Podcast: Play in new window | Download
The concept of fraud risk is nothing new, but the amount of fraud happening in an increasingly digital world certainly is. In recent years, and especially since the new normal that emerged in the wake of the global pandemic and the subsequent increase in on-demand technology, nearly every consumer has developed a digital footprint. While life online has made many lives simpler and everyday tasks more convenient, it has also opened up avenues for bad actors to carry out cyberattacks.
To further discuss the pros and cons of device intelligence and how companies can most effectively mitigate fraud risk, PaymentsJournal sat down with Jonathan McGrandle, Director of Market Delivery, and Luis Pontes, Director of Market Development Management, both of NuData Security, a Mastercard company, and Tim Sloane the VP, of Payments Inn
Can device intelligence get rid of most risk?
According to NuData, 97% of all fraud comes from an anomalous device or network. Historically, device intelligence has been a key component to fraud strategies and handled a large portion of the fraud. However, fraudsters have picked up on this strategy and are subsequently going to great lengths to try to spoof or mask their devices.
Today, there is a lot of spoofing as well as attribute-modification and other strategies being used in an attempt to avoid device identification altogether. Attempts to avoid device identification take place in both one-off fraud instances and automated mass scale attacks. For example, a fraudster may figure out the credentials for a user’s account before actually going in and trying to exploit that account. This fraudster will go to extensive lengths to mask their device, perhaps through an emulator. They will do some research, learning basic information like the victim’s geo location. They will then try to find a similar IP address and set the device to the same time zone as the real account holder.
“Within the NuData network, 45% of the attacks that we see these days are going to extensive lengths to cycle through IP addresses,” explained McGrandle. “And what I mean by that is, they’ll only use an IP address one or two times within their attack, and then they’ll discard it completely.” The fraudster won’t use the IP address again because they know it is something companies look at as part of their fraud strategy, and they are going a step further by making sure these IPs are stemming from legitimate companies like Comcast and AT&T.
Device intelligence tools aren’t always enough
Fraudsters try to make their devices look as similar as possible to those of real users. They use techniques, such as wiping cookies from the device and changing the settings, to make the device appear legitimate. Additionally, focusing only on the device may lead to false positives.
Another technique used by bad actors relates to malware. “When you remotely access a user’s account, it’s still that same user’s device that’s being used,” elaborated Pontes. “If you’re only focusing on the device, you see the real device that a user is expected to use, while being handled by the fraudster who is doing all the actions in the background, so they try as much as possible to emulate the real device.” This is where device intelligence comes in short.
By capitalizing on new online services bad actors are also using the extreme digitization that has occurred during COVID-19 to their advantage. Focusing solely on the device might not work to protect against social engineering attacks – that are prone to collecting critical information by abusing legitimate services. Additionally, human farming, or the opening of as many accounts as possible in one environment, is another attack in which fraudsters are spreading across multiple devices to bypass those security tools. Because there are so many different devices being used, device intelligence tools have a hard time picking up on it.
What is device intelligence good for?
Device intelligence can be used to recognize legitimate consumers. Even with a swiftly evolving privacy landscape, consumers are not intentionally working to mask or spoof their devices; they might be withholding some device information, but not changing device attributes or engaging in other sophisticated tactics used by fraudsters.
When a device is recognized as having the same IP address, geolocation, screen resolution, and type of MacBook as one that has repeatedly been on the server, device intelligence software can give that device the green light and allow for a frictionless experience.
When you rely on device intelligence and see a new device, the application of more friction becomes necessary. From a fraud risk strategy, the device needs further analysis, for example a physical biometrics request. “You want to treat it almost a little bit more aggressively because you don’t have the confidence that this is a returning device,” said McGrandle. Additional fraud strategies should be applied to make sure that what this new user is doing is not going to result in fraud.
Device intelligence is also useful to detect suspicious device but, instead of at the individual level, at the population level. Pontes shared an example of these population-level anomalies that can be detected with device intelligence:
NuData saw traffic where, “individually, these logins do not seem very high risk because they don’t show any stark activity or repetitive inputs. “When we look at that singular level, it doesn’t show any fraud,” added Pontes. “But when we compare it to the population, we are able to identify patterns on this specific use case. We have identified that one single parameter, the user agent, [where the] last digit was changed for each login, but there were similarities when we compared and clustered all the information together.”
In short, device intelligence can help to detect population-level changes and legitimate returning users, but is not as strong at flagging the individual risk events. The rest is the gray area where device intelligence falls short.
How to avoid attacks that seem legitimate
This gray area is where companies need to add tools in addition to their device intelligence. There are a few layers of protection that can be added to decrease the success of bad actors that companies are rapidly implementing as attacks increase sophistication. Solutions that introduce passive biometrics and behavioral analytics play a crucial role in sorting out areas of uncertainty because the focus of these methods is not solely on the device.
With behavioral analysis, the focus shifts from singular devices to comparing that device to the population to identify similarities and anomalies, making it easier to address fraud even when it is a first-time attack from a specific user. It also recognizes the recurrent users by gradually attaining more confidence in who they are based on their behavior. The idea is not to create a bond between the user and the device, but to create intelligence about the user and how they are interacting with a platform.
For example, NuData hosts an enormous number of events with a high login count.
The idea behind using device solutions is finding anomalies among these attacks. Having more behavioral information to compare the devices to the population is the key to stronger fraud mitigation and bridge the gap of that gray area.