BankThink

Crooks have learned to get around static biometrics and device ID

Most companies use device recognition technologies to try to identify customers through connection information, device IDs and device fingerprints, though bad actors are finding ways around that.

Tracing IP addresses, device IDs, internet service providers and how the device connects into an environment such as a model, operating system, and network connections are all ways that a device can be recognized.

However, with new data privacy laws, cookies used to recognize returning customers are now routinely erased after a short period of time. That means that traditional device ID technology no longer recognizes the device after a short period of time. This, together with a device fingerprint that is reset every time a user updates software, results in poor user experiences. For the customer, that means that they might have to go through additional steps to fully authenticate themselves again, despite using the same device. These step-ups in security cause frustration for users that lead to cart abandonment or loss of customers to a competitor.

Most crooks no longer use headless browsers, or command-style scripting to make a run at logins, because they know these techniques are quickly identified and thwarted. Instead, they want all the hallmarks of a real consumer device present in the interaction, and are looking for ways to make obfuscated devices as unique as possible to shield devices and hide thousands of transactions made from one server.

With this in mind, cybercriminals also alter the use of agent string data which, for sophisticated security solutions, is a clear sign of fraud. For example, a user string can show impossible combinations or have grammar mistakes such as showing Mozila instead of Mozilla.

Deep analysis of the user agent strings, looking at individual data points and how they compare against users’ history along with how the device links back to the user are all ways to make much better decisions about the user behind the device.

However, implementing passive biometrics to the stack to see how the human is actually interacting with the device represents as an additional layer of identification.

How fast a person types, how hard they hit the keys and hundreds of other interactive identifiers along with behavioral analytics together can identify the real user in case any single identifier is compromised. It is this layered approach that can identify an individual even if they use other devices or if there are device identification breaks. It can also determine when the user behind the device is human or a bot to break the fraud chain.

For reprint and licensing requests for this article, click here.
Payment fraud Retailers Biometrics Payment processing ISO and agent
MORE FROM AMERICAN BANKER