DID YOU KNOW
Device Identification is also known as Device ID, Device Authentication and Device Fingerprinting.
Device Identification is not fool-proof, and fraudsters can get around this technique, but the commercial solutions available today make the effort on the fraudsters part very time and resource intensive to do so.
Device Identification is an excellent subsequent visit authentication mechanism, to be able to say the user in a subsequent visit is using the same computer as the last time they came to the site. Additionally, it provides strong tools for linking mulitple accounts to the same device.
THE FRAUD PRACTICE
Alternative Solutions - Cookies, ActiveX tracking controls, tokens.
Building this In-House - While it is possible to build this in-house, the tricky part is modeling and building out the partial match capability. Any solution that relies solely on full matches will be short lived, and will provide very little uplift.
Estimated Cost - Solutions are available in a pay for each transaction and subscription fee basis.
Sample Vendors - Kount, ThreatMetrix, iovation
DEVICE IDENTIFICATION TECHNIQUE OVERVIEW
Device Identification is a technique used to establish a "fingerprint" of a user's computer or other web access device in order to track their activity and determine linkages between other devices. Key considerations when implementing or buying this functionality include:
How many different variables are being used to identify a device?
"Exact" matches are easy to track and manage, the art and science is in the ability to apply partial matches to an existing device.
Device Identification is better suited for catching repeat fraudsters, habitual friendly fraudsters and in some cases fraud rings.
Device Identitication is an excellent mechanism for account login authentications.
Does the vendor allow for sharing device information with other companies?
Device identification is a tool, and you will need to do other fraud checks, authentication and verification techniques to make a complete solution.
It is normal behavior for a consumer to have/use more than 1 device!
HOW DOES IT WORK?
Device Identification uses some to all of the "passive" data collected when a user interacts with your website. There are a number of discrete pieces of information that can be collected and used. In some cases these solutions will use a piece of code that a user must accept to tag the device, this is "active" device identification. Just remember, if the user knows they are adding a piece of code, and they are fraudster, than they also know they need to remove it.
HOW DO YOU USE THE RESULTS?
The primary use is to catalogue and maintain velocities on the number of devices associated with an account, and the number of accounts associated with a device. Additionally, you should use it to blacklist devices and prevent any device associated with fraud from doing future business.
Device Identification works well for digital products, where a fraudster doesn't have to alter any information they have stolen from a victim. In these cases the identity information you would receive looks good, and would pass all authentication methods. If you were using device identification, the next time the fraudster attempted to make a purchase with a different identity, you would be able to catch them.