Device Fingerprinting

Device Identification for online Fraud Protection

Device Fingerprinting is a technology for differentiating between a customer and a fraudster online. In this Knol, learn why Device Fingerprinting has become necessary in online fraud prevention and what you need to consider when implementing a Device Fingerprinting solution for your business.


Overview

Today, the prevalence of identity theft and hackers means that it is much harder to verify that the person you are doing business with is who they say they are. That new customer could be a compromised computer transacting on behalf of a sophisticated eastern European crime gang, or an opportunistic thief who has lifted personal details from Facebook. It's clear that online identity verification is a significant challenge and concern for all business owners. In this Knol, learn what Device Fingerprinting is; why it is valuable for online credit card and account login fraud protection; its limitations; fraud detection techniques using Device Fingerprinting; methods for Device Fingerprint collection and generation; and things to consider during implementation.

What is Device Fingerprinting?

Device Fingerprinting is the measurement of anonymous browser, operating system and connection attributes in order to generate a risk profile of a device in real-time. Device Fingerprinting (sometimes called PC Fingerprinting) is part of a broader class of technologies called Device Identification and Analytics used to determine whether the computer you are doing business with should be trusted. 

Why is Device Fingerprinting Valuable?

With personal identity information such as credit cards and login passwords now a commodity on the black market, companies need to look to alternative methods for verifying identities and transactions online. This problem is compounded by the fact that fraudsters now routinely evade IP Address Blacklisting and IP Address Geolocation tools using proxies. Proxies can be special-purpose servers used to masquerade a fraudster's real IP Address, but are now increasingly likely to be one of the millions of compromised computers (collectively called botnets) that are under the control of criminal gangs. Device Fingerprinting is a powerful tool for recognizing a returning fraudster even if they change their name, IP Address or cookies.

Device Fingerprinting and Fraud Prevention

A Device Fingerprint is a valuable tool because it enables a fraudster’s device to be recognized even when they change their identity through the use of proxies and stolen credit card or account password information. Depending on the business, typically four main strategies are used to leverage a Device Fingerprint to combat fraud.

1.   Device Velocity – when fraudsters find a hole in your defenses they will try to extract the maximum value as fast as they can.  Creating velocity filters based on a Device Fingerprint will enable you to minimize fraud costs even when names, credit card details and IP Addresses are changed.

2.   Transaction linking – a Device Fingerprint is a powerful tool for finding related transactions either as an identifier in itself or as a means of finding transactions with related characteristics e.g. finding related transactions performed from the same ISP and location. 

3.   Account linking - a Device Fingerprint is valuable for detecting accounts or subscriptions that are being accessed or shared illegally.
 
4.   Device Reputation – if a device has been involved with fraud, adding that device to a blacklist will enable you to protect customers that share the same device reputation network.
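
As an added illustration of strategies 1 and 3 (this code is not part of the original article), the Python below indexes a constructed set of transactions by Device Fingerprint and, for comparison, by IP address. The velocity filter keyed on the fingerprint catches a device cycling through names, cards and IP addresses, while the same filter keyed on IP sees nothing; the same index also gives the account-linking view. Field layout, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions: (timestamp, device fingerprint, account, card last4, source IP).
# One device (dev-A) cycles through four accounts, four cards and four IPs in 15 minutes.
TRANSACTIONS = [
    ("2009-03-01 10:00", "dev-A", "alice", "1111", "198.51.100.7"),
    ("2009-03-01 10:04", "dev-A", "bob",   "2222", "203.0.113.9"),
    ("2009-03-01 10:09", "dev-A", "carol", "3333", "192.0.2.44"),
    ("2009-03-01 10:15", "dev-A", "dave",  "4444", "198.51.100.12"),
    ("2009-03-01 11:00", "dev-B", "erin",  "5555", "203.0.113.50"),
    ("2009-03-02 09:30", "dev-B", "erin",  "5555", "203.0.113.50"),
]
FIELD = {"device": 1, "ip": 4}   # which column the velocity filter is keyed on


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def velocity_alerts(transactions, key="device", window=timedelta(minutes=30), max_cards=2):
    """Return {key value: distinct cards} for every device (or IP) that used more than
    max_cards distinct cards inside any sliding window of the given length."""
    groups = defaultdict(list)
    for tx in transactions:
        groups[tx[FIELD[key]]].append((parse(tx[0]), tx[3]))
    alerts = {}
    for k, events in groups.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            cards = {card for t, card in events[i:] if t - start <= window}
            if len(cards) > max_cards:
                alerts[k] = len(cards)
                break
    return alerts


def linked_accounts(transactions):
    """Account linking: accounts that were accessed from the same Device Fingerprint."""
    accounts = defaultdict(set)
    for tx in transactions:
        accounts[tx[1]].add(tx[2])
    return {dev: sorted(a) for dev, a in accounts.items() if len(a) > 1}


if __name__ == "__main__":
    print("by device:", velocity_alerts(TRANSACTIONS))           # {'dev-A': 4}
    print("by IP:    ", velocity_alerts(TRANSACTIONS, key="ip"))  # {} because the IPs were rotated
    print("linked:   ", linked_accounts(TRANSACTIONS))
```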
 

Device Fingerprinting Trade-offs 

The tradeoffs that need to be considered are the uniqueness, persistence, resistance, friction and fit of the Device Fingerprinting approach.

1.   Uniqueness is the measure of how accurately and confidently you can identify a returning computer and differentiate it from other computers on the internet. It depends on the amount of entropy, or information, that is contained in the fingerprint.  For example, screen resolution by itself does not represent a unique fingerprint, while the MAC address of a computer is generally considered unique.

2.   Persistence is the measure of how long you can expect to uniquely identify a device based on the fingerprint technique used.  For example, the operating system would be a persistent fingerprint attribute, while the JavaScript version used by the browser would change more frequently.

3.   Resistance is a measure of how well the Device Fingerprinting technique stands up to tampering by a hacker or fraudster.  For example, a browser cookie may be unique, but it is easy to delete or copy. 

4.   Friction is a measure of the disruption to the customer's experience.  For example, requiring a user to have a hardware token or to download software in order to uniquely identify them is inconvenient and not practical for most online businesses.  Ideally the Device Fingerprinting method should be transparent to the end user.

5.   Fit is the measure of how seamlessly the Device Fingerprinting technology integrates with your business and technology requirements.  Is there server technology that needs to be installed? Is the technology scalable?  How easily does it integrate with your organization's existing decision systems? What is the increased overhead placed on your infrastructure?  Is there any latency or delay introduced?

Device Fingerprinting methods 

The two major types of Device Fingerprinting methods are client-based solutions and server-based Remote Device Profiling solutions.

Client-based Device Fingerprinting

Client-based methods require installing a software executable on the end user's computer.  The advantage of client-based methods is that they have access to otherwise hidden operating system information such as the hard drive serial number and the MAC address of the network card.  This information is highly unique, persistent and harder to tamper with. The major disadvantage of this method, which excludes it from practical use in most ecommerce transactions, is that the process requires some action or permission on the part of the user.  This may be OK if you are a bank, but not if you are an ecommerce website, media or retail financial services business.  The other issue is of course that most corporate computers won't allow anything to be installed from an external website.

Remote Device Profiling

Remote Device Profiling is a new Device Fingerprinting method that relies on information that can be measured remotely via a profiling server.  Preferably this data is streamed in real-time. This information is based on anonymous attributes that can be measured or derived about the user's browser, operating system and connection.  Because this method has zero impact on the user's customer experience and their privacy and does not require registration, it is often the only practical method available to ecommerce, online media and retail financial businesses.  The trade-off with transparent profiling is that protected device attributes such as the MAC address or hard-drive serial number are not available.  However, recent advances in TCP/IP protocol and Operating System fingerprinting[1] now enable a device to be profiled beyond more obvious browser characteristics such as browser type and version.  One method in particular that attracted some academic attention was the use of the clock skew associated with a PC's CPU.
 

Device Fingerprinting Requirements

There are a number of factors you will need to consider when implementing a Device Fingerprinting technology including impact, flexibility, matching technique, measurement diversity and Device Fingerprint depth.
 

Low Customer and Infrastructure Impact

Ideally your Device Fingerprinting solution should have zero impact on both your customer's experience and your IT infrastructure. Requiring a user to download software or use a hardware token will lead to dissatisfaction and abandonment, while requiring your operational staff, who are often rewarded based on up-time and availability metrics, to install additional software on your web servers will also be met with some pushback.
 

Installation flexibility

Preferably your Device Fingerprinting technology can be implemented as a web service to reduce installation and maintenance costs.  A set of well-defined web APIs will enable easy and cost-effective integration of Device Intelligence into your existing business rules engines, fraud systems or risk-based access control systems.
 

Real-time Adaptive Device Identification

One approach to generating a Device Fingerprint is to perform a simple hash of the measured attributes.  The advantage of this approach is that it is quick and easy for most computer systems to implement.  The limitation of such an approach is that it takes only one parameter to change, for example swapping the browser used from Internet Explorer to Firefox, and an entirely new Device Fingerprint is generated.  Look for a Device Fingerprinting solution that uses a real-time Adaptive Device Identification technique to provide a more accurate and persistent Device Fingerprint.  Adaptive Device Identification is the ability to reconstruct a Device Fingerprint even when its constituent attributes change.  Look for a Device Fingerprinting technology that is capable of performing a fuzzy match in real-time rather than in minutes, hours or days.
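The contrast described above, as an added example that is not the article's or any vendor's code: a naive hash fingerprint beside a weighted fuzzy matcher that still recognizes the device after the browser is swapped from Internet Explorer to Firefox. The attribute sets, the persistence weights and the 0.75 match threshold are assumptions chosen for illustration.

```python
import hashlib

# Constructed attribute sets for two previously seen devices (values are illustrative only).
KNOWN_DEVICES = {
    "fp-1": {"os": "Windows XP", "ttl": "128", "tz": "-480", "screen": "1280x1024",
             "fonts": "arial,verdana,tahoma", "lang": "en-US",
             "browser": "IE 7.0", "plugins": "flash 9,java 1.6"},
    "fp-2": {"os": "Linux", "ttl": "64", "tz": "+60", "screen": "1024x768",
             "fonts": "dejavu,liberation", "lang": "de-DE",
             "browser": "Firefox 3.0", "plugins": "flash 10"},
}

# Assumed persistence weights: OS and TCP-level attributes change rarely, browser-level ones often.
WEIGHTS = {"os": 3, "ttl": 3, "tz": 2, "screen": 2, "fonts": 2, "lang": 1, "browser": 1, "plugins": 1}


def simple_hash(attrs):
    """Naive fingerprint: a hash over every attribute, so any single change yields a new identity."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def similarity(a, b):
    """Weighted fraction of attributes on which two attribute sets agree (0.0 to 1.0)."""
    matched = sum(w for k, w in WEIGHTS.items() if a.get(k) == b.get(k))
    return matched / sum(WEIGHTS.values())


def adaptive_match(observed, known=KNOWN_DEVICES, threshold=0.75):
    """Fuzzy match: return (known fingerprint id, score), or (None, best score) when nothing
    reaches the threshold, in which case a new fingerprint would be issued."""
    best_id, best = None, 0.0
    for fid, attrs in known.items():
        score = similarity(observed, attrs)
        if score > best:
            best_id, best = fid, score
    return (best_id, best) if best >= threshold else (None, best)


if __name__ == "__main__":
    # The same machine as fp-1 after switching from Internet Explorer to Firefox.
    switched = dict(KNOWN_DEVICES["fp-1"], browser="Firefox 3.0", plugins="flash 10,java 1.6")
    print(simple_hash(switched) == simple_hash(KNOWN_DEVICES["fp-1"]))  # False: the hash no longer matches
    print(adaptive_match(switched))                                      # ('fp-1', 0.8666...)
```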
 

Measurement Diversity

Today's browsers support technologies such as Flash and JavaScript that are capable of gathering extensive Device Fingerprinting information.  However, such technologies can also be readily disabled by fraudsters and privacy-conscious web surfers alike.  To be able to differentiate between a fraudster and a valuable customer, look for a Device Fingerprinting technology that does not rely exclusively on either JavaScript or Flash and can uniquely identify a device even when these technologies are disabled.
 

Device Fingerprint Depth

Just like an iceberg, what you can't see could sink you.  All web servers and web analytics companies provide basic browser technographics such as browser type, browser language and the types of multimedia and languages that are supported.  However, this information is also very easy for a knowledgeable fraudster to manipulate, and it is blind to warning signals that lie beneath what the browser is telling you.  Look for a Device Fingerprinting approach that looks beyond the browser and is able to perform Operating System, Protocol and Connection Fingerprinting in real-time.  The benefit of these technologies is that they are able to recognize a fraudster even when the browser attributes change or when cookies are deleted, and can more accurately alert you when a high-risk proxy is being used.
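One small instance of looking beneath the browser, added here as an example rather than taken from the article: the operating system family implied by the IP TTL seen in the client's packets is compared with the one the User-Agent header claims. The TTL table is an assumption based on common default initial values (128 for Windows, 64 for most Unix-like stacks), and the session records are constructed.

```python
import re

# Assumed default initial TTLs: Windows stacks start at 128, most Unix-like stacks at 64,
# some network devices at 255. The TTL observed at the server is the initial value minus hops.
INITIAL_TTLS = [(64, "unix-like"), (128, "windows"), (255, "other")]

# Constructed session records: (User-Agent header, TTL observed in the client's SYN packet).
SESSIONS = [
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", 115),   # direct Windows client
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", 52),    # Windows UA, Unix-like stack
    ("Mozilla/5.0 (X11; U; Linux i686) Gecko/2009 Firefox/3.0", 55),
]


def os_from_ttl(observed_ttl):
    """Infer the OS family by rounding the observed TTL up to the nearest default initial value;
    returns (family, estimated hop count)."""
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return family, initial - observed_ttl
    return "unknown", None


def os_from_user_agent(ua):
    """OS family the browser claims in its User-Agent header (trivially changeable by the client)."""
    if re.search(r"Windows", ua):
        return "windows"
    if re.search(r"X11|Linux|Mac OS X|FreeBSD", ua):
        return "unix-like"
    return "unknown"


def consistency_check(ua, observed_ttl):
    """Flag sessions where the OS seen at the TCP/IP layer contradicts the browser's claim.
    A mismatch is a risk signal (for example traffic relayed through a proxy whose stack is
    what the server actually sees), to be scored alongside other attributes, not proof."""
    claimed = os_from_user_agent(ua)
    inferred, hops = os_from_ttl(observed_ttl)
    consistent = claimed == inferred or "unknown" in (claimed, inferred)
    return {"claimed": claimed, "inferred": inferred, "hops": hops, "consistent": consistent}


if __name__ == "__main__":
    for ua, ttl in SESSIONS:
        print(ttl, consistency_check(ua, ttl))
```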
 

Conclusion

As ecommerce revenues grow, fraud inevitably follows.  The absence of a physical customer at the time of transaction or login, combined with a new era of technology-driven identity theft, means that there is a need for a new alternative for online identity verification.  Device Fingerprinting, or PC Fingerprinting, is a valuable tool capable of detecting and stopping fraud that currently operates under the radar of modern fraud detection methods.  Understanding the different approaches, and choosing a Device Fingerprinting solution that fits within your business and technology requirements, will yield the best results.

 

Alisdair Faulkner
Vice President at ThreatMetrix
Bay Area