Advancing Beyond Device Fingerprinting to Prevent Loan Fraud

Posted September 6, 2016

Advancing Beyond Device Fingerprinting to Prevent Loan Fraud

When it comes to preventing loan fraud, is it time to give a “thumbs down” to device fingerprinting?

Without a doubt, device fingerprinting plays a crucial role in any anti-fraud operation. By capturing a fixed set of device attributes—browser configuration, operating system, screen resolution and more—it can identify computers and mobile devices used to commit fraud, so you can avoid becoming the next victim.

These days, however, device fingerprinting alone is proving insufficient for preventing loan fraud, primarily for these three reasons:

  • There’s Always a First Time

Knowing you won’t fall victim to a perpetrator using the same device a second time is great. But it’s still cold comfort while you (or an earlier victim) are paying the price for that first time.

  • Identity is Malleable

Device fingerprinting only works if the attributes that make up a fingerprint never change. That’s almost never the case. After all, attributes are altered every time a user makes a device update. Which means, for instance, if an attribute includes enabled cookies, simply disabling them gives the device a new fingerprint.

  • Identity is Spoofable, Too

Cybercriminals often use location- and identity-cloaking tools to fake attributes and make sessions from a single device appear to be originating from different devices, using different browsers and operating systems.

But there are ways to overcome these challenges.

Disabling Device-Based Differentiation

To understand rapidly evolving dynamics of anti-fraud operations, consider one major online lender that found itself face-to-face with the limitations of standard device fingerprinting.

The lender, which focuses on providing quick personal loans to borrowers — many with sub-optimal credit histories — had become one of the fastest-growing online lenders in the US and Europe.

Of course, that designation also made it one of the biggest targets for fraudulent loan applications.

The problem: Its device fingerprinting solution couldn’t differentiate prospective borrowers from fraudsters if cookies were disabled on connecting devices.

What’s more, it was unable to enhance its anti-fraud efforts by correlating other attributes, like email addresses, to devices it had fingerprinted.

That’s when they turned to us for help.

First-Time Protection: Augmenting Device-Centric Anti-Fraud Solutions

In working with the lender, we identified four must-have capabilities beyond device fingerprinting alone to prevent online loan fraud:

  1. Deeper Device Analytics: Anti-fraud systems must be able to analyze many different browser, plug-in and TCP/IP connection attributes in order to recognize returning devices when one or more attributes have been altered or spoofed. This is critical to detecting whether a single device is being used to make multiple fraudulent loan applications.
  1. Trust Scoring: To effectively differentiate cybercriminals from legitimate customers, it’s essential that systems are able to dynamically asses any combination of online attributes—the device itself, email addresses and credentials, payment card numbers and other factors involved in reviewing, accepting and rejecting a loan application.
  1. Identity & Anomaly Detection: Lenders need access to global shared intelligence networks like ours that provide anonymized insights on user attributes, characteristics and behaviors patterns associated with specific devices. Using these insights, lenders can establish a unique digital identity for each prospective borrower, and create policy thresholds for approving loan requests.
  1. Deep Connection Analysis: Fraud prevention solutions must also be able to pierce hidden proxies and VPNs to determine true IP address, geo-location and other attributes associated with each loan application.

Together, these key capabilities can do more than just identify a device that has just been used to commit fraud. It can help predictively stop that notorious “first time” from ever happening—to you or anyone else.

Blasting Past the Status Quo

In fact, by establishing these competencies, that leading online lender has since been able to cut fraud a full 50%. Plus, being able to differentiate between good and bad loan applicants with more accuracy and confidence has helped it increase the number of approved, quality loans by over 2%.

To get more details, check out a full case study on the initiative here. You might just gain some important insights for evolving your own device fingerprinting solution enough to earn it a “thumbs up” from everyone—except perhaps, the fraudsters.

 

 

Armen Najarian

Armen Najarian

Chief Marketing Officer, ThreatMetrix

close btn