Category: CX/UX

Deduce Brings Continuous Authentication to the Masses

Continuous authentication is no longer exclusive to big tech

Mark Gavigan
July 22, 2022

Continuous authentication is no longer exclusive to big tech

Amazon’s Prime Day was last week, the annual free-for-all in which Prime subscribers jostle for exclusive deals. Amazon’s hefty stockpile of data (and identity intelligence) enables shoppers to jump on and off the site or app without having to reauthenticate, boosting their chances of snagging their favorite moisturizer or air fryer.

Thankfully, for companies not in the FAANG Gang, Deduce’s real-time identity intelligence provides the same convenience. This “continuous authentication” feature, which keeps trusted users logged in for 30 days (or longer—this is SecOps configurable), can now create a frictionless customer journey for all B2C companies, even if their CEO doesn’t moonlight as an astronaut. Implementation is just as seamless—without sacrificing security.

Here is why continuous authentication, and frictionless real-time digital identity verification, are central to the consumer journey, what this looks like in action, and how Deduce makes it happen.

It all starts with identity

All consumer journeys start with identity. Verifying users instantly without having them enter their username and password upon each visit goes a long way in facilitating these journeys.

Per a FIDO Alliance report, more than 67% of online shopping carts are abandoned by existing customers due to false positive challenges. Today’s customer is busy, impatient, and short on attention span. They aren’t too thrilled about logging back in for checkout or using a valid credit card and seeing the transaction wrongly declined. Companies feel the hurt of false positives, too. Every triggered multi-factor authentication (MFA) represents a costly trifacta for businesses: lost revenue, reputational damage, and churn, which potentially impacts lifetime customer value.

Delivering a smooth user experience hinges on correctly identifying legitimate customers, instantaneously. Implementing continuous authentication throughout a user’s session keeps them engaged and decreases the likelihood of cart abandonment and/or churn.

The nitty-gritty

So, how does continuous authentication actually work?

We’ve all seen the “Remember Me” box underneath login forms. Depending on the app, ticking this box activates one of two implementations: users only need to enter their password moving forward; or, most conveniently, they’ll bypass login entirely for a period of time.

Some of the trust and risk signals Deduce uses to verify identities.

Continuous authentication, including passwordless login, gives security teams the chills, but Deduce’s behavioral intelligence and real-time risk and trust signals make sure that only legitimate customers, not bad actors, are granted this privilege. After an identity is verified via risk and trust signals across network, device, geography, and activity, a customer can be issued a session extension cookie. Essentially a security token, this extension tells the authentication solution that a user is trustworthy and can be fast-tracked to check-out.

The best part about Deduce’s continuous authentication is that a user’s identity is secure even when they are not using a company’s website. If a user’s credentials are compromised on another site or app within the Deduce Identity Network, their session extension is revoked and they must reauthenticate upon return. Conversely, if the user has authenticated elsewhere on the Deduce Identity Network, that authentication is applied to their identity in real-time and they won’t need to authenticate again on other sites.

Without the required amount of data, however—on par with the likes of Amazon and Google and Apple—continuous authentication and 30+ day session extensions aren’t possible. Unless…

Not your average data stack

Don’t let data limitations get in the way of your continuously authenticated dreams. Deduce’s augmentative solution, fueled by the largest identity graph in the US, layers on top of a company’s existing data stack and effectively levels the playing field.

The Deduce Identity Network packs the identity intelligence needed to pull off continuous authentication and prevent false positive MFA challenges while neutralizing fraudsters, regardless of a company’s size. This network comprises 500M+ unique identity profiles that generate more than 1.4B daily interactions, meaning that Deduce sees the majority of the U.S. population transact in real-time, multiple times per week. As risk data evolves, our identity-backed, machine learning-driven, real-time behavioral intelligence adjusts accordingly.

Legacy identity fraud prevention solutions dependent on static data (name, address, mother’s maiden name, etc.) are no match for today’s fraudsters, and certainly can’t be trusted to power extended login sessions. Static data is more likely to have been compromised by major data breaches and trafficked to cybercriminals on the dark web. Legacy solutions also install their software on websites and apps using JavaScript, far less efficient than Deduce’s no-code integration that integrates within seconds.

With Deduce’s real-time digital identity verification, users bypass manual login for extended periods and enjoy an equally swift account creation process. Businesses and their UX teams, meanwhile, can create a frictionless consumer journey that doesn’t skimp on security, a Trusted User Experience that keeps customers coming back for more.

