Device ID and IP Address Analysis

A customer’s computer, mobile device, and Internet connection information can help to separate good orders from bad.

Ways to Tell One Computer From the Next

The ability to uniquely identify a specific computer can prove advantageous in the fight against fraud. On one hand, if for the past two months loyal customer consistently uses the same computer to access a merchant’s site, the merchant may feel fairly certain that it’s the same person accessing his site today as it was two months ago. On the other hand, if device information indicates that,, and are all accessing the merchant’s site from the same computer, he might reason that the user behind these accounts is up to something sneaky.

If Fraudster 1 and 2 both committed fraud on the same device, there's a good chance that Fraudster 3 is also up to no good.

Specificity vs. Persistence

The primary issue with device identification (also known as device fingerprinting) is the trade-off between specificity and persistence. A specific identification will uniquely identify a single device and no other devices. A persistent identification is unlikely to change even if device settings change.

Specific Identification
Browser Cookies

Very specific

Easily erasable

The simplest method of identifying a device is by depositing a cookie on a user’s machine upon his or her arrival at a specified site. This cookie contains information related to its creation time and date, as well as user details (as desired). Pros of cookies: each cookie is unique, making it as device-specific as possible. Cons of cookies: users can erase the cookie, and thereby appear as a new unique visitor each time. It is almost too easy to erase a cookie; good users may be in the habit of erasing cookies due to privacy concerns, while malicious users can avoid tracking easily with the click of a button.

Persistent Identification
Device Information

Very persistent

Not very specific

Another method of device profiling is to use the browser session to determine usage information. A system / program / person can read system information from the browser session, stringing together this information to identify the user. Each browser session can provide a lot of data. For example, the information pulled might indicate the user’s operating system name and version number, browser name and version number, and the browser language. Thus, a device’s signature might be Windows6.1/InternetExplorer9.0/English-US.

While this example is not very specific, it is persistent. All users running that version of Windows, that version of Internet Explorer, and with English as their only defined browser language will appear as the same device. However, the signature for a given user remains the same until he changes operating system versions, browser versions, or sets languages. More advanced device fingerprinting methods use a wider array of indicators, such as installed Flash version, screen resolution, etc., to increase specificity while accounting intelligently for those factors that change the most frequently. The exact configuration determines exactly how specific and persistent the signature will be for a given user base.

In Addition to Which Computer, How About Where is the Computer?

When a user connects to a website, his IP address becomes knowable. The IP address is a string of numbers separated by periods, like this: This address indicates where on the Internet the traffic originates. This information can be used in several different ways.

First, like a device signature, the IP address can be used to identify a user between sessions. Unfortunately, IP addresses tend to be both very broad and very changeable. For example, everyone connecting to a merchant’s website from UC Berkeley’s servers will have the same IP address. On the other hand, every time someone connects to a website on a mobile device through AT&T, their IP could be different depending on how their connection is routed through AT&T’s mobile towers (or if they’re using a coffee shop’s WiFi, with its own IP shared by everyone connecting to it!). Despite all this, tracking velocity of purchases made or different accounts accessed from a particular IP address can be useful signal for detecting fraudulent behavior.

In addition to that, certain IP addresses belong to certain registered organizations, which operate out of certain geographical locations. Some of this information is publicly available, while other parts of it must be extrapolated and researched. There are a variety of paid and free resources that take in an IP address and spit out organization name, carrier code, connection type, IP country, and geographical coordinates for that specific connection. This can allow merchants to make broader observations about their fraud: for instance, rather than targeting specific IP addresses in a game of whack-a-fraudster, observing more broadly that Russian IP addresses tend to be more often tied to fraud than German IP addresses.

Bad users can take steps to obscure their true IP address, such as using proxies, VPNs or accessing the connections of virus-infected computers connected to botnets. There are methods that can pierce or mitigate this to some extent, but in short it’s best to use IP as one signal among many.