Why Device ID Is Not Identity

May. 24, 2018 | by BioCatch

Businesses regularly use device identity for fraud prevention and to authenticate users. Browsing the web on your cell phone? These solutions collect information on your mobile provider, phone model, internet connection and other data to link your unique device back to you.

It works the same for computers and other mobile devices, authenticating users by recognizing their personal device. But history has proven that when it comes to using device ID as a sound form of digital identity, there are just too many gaps.

It’s time to take a look at why relying on device ID is not a reliable authentication solution.

Device ID is Not Cutting It

Resolving the question of digital identity is one of the burning issues of our day. How can you know for sure someone is who they say they are online?

In our remote digital environment, identity is most often based on three aspects: what you know, what you have, and who you are.

  • What You Know: Static information, also called personally identifiable information (PII), like passwords, the answer to a security question or your social security number or phone number
  • What You Have: A unique token or a device used to verify your identity
  • Who You Are: Specific user behavior, based on how an individual interacts with a device, like tap pressure and swipe patterns, or how they enter information into a form

On their own, the first two categories are no longer able to reliably verify digital identity. Data breaches have made information in the "what you know" category easily accessible to cybercriminals.

"What you have," which includes device ID, also presents major challenges. Identity has to be fixed and clearly defined so it can be routinely used to verify a person is who they say they are. That's not possible with device identity for several reasons:

Too many stolen credentials

Data breaches and large information leaks have put our confidential information within the reach of cyber criminals. Fraudsters use stolen credentials to pose as someone other than who they really are. That means you can’t be sure a mobile device actually belongs to a trusted identity. A fraudster can easily use stolen PII to open up a new phone account, for example, under a different name and then use that device for fraud.

Too hard to link a single user to a device

Another challenge is how frequently users change their devices. New models come out, cell phones break all the time — regular device changes fail the requirement for identity to be fixed and stable. Devices are also often used by more than one person. Think how often a desktop computer, a laptop, a tablet, or even a cell phone is shared among multiple users. If the device is the authenticator, there's no way to tell which specific user is behind a session on that device.

Too easy for fraudsters to circumvent

Fraudsters are constantly evolving to find new ways to circumvent security and authentication solutions. Device ID is one they’ve got beat. Using several methods, fraudsters are easily able to take over a device or hide their use of one.

  • RATs: Remote access trojan (RAT) attacks directly bypass device ID. With automated malware scripts, criminals direct specific actions to occur from the legitimate user's own device, on behalf of that user.
  • Social Engineering: Using social engineering schemes, fraudsters trick users into taking action from their own device. Maybe a social engineer poses as a user’s bank and requests the user to make a money transfer to the fraudster’s account. Device ID solutions would never pick up this type of fraud because it originates with the right user and device.
  • ID Spoofing: Cyber criminals mask device IDs to appear as if they are working from a previously identified and authenticated device. They also use proxy IP addresses to make it look like they are using a device from a legitimate location.

How Can Businesses Actually Verify Identity Online?

Solving existing and new forms of fraud, like synthetic identity fraud, social engineering schemes, and new account fraud, is only possible when you can confidently connect a user’s physical identity to their digital identity. Not only does this stop fraud, it also reduces the number of false fraud alarms as users change devices.

Behavioral biometrics creates profiles based on a user's unique behavior patterns. This profile is then used to monitor a session from log in to log out, distinguishing authentic behavior from fraudulent behavior. Continuous authentication with behavioral biometrics is much stronger than device ID, because it keeps working to uncover fraud throughout the session rather than only at login.

A user's profile can also be linked across devices. Whether a person logs in on their phone, desktop, or a friend's laptop, it's their unique behavior that's used to authenticate, overcoming one of the main concerns with device ID. Because of this reliability, continuous authentication with behavioral biometrics also results in fewer false fraud alarms.
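To make the contrast concrete, here is an added Python illustration (not BioCatch's code or product logic) of a session check in which a recognized device never overrides a behavioral mismatch. The keystroke timings are constructed, and the z-score and automation thresholds are assumed values for the example.

```python
"""Session risk scoring that keeps device ID and behavior separate.
Added illustration, not BioCatch code; all timings below are constructed."""
import statistics
from dataclasses import dataclass


@dataclass
class Profile:
    mean_ms: float   # typical interval between key presses
    stdev_ms: float  # natural human variation around that mean


def enroll(intervals_ms):
    """Build a behavioral profile from a user's enrolled typing rhythm."""
    return Profile(statistics.mean(intervals_ms), statistics.pstdev(intervals_ms))


def assess_session(profile, intervals_ms, device_known, z_limit=2.0, automation_ratio=0.25):
    """Score one session. device_known is recorded but never overrides behavior."""
    sample_mean = statistics.mean(intervals_ms)
    sample_stdev = statistics.pstdev(intervals_ms)
    spread = max(profile.stdev_ms, 1e-6)          # guard against a degenerate profile
    z = abs(sample_mean - profile.mean_ms) / spread
    behavior_matches = z <= z_limit
    # Scripted input (RAT automation, replay) shows near-constant timing a human never does.
    automated = sample_stdev < automation_ratio * profile.stdev_ms
    if automated:
        decision = "block"
    elif behavior_matches:
        decision = "allow"                         # true even on a never-seen device
    else:
        decision = "challenge"                     # true even on a recognized device
    return {"decision": decision, "device_known": device_known,
            "z": round(z, 2), "automated": automated, "behavior_matches": behavior_matches}


# Constructed enrollment data: inter-key intervals in milliseconds for one user.
ENROLLED = [180, 210, 195, 240, 170, 205, 220, 190, 230, 175]

# Constructed sessions: (intervals, device recognized?)
SESSIONS = {
    "known_device_scripted": ([50, 50, 51, 50, 50, 49, 50, 50], True),   # RAT-style automation
    "new_device_same_user": ([190, 215, 200, 235, 180, 210], False),     # user on a friend's laptop
    "known_device_other_person": ([320, 350, 290, 410, 330, 360], True),  # shared device
}


def run_demo():
    """Return the decision for each constructed session."""
    profile = enroll(ENROLLED)
    return {name: assess_session(profile, ivals, known)["decision"]
            for name, (ivals, known) in SESSIONS.items()}
```

The recognized device with scripted timing is blocked, the unfamiliar device with the user's own rhythm is allowed, and the recognized but shared device is challenged.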

The growth of fraud has made it all too clear that our current authentication methods are falling short. Tackling the threat requires a new solution for reliably confirming identity.