Related Content

Let’s Get Physical (and Digital): The Path to Speedy ID Verification

The days of sluggish ID verification are over

Mark Gavigan
July 15, 2022

The days of sluggish ID verification are over

Deduce recently completed a comprehensive evaluation for a leading identity verification (IDV) platform. The deep-dive proved what we already knew to be true: uniting digital and physical identities is one of the fastest and most accurate ways of verifying the identity of new customers during the account creation workflow.

Digital and physical familiarity with a user is especially crucial in regulated industries, such as banking. Big banks call upon IDV vendors to verify legitimate users and catch bad actors, but these solutions don’t always have the real-time digital identity intelligence necessary to detect fraud at scale, or the data they rely on during the verification steps may be out of date and lead to false positive declines or costly manual reviews.

Here is a closer look at how Deduce is powering the future of digital identity verification.

It all starts with visibility

The unification of digital and physical identity, or a user’s online footprint and physical location, isn’t possible without a hefty chunk of consumer web data. Deduce’s identity graph, the largest in the US, has this data in droves: 500 million unique identity profiles and 1.4 billion daily online activities sourced from more than 150K websites and apps.

In short, Deduce sees most of the US transactional population multiple times per week. For this particular data study, many of the 69K identity profiles provided had appeared on Deduce’s Identity Network hundreds of times before (shopping, gaming, banking, etc.). Further, more than 80% of the applicants’ emails showed up on Deduce’s network, and nearly 8 out of 10 seen emails were linked to a familiar geography, IP, or network.

Matching a customer’s profile with their observed consumer behavior on Deduce’s network—in real time—gives IDVs, as well as fraud platforms, a significant edge. Coupling this with accurate, and much faster, network and geography verification is the coup de grâce for fraudsters committing identity theft or synthetic identity fraud.

The dynamic duo: digital & physical identity

The combo of digital and physical familiarity, plus Deduce’s real-time behavioral analysis, neutralizes the threat of identity fraud. Crucially, it also protects legitimate customers from the drudgery of manual review. Imagine applying for a bank account or time-sensitive loan that you need approved in hours, even minutes, and not hearing back for days.

In the case of a bank account application, for example, an applicant’s first and last name is typically cross-referenced with their current address. However, if they recently moved, this would likely result in a false positive for identity fraud—and a subsequent manual review—as many consumer databases take weeks to update. Deduce mitigates such an error by checking the applicant’s email against trust signals such as IP and device ID to confirm a user’s location, returning another trust signal known as “Familiar Geo.”

This is great news for any regulated industry, where regulatory compliance requires them to Know Your Customer (KYC). Dodging manual reviews cuts labor costs (~$100 per review), shortens time to approval, and stops customers from jumping ship.

The IDV evolution is here

Digital and physical familiarity coupled with malicious activity detection is a sure-fire path to customer delight and fraudster chagrin. With Deduce’s trust and risk signals, IDVs and fraud platforms can sniff out email chicanery and identity fraud while facilitating the customer journey and curtailing chargeback risk. Even customers with little to no credit history, or thin file applicants, such as students, can be more accurately identified.

For regulated industries in particular, knowing where a customer is goes a long way in determining who a customer is. Deduce’s robust layer of trust has all of the information IDVs need—well before the verification process takes place.

Want to see how Deduce can expedite your identity verification? Contact us today and get up and running in no time.

Related Content

Building Consumer Trust: 3 Trends On the Rise

Experian report shows users are more aware—and wary—of fraud

Mark Gavigan
July 7, 2022

Experian report shows users are more aware—and wary—of fraud

Experian’s annual Global Identity and Fraud Report highlights the emergence of a new digital user persona. This savvy online consumer appreciates a seamless customer experience (CX), but, above all else, prioritizes their safety. 

The report contains plenty of interesting tidbits related to business and consumer sentiment around fraud. The data begs an important question: can frictionless CX and Grade-A security play on the same team, or are they mutually exclusive?

Below you’ll find the answer to that question, plus some additional findings that caught our eye.

Fraud concern is through the roof

Businesses across the board have never been more worried about fraud. 70% of the companies surveyed in Experian’s report named fraud as their number-one concern—an all-time high. Notably, retail banking ranked as the least trustworthy vertical in regards to fraud risk, with credit card issuers not far behind.

The complexity and ubiquity of fraudsters is an obvious stressor for companies. However, with consumer fraud losses reaching $5.8 billion in 2021—up 70%—execs also know that today’s user is hip to the increase in fraud risk. Globally, over 50% of users have experienced fraud or know a victim personally. Consumers’ chief security concern is identity theft, which usurped credit card theft.

Earning trust from safety-first users is paramount. Otherwise companies will quickly feel a churning sensation.

