Device ID and IP Address Analysis

Information from a customer’s computer, mobile device, and internet connection can help to separate trusted behaviors from suspicious ones.

Ways to Tell One Device From the Next

The ability to uniquely identify a specific device can prove advantageous in the fight against fraud. On one hand, if for the past two months loyal customer goodguy@gmail.com consistently uses the same computer to access a merchant’s site, the merchant may feel fairly certain that it’s the same person accessing their site today as it was two months ago. On the other hand, if device information indicates that fraudster1@hotmail.com, fraudster2@hotmail.com, and fraudster3@hotmail.com are all accessing the merchant’s site from the same computer, they might reason that the user behind these accounts is up to something sneaky.

(Figure: multiple fraudulent accounts accessing a site from one device)

Specificity vs. Persistence

The primary issue with device identification (also known as device fingerprinting) is the trade-off between specificity and persistence. A specific identification will uniquely identify a single device and no other devices. A persistent identification is unlikely to change even if device settings change.


The simplest method of identifying a device is by depositing a cookie on a user’s machine upon their arrival at a specified site. This cookie contains information related to its creation time and date, as well as user details (as desired). Pros of cookies: each cookie is unique, making it as device-specific as possible. Cons of cookies: users can erase the cookie, and thereby appear as a new unique visitor each time. It is almost too easy to erase a cookie—good users may be in the habit of erasing cookies due to privacy concerns, while malicious users can easily avoid being tracked with the click of a button.


Another method of device profiling is to use the browser session to determine usage information. A system, program, or person can read system information from the browser session and string it together into what is called a user agent. Each browser session can provide a lot of data. For example, the information pulled might indicate the user’s operating system name and version number, browser name and version number, and the browser language. A user agent can look something like Windows10/Chrome91/English-US.

While this example is not very specific, it is persistent. All users running that version of Windows, that version of Chrome, and with English as their only defined browser language will appear as the same device. However, the signature for a given user remains the same until they change operating system versions, browser versions, or language settings. More advanced device fingerprinting methods use a wider array of indicators, such as browser version, IP address, screen resolution, and so on, to increase specificity while accounting for those factors that change the most frequently. The configuration determines exactly how specific and persistent the signature will be for a given user base.
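As an added illustration of the specificity/persistence trade-off described above (example code written for this page, not a fingerprinting product's own logic), the following builds a device signature from constructed browser-session records and shows how a more persistent attribute set lumps a loyal customer in with three accounts sharing a device, while adding screen resolution separates them. The field names and sample accounts are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample of browser-session attributes (assumed field names,
# not a real fingerprinting API): account, OS, browser, full browser
# version, browser language, screen resolution.
RAW = [
    ("goodguy@gmail.com",      "Windows 10", "Chrome", "91.0.4472.124", "en-US", "1920x1080"),
    ("goodguy@gmail.com",      "Windows 10", "Chrome", "91.0.4472.164", "en-US", "1920x1080"),
    ("fraudster1@hotmail.com", "Windows 10", "Chrome", "91.0.4472.124", "en-US", "1366x768"),
    ("fraudster2@hotmail.com", "Windows 10", "Chrome", "91.0.4472.124", "en-US", "1366x768"),
    ("fraudster3@hotmail.com", "Windows 10", "Chrome", "91.0.4472.124", "en-US", "1366x768"),
    ("alice@example.com",      "macOS 11",   "Safari", "14.1",          "en-US", "2560x1600"),
]
FIELDS = ("account", "os", "browser", "browser_version", "language", "screen")
SESSIONS = [dict(zip(FIELDS, row)) for row in RAW]

# A more persistent signature uses fewer, slow-changing attributes; a more
# specific one adds attributes such as screen resolution.
PERSISTENT = ("os", "browser", "language")
SPECIFIC = PERSISTENT + ("screen",)

def device_signature(session, fields=PERSISTENT, major_version_only=True):
    """Hash the chosen attributes into a short device signature."""
    version = session["browser_version"]
    if major_version_only:  # ignore patch releases so the signature survives updates
        version = version.split(".")[0]
    raw = "|".join(session[f] for f in fields) + "|" + version
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def accounts_per_device(sessions, **kwargs):
    """Map each device signature to the set of accounts seen on it."""
    seen = defaultdict(set)
    for s in sessions:
        seen[device_signature(s, **kwargs)].add(s["account"])
    return seen

def shared_devices(sessions, threshold=3, **kwargs):
    """Signatures used by at least `threshold` distinct accounts."""
    return {sig: accs for sig, accs in accounts_per_device(sessions, **kwargs).items()
            if len(accs) >= threshold}

if __name__ == "__main__":
    for label, fields in (("persistent", PERSISTENT), ("specific", SPECIFIC)):
        for sig, accs in shared_devices(SESSIONS, fields=fields).items():
            print(f"{label}: {sig} shared by {sorted(accs)}")
```

With `major_version_only=False` the loyal customer's two sessions no longer match each other after a Chrome patch update, which is the persistence cost of a more specific signature.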

In Addition to Which Device, How About Where is the Device?

When a user connects to a website, their IP address becomes known. The IP address is a string of numbers separated by periods, like this: 54.86.209.249. The address indicates where on the internet the traffic originates. This information can be used in several different ways:

First, like a device signature, the IP address can be used to identify a user between sessions. Unfortunately, IP addresses tend to be both very broad and very changeable. For example, everyone connecting to a merchant’s website from UC Berkeley’s servers will have the same IP address. On the other hand, every time someone connects to a website on a mobile device through AT&T, their IP could be different depending on how their connection is routed through AT&T’s mobile towers (or if they’re using a coffee shop’s WiFi, with its own IP shared by everyone connecting to it). Despite all this, tracking velocity of purchases made or different accounts accessed from a particular IP address can be a useful signal for detecting fraudulent behavior.
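The velocity signal mentioned above, as an added example (written for this page, not taken from any fraud platform): count the distinct accounts seen from each IP address inside a rolling window and flag addresses that exceed a threshold. The login events, IP addresses (from documentation ranges) and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login events: (ISO timestamp, source IP, account). Not real traffic.
EVENTS = [
    ("2024-05-01T09:00:00", "203.0.113.7",   "goodguy@gmail.com"),
    ("2024-05-01T09:05:00", "198.51.100.20", "fraudster1@hotmail.com"),
    ("2024-05-01T09:06:00", "198.51.100.20", "fraudster2@hotmail.com"),
    ("2024-05-01T09:08:00", "198.51.100.20", "fraudster3@hotmail.com"),
    ("2024-05-01T09:09:00", "198.51.100.20", "fraudster4@hotmail.com"),
    ("2024-05-01T13:00:00", "203.0.113.7",   "goodguy@gmail.com"),
    ("2024-05-02T09:00:00", "198.51.100.20", "goodguy@gmail.com"),  # a day later, outside the window
]

def ip_velocity_alerts(events, window=timedelta(hours=1), max_accounts=3):
    """Return {ip: accounts} for every IP that is used by more than
    `max_accounts` distinct accounts within any rolling `window`."""
    recent = defaultdict(deque)  # ip -> (time, account) pairs still inside the window
    alerts = {}
    for ts, ip, account in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        queue = recent[ip]
        while queue and now - queue[0][0] > window:  # expire old entries
            queue.popleft()
        queue.append((now, account))
        distinct = {acct for _, acct in queue}
        if len(distinct) > max_accounts:
            alerts.setdefault(ip, set()).update(distinct)
    return alerts

if __name__ == "__main__":
    for ip, accounts in ip_velocity_alerts(EVENTS).items():
        print(f"{ip}: {len(accounts)} accounts within one hour -> {sorted(accounts)}")
```

Because a campus or coffee-shop NAT can legitimately put many accounts behind one address, the threshold should be tuned per traffic source and the alert treated as one signal to combine with device information, not as a verdict on its own.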

(Figure: multiple people sharing the same IP address)

In addition, certain IP addresses belong to certain registered organizations, which operate out of certain geographical locations. Some of this information is publicly available, while other factors must be extrapolated and researched. There are a variety of paid and free resources that take in an IP address and output organization name, carrier code, connection type, IP country, and geographical coordinates for that specific connection. This can allow merchants to make broader observations about fraud they’ve encountered. For instance, rather than targeting specific IP addresses in a game of whack-a-fraudster, a merchant might observe more broadly that Russian IP addresses tend to be more often tied to fraud than German IP addresses.

(Figure: information linked to IP addresses)

Bad users can take steps to obscure their true IP address, such as using proxies, VPNs or accessing the connections of virus-infected computers connected to botnets. There are methods that can pierce or mitigate this to some extent, but in short it’s best to use IP as one signal among many.

Despite the caveats associated with device and IP identification, this information is still extremely useful and can be leveraged to distinguish legitimate user activity from fraudulent activity. Typically, trusted activity has some semblance of consistency, while bad actors tend to mix up tactics in order to obscure their true identities and avoid detection. For example, using an incognito browser that refreshes cookies each time is not necessarily suspicious if the browser and operating system remain the same, while bad actors may use many different VPNs and devices to thwart detection systems.