WHITE PAPER

Future of Device Fingerprinting

Contents

Introduction 1

Limitations of Traditional Device Fingerprinting 2

Device Fingerprinting Evolution 3

How Simility’s Device Recon Works 4

Individual Use Cases 7

Today’s device fingerprinting technology has been made significantly more effective at fighting online fraud with advanced techniques such as fuzzy matching, clustering and predictive modeling.

Introduction to Device Fingerprinting

For over a decade, a crucial part of fraud detection in the virtual world has been assigning an identity to every laptop, tablet and mobile device that accesses a website or app. Such a fingerprint, often referred to as a device fingerprint or device ID, is a representation of hundreds of different device-specific values taken from an end user’s device. As in the real world, a device fingerprint aids in the identification and tracking of bad actors.

As a first step to any fraud attempt, fraudsters try to hide their identity or pretend to be many different people when they are, in fact, just one person. For example, a person who owns a local barber shop may want to publish a lot of fake positive reviews about his business and negative reviews about the competitors’ businesses on a review app. Obviously, the person will use a fake name because his customers and competitors know about his business. Also, the business review site probably requires a different email address for each account, so he might enter fake email addresses when setting up multiple fake accounts. Perhaps the review app even requires each account to be from a different IP address and to register a new phone number. These hurdles can make it a little more difficult for a fraudster to set up fake accounts, but they can all be easily circumvented.

Copyright © Simility 2017 1 White Paper: Future of Device Fingerprinting

This is where device fingerprinting comes in. The one thing fraudsters cannot spoof is the fact that they are accessing the app from the same mobile device. It would be prohibitively expensive to get a basement full of different devices to look like a bunch of legitimate users leaving reviews. So if the app can somehow detect a fingerprint from every device that opens its app, it can assign unique identities to each of its users, even if fraudsters are trying to hide their true identity.

Luckily, when a computer, tablet or mobile device accesses a website or app, it passes hundreds of signals about itself in order to aid in customer experience. For example, the browser language tells the app in which language to display text, the horizontal or vertical orientation of the phone tells it how to display the user interface, and the timezone setting allows the app to cater to the local time of the user. Each device has a unique set of these signals in the pool of near-infinite possible permutations of signals, so to the app, a unique user is the unique set of signals from that particular device.

Limitations of Traditional Device Fingerprinting

The key limitations that caused this once-impressive device fingerprinting technology to stop being effective several years ago are:

1. Good users inadvertently change their signals regularly. For example, a user might change the settings on his phone multiple times per month when he updates it or changes a setting in his browser. With traditional technology, his device fingerprint becomes completely unique every time he does this, and in the eyes of the review app he is a brand new, unknown user each time. In fact, the typical half-life of a device fingerprint is shorter than one month for some technologies.

2. Fraudsters can actively change their signals to give themselves a new fingerprint. In fact, there’s an inexpensive, widely available program called FraudFox that does it for them. With FraudFox running on their laptop, they can emulate thousands of different device fingerprints on a single app in one day.

3. It’s completely reactive. Knowing the identity of a device is only useful to stop fraud if you know that device has committed fraud on your app in the past. So every fraudster can defraud an app at least once before it is blacklisted. You can share blacklisted data with a global repository of billions of blacklisted devices from other companies, but you have no idea why those devices were blacklisted. Just because someone sent an unwanted message on a dating app yesterday doesn’t mean they’re going to use a stolen credit card to buy a big screen TV on an e-commerce site tomorrow.

4. You are not privy to the rich information behind the device fingerprint. In their simplest forms, two device fingerprints either match or they are different. However, there is a lot of gray area and this binary paradigm does not allow you to see devices that are likely to be the same. Furthermore, a fingerprint does not provide visually rich information, such as a graphical view of the connections between devices, accounts, and orders.

Device Fingerprinting Evolution

Fuzzy Matching: Since the fingerprint of a good user’s device will change over time, a fraud model has to figure out which signal changes are OK to ignore. If two distinct fingerprints differ by only one signal that often changes on organic users, such as modified alarm settings, a good fraud model should assign them the same device ID. It’s easy to see that there will be a lot of gray area, so it will be up to smart fraud detection companies to build robust algorithms that correctly draw the line between device fingerprints.

Reverse Engineering Fraud Tools: FraudFox is just a deterministic program that spoofs the signals of its user according to rigid rules. Fraud detection data scientists should be able to detect patterns in how FraudFox alters signals. The good ones can effectively reverse engineer its algorithms to detect when a device’s signals have been artificially changed by a fraudster vs. when they have been organically changed by a good user. Ultimately this will turn into an arms race with FraudFox tuning its algorithms to mimic good users and fraud detection data scientists revising their detection models to differentiate between artificial and organic changes, but fraud detection software has greater resources on its side.

Predictive Modeling: A device ID doesn’t help stop the first time a device commits fraud because it has not been added to any blacklist yet. But a device ID empowered with machine learning can predict whether a device will be used to commit fraud even if it has never committed fraud before.

Fraudsters’ devices often share patterns in their set of signals. With the help of machine learning, device signal datasets render a fraud score. This score tells a story about the device and the user behind it. For example, fraudsters are 5X more likely to have flushed their browser referrer history or have null values in browser settings [source: simility.com/device-recon-results]. As fraudsters change their tactics, the most advanced device fingerprinting technologies will recognize the pattern shift, detect any fraudulent activity and automatically adjust the fraud model.

Customized for Each App: Fraud used to be confined to using a stolen credit card to purchase something from a store or website. Now fraud can be defined as any undesirable behavior, so companies can police their users to make sure none of them are providing a bad experience to others, in order to make a safe environment for everyone. As a result, a bad user on one app might not deserve to be banned from every other app too. Similarly, a device fingerprinting model for one app might not work as well for another app. A good device ID should allow fraud analysts to write rules on individual signals of their device ID model to determine their relative importance in detecting fraudsters’ devices. In this way, each device ID will be customized for its application.

For example, there are some websites that allow you to post a project and have other people review it. In the interest of giving their own project an initial boost, many posters will create a few fake reviewer accounts and positively review their own projects. Some websites might not explicitly outlaw this as long as it is done in moderation. Also many people know how to use an IP proxy service as a rudimentary way to hide their device identity, so these posters may create these accounts through IP proxies. In this scenario, these websites may want to customize their device ID model to refrain from penalizing devices that are using IP proxies to create a handful of reviewer accounts because it is merely a little harmless self promotion.
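The two ideas above, a fraud score built from signal likelihoods and per-app tuning of a signal’s importance, as an added illustration that is not Simility’s model: the two 5x ratios come from the paper, every other ratio, the prior and the signal names are assumed.

```python
"""Log-odds fraud score from device signals, with per-app overrides.

Added example, not Simility's model. The paper states fraudsters are about
5x more likely to have a flushed referrer history or null browser settings,
so those two ratios are 5.0; the remaining ratios, the base rate and the
signal names are assumed for illustration.
"""
import math

# Likelihood ratio P(signal | fraud) / P(signal | legitimate) per boolean signal.
DEFAULT_RATIOS = {
    "referrer_history_flushed": 5.0,  # from the paper's 5x figure
    "null_browser_settings": 5.0,     # from the paper's 5x figure
    "ip_proxy": 3.0,                  # assumed
    "mobile_emulator": 8.0,           # assumed
    "new_device": 1.5,                # assumed
}
PRIOR_FRAUD = 0.02  # assumed base rate of fraud among all sessions


def fraud_probability(signals, ratios=DEFAULT_RATIOS, prior=PRIOR_FRAUD):
    """Naive-Bayes style score: start from the prior odds of fraud and
    multiply by the likelihood ratio of every signal that fires. Unknown
    signals are ignored; a ratio of 1.0 neutralizes a signal."""
    log_odds = math.log(prior / (1.0 - prior))
    for name, present in signals.items():
        if present and name in ratios:
            log_odds += math.log(ratios[name])
    return 1.0 / (1.0 + math.exp(-log_odds))


def app_ratios(overrides):
    """Copy of the default ratios with an application's overrides applied.
    The paper's project-review site would set ip_proxy to 1.0 so that a
    handful of reviewer accounts created through a proxy are not penalized."""
    ratios = dict(DEFAULT_RATIOS)
    ratios.update(overrides)
    return ratios
```
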

How Simility’s Device Recon Works

If a fraudster returns to your site or application and makes minor changes to device characteristics and behaviors, traditional fingerprinting technology will not detect it’s the same device, and the fraudster will slip through your blacklist defense. Simility’s Device Recon technology analyzes hundreds of mobile and desktop device characteristics and behaviors—including browser, language, location, operating system, even mobile emulation and battery level—to fingerprint devices. Fraudsters can mask identifying properties like their username, email, and IP address, but with Device Recon you can determine if a device is associated with fraud. Similar to the notion of matching a criminal’s fingerprint, Simility’s Device Recon matches past device behaviors and comes up with an assessment of the device’s fraud score. Techniques like fuzzy matching are employed to account for the slight changes in device parameters that normally happen over time. Also, through machine learning models it incorporates risk scoring and clustering to see through the fraudsters’ techniques, giving you triple protection against their attacks.

Fuzzy Matching and Device Clusters

A device fingerprint captures the state of a device at a given point in time. But device characteristics, even those of legitimate users, naturally change over time, such as when a plugin is installed or the operating system is upgraded.

As a result, Simility deploys a second machine learning model that uses statistical clustering to distinguish between major and minor device changes, which enables it to determine whether two device fingerprints actually belong to the same device.

[Figure: ID match. Five accounts with different emails and usernames (Table12Lamp, PaperPlate11, FoodFan93, Crystalline, BlueWhale) all access your website or mobile app from the same Device ID 93hc192f. Device signals: Browser 8, Plugins Evernote and AdBlock, Flash Version 11.2, Browser Language Chinese, Location Jelgava, Latvia, OS Windows XP. Integration: JavaScript, iOS, Android and Windows. Machine learning plus manual rules resolve the ID match to the same fraudulent user.]

Intuitive Graph Visualization

In addition to fingerprinting, one of the tools that Simility provides is the Node Graph view tool, which gives easy visibility into fraud patterns. For example, the image at left shows the same device fingerprint associated with a number of different orders, which themselves were associated with different email addresses. This information alone can help quickly determine that someone has either done Bulk Signups or is trying to use logins after an Account Takeover. The colored red dots indicate that some of these transactions were previously deemed as fraud, which aids in identifying devices that were associated with Previous Bad Behavior.

[Figure: Clustering. Device 1 (Browser 42) and Device 2 (Browser Internet Explorer 8) share Browser Language Russian, Location Minsk, Russia and OS Windows XP: the devices are the same except for the browser, so they are clustered together. Device 3 (OS X 10.5 Leopard) and Device 4 (OS X 10.7 Lion) share Browser Chrome 37.0, Browser Language Greek and Location Athens, Greece: the devices are the same except for the OS, so they fall into separate clusters.]
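The fuzzy matching and clustering step described above, as an added illustration that is not Simility’s Device Recon code: signals are compared with per-signal weights so that a browser change is minor and an OS change is major, and fingerprints within a threshold are clustered as one device. The weights, the threshold and the sample fingerprints are constructed; the samples mirror the clustering figure.

```python
"""Weighted fuzzy matching and clustering of device fingerprints.

Added illustration, not Simility's Device Recon code. The weights,
threshold and sample fingerprints are constructed; the samples mirror the
clustering figure (two devices differing only by browser, two only by OS).
"""

# Weight per signal: how strongly a mismatch argues for a different device.
# Volatile signals (browser build, plugins) weigh little, stable ones a lot.
# A production model would learn these per application (values assumed).
SIGNAL_WEIGHTS = {
    "browser": 0.15,
    "plugins": 0.10,
    "browser_language": 0.35,
    "location": 0.40,
    "os": 0.60,
}
SAME_DEVICE_THRESHOLD = 0.5  # total mismatch weight above this: different device


def signal_distance(a, b):
    """Sum of the weights of mismatching signals. A signal missing on one
    side is a mismatch; set-valued signals (plugins) contribute their weight
    scaled by Jaccard distance, so one extra plugin is only a small change."""
    dist = 0.0
    for name, weight in SIGNAL_WEIGHTS.items():
        va, vb = a.get(name), b.get(name)
        if isinstance(va, (set, frozenset)) or isinstance(vb, (set, frozenset)):
            sa, sb = set(va or ()), set(vb or ())
            union = sa | sb
            jaccard = 1.0 - len(sa & sb) / len(union) if union else 0.0
            dist += weight * jaccard
        elif va != vb:
            dist += weight
    return round(dist, 4)


def same_device(a, b):
    return signal_distance(a, b) <= SAME_DEVICE_THRESHOLD


def cluster_devices(fingerprints):
    """Greedy single-pass clustering: join the first cluster whose
    representative is within the threshold, otherwise start a new cluster.
    Returns one cluster id per input fingerprint."""
    reps, ids = [], []
    for fp in fingerprints:
        for cid, rep in enumerate(reps):
            if same_device(fp, rep):
                ids.append(cid)
                break
        else:  # no existing cluster matched
            ids.append(len(reps))
            reps.append(fp)
    return ids


# Constructed samples mirroring the clustering figure.
DEVICE_1 = {"browser": "42", "browser_language": "Russian", "location": "Minsk", "os": "Windows XP"}
DEVICE_2 = {"browser": "Internet Explorer 8", "browser_language": "Russian", "location": "Minsk", "os": "Windows XP"}
DEVICE_3 = {"browser": "Chrome 37.0", "browser_language": "Greek", "location": "Athens", "os": "OS X 10.5 Leopard"}
DEVICE_4 = {"browser": "Chrome 37.0", "browser_language": "Greek", "location": "Athens", "os": "OS X 10.7 Lion"}
```
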

With this visibility, the fraud analyst is empowered to make easy decisions and enter them in the decision box available right next to this graph (see figure below).

[Figure: decision box shown next to the graph, with the options None of Below, Disable Account, Not Fraud, Quick Test and Fraud, a Notes field, and the buttons Submit, Submit & Next and Escalate & Next.]

Easy Setup

The setup for collecting device fingerprints is streamlined. Customers have different options when it comes to deploying device fingerprinting for their website. These include:

1. JavaScript: The JavaScript option is very straightforward and only requires that the customer copy and paste Simility’s pre-defined JavaScript into the pages on which they want to enable device fingerprinting. These steps are clearly documented in Simility’s online documentation.

2. Mobile SDK (Android and iOS): The Mobile SDK allows customers to collect data for fraud detection from their iOS and/or Android applications. Once this API is invoked, it collects data and sends it to Simility’s server asynchronously in a background thread, without affecting any user interface operations. Simility provides a variety of resources, including code snippets, how-to videos, and online documentation.

Individual Use Cases

Account Origination Fraud

The following are the fraudulent behaviors that device fingerprinting technology can help uncover at the time an account is being created:

Bulk Sign Ups

Bulk sign ups are a common way for fraudsters to create a large number of accounts which can be used to further a variety of malicious goals. Often these goals include creating bad transactions, excessive voting, and selling fake products. One of the most common scenarios is when there are incentives to open a new account (e.g. $10 off your first transaction) or a referral bonus (e.g. $5 if your referral signs up).

Although there are a large number of signups, fraudsters typically end up using the same machine to create these accounts. Simility’s Device Recon can then determine a device fingerprint associated with all these new user IDs.

Prior Bad Behavior

Prior bad behavior is a good indicator of future behavior. In scenarios where a fraudster has already tried to commit fraud, the Simility platform helps in identifying their devices and can help prevent further harm. Examples of this could be:

1. Same device ID was seen in the past using stolen credit cards

2. Same device ID was seen with a large number of chargebacks

One challenge is that the device fingerprint may change over time. This is because over time the fraudster may have, for example, changed browser versions or installed some new plugins, aspects which make up the fingerprint. While most device fingerprinting techniques fail to detect these changes, Simility’s technology, using fuzzy matching, is able to correlate these seemingly different fingerprints and associate them with the same bad device.

Account Login Fraud

There are a lot of scenarios where it makes sense to detect and stop fraud by not letting a certain account holder log in to the system.

Account Takeovers

An account takeover is a scenario where the user’s credentials have been compromised. Usually there are bad actors who buy these account credentials with the aim of committing some sort of malicious activity. They hope to benefit not only from the victim’s identity but also from other stored details like credit card information and prior transaction history.

Device fingerprinting technology is very useful in such scenarios. For example, the device fingerprint has information about IP addresses and geolocations, which can be used to determine the distance between the actual user login and the malicious user login, so certain accounts and transactions can be flagged as potential fraud using this information.

In a different scenario, the device fingerprint can also help by uncovering that the same device is being used to log in to a large number of user IDs.

Policy Violations

Similar to the fraud prevention mechanism outlined in the Prior Bad Behavior section, the past history of violations associated with a device fingerprint can be brought to bear in stopping actors from logging in.

Transaction Level Fraud

Many companies focus their effort on transaction fraud because it directly impacts their bottom line.

Checkouts with Stolen Credit Cards

This is one of the most widely seen scenarios on any site that sells goods online. Although traditional fingerprinting technology automatically picks up a lot of device-specific information, the Simility technology also allows our customers to add additional parameters to enrich the fingerprint data. For example, customers can send a hash of the credit card information and the credit card holder’s name and billing address as part of the enhanced fingerprint.

Using this information, the Simility Device Recon technology can aid in catching advanced scenarios like:

• High number of credit cards being used by the same device

• High number of billing address changes by the same device

Malicious Pledges on Crowdfunding Sites

A transaction on a crowdfunding site is quite different from that on an e-commerce website. The goal of the fraudster on such sites is to increase the popularity of a certain project by repeatedly pledging to it. This results in higher visibility on the site’s pages and can help get real funding faster than other, more legitimate projects.

The device fingerprint in such scenarios can be an excellent way of stopping malicious behavior. If the system detects that the same device is being used repeatedly to pledge to the same project then action can be taken to stop such behavior.

Fraud Related to Ad Hoc Events

Fraudsters put fraudulent messages on victims’ websites with a specific malicious goal in mind. These messages can take various forms, such as comments or job postings.

• Marketplace: Different user IDs to sell counterfeit products. The fraudster uses a number of different self-created or hijacked user IDs to sell counterfeit products. In such a scenario the device fingerprint can easily help match a high number of posts from the same device ID.

• Classifieds: Better page visibility based on recency of posting. The target website ranks the most recent posts in prominent positions so they are highly visible. As a result the fraudster runs a script to use numerous accounts to push the same post repeatedly, and in the process, get better visibility. The device fingerprint can match such behavior to the same device and prevent this scheme.

• Job Sites: Fraudulent applications to increase count for head hunters. The headhunter applies for the same job posting with different resumes. The headhunter is incentivized to increase the number of job applications that come from her account. The device fingerprint is an easy way to catch such unwanted behavior.
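The device-centric checks from the use cases above (many accounts created from one device, many distinct card hashes at one device, repeated pledges to one project from one device), as an added example that is not Simility’s Device Recon: the event records, device ids, card hashes and thresholds are constructed (Device ID 93hc192f and the usernames are taken from the paper’s figure).

```python
"""Device-centric detection rules over a constructed event stream.

Added example, not Simility's Device Recon. Device ids, accounts, card
hashes and thresholds are constructed (93hc192f and the usernames are
taken from the paper's figure); thresholds would be tuned per application.
"""
from collections import defaultdict

# (device_id, event_type, account, extra): extra is a card hash for checkouts
# (the paper suggests sending a hash, never the raw card number), a project id
# for pledges, and empty otherwise. All values are constructed placeholders.
EVENTS = [
    ("93hc192f", "signup", "Table12Lamp", ""),
    ("93hc192f", "signup", "PaperPlate11", ""),
    ("93hc192f", "signup", "FoodFan93", ""),
    ("93hc192f", "signup", "Crystalline", ""),
    ("93hc192f", "signup", "BlueWhale", ""),
    ("a1b2c3d4", "signup", "alice", ""),
    ("a1b2c3d4", "checkout", "alice", "cardhash-0001"),
    ("e5f6a7b8", "checkout", "bob", "cardhash-0002"),
    ("e5f6a7b8", "checkout", "bob", "cardhash-0003"),
    ("e5f6a7b8", "checkout", "bob", "cardhash-0004"),
    ("e5f6a7b8", "checkout", "carol", "cardhash-0005"),
    ("c9d0e1f2", "pledge", "dave", "project-42"),
    ("c9d0e1f2", "pledge", "dave2", "project-42"),
    ("c9d0e1f2", "pledge", "dave3", "project-42"),
]
# Assumed per-app thresholds; a review site may allow a few accounts per device.
THRESHOLDS = {"bulk_signup": 3, "many_cards": 3, "repeat_pledge": 2}


def flag_devices(events, thresholds=THRESHOLDS):
    """Aggregate events per device id and return {device: [findings]}.
    Each finding carries the rule name, the count and a detail."""
    accounts = defaultdict(set)   # device -> accounts created on it
    cards = defaultdict(set)      # device -> distinct card hashes used
    pledges = defaultdict(set)    # (device, project) -> pledging accounts
    for device, kind, account, extra in events:
        if kind == "signup":
            accounts[device].add(account)
        elif kind == "checkout":
            cards[device].add(extra)
        elif kind == "pledge":
            pledges[(device, extra)].add(account)
    flags = defaultdict(list)
    for device, accs in accounts.items():
        if len(accs) >= thresholds["bulk_signup"]:
            flags[device].append({"rule": "bulk_signup", "count": len(accs),
                                  "detail": sorted(accs)})
    for device, hashes in cards.items():
        if len(hashes) >= thresholds["many_cards"]:
            flags[device].append({"rule": "many_cards", "count": len(hashes),
                                  "detail": sorted(hashes)})
    for (device, project), accs in pledges.items():
        if len(accs) >= thresholds["repeat_pledge"]:
            flags[device].append({"rule": "repeat_pledge", "count": len(accs),
                                  "detail": project})
    return dict(flags)
```
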

About us: Simility transforms fraud prevention with a versatile platform that combines the best of human analysis and machine learning. To learn more, please visit Simility.com

Contact us for a free trial
Email: [email protected]
Phone: +1 (877) 542-1049
430 Sherman Ave, Suite 212, Palo Alto, CA 94306 USA
Simility.com

COPYRIGHT © SIMILITY 2017, All Rights Reserved. SIM_WP_Device_Fingerprinting _7