Fighting Fraud With Unhackable Certainty
Originally published on PaymentsJournal.
Identity theft and online fraud have grown as an increasing number of firms find themselves conducting business virtually. The pandemic has hastened this growth, and many firms find themselves under-prepared. Organizations spend billions of dollars annually to mitigate the risks, and this spending could well increase.
To become more effective in handling this larger number of anonymous business interactions, firms need to assess the principal degree of trust: whether the firm can be assured that the person on the other end of the connection is who they claim to be.
Businesses walk a fine line of balancing low-friction identity verification procedures while minimizing exposure to fraud and losses. Some service providers tout device reputation tracking, through fingerprinting, as the best method to fight fraud. This approach has merit, but a more robust and effective method is to layer additional device-based verification data, behavioral attributes and IP-based data points for a more accurate picture of who is on the other end. Known as device-based identity resolution, this solution cannot be hacked and can stop fraud in its tracks.
Device reputation tracking is a critical layer, but fraudsters are one step ahead
Currently, device reputation tracking or device fingerprinting is the predominant approach used to determine identity and mitigate account takeover fraud in online channels. The method uses a series of characteristics to capture and assemble a clear view of a device’s previous association with fraudulent activity.
While device fingerprinting is effective in detecting previous fraudulent behavior on a device, it relies on backwards-looking data to do so. As such, fraudsters are one step ahead and will often cycle through burner phones to avoid an organization’s fraud detection program. They will commit fraud on one device and by the time the program flags the device, the fraudster has trashed it and is on to the next one. They understand that as soon as the device captures historical behavioral data, it can be flagged as fraudulent. New devices present a big question mark to a device fingerprinting solution since it cannot indicate whether the new device can be trusted or not without past user data.
On the other side of the coin, knowing that a device ID is connected to safe behaviors is also not a failsafe solution. It only takes one time for a device to fall into the wrong hands to open the door to fraud. Identity resolution vendors solely centered on device behavior often rely on their customers to provide reporting and flag device IDs that have been involved in safe and not-so-safe transactions, which may unintentionally introduce greater risk.
Without full collaboration, vendors are faced with a lack of data, especially good data that is crucial to attributing risk to particular device IDs. Even with a high level of customer participation, vendors still cannot satisfactorily answer the question, “Who is the person behind this device?”
Linkage between device and physical ID is paramount
Businesses need to take advantage of robust device-based identity resolution, data corroborated across multiple sources, to indicate whether that trusted ID and device is most likely in the hands of the individual who owns it. By linking online and offline data with device-based data, this approach provides a powerful tool in fighting fraud.
In device-based identity resolution, device behavior is just one element of a multilayered fraud-prevention formula. The idea is to establish a myriad of links that connect a device to the person behind the device, from an email address and phone number to a physical location and an IP address. Hundreds of signals and combinations such as these can be used in connection with each other to provide the clear intelligence needed to either proceed with a transaction or flag it for additional verification, all without ever betraying the user’s private information and personal identifiers.
Advanced systems can also infer information about a device itself, such as if a phone is prepaid, has recently been SIM swapped or has undergone a change of carriers. Such characteristics could indicate a potential compromise. But the true power of these systems lies in combining this information with data inherent to the device itself.
Take the example of a change in carriers or the use of a prepaid phone: those signals alone do not necessarily indicate that a device is being used to perpetrate fraud. However, when they are combined with data inherent to the device itself, like how recently this phone was activated, the reputation of the carrier being used and the geo-location of the device, an organization can put together a comprehensive snapshot of the device and whether it corresponds to the individual claiming it. Device-based data also cannot be manipulated, spoofed or hacked by a fraudster and provides valuable insights on whether or not the person on the other side of the device is truly who they claim to be, even if it has been linked to safe behaviors in the past.
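The layering described above can be sketched as a small decision function. This is an added example, not code from the article or from any vendor; the field names, weights and thresholds are illustrative assumptions, and the sample devices are constructed. It shows a prepaid phone proceeding on its own but being flagged for additional verification once activation recency and location corroborate the risk.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceSignals:
    # Line-level signals the article names; weak evidence on their own.
    prepaid: bool
    recent_sim_swap: bool
    carrier_changed: bool
    # Data inherent to the device, used to corroborate the signals above.
    days_since_activation: int
    carrier_reputation: float        # assumed scale: 0.0 poor .. 1.0 good
    km_from_claimed_location: float

# Every weight and threshold here is an assumption chosen for illustration.
LINE_WEIGHTS = {"prepaid": 10, "recent_sim_swap": 25, "carrier_changed": 10}
STEP_UP_THRESHOLD = 40

def context_flags(s):
    """Names of the device-inherent conditions that raise suspicion."""
    flags = []
    if s.days_since_activation < 7:
        flags.append("activated_recently")
    if s.carrier_reputation < 0.4:
        flags.append("low_carrier_reputation")
    if s.km_from_claimed_location > 500:
        flags.append("far_from_claimed_location")
    return flags

def assess(s):
    """Return (decision, score, reasons); decision is 'proceed' or 'verify'."""
    line = [name for name in LINE_WEIGHTS if getattr(s, name)]
    ctx = context_flags(s)
    base = sum(LINE_WEIGHTS[name] for name in line)
    # Context multiplies line-level risk: corroborated signals count for
    # more than the same signals seen in isolation.
    score = base * (1 + len(ctx)) + 5 * len(ctx)
    decision = "verify" if score >= STEP_UP_THRESHOLD else "proceed"
    return decision, score, line + ctx

# Constructed sample devices (not real data).
ESTABLISHED_PREPAID = DeviceSignals(True, False, False, 900, 0.9, 3.0)
FRESH_PREPAID_FAR = DeviceSignals(True, False, False, 2, 0.9, 900.0)

if __name__ == "__main__":
    for label, dev in [("established prepaid", ESTABLISHED_PREPAID),
                       ("fresh prepaid, far away", FRESH_PREPAID_FAR)]:
        print(label, assess(dev))
```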
Finally, real-time data collection and verification is an important layer and a significant advantage. By constantly adding new information to years of historical data, device-based identity resolution services can further refine an identity, ensuring it is unique and near impossible to impersonate. After all, normal behavior over many years, online and off, simply cannot be manufactured.
A dynamic solution for the way forward
Device reputation tracking and fingerprinting is the tip of the iceberg in identity resolution. For businesses seeking greater trust in their customer interactions, more comprehensive device-based identity resolution provides the dynamic and data-driven solution needed to stay a step ahead of fraudsters and reduce risks.