Device ID was one of the first methods organizations used to prevent fraud and authenticate users. It’s still in widespread use, but device authentication isn’t nearly as strong an identity solution as many think.
Device ID authenticates users by looking at certain characteristics, like browser, internet connection, mobile provider, or operating system, to link a device back to a particular individual. Say you attempt to login to your banking app from a new device. Your bank’s device ID solution will pick up on the change, flag your session, and ask for further authentication to prove your identity.
Because device ID has been around for awhile now, cybercriminals have figured out how to bypass these controls by disguising their actions and pretending to be a legitimate user.
How Fraudsters Circumvent Device ID
Cybercriminals defeat device ID by masking their use of a mobile phone, tablet, or computer or by taking over a user’s device directly. Their top four tactics are device spoofing, malware attacks, RAT attacks, and social engineering.
Armed with information about a user’s device, fraudsters can make their own device appear to be that of a legitimate user’s. Cybercriminals collect data that is the basis of device ID and then mask their activity by replicating a operating system, internet connection, or other identifying data, allowing them to get inside a previously identified and authenticated device. By using proxy IP addresses, fraudsters also are able to get around geolocation tracking.
Cyber criminals often use malware to steal an individual’s personal information, which they then use to commit fraud. Fraudsters have also developed malware variants that capture the data needed to form a device ID. Following a successful malware attack, criminals can engage in device spoofing to bypass device ID controls. Criminals also use malware attacks to take over a user’s device and initiate fraudulent activity. Because the actions appear to be coming from a legitimate device, device ID is unable to identify the criminal activity. Once installed, malware can lie dormant on a device until a criminal triggers it, making it even harder to detect and stop.
RAT attacks are hitting companies hard. RATs bypass device ID solutions completely by giving fraudsters direct access to and control over a user’s device. Once inside, fraudsters can initiate money transfers, make purchases, or complete any other action a user would make. RAT attacks go undetected for an average of 170 days.
Fraudsters use social engineering to deceive consumers into taking action from their own device. The most common forms are phishing, vishing, and smishing. Fraudsters trick individuals into handing over personal information, initiating transactions, or clicking on a link that downloads malware or a virus to their device. Social engineers will pose as a bank, insurance company, or other legitimate organization, preying on human trust to exploit victims. Because the fraud is executed by a legitimate user from their verified device, device ID is unable to detect social engineering schemes.
It’s easy for fraudsters to pretend to be someone they are not online. Personal credentials are readily available and device ID data is available for harvesting. To detect device spoofing, malware, RATs, and social engineering, authentication solutions need to go beyond looking at information users know or have to instead focus on the strongest identity factor, “Who You Are,” which is based on user behavior.
Monitoring user behavior is the most reliable way to authenticate an individual no matter where they are or what device they are using. Cybercriminals can replicate a device ID or take over a user’s device, but they can’t steal or replicate a user’s behavior.
Based on this reality, BioCatch created “Invisible Challenges,” which are patented techniques that introduce subtle behavioral tests into an online session. Tests include hand-eye coordination challenges, like causing a mouse to disappear or slowing down how a wheel spins when selecting dates, time, and numbers, and more. A user’s response allows companies to distinguish fraudulent activity from normal session activity. Malware, RATs, fraudsters, and your real customers all react differently to Invisible Challenges, which is the key to authenticating with confidence.
The next time a cybercriminal attempts to take over a device using their favorite tactics, behavior-based authentication solutions will stop them in their tracks, catching fraud in real-time and protecting customers and businesses from the damages of digital identity theft.Want to bring together advanced security and frictionless user experiences? Learn more about behavioral biometrics, a behavior-based authentication solution.