Device intelligence boils down to a cup of coffee

Security ingredients (and their limitations)

Many organizations are tied to incomplete security tools, which — while capable of monitoring some user attributes — don’t do so completely or very well over time. This leaves space for bad actors to take advantage of gaps in information, and also results in a clunky user experience for good users forced to continuously verify their identities and share more personal information with brands.

It’s no surprise many businesses turn to device IDs, device fingerprints and device user-agents as the primary way of validating users. But let’s break down these three common identifiers a bit more and explore the underlying roadblocks of each:

1. Device IDs: This first string of data is unique to absolutely every device and is generated based on cookies stored on your browser. Device IDs are great identifiers, but for privacy reasons these IDs expire monthly, making them unreliable long term.Think of device IDs as your coffee cup. When you go to your favorite local spot, suppose you always bring a one-of-a-kind mug made by someone in your family. For a period of time, that cup makes you incredibly identifiable. But maybe your new cat grows fond of knocking over your mug and breaks it, and you end up purchasing a replacement. Having multiple coffee cups is not unheard of (some of us collect them), just as many users rely on numerous devices to go about their business online. However, that does make your coffee cup of choice week-to-week an incomplete identifier.
2. Device fingerprints: The second string of data incorporates your device settings and attributes, including type of device, browser used, version of the browser and language settings. This set of information remains stable over time, but is never 100% globally unique. In fact, there’s a 40% chance of finding another device with the same fingerprint as yours. Overlap across device fingerprints will only grow more common as developers continue to standardize technologies and produce devices with fewer easily recognizable flaws.Think of device fingerprints as your java order. Throughout the day, there are likely other customers who also order vanilla lattes with almond milk. While your fingerprint appears unique in the moment, a big-picture perspective reveals relatively high similarities with other users (or coffee connoisseurs) — your order may not be as special as you think it is.
3. Device user-agents: The third string of data offers basic details about your device. Again, while these underlying attributes are helpful, this small stamp of your phone/computer/tablet is easy for fraudsters to understand and replicate. Think of device user-agents as the name written on your coffee cup. Sure, your name is a helpful identifier, but someone else at the store may share your name. Likewise, over time it would be easy for others to learn and give your name at checkout.

IDs, fingerprints and user-agents offer unique and helpful information about our devices, and in many scenarios these details can prevent fraudulent interactions. That said, organizations still expect $4.1B in application fraud losses by 2023, so it’s clear current tactics alone are not enough to stop all bad actors from slipping through the cracks. Don’t worry, we’ll discuss solutions shortly — but first, an important question.

Do you want whipped cream on that?

For a long time, companies have prioritized learning as much as possible about customers. This effort revolutionized the level of personalization now expected when we shop and continues to improve user experiences across all digital channels. But there’s a lot more we can still learn about end users when we pay closer attention to not only their devices and goals, but also their behaviors when online — especially when it comes to improving security practices.

Let’s go back to our coffee shop illustration. While we were focused on the specifics of your drink order, we actually missed out on a series of extremely helpful behavioral queues. Imagine you typically stop by your local store on Friday mornings because you enjoy ending the work week on a high note. It’s not uncommon for you to walk your dog to the shop since it’s in your neighborhood (yes, you have a cat and a dog). And you always say yes when asked if you’d like whipped cream on your drink (it’s Friday after all).

Altogether, that’s a lot of identifying details that go well beyond your coffee order, and instead focus on your unique behaviors. As mentioned earlier, other customers may also order vanilla lattes or share your name. However, the time of the day you tend to swing by, how often you make purchases and the type of mug you typically bring presents a distinct picture with significantly lower overlap. This clear sense of “you” enables your barista to react appropriately upon your arrival, and may even trigger certain events like an employee grabbing your preferred cup size or a special treat for your puppy. Equipped with more behavioral knowledge about you, the barista can also make adjustments when scenarios feel off, too. While it’s unlikely that someone will try to impersonate you at your local coffee shop, if this does happen, you’d want employees to spot this deception and intervene.

These details also exist in our digital world. As mentioned above, the device intelligence strategies we turn to most often can no longer solve our security problems on their own. Fortunately, it’s possible to combine details already known through your device ID, fingerprint and user-agent with what we can now learn about users through their passive biometric habits, such as how they type, browse and hold devices.

Behavioral technologies help you avoid getting burned

Much like a bad cup of coffee, insufficient security measures and difficult user experiences leave a bitter taste in customers’ mouths. It’s important to avoid mistakes from the jump.

To do that, behavioral characteristics create a device-based profile much more difficult for bad actors to replicate — making these details a great source for both pinpointing fraud and validating good users. Behavioral technologies work well in today’s world because rather than looking out for generically “suspicious” actions to identify bad actors, your organization can turn to legacy user information and flag instances that feel off based on the behaviors of your known good actors.

This includes going beyond catching occurrences of spoofing and double device breaks, as well as the ability to reliably link several devices to the same authorized user. Layering behavioral technologies into your overall device intelligence strategy is a direct response to the advanced social engineering tactics bad actors now lean on, and avoids overreliance on data points like device IDs, fingerprints and user-agents.

Top security solutions actually provide a risk score triggered by device intelligence insights as well as behavioral information, allowing your company to automate responses based on your organization’s particular risk tolerance. Customizing fraud intervention strategies based on your unique industry and customers goes a long way toward safeguarding user experience. For example, merchants may choose to respond only to very high-risk behaviors since their customers are more sensitive to false declines, while banks fall on the opposite end and will likely respond to relatively medium-risk behaviors to prevent even one instance of financial fraud. Over time, you can change policies and introduce new triggers/rules to improve security practices.

So, the next time you visit your local coffee shop, pay attention to what makes you stand out from the crowd. You might be surprised by all the things you notice — and how those details change the way you think about device intelligence.