Financial institutions regularly use device identity for fraud prevention and to authenticate users at login or for high-risk activity. It is one of many controls that can be used to safeguard online interactions. But as with other security tools that rely on static measures, cybercriminals are finding ways to circumvent it. Taking over customer accounts is one fraud method causing the most financial impact to financial institutions – and the biggest headache. In a recent study, 72% of global banks cited account takeover as a leading cause of concern.

In addition, financial institutions are experiencing significant rates of fraud in the account opening process and have difficulty accurately distinguishing genuine applicants from cybercriminals. As financial institutions rely on growing their business through new customer acquisition, the creation of illegitimate accounts can have a huge business impact. Because new customers have never been seen before, their devices haven’t either, making device identity unhelpful for protecting against new account fraud

The bottom line: Device identity is seeing its value slowly erode over time because it cannot provide sufficient visibility beyond login and when opening digital accounts.

What Is Device Identity?

Digital identity is based on three aspects, which are also known as three factors of authentication that can be used to assert one’s digital identity: what you know, what you have, and who you are.

• What You Know: Static information only the identity holder should know such as personally identifiable information (PII) like phone number, past address, Social Security number, or passwords.
• What You Have: A unique token or a device used to verify your identity by possession.
• Who You Are: Biometrics such as fingerprint or face, voice or specific user behavior, based on how an individual interacts with a device, like tap pressure and swipe patterns, or how they enter information into a form.
  

Device identity falls into the “what you have” category, and it’s a unique identifier of the device such as a cookie or other mechanism. An advanced form of device ID is device fingerprinting, which collects unique information about a device that can then be used to link the device to an individual user. The tool will collect data on browser, operating system, internet connection, IP address, geo-location, and more.

Device ID Controls Leave Blind Spots

On their own, the first two categories are no longer able to sufficiently verify digital identity. Data breaches, phishing scams, and social media have made information in the “what you know” category easily accessible to cybercriminals. “What you have”, which includes device ID, also presents major challenges. Digital identity must be clearly defined so it can be routinely used to verify a person is who they say they are, even customers a financial institution has never seen before. Here is three ways device ID is falling short.

#1: Too easy for cybercriminals to circumvent

Cybercriminals are constantly evolving to find new ways to circumvent security and authentication controls. On its own, device ID is one they’ve got beat. Using several methods, cybercriminals are easily able to take over a device or hide their use of one.

• Remote Access Tools: Most fraud prevention solutions rely on known device and IP location parameters to measure fraud risk. However, if cybercriminals can convince a legitimate customer to download and use a remote access tool (RAT), whether a legitimate tool, such as TeamViewer, or financial malware that contains RAT capabilities, they can bypass device identity controls. RATs enable cybercriminals to entirely take over a device and make it appear that the transaction is coming from the legitimate user’s device. When a RAT is present, a bank’s system detects a genuine device fingerprint, with no traces of proxy and the proper IP and geo-location.

• Social Engineering: Using real-time social engineering schemes, cybercriminals coerce bank customers into taking action from their own device to initiate a fraudulent transaction. A social engineer will pose as a bank official and convince the customer to make an urgent money transfer to a new account which ends up being a mule account controlled by the criminal. Traditional fraud prevention tools that are device-based or activity-based cannot detect such attacks because the transaction or payment takes place within an authenticated session, from a trusted device and location, and does not use any form of malware. According the UK consumer watchdog group Which?, fraud victims lose £28K every hour to social engineering payment scams.

• ID Spoofing: Cybercriminals can mask device IDs to appear as if they are working from a previously identified and authenticated device, using methods like proxy IP addresses and man-in-the-browser (MitB) attacks from malware on the genuine user's device. Cybercriminals have also created man-in-the-middle (MitM) attacks, where they can spoof device fingerprints and JavaScript elements, not only IP and location

#2: Too hard to link a user to a device

A secondary challenge is how frequently users change their devices. New models come out, mobile phones get lost or break — regular device changes fail the requirement for identity to be fixed and stable.

Some devices can also be used by more than one person, like a desktop computer in your home office. If a device is shared among multiple users and used as the authenticator, there’s no way to tell which specific user is behind a session on that device. For example, a member of our team experienced device authentication issues with her six year old son who memorized the password to their Apple app store account and placed $395 worth of charges. While this is an example of an innocent breach of a six year old buying game tokens, it sheds light on how fragile the security is of device identification alone. Simply put, the device is not the user. It is one layer to de-risk the activity but should not be the endgame. In some geos, such as Brazil, device theft is a big problem, pushing financial institutions for additional layers of protection from account takeover. In addition, enrolling new devices is typically done by using a password, which is considered the weakest link.

#3: Lacks the capability to verify new users

Device ID has little impact when it comes to opening a new account, largely because a new user does not yet have any device history. As far as the financial institution is concerned, a criminal and a new customer will both be using equally unknown devices. In the unlikely event that a cybercriminal will use a confirmed high-risk device, there might be some added value, but the number of those cases are small.

Success Stories: How Banks Can Cover All Their Bases

Device ID remains a valid fraud detection solution and shouldn’t be abandoned. There are still many types of fraud modes of operation where device ID will be extremely helpful. However, there are use cases that it cannot cover or where its value may be limited, and that’s where behavioral biometrics come in to ensure financial institutions have all their bases covered.

A top 5 UK bank recently deployed behavioral biometrics within their mobile banking app. Within days of going live, the bank detected numerous fraud attempts linked to the TeaBot financial malware which leveraged RAT capabilities to take over a user’s device. Malware behaves in ways much different than the genuine user population, and these indicators are common in most malware families. These behaviors are uncovered in actions such as navigation paths, accelerometer data, and touch and swipe patterns. The application of behavioral biometrics as part of a layered fraud prevention strategy has demonstrated positive results in recent deployments, including at several top UK banks, identifying the use of malware in digital banking sessions with a 1:1 detection rate.

Behavioral biometrics are also changing the game for account opening protection. During account opening, typing speed, swipe patterns, and every click of the mouse tells a story — one of criminal activity or genuine user behavior. For example, BioCatch data shows that two out of three confirmed cases of account opening fraud indicate lack of familiarity with personal data. So even when you’ve never seen a customer before, you can recognize trusted behaviors, creating a smooth journey through the account opening process.

Take Your Fraud Detection Strategy Beyond Device ID

Tackling today’s threats requires a layered solution that builds trust with customers, manages risk across digital channels, and limits financial losses from cybercrime. Layering behavioral biometrics, device ID and additional data points analyzed by advanced machine learning models allows financial institutions and digital businesses to deploy a comprehensive fraud management strategy and build an online environment where customers feel safe to interact.

As noted in a recent blog post by Akif Khan, Vice President at Gartner, “Looking at user behaviour provides a very rich additional layer of risk and/or trust signals, and is a must-have in today’s environment to create a layered defence on top of your device fingerprinting solution.”

Read more in the e-book, 4 Ways Financial Scammers Are Getting Ahead, and explore the latest tactics cybercriminals are using to overcome existing fraud controls.