Fraud continues to become more pervasive and costly for financial services companies and institutions, making it a principal concern for executives. Instances of account takeover, for example, were up 90% in 2021 from the previous year, representing an estimated $11.4 billion—or roughly one-quarter of all identity fraud losses that year.
62% of financial institutions reported an increase in the volume and cost of fraudulent transactions in 2022.
40% of financial executives are concerned that integration between old and new systems may limit their efforts to fight fraud.
58% of financial executives are concerned that no solution can match the fast-improving sophistication of fraud attacks.
Source: SC Media
This means executives are constantly on the lookout for ways to better mitigate their risk, though they remain acutely aware that greater security can pose a hurdle to the convenient access consumers have come to expect from all things digital.
As part of our ongoing look at types of fraud and ways to mitigate them, this article will examine device fingerprinting—an advanced fraud-fighting tool that avoids creating additional friction in the user experience.
What is a device fingerprint?
A device fingerprint is the ensemble of information regarding the software and hardware of a remote computing device, allowing it to be identified. This includes things like the IP address, geolocation, browser and operating system settings, cookies, and more. As such, the act of collecting this information is known as device fingerprinting.
By analyzing users’ configurations of software and hardware, device fingerprinting creates a unique ID—known as a device hash—for each configuration. The aim is to recognize potential connections between users and/or make assumptions about the veracity of intentions coming from a given device, thus highlighting suspicious activity.
Subtypes of device fingerprinting include mobile device fingerprinting, browser fingerprinting, and cross-device fingerprinting. The latter refers to the tracking of users and their activity across different devices, based on certain identifiers that go unchanged when switching between a smartphone, computer, or tablet, for instance.
Why use device fingerprinting?
Device fingerprinting can help detect fraudsters and other bad actors. This improves overall cybersecurity with respect to things like account takeovers, digital onboarding fraud, payment fraud, and more.
For example, fraudsters often gain access to lists of compromised login details requiring trial-and-error methods to see if they work on other platforms. The repetitive nature of this process makes it nearly impossible to change devices with each attempt. Bad actors, therefore, try to go undetected by:
Clearing their cache
Using incognito mode
Using virtual machines
Using device spoofing or anti-fingerprinting tools
Using emulators to spoof mobile devices
Device fingerprinting can help catch these red flags, particularly highly advanced spoofing attempts that can indicate well-organized fraud rings.
Guide to calculating the value of identity verification
Prevent fraud, win users, and protect your bottom line
How do device fingerprinting solutions work?
To understand how device fingerprinting works, one must first understand how a user accesses a platform. There are two components: the device initiating the session and an internet connection that retrieves an IP address. The resulting two data sources—present throughout a given browsing experience or digital session—provide all of the needed data points to fingerprint the device in question.
Plaid Identity Verification (IDV), for example, begins a "fingerprinting" session by looking at hundreds of different data points extracted from the above sources, including:
Browser plugins used
Browser and OS settings
User agent details
With this information, Plaid IDV is able to identify returning users with 99.5% accuracy. It's also able to see how many IDV sessions the user has initiated, both on a customer’s platform specifically and across the breadth of Plaid IDV’s network.
In addition to using the IP Address for fingerprinting, Plaid IDV carries out a number of IP fraud checks. For example, it looks to see if the IP address is associated with a data center, which could signify fraudulent activity. It also checks if there’s a time zone mismatch—meaning a device that says it's in one time zone but it is registering an IP address that’s located in another.
Using multiple data points is crucial to ensuring the accuracy of online identity verification.
Device fingerprinting alone is not enough
The growth of device fingerprinting methods has led to the development of anti-fingerprint browsers, which intercept the requests used to build a browser fingerprint and return spoofed responses.
These browsers can be used for legitimate purposes, such as by privacy advocates aiming to prevent tracking through the return of a standing fingerprint. However, they can also be employed by bad actors to return a fraudulent fingerprint in order to impersonate a different browser or device. Indeed, existing technology can dynamically create fingerprints to meet the specific requirements desired to impersonate a given user.
Moreover, fingerprints can also be stolen from real user devices via malware, then imported into the anti-fingerprinting browsers to attempt to spoof the user in question. That’s why device fingerprinting solutions alone are not enough, and should be paired with additional data point checks, as well as tools like biometric identity verification.
A powerful tool in your fraud-prevention arsenal
With fraud becoming increasingly frequent (one-third of Americans have already been the victim of identity fraud) and ever-more advanced, it’s essential that companies take every necessary step to combat it. At the same time, they must maintain a delicate balance of user-friendly ease.
Because device fingerprinting requires no action from the user, it’s a friction-free first line of defense against potential bad actors. When paired with additional fraud-fighting tools and technology, it can help weed out fraudsters in the initial stages of a potential attack—keeping users safe and protecting your company’s bottom line.
Learn more about Plaid Identity Verification.