Users aren’t cutting down on screen time

Consumers are more fraud-averse than ever before, but they aren’t spending less time or money online. Quite the opposite.

Experian’s data shows that online purchases have ticked up in recent months, including a boost in users from older age groups such as 40-54 (48%) and 55-64 (32%). Half of those surveyed plan to ratchet up their online spending over the next three months.

Active as they are, many respondents value security and privacy over the ease of a personalized online experience. This is especially true of those in the Baby Boomer (95%) and Gen X demographics (85%). Still, consumers express a desire to be repeatedly authenticated during an online session, though only one-third of them believe businesses are up to the task.

It behooves companies, then, to bolster their security defenses, while delivering a seamless customer journey.

Balancing security & convenience

A smooth, anxiety-free customer journey is built on trust. Given consumers’ growing online activity and security concerns, apps that protect them—without muddying up the customer experience—will be at the top of their list.

It’s a delicate balance, one that requires myriad data to effectively neutralize synthetic fraud, credential stuffing attacks, and all of the other tactics deployed by bad actors. Consumers, too, seem to know what it takes: 57% of them are open to sharing data in service of stronger security, and 63% believe data sharing is worthwhile (up from 51% last year). 

These are encouraging stats, but enlisting a fraud prevention solution that has its own stockpile of identity intelligence on tap is a much easier route.

Deduce proves that airtight cybersecurity without friction isn’t fiction, thanks to our Identity Network that pulls from over 500 million anonymized user profiles, 150,000+ websites and apps, and more than 1.4 billion daily activities. In fact, Deduce sees the majority of the transactional US population multiple times per week. Deduce’s real-time identity intelligence preempts fraud before it happens and ensures users aren’t wrongly identified as bad actors. This dramatically reduces false positives during account creation and expedites authentication for returning customers—both common sources of churn.

We love that more consumers are invested in their online security. With the Deduce Identity Network behind them, B2C companies can treat users to the safe and frictionless experience they deserve.

Want to provide your customers with a seamless and secure online experience? Try Deduce for free today.

Related Content

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

New Gartner report rethinks the marketer’s to-do list

Mark Gavigan
June 23, 2022

New Gartner report rethinks the marketer’s to-do list

According to a recent Gartner report, CMOs have a new priority at the top of their to-do lists—and it isn’t to order more custom flash drives and beer koozies.

The State of Marketing Budget and Strategy 2022, Gartner’s annual survey of enterprise CMOs, indicates that marketing brass are shifting most of their attention to “Customer Acquisition, Retention and Engagement.” As users grow more impatient and wary of fraud, meeting all three of these needs requires an airtight, yet seamless approach to security. It also requires a combined effort from marketing and security teams.

Though still below pre-COVID-19 levels, marketing budgets are, on average, 9.5% higher than last year. Here is why spending on the right security solution is central to attracting, engaging, and keeping users around.

In the beginning…

All customer journeys start with identity, and optimizing the customer experience (CX) starts with account creation.

This means taking a good, hard look at outdated account signup measures such as email verification. At Deduce, we’ve talked to companies signing up millions of new users every month that have churned 10 percent of these accounts because of email verification issues. Further damage awaits downstream, negatively impacting lifetime customer value and brand reputation.

To neutralize fraud—including synthetic fraud—while maintaining an easy-breezy signup process, deploy an antifraud solution that provides real-time trust signals at the account creation stage. For regulated industries, these trust signals can also reduce the cost of customer onboarding.

A churning sensation

Remember those trust signals from two sentences ago? They not only fastrack signup, but alleviate another major customer pain point: false positives.

Once customers are acquired and have created their account, getting blindsided by a false positive upon logging in will often trigger a DEFCON-1 churn reaction. Security solutions bereft of real-time identity data that rely exclusively on behavioral biometrics and device fingerprinting will generate more false positives and smack users with a multi-factor authentication (MFA) alert.

Many users don’t think MFA is worth the increased security. They don’t have time for clicking CAPTCHA squares of traffic lights or authenticating via one-time passcode. And, thanks to SIM swapping, SMS codes aren’t 100-percent secure, let alone user-friendly, anyway.

A delicate balance

If CMOs wish to treat users to a Ritz-Carlton-esque app experience, they’ll need a security solution that’s rock-solid yet frictionless.

Fortunately, Deduce lies at the intersection of CX and security. With a real-time identity network comprising 500 million anonymized user profiles, 150,000+ websites and apps, and over 1.4 billion daily activities, Deduce uses real-time identity intelligence to ensure a user is legit during account creation and beyond, greatly decreasing the likelihood of a false positive MFA trigger. Spoof-proof trust signals—geolocation, new device, time of day, etc.—promise a smooth verification process throughout the customer journey.

