

With respect to fraud prevention, an ideal Device Identification strategy will
  • Uniquely identify a device with high precision
  • Recognize a device over a period of time
  • Be resistant to subversion and manipulation
A fundamental concern with all Device Identification strategies is that the attributes of the devices being profiled will change over time, and that the amount of information available for collection will also change.  Further, in the context of using Device Identification for Fraud Prevention, fraudsters will deliberately try to manipulate device settings in order to disguise or manipulate their Device Fingerprint. 

The two most common identification strategies in use today are Device Tagging and Device Fingerprint Hashing.

Device Tagging as a Device Identification Strategy

Device Tagging is the process of installing software, a file or a cookie on a device in order to positively identify a returning device.  One example of Device Tagging is the use of browser cookies to target advertising based on the sites a device visits.  Another example of Device Tagging is the use of 1x1 transparent pixels embedded in a web page.

Advantages of Device Tagging as a Device Identification Strategy

The key advantage of Device Tagging is that it is a deterministic, positive identification strategy.  Either a device is recognized based on detection of a known cookie or other device identifier placed on the device, or it is assumed to be unknown and a new device is either added to the device corpus or rejected based on the business requirement. Device Tagging is often used in online authentication because possession of the Device Tag is used as evidence that a device has been successfully authenticated. 

Disadvantages of Device Tagging as a Device Identification Strategy

There are two key criticisms of Device Tagging as a stand-alone Device Identification strategy.  

The first is that a compromised Device Tag can be used to exploit a trust relationship between the site and the client device.  One example of this form of attack is Cross Site Request Forgery (CSRF)[1] which was successfully used to compromise Gmail Accounts. 

The second criticism of Device Tagging strategies is that if the device tag is removed or deleted, then a new device identifier will be generated, leading to False Negatives. 

These two issues are not a problem for Device Identification used in marketing and advertising, but do present a problem for fraud prevention as fraudsters are motivated to either delete or subvert the Device Identification process.   

Device Fingerprint Hashing as a Device Identification Strategy

Device Fingerprinting is the use of profiled device biometrics in order to identify a device. Device Fingerprint Hashing is a specific matching strategy that relies on creating a hash of the examined device's attributes and comparing it against precomputed hashes contained in the device attribute corpus.
  • Obtain Device Attributes
  • Create Hash of Device Attributes
  • Compare Hash against existing Device Attributes

Advantages of Device Fingerprint Hashing for Device Identification

A Device Fingerprinting approach does not have the drawbacks associated with Device Tagging, in that it does not rely on a file or cookie in order to identify a returning device.

In addition, matching on a hash of collected device attributes rather than on individual attributes is more efficient, which suits high-transaction environments.

Disadvantages of Device Fingerprint Hashing for Device Identification

The hash is only as unique as the underlying attributes used to generate it.  Therefore, the accuracy of the device fingerprint is directly related to the quality of the underlying attributes used to generate the hash.

Another criticism of Device Fingerprint Hashing as a matching strategy is that device characteristics change relatively frequently over time, and the changes can be non-linear in nature, e.g. a change in a web browser version is reasonably incremental, while a change in the browser used altogether represents a more abrupt discontinuity.  Linear changes can be somewhat ameliorated by Fuzzy Hashing techniques, such as those used in spam detection[2] and malware classification[3], but non-linear changes are much harder to compensate for.

Fraudsters will therefore deliberately attempt to randomize device attributes in order to generate False Negatives, i.e. the same returning device is not correctly recognized.  In addition, False Negatives can also be caused by the attribute measurement and collection process itself, e.g. non-arrival or non-measurement of an attribute due to browser limitations.
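The brittleness described above can be seen in a minimal exact-match implementation. This is an added example, not code from the original article; the attribute names, sample values, `HashCorpus` class and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import json


def fingerprint_hash(attrs):
    """Hash a canonical (sorted-key) serialisation of the collected attributes."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class HashCorpus:
    """Hypothetical device corpus keyed by fingerprint hash (exact match only)."""

    def __init__(self):
        self._by_hash = {}

    def identify(self, attrs):
        """Return (device_id, is_new); an unseen hash is enrolled as a new device."""
        h = fingerprint_hash(attrs)
        if h in self._by_hash:
            return self._by_hash[h], False
        device_id = f"dev-{len(self._by_hash) + 1}"
        self._by_hash[h] = device_id
        return device_id, True


# Constructed sample attributes for one physical device.
BASE = {
    "user_agent": "ExampleBrowser/3.0.7", "os": "ExampleOS 5.1",
    "screen": "1280x800", "timezone": "UTC-8",
    "language": "en-US", "plugins": "flash,pdf",
}


def demo():
    corpus = HashCorpus()
    first = corpus.identify(BASE)                    # enrolment
    same = corpus.identify(dict(BASE))               # True Positive
    # Incremental change: a minor browser update yields a different hash.
    upgraded = corpus.identify({**BASE, "user_agent": "ExampleBrowser/3.0.8"})
    # Collection failure: one attribute did not arrive.
    partial = {k: v for k, v in BASE.items() if k != "plugins"}
    missing = corpus.identify(partial)
    return first, same, upgraded, missing


if __name__ == "__main__":
    print(demo())
```

The same physical device ends up in the corpus three times: both the version bump and the missing attribute are False Negatives that create duplicate devices.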

Introducing Adaptive Device Identification

The fundamental issue with both Device Tagging and Device Fingerprint Hashing matching strategies is that the Device Identifier is tied to the underlying attribute values.  In the case of Device Tagging, if the tag is removed, changed or copied then by definition the Device Identity will change or be removed with it.  Similarly, with Device Fingerprint Hashing, if one of the constituent attributes is changed, a new hash and Device Identifier is generated.  
 
What is needed is an Adaptive Device Identification approach that is specifically designed to consistently and accurately identify a device in the face of real-world variations in the quality and quantity of matching attribute data.

Towards A Robust Device Identification Strategy

A robust Device Identification approach using Adaptive Device Identification is as follows:
  • Fingerprint the examined device and connection, including but not limited to
    • Device Attributes
    • Geolocation Attributes
    • Connection Attributes
    • Timing and time zone Attributes
    • Network Routing Attributes
    • Application Attributes
    • Operating System Attributes
    • Transaction behavior Attributes
    • TCP Protocol attributes
    • Reputation Attributes
  • Determine whether the quality of attribute data is sufficient to make a match, quality relating both to uniqueness and persistence of attributes collected as well as detection of anomalies as part of a Device Risk Profiling process, including but not limited to
    • Detection of Man In the Middle attacks
    • Detection of credential replay attacks
    • Detection of hidden proxy usage
    • Detection of intrusion and injection attacks
    • Detection of malware infection.
    • Detection of cloaking attempts
    • Detection of fuzzing attempts
    • Detection of negative Device Reputation history.
  • Determine an appropriate Device Identification Matching Strategy taking into account
    • Availability of attribute data (timing, sufficiency, completeness) 
    • Quality of attribute data obtained (uniqueness, persistence, tolerance)
    • Detected anomalies
    • Corpus of existing device attribute data (volume, recency, relevance)
    • Matching Rule Performance (accuracy, cost and speed)
    • Throughput and response time requirements
    • Device Activity History
    • Thresholds and error tolerances
    • Feedback (truth data) and statistical and behavioral analysis
  • If a match is made, merge the examined and collected device profile results based on a suitable merging strategy. 
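The following sketch walks through the steps above in a reduced form: a sufficiency check on the collected attributes, a weighted tolerant match, and a merge on success. It is an added example, not the author's or any product's implementation; the weights, thresholds, similarity rule, attribute names and sample values are all assumptions.

```python
# Hypothetical weights: higher = more unique and persistent (assumed values).
WEIGHTS = {"user_agent": 2, "os": 2, "screen": 1,
           "timezone": 1, "language": 1, "plugins": 3}
TOTAL = sum(WEIGHTS.values())
MIN_EVIDENCE = 0.6      # share of total weight needed before a match is attempted
MATCH_THRESHOLD = 0.8   # weighted similarity needed to call it the same device


def similarity(attr, a, b):
    """Per-attribute tolerance: a version bump of the same browser is a near match."""
    if a == b:
        return 1.0
    if attr == "user_agent" and a.split("/")[0] == b.split("/")[0]:
        return 0.7
    return 0.0


def evidence(keys):
    """Share of total attribute weight represented by the given attribute names."""
    return sum(WEIGHTS[k] for k in keys if k in WEIGHTS) / TOTAL


def score(examined, known):
    """Weighted similarity over attributes present on both sides, or None if too few."""
    shared = [k for k in WEIGHTS if k in examined and k in known]
    if evidence(shared) < MIN_EVIDENCE:
        return None
    hit = sum(WEIGHTS[k] * similarity(k, examined[k], known[k]) for k in shared)
    return hit / sum(WEIGHTS[k] for k in shared)


def identify(examined, corpus):
    """Return (decision, device_id); decision is 'match', 'new' or 'insufficient'."""
    if evidence(examined) < MIN_EVIDENCE:
        return "insufficient", None          # do not match or enrol on thin data
    scored = [(s, d) for d, p in corpus.items()
              if (s := score(examined, p)) is not None]
    best_score, best_id = max(scored, default=(0.0, None))
    if best_score >= MATCH_THRESHOLD:
        corpus[best_id].update(examined)     # merge strategy: newest values win
        return "match", best_id
    new_id = f"dev-{len(corpus) + 1}"
    corpus[new_id] = dict(examined)
    return "new", new_id


# Constructed sample profile already held in the corpus.
BASE = {"user_agent": "ExampleBrowser/3.0.7", "os": "ExampleOS 5.1",
        "screen": "1280x800", "timezone": "UTC-8",
        "language": "en-US", "plugins": "flash,pdf"}

if __name__ == "__main__":
    corpus = {"dev-1": dict(BASE)}
    print(identify({**BASE, "user_agent": "ExampleBrowser/3.0.8"}, corpus))
```

A real deployment would choose the matching rule per request, based on the anomaly, reputation and throughput inputs listed above; this sketch fixes a single rule to keep the mechanics visible.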

Advantages of Adaptive Device Identification   

The key advantage of Adaptive Device Identification is the ability to more accurately identify returning devices in real-world scenarios where devices and collected attribute data will change.  In an online fraud prevention context, this translates to stopping more fraudulent transactions while reducing the number of rejected transactions caused by less precise approaches.   
 
At its core, adaptive Device Intelligence provides the means to better identify returning devices and to adapt more accurately to variations caused by environmental, situational and causal factors, including those brought about by variances in:
  • Profiling Time - the time available for device risk profiling 
  • Matching Time - the time available for performing a Device Identification match.
  • Browser Type and Capability - the variance in browser capabilities over time
  • Browser Plug-ins - the variance in the attribute data available based on plugins that are installed and enabled/disabled. 
  • Operating System and Patch Levels - the variance in attribute information available based on differences between operating systems and patch levels 
  • Device Drivers - the variance in attribute information exposed based on vendor-specific implementations of networking protocol device drivers 
  • Network Characteristics - bandwidth, round-trip time, path, number of hops, fragmentation and packet loss
  • Proximity - the variances introduced and the information available depending on the proximity of the device
  • Intermediary Devices - Configuration, Type and Number of Networking Devices between the client and profiling server potentially masking or manipulating collected attributes.  
  • Tamper applications - variations introduced by installed software used to mask or manipulate collected attributes. 
  • Implementation - depending on the web-site, implementation differences may impact the types of data that can be measured.
The flexibility and accuracy brought about by Adaptive Device Identification technology results in being able to  
  • Uniquely Identify a Device
  • Persistently recognize the same device over time
  • Have a high degree of tolerance to subversion and manipulation.   

Disadvantages of Adaptive Device Identification

By nature of its implementation, an Adaptive Device Identification technology represents a significant challenge to implement at scale.  The process of matching, merging and maintaining state across hundreds of millions of device profiles against multiple matching strategies at internet-scale transaction volumes does not lend itself well to existing relational database technologies.  Even at enterprise-scale transaction volumes, matching Device Identity attributes in real time is a challenge.  Just as Google needed to implement a customized framework to solve web indexing accuracy in a cost-effective manner, implementing an Adaptive Device Identification matching strategy for anything other than small volumes will require a specialized Device Matching Platform.  Therefore Adaptive Device Identification is most profitably used in fraud prevention contexts where there is a premium placed on accurate and subversion-resistant Device Identification.

Conclusion

As online transactions continue to increase, so will the need for tools that enable accurate Device Identification of otherwise anonymous computers.  Depending on the business context, different Device Identification Strategies may be effectively deployed.  Both Device Tagging and Device Fingerprint Hashing represent a good step forward beyond relying on just an IP Address to identify computers in a transaction.  However, for requirements that demand more persistence and subversion resistance, such as online credit card payments and transfers, the more substantive approach of Adaptive Device Identification will yield a higher return on investment.

Alisdair Faulkner
VP Products
Bay Area
Version: 55
Last edited: Mar 29, 2009 12:05 PM.
