Fraudsters and cybercriminals react to the introduction of new security solutions by moving to a different part of the value chain or by changing and updating their attack methods. This is why it is important to have a holistic strategy for fighting fraud, and also to make sure that the solutions that are used to underpin that strategy are constantly evolving to stay a step ahead of cybercriminals. This applies equally to recognizing devices, a process which has long been seen as an important piece of any multi-factor authentication system.
Cybercriminals have come up with a wide variety of ways to harvest login credentials from a victim’s desktop or laptop computer. Once they have this sensitive data, account takeovers can be made against their victims from the fraudsters’ pool of devices. Device recognition helps to combat this by looking at which device is logging into a customer account. Recognizing that the device connecting to a secure system is a known device and registered to a genuine user allows for more confidence in a connection, and helps in blocking unknown or fraudulent devices.
An additional benefit is the ease of use this method provides. Once a device is registered, the factor can work virtually transparently to an end user, while still allowing for easy management of exceptions, for example, when a user needs to log in from a new or temporary device.
Changes in technology, genuine user behavior and preferences, as well as advances in attacks made by fraudsters, introduce new challenges. This means methods of identification must be improved and made future-proof. Users now expect to be protected by such solutions without having to make any changes themselves. Modern users are more tech savvy and aware of the challenges present in storing cookies or downloading additional software than in past years. They are also much more concerned about their privacy while browsing and are more inclined to stay up-to-date with the latest security and software updates to browsers. This is a good thing, but can create issues for some legacy methods which seek to recognize devices, for example:
- Use of Private Browsing – In this age of suspicion towards large companies and governments, many users have set their browsers to private so third-parties cannot see their Internet activities. But many device identification systems depend on this information to verify particular devices, and are helpless when they cannot access a user’s browsing history. The next wave of device identification must have a way to identify these users even when the private browsing mode is enabled. Additionally, in most cases private browsing will also block the storing of cookies.
- More Changes to Browser Environments – As device recognition solutions have moved to using a clientless, cookieless approach, they have come to rely on pieces of information about the device and browser which can be collected from the session. A change to the browser, such as a version update, can cause static solutions to fail to recognize the device afterwards.
In sum, there is a need for device recognition techniques to become resistant to genuine environmental changes.
Device browser characteristics used to identify a particular device are always changing – perhaps the operating system has been updated since the device last visited an online platform, a certain plug-in such as Flash was added or deleted, or the screen resolution was changed. These are just three of the most common possibilities, but there are many others, and all of these small changes to a device’s browser taken together between logins create a host of challenges to the static device fingerprints that most device identification systems depend on.
Hoping for the best is not a strategy, and device recognition solutions must become more dynamic and complex if they are to identify legitimate customer devices with precision. To that end, the latest version of DetectID, Easy Solutions’ multi-factor authentication platform, takes a heuristic approach to device authentication, analyzing a number of characteristics and the context in which they are provided, including such elements as device configuration, browser configuration, IP address, geolocation data, and much more. This wide-ranging information can then be compared against devices which the user has previously used. The solution performs intelligent comparison of these details, taking into account which aspects are likely to change and which are not, while also evaluating the historical changes for the particular device. In this way, even devices that have undergone genuine contextual changes, or have been moved into private modes, can be recognized.
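A minimal sketch of the kind of comparison described above, added here as an illustration and not DetectID's implementation: attributes that change often weigh less, attributes withheld in private mode are skipped rather than counted as mismatches, and a browser upgrade counts as a near match. The attribute names, weights and thresholds are all assumptions.

```python
# Added example: volatility-weighted device matching. Names, weights, thresholds are assumptions.
# Weight = how much an attribute counts; attributes that rarely change weigh more.
WEIGHTS = {
    "platform": 3.0, "timezone": 2.0,
    "language": 2.0, "fonts_hash": 2.0,
    "screen": 1.0, "browser_version": 1.0,   # change with monitors and updates
    "plugins_hash": 0.5, "ip_prefix": 0.5,   # change often
}

def attribute_score(name, stored, seen):
    """Similarity in [0, 1] for one attribute, or None if it cannot be compared."""
    if stored is None or seen is None:
        return None  # withheld (e.g. private mode): skip instead of penalizing
    if name == "browser_version":
        # Assumption: a newer major version is an expected upgrade, a downgrade is not.
        old, new = int(stored.split(".")[0]), int(seen.split(".")[0])
        return 1.0 if new == old else (0.8 if new > old else 0.0)
    return 1.0 if stored == seen else 0.0

def similarity(stored, seen, min_coverage=0.5):
    """Weighted similarity over comparable attributes; 0.0 if too few are comparable."""
    total = sum(WEIGHTS.values())
    compared = score = 0.0
    for name, weight in WEIGHTS.items():
        s = attribute_score(name, stored.get(name), seen.get(name))
        if s is not None:
            compared += weight
            score += weight * s
    if compared / total < min_coverage:
        return 0.0  # too little evidence to claim recognition
    return score / compared

def recognize(known_devices, seen, threshold=0.8):
    """Return (device_id, score) for the best match at or above threshold, else (None, score)."""
    best_id, best = None, 0.0
    for device_id, stored in known_devices.items():
        s = similarity(stored, seen)
        if s > best:
            best_id, best = device_id, s
    return (best_id, best) if best >= threshold else (None, best)

# Constructed sample data (not real devices).
KNOWN = {"laptop-1": {"platform": "Win", "timezone": "UTC-5", "language": "en-US",
                      "fonts_hash": "f1", "screen": "1920x1080", "browser_version": "118.0",
                      "plugins_hash": "p1", "ip_prefix": "203.0.113"}}
UPDATED = dict(KNOWN["laptop-1"], browser_version="119.0", plugins_hash="p2", screen="2560x1440")
PRIVATE = dict(KNOWN["laptop-1"], fonts_hash=None, plugins_hash=None)
STRANGER = dict(KNOWN["laptop-1"], platform="Linux", timezone="UTC+3", language="de-DE", fonts_hash="f9")
SPARSE = {"screen": "1920x1080", "ip_prefix": "203.0.113"}
```

A session that falls below the threshold is not necessarily fraudulent; it is the case where the exception path for a new or temporary device applies.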
Digital fingerprints need to reflect how people actually interact with their devices, and not hope that users will never carry out the activities that ruin digital fingerprints. Imagine a home security system that promised 100-percent security if the criminals try to enter through the front door, but can’t guarantee protection if the criminals enter through the windows. Would you place your trust in that system? Yet that’s what so many organizations do when it comes to identifying devices.
Cybercriminals have already killed the password as a secure authentication method, and they are evolving to the point where they are killing certain second authentication factors as well. We remain vigilant so that authentication stays a step ahead of the threats seeking to undermine it, and we constantly innovate DetectID’s user authentication to be more effective and easier to deploy with each new version. Electronic commerce’s continued convenience, and the trust we place in it as consumers, depends on it.
To learn more about DetectID, please visit: https://www.easysol.net/products/easy-sol-products/detectid