The trusted user experience needn’t be a slog. Safe can also mean seamless, and vice versa.

Looking for a CX-traordinary security solution? Try Deduce for free today.

Related Content

Turning the Tables on Restaurant Reservation Fraud

How reservation apps can put fraudsters in a to-go box

Mark Gavigan
May 15, 2022

How reservation apps can put fraudsters in a to-go box

A restaurant reservation can make or break someone’s evening, even someone’s week if they identify as a “foodie.” Fraudsters, of course, are well aware and have found a way to juke reservation apps and naive consumers who mistakenly believe they’re in for the Michelin Star treatment at that hard-to-get-into restaurant.

Sit-down eateries have long been fertile ground for fraud (dine-and-dashing, running the card twice in the back, hacking users through malicious QR codes), but restaurant reservation fraud—akin to ticket scalping—uniquely impacts reservation platforms, restaurants, and their would-be patrons.

Let’s take a closer look at reservation fraud and how to stop bad actors from feasting on reservation apps.

A maître d’s worst nightmare

After scammers land a restaurant reservation—typically at a ritzier establishment—they attempt to sell it on Craigslist, Facebook Marketplace, and other classifieds. The poster withholds vital information from unsuspecting buyers: other folks have purchased the same reservation.

Imagine showing up for your anniversary dinner only to find four other parties have the same reservation—a party of ten with no table and no backup plan.

Craigslist ad for restaurant reservation
A recent Craigslist ad for a restaurant reservation

Duped customers are left with hurt feelings and empty stomachs, but restaurants, many still finding their footing amid the pandemic, suffer lost revenue and the likelihood that neither of these customers will return in the future. In turn, the restaurant blames the reservation app and may seek out a similar platform that isn’t so easily manipulated.

Does such a platform exist? How can reservation apps (and restaurants) turn the tables on bad actors?

Tonight’s special: preemptive fraud detection

Deduce recently partnered with a global restaurant reservation platform to solve its reservation fraud issue. The intelligence, scalability, and preemptive nature of Deduce’s solution was precisely what the app needed to put fraudsters in a doggy bag.

Malleability played a crucial role as well. Deduce created custom risk signals and provided a continuous authentication solution for the app, Improbable Travel, to neutralize phony reservation bookers. If someone in Kansas makes reservations at restaurants in New York, Los Angeles, and New Orleans for the same day, chances are it’s a ruse, doubly so for new accounts. By flagging such cases based on geolocation and account status, and referring them to the reservation app for manual review, Deduce’s tailor-made approach reserved restaurant tables for legitimate customers only.

A recipe for success

Deduce owes its flexibility and real-time fraud detection to its Identity Network comprising 500 million anonymized user profiles, gleaned from over 150,000 websites and apps, and over 1.4 billion daily activities. In fact, Deduce sees the majority of the transactional online U.S. population multiple times per week. It verifies users through risk signals, like Impossible Travel, and trust signals such as familiar device, familiar network, familiar activity, and familiar time of day.

These real-time risk and trust signals work in tandem to spot bad actors long before any malicious behavior can take place. In the case of a restaurant reservation platform, preemptively intercepting fraud is the way to a restaurant and app user’s heart: full tables, satiated appetites, less churn.

Are you starving for an effective first line of defense against account creation fraud and to prevent ATO attacks while reducing friction for legitimate customers? Contact us today and get set up in just a few hours.

Related Content

The Trusted User Experience: A Day in the Life

What does the Deduce Identity Network look like in action?

Mark Gavigan
May 3, 2022

What does the Deduce Identity Network look like in action?

In our previous blog posts we’ve discussed the value of identity intelligence, how data poverty can mix up risk signals, and shown how the Deduce Identity Network can enable a trusted user experience.

But what does our network of 500 million user profiles and 1.4 billion daily online activities actually look like in action?

To help illustrate how Deduce’s trust signals can significantly improve the user experience—and prevent the churn that CEOs loathe—here is a day in the life of a trusted user identity on our network.

Uber—8:17 a.m.

Meet Tom. Tom is a Deduce trusted identity. We don’t know his name is Tom (Deduce defines a profile via email, device, geo, and activity), but we know he won’t be launching a credential stuffing attack any time soon.

It’s a typical work day for Tom, and Deduce’s Familiar Time of Day signal is already pointing to trust. Tom is waiting for an Uber, standing on the curb in front of his house—a new house he and his wife moved into a few weeks ago. The Uber arrives. Tom buttons his blazer, tightens his half-Windsor knot, and heads to the office.

