Fingerprints have been used in forensic science for over 100 years. No two people have ever been found to have the exact same fingerprint and their uniqueness makes them effective in aiding criminal investigations. And like a fingerprint, no two mobile or web devices are exactly the same – and a unique profile can be created for each one.
The technology used to create a unique profile for a device is crucial for vendors and customers in the identification, authentication and fraud-prevention space.
It’s all about companies recognizing devices used to access their services.
A future for cookies?
Vendors have developed different approaches to identify devices. One way is a software-based approach using cookies – using this method, a digital tracking code is stored in a web cookie and referenced on the client-side.
Cookies, however, are not a reliable source for device identification, as they are browser specific. In addition, consumers have become savvy to being tracked and it’s in their power to delete them. In addition, browser companies are increasingly stepping away from the use of third-party cookies.
Furthermore, browser companies are limiting the use of third-party cookies, and these limitations are only set to increase over time. Google for example, will begin its phase-out of third-party cookies in Chrome in 2024. Other browsers are also stopping the use of tracking technology.
The device fingerprint
Device fingerprinting is a process used to identify a device based on its specific and unique configuration. With the proliferation of online banking and payment fraud using mobile and web devices, device fingerprinting has been developed to create a unique profile of an individual device – i.e., its device fingerprint.
For banks and online merchants, device fingerprinting and device binding is a way to positively identify genuine devices accessing their services. It helps to create an easy, frictionless journey to passively authenticate customers. And of course, it’s a way to help identify fraudulent ones – the bad actors – as well.
In contrast to cookies, device fingerprint profiles are created using datapoints from the software configuration of the device: e.g., the operating system, browser and plug-ins etc.
Device fingerprinting can be used to help detect fraud by recognizing returning devices that have been associated with fraud.
An advantage of device fingerprinting is that it goes beyond a digital tracking code stored on the client-side with its datapoints stored on the server side. There are additional attributes related to the device which gives you additional resilience if the cookies are wiped. It provides a more reliable way than cookies to identify a device.
One of a kind
Callsign’s device fingerprinting technology goes further still, in being able to identify a device with greater precision.
Callsign’s layered device fingerprint approach uses proprietary algorithms based on both software and hardware attributes. Callsign’s machine learning (ML) intelligence uses hundreds of datapoints from software and hardware data, in order to identify a device across browsers. An example is an algorithm which analyses how the GPU. renders an image. This is just one of the many Callsign technologies used to positively identify a device with datapoints which a fraudster would find difficult to spoof.
Callsign also has a device binding capability where the device is “bound” to the user with a cryptographic key stored on the user’s device. As well as giving a strong attribute which is used in determining whether an interaction is legitimate or fraudulent, Callsign can associate a user with a specific device. When combined with the additional security controls that Callsign places in its products to assure the integrity of a device fingerprint, this satisfies the possession requirements of PSD2’s SCA stipulations.
The result is a deep and persistent device fingerprint.
Callsign’s device fingerprint technology is extremely accurate, to the extent that it can distinguish between two devices of the exact same make and model, new off the production line. Both devices could connect onto the same wireless network, browse the same website and the technology would be able to determine that the two devices are different.
In the same way that you can uniquely identify a human with a fingerprint, you can identify a device with a Callsign device fingerprint.
Positively identifying and authenticating customers without names
When Callsign’s layered intelligence (including device fingerprinting and behavioral biometrics) is applied to the online banking sector (web and mobile), it can help to positively identify genuine people with the highest-fidelity user recognition to greater than 99% accuracy.
With device fingerprinting, Callsign can recognize returning devices at a hardware level, accurately and persistently. It ensures genuine users are granted access while keeping bad actors out.
And importantly, while Callsign’s device fingerprint profile has a layered deep dataset, one important piece of data it doesn’t capture is a user’s name. Data collection points are events-based, not user-specific – and therefore don’t contain personally identifiable information (PII). The omission of the name or any other sensitive PII in the device fingerprint database.
Device fingerprint can help fight fraud
Device fingerprinting can be used to help detect fraud by recognizing returning devices that have been associated with fraud.
A recent example is Callsign’s device fingerprinting technology applied to a major U.S bank’s problem with identity fraud (or account opening fraud). Callsign was able to identify devices that were used to open fraudulent accounts and subsequently block any further attempts to open fraudulent accounts from the same device.
Device fingerprinting can also be applied to other customer journeys in the online banking and online payments space including at login – account takeover fraud (ATO) – promo abuse and checkout fraud.
Is device fingerprint on its own enough to tackle fraud?
In a word, no.
Device fingerprinting provides an important piece of the puzzle, but the magic happens when It’s layered with other intelligence modalities such as behavioral biometrics, threat detection and location intelligence. With advanced Artificial Intelligence (AI) and machine learning, Callsign’s Intelligence Engine collects, fuses and analyzes thousands of data points to provide ensembling and results management.
Callsign’s model considers fraudulent devices being identified (through device fingerprinting) with associated risky behavior such as erratic typing (through behavioral biometrics) together with high velocity location changes (through location intelligence) to create a total fraud score.
Experience with global banks and top-tier UK financial institutions has shown that Callsign’s solution delivers proven results. This includes the highest-fidelity user recognition and a reduction of fraud by more than 80%.
How Callsign device fingerprint works
Callsign identifies people and fraud, across every journey, channel and brand.
Callsign’s deep, device fingerprinting is one feature in its extensive intelligence suite. Together with behavioral biometrics, location intelligence and threat detection, Callsign is a full-stack modular platform.
Businesses using Callsign’s solution have seen a significant improvement of UX through reducing authentication steps by more than 90% (due to passive authentication and reduced friction), and a reduction in operational costs of up to 70% from a decrease in customer support demands related to failed passwords and SMS OTP authentication.
Online banks and merchants can use Callsign easily with their existing and future architecture. Using no-code orchestration, clients can build long-term digital trust and personalized user journeys with a world-leading security and privacy-first solution.
Physical fingerprints changed the way we identify people in the past, and continue to play an important role today. In the same way, digital device fingerprints are already playing an equally vital role, one that’s only set to expand in the future.