A few minutes later, when Tom decides to check emails on his phone, he realizes the email client logged him out and he can’t remember the right password combination. Given his change of residence, Tom’s new commute path to the office could trigger an MFA (multi-factor authentication) challenge; fortunately, Deduce’s IP Address and Time of Day trust signals identify Tom as a non-malicious user and increase his allotted number of password attempts. He’s in!

Uber—8:50 a.m.

Roughly 30 minutes after boarding the Uber, Tom remembers that his wife asked him to buy plane tickets for a spontaneous Vegas trip next weekend.

Tim is only a few minutes from his office and the ticketing app with the best deal isn’t installed on his phone. Even with just a few weeks of data, Deduce’s Time of Day/Day of Week trust signals—coupled with intel from multiple cell towers—recognize Tom is commuting and expedite the account creation and verification process.

Tom acquires the last-minute tickets with time to spare.

Office—9:27 a.m.

Tom grabs his morning joe and walks to his desk. After texting his wife that they’ll soon be swimming in daiquiris and poker chips, he logs into his office computer and checks his calendar.

Uh oh. A video meeting in three minutes AND it’s on a video conferencing platform he’s never heard of?

No worries. Tom downloads and installs the software then quickly creates an account without having to verify via OTP (one-time passcode). Deduce’s recognition that Tom is actually Tom—it recognizes the IP address and device ID of his work computer at the right time of day—allows him to enter the meeting right on the dot.

Home—6:48 p.m.

Tom and his wife get home from work. They’ve hardly unpacked since moving and navigating the labyrinth of boxes in the kitchen to use the stovetop is unrealistic. Pizza it is.

Tom’s phone is dead, so he grabs his wife’s tablet. He downloads a food delivery app—the same one installed on his phone—and logs in to order their favorite: a medium Hawaiian with extra pineapple.

A user logging in on a new device might trigger an MFA under normal circumstances, but Deduce knows Trusted Tom is accessing the app from his residence on a new, albeit still familiar, network. Deduce also identifies the device ID of the tablet, as Tom’s wife has used it on the network before.

The pineapple-on-pizza debate is contentious, but we can all agree that friction has no place in the user experience.

Want to steer clear of friction and churn? Contact us today to find out how you can treat your customers like trusted users, not bad actors

Related Content

Behavioral Biometrics vs. Identity Intelligence: What’s the Difference?

Hint: One is more reliable than the other

Mark Gavigan
April 20, 2022

Hint: One is more reliable than the other

Identity fraud, including account takeover attacks, affects 15 million Americans each year. In response, companies are looking for fraud prevention solutions that are easy to deploy, frictionless, and unlikely to trigger false positives.

Two popular methods of detecting fraud are behavioral biometrics and identity intelligence. In simple terms, the former analyzes how a user acts while the latter analyzes who a user is. Most behavioral biometrics and identity-based solutions can be deployed without impeding the user experience—a key prerequisite in the digital age—but they share little else in common.

Before breaking down the key differences between behavioral biometrics and identity intelligence, let’s look closer at each approach and why an identity-centric model is more reliable.

Behavioral biometrics

Behavioral biometrics measures a user’s physical and cognitive traits to differentiate between fraudsters and real customers. Unlike physical biometrics, behavioral biometrics doesn’t scan fingerprints or eyes; instead, it looks for patterns in how a user interacts online. For example, it might invoke keystroke dynamics to determine if someone (or something) is copy-and-pasting into a text form or typing.

Here are some other ways in which behavioral biometrics can examine a user:

  • Signature analysis
  • Gait analysis
  • Voice recognition
  • Lip movement

While behavioral biometrics is easy to integrate and improves the accuracy of fraud identification systems, it has its drawbacks. Being a nascent technology, assimilating it into your existing technology stack can be expensive. Once it is activated, stockpiling enough personal data to successfully analyze a user’s behavior will take some time. The aforementioned accuracy can also take a hit if a user strays from their typical behavioral patterns—a drunk or sick user might speak or type differently, an injured user might suddenly walk with a limp. Even a user’s setup can elicit false positives: consider someone who gets flagged erroneously, via keystroke analysis, because they use different keyboards at home, at work, and on the go.

The increased likelihood of false positives outlined above makes behavioral biometrics more suitable as a complementary fraud defense rather than a core solution.

Another flaw of behavioral biometrics is bias. Some solutions rely upon training data that skews toward one demographic. For instance, a 2018 study from MIT and Stanford discovered that the facial data used in at least one system was more than 77% white and more than 83% male.

Identity intelligence

Sophisticated anti-fraud tactics such as behavioral biometrics can be effective. But, in the era of synthetic identities, it’s not enough.

Detecting fake identities consisting of stolen passwords and other personal info requires robust security checks at point of entry, post-authentication tools that can zero in on inconsistent behaviors and preempt fraudulent transactions. Identity intelligence achieves precisely this.

Identity intelligence leverages massive datasets rife with insights on how legitimate users interact online. This knowledge helps neutralize fraudsters even if they possess a user’s login details. Contrary to behavioral biometrics’ need to ramp up its behavioral data for a given user, identity intelligence pulls from data that is ready to go from day one and, thanks to machine learning, constantly growing and up to date.

Identity intelligence hones in on both the person and their device. If George logs in, it finds out if it’s really George, and if the device in question belongs to him. Device usage offers identity-based solutions a plethora of behavioral insights: the types of mobile apps George uses during his morning commute, the wifi network he uses at work, the VPN he accesses on his home computer. Identity intelligence is the actionable, real-time, dynamic fraud prevention approach that closes the gaps left behind by behavioral biometrics.

Identity intelligence that can’t be faked

If a company needs identity intelligence to overcome the blindspots of their existing behavioral biometrics solution, or to remove the need for behavioral biometrics altogether, they’ll need as much identity data as they can muster. No one has more of this data than Deduce.

Deduce boasts the largest real-time identity graph for online fraud in the US. The brain behind our identity intelligence, the Deduce Identity Network, comprises more than 500 million anonymized user profiles and over 1.4 billion daily activities. This sizable (and fully compliant) data stack prevents the false positives that would hinder a behavioral biometrics solution.

Furthermore, given fraudsters’ proclivity with learning to hack new technologies (like behavioral biometrics), businesses can be assured that Deduce’s identity intelligence cannot be bamboozled. Fraudsters are too cheap to outwit our network. Circumventing such a vast arsenal of user profiles, website and activity data—over an extended period of time—requires money, time and effort they can’t afford.

Want to give our identity intelligence a spin? Even if you’ve already implemented a behavioral biometrics tool, Deduce can be layered right on top. Contact us today and get started in just a few hours.

Related Content

Mixed Signals — Part Two: New Device

New device ID and its pesky false positive problem

Mark Gavigan
April 15, 2022

New device ID and its pesky false positive problem

Every day, supermarket and liquor store cashiers reject wannabe McLovins attempting to buy six-packs with a fake ID. Likewise, every hour—perhaps every minute—fraud prevention solutions reject online logins and transactions due to a new, unfamiliar device ID.

The problem? Only 2% of fraud is perpetrated by a new device. The new device ID risk signal, one of the most widely used by authentication platforms, is guaranteed to trigger a false positive fraud risk for the 98% of good customers—and trigger a deluge of rage along with it. Per PWC, one in three consumers ditches a brand following a negative user experience; it’s hard to get more negative than erroneous multi-factor authentication (MFA) or a wrongfully canceled purchase.

False positives cost US e-commerce merchants $2 billion per year. That’s nearly 3% of their revenue, not far behind fraud-related costs (7.6%)—a possible death knell for e-tailers with razor-thin margins. 

Part Two of our “Mixed Signals” series explores the flaws of the new device risk signal, and how to combine new device ID with real-time data to keep users (and bottom lines) intact.

False positives aren’t the only problem

Device-based authentication leads to a flurry of false positives, including a 30-50% false positive rate associated with geolocation sensitivity. But it doesn’t end there. To avoid flagging legitimate customers, solutions need to track a variety of real-time risk and trust signals.

Outside of false positives, here are other downsides of counting on the new device risk signal alone:

Device spoofing. Spoofing a user’s device is a cinch and ubiquitous enough to render device ID, by itself, unsuitable for verification.

Advanced attacks. Solutions reliant upon device ID won’t detect complex attacks involving social engineering and automation (man in the middle, remote access tool attacks, etc.).

Actionability. The amount of users logging into new devices at new locations overwhelms device-based anti-fraud solutions. Consequently, good users on unfamiliar devices will be burdened with friction and deemed high-risk.

Why device ID causes false positives

The chief failing of device ID authentication is that it doesn’t account for one simple fact: consumers are constantly toggling between devices or buying new ones altogether.

Cell phones are only one of the devices that users swap because they either dropped it in the toilet or desire the latest and greatest model. It’s also not uncommon for more than one person to use a device, such as a tablet or desktop computer, making the new device risk signal an inadequate means of verifying user identity.

The increasingly remote nature in which we work and interact presents new challenges for device ID authentication—even when paired with geolocation and behavioral biometric data (both can be spoofed). For instance, someone who’s temporarily telecommuting from a family member’s house might use that individual’s computer to buy goods. Or, someone might be in quarantine at a hotel and get flagged for using their mobile device at an unusual location. Sharing login credentials with friends and relatives across households and devices is another sure-fire way to set off the device authentication tripwires.

Silencing the false alarms

Similar to device fingerprinting—a way of positively identifying a device by recognizing its unique software and hardware characteristics—real-time data is the key piece missing from device-based authentication.

The Deduce Identity Network melds the new device risk signal with other data such as device, IP, geolocation, and activity (login, checkout, account creation, password reset, etc.) to generate comprehensive real-time behavioral intelligence that drives a calculated risk or trust signal. This prevents legitimate users from being flagged and the resultant friction that makes them jump ship. 

Deduce’s 500 million anonymized user profiles, 150 thousand websites and apps, and over 1.4 billion daily activities provide a rock-solid determination of user trust—or, conversely, flat-out fraud. Device spoofing is rampant, but the Deduce Identity Network won’t fall for the fakes. Fraudsters can’t afford to create a synthetic identity capable of fooling the largest real-time identity graph in the US.

The Cliff Notes: Don’t sink users in a quagmire of friction when they’re merely transacting from a new phone or shopping for clothes on their parents’ Macbook. Treat legitimate customers like distinguished guests, not criminals.

Ready to tap the collective intelligence of our Identity Network and experience the serenity of avoiding new device false positives? Click here to learn more.

Related Content

Mixed Signals — Part One: Geolocation

Wipe location spoofers and false positives off the map

Mark Gavigan
April 8, 2022

Wipe location spoofers and false positives off the map

Geolocation, geolocation, geolocation. It’s one of the common risk signals tracked by anti-fraud solutions and often the reason legitimate customers are thrown into account verification purgatory.

Geolocation locates users via a GPS signal, IP address mapped to geography, wifi network locations, or web browser location information on their device. Geolocation is helpful in combating fraud, that is, if it’s used properly. However, many fraud prevention companies erroneously depend on IP address alone, and don’t possess the data at scale to differentiate between a fraudster and someone who’s simply transacting in an unfamiliar area. This makes businesses susceptible to location spoofing—when fraudsters falsify their location by using a virtual private network (VPN) or IP spoofing techniques.

Ineffective use of geolocation also contributes to online payment fraud, which is expected to cost businesses 200 billion by 2024. Additionally, verifying location without the right intelligence leads to the much-maligned false positive, and from there metastasizes into a user experience nightmare.

How geolocation impacts users

Account takeover by way of location spoofing isn’t fun for businesses—particularly merchants who bemoan chargebacks—and neither is a false positive credit card decline, which unnecessarily annoys users and causes a churn reaction.

Imagine traveling to another state on vacation and needing to gas up your rental car. Easy enough. But the gas pump declines your credit card transaction, requiring you to call your bank and verify your identity, or, heaven forbid, actually have to go and talk to the member of staff in the office, which in turn throws off the timing of your family’s tightly packed itinerary. Even worse, what if you can’t buy a plane ticket because the airline triggered multi-factor authentication (MFA) and seats filled up by the time you verified your identity?

A recent fraud surge on the Nike SNKRS app exemplified the impact of location spoofing across verticals. The app released a special pair of sneakers only made available to customers within a certain region. Predictably, fraudsters manipulated their IP addresses in order to buy the sneakers, leaving a slew of unhappy SNKRS users in their wake.

Whether users are falsely identified as bad actors or locked out of buying a rare pair of shoes, relying on IP addresses alone to stop fraud is damaging to a brand’s user base and reputation.

IP address isn’t spoof-proof

IP addresses are easily exploited by fraudsters. Tapping a VPN or other proxy to conceal their location requires minimal sophistication. As such, businesses need to supplement IP data with additional location intelligence to accurately identify trustworthy users (and keep bad ones out). Conversely, they need to be able to identify when a legitimate, privacy-concerned user accesses online services and apps via a VPN. 

The question remains, then: What is the best (read: only) way to successfully outwit location spoofers and avoid geolocation-triggered false positives?

Relieving geolocation irritation

If location-spoofing fraudsters have your compass spinning out of control, Deduce’s identity intelligence data can provide a sense of direction. Deduce combines real-time and historical data to eliminate false positives, discerning if a user is fraudulent or if they’re simply a good, tax-paying citizen who’s on the move. 

Powered by the Deduce Identity Network—500 million anonymized user profiles, 150 thousand websites and apps, over 1.4 billion daily activities—Deduce’s algorithms analyze multiple trust signals, in addition to IP, for a given user (device, network, time of day, and a lot more) to determine if a user is legitimate.

By tracking online activity related to time of day, day of week, and specific activities such as logins, account creation, checkout, forgotten password, etc. over time, Deduce is able to discern “normal” behavior from fraudulent behavior. (After all, you’d be suspicious if your neighbor started mowing his lawn at 10:00pm, right?) As an identity’s activity is tracked over the course of two weeks, a month, six months, and so on, a more accurate picture of an identity’s behavior is established and the confidence factor increases. In fact, Deduce is likely the first to know when an ATO has occurred, usually well before the victim themselves.

In rare cases in which Deduce is not able to determine fraud via geolocation, our Customer Alerts feature quickly notifies consumers to confirm their identity and location. This feedback only strengthens Deduce’s algorithms to ensure such verification measures aren’t necessary in the future.

User experience isn’t the only incentive for companies to fortify their geolocation authentication. In some industries, such as online gaming, Deduce’s intelligence layer could prevent enormous fines related to regional gambling laws and/or the collapse of a company altogether. All the more reason to ditch an IP-only approach.

Ready to jump-start geolocation in your fraud prevention efforts? Contact us today and try Deduce for free.

Related Content

Passwordless Login: a Similar Flight Pattern to TSA PreCheck, Global Entry

More users are leaving passwords on the tarmac

Mark Gavigan
November 12, 2021

More users are leaving passwords on the tarmac

The rigors of boarding an airplane post-9/11 are well-documented: ID checks; removal of belts, shoes, laptops, decanting your toiletries into three fluid ounce containers; frantically stuffing plastic tubs with personal belongings before the travelers behind you hum the Jeopardy theme.

Over the past two decades, however, frequent and occasional flyers alike have subscribed to expedited customs programs from the Transportation Security Administration (TSA) and ​​U.S. Customs and Border Protection (CBP) that slingshot travelers to their terminals with their clothes and luggage untouched. The friction alleviated by programs such as TSA PreCheck and Global Entry is comparable to the slog of old-school account login — travelers hate waiting in line; modern app users hate keying in username/password combos upon each visit or being asked to verify the email they have just entered in a different application.

Passwordless authentication is the account login equivalent of PreCheck and Global Entry. Here is why passwordless is taking off, and how apps are “boarding” their users expeditiously while creating a fraud-free, Trusted User Experience.

Passwords don’t fly anymore

Just as line-weary travelers have opted for PreCheck and Global Entry, research suggests more and more users are ready to leave passwords on the tarmac.

Earlier this year, Experian’s Global Identity & Fraud Report asked more than 2,700 businesses and 9,000 consumers about their preferred login approach. For the first time since Experian’s ran this annual report, passwords landed outside the top three. Respondents, more security-conscious amid a 20-percent bump in online traffic during the pandemic, felt more comfortable logging in via physical/behavioral biometrics and SMS pin codes.

The data dictates that we are rapidly approaching a passwordless future. Like the airline passengers who get in and out of customs with a simple biometric scan, a growing contingent of app users desire a quick and seamless customer journey. Businesses must answer the call by implementing passwordless login that operates in real time yet still mitigates fraud risk. It’s not just money that’s at stake either — it’s the trust of users.

A trusted user experience attracts frequent flyers

Frustrated as travelers may be with slow-moving lines, they’re unlikely to leave the airport and take Greyhound. They have a plane to catch, and anything short of death will not warrant a ticket refund. App users, on the other hand, inundated with platforms and services, have every reason to seek out a frictionless alternative.

Businesses that don’t adopt a passwordless approach risk losing customers, some of whom will share their sluggish user experience with others and ultimately damage a brand’s reputation. Even worse, companies with lengthy authentication processes at the account signup stage will dissuade people from using the product in the first place. Recently, one QSR company admitted that they lost 10 percent of new app signups due to the email verification step not being completed, rendering the fast food app a no-food app.

In the spirit of PreCheck and Global Entry, apps must expedite the user journey by installing a passwordless login apparatus that is fast as it is safe. This requires an intelligent fraud solution with enough data to authenticate users in real time and remain in lockstep with an ever-shifting cybersecurity landscape. By analyzing multiple factors in real time — device, geography, time of login, account activity etc. — platforms can verify fast and reliably at login, get users in-app in a flash, and create a Trusted User Experience that generates customer loyalty.

Deduce can’t expand the leg room on your next flight, but we can get your user authentication flying in no time. Try us for free today, and build a fraud-free, Trusted User Experience that converts your customers into frequent thumb-tappers and mouse-clickers.

Related Content