New device ID and its pesky false positive problem
Every day, supermarket and liquor store cashiers reject wannabe McLovins attempting to buy six-packs with a fake ID. Likewise, every hour—perhaps every minute—fraud prevention solutions reject online logins and transactions due to a new, unfamiliar device ID.
The problem? Only 2% of fraud is perpetrated by a new device. The new device ID risk signal, one of the most widely used by authentication platforms, is guaranteed to trigger a false positive fraud risk for the 98% of good customers—and trigger a deluge of rage along with it. Per PWC, one in three consumers ditches a brand following a negative user experience; it’s hard to get more negative than erroneous multi-factor authentication (MFA) or a wrongfully canceled purchase.
False positives cost US e-commerce merchants $2 billion per year. That’s nearly 3% of their revenue, not far behind fraud-related costs (7.6%)—a possible death knell for e-tailers with razor-thin margins.
Part Two of our “Mixed Signals” series explores the flaws of the new device risk signal, and how to combine new device ID with real-time data to keep users (and bottom lines) intact.
False positives aren’t the only problem
Device-based authentication leads to a flurry of false positives, including a 30-50% false positive rate associated with geolocation sensitivity. But it doesn’t end there. To avoid flagging legitimate customers, solutions need to track a variety of real-time risk and trust signals.
Outside of false positives, here are other downsides of counting on the new device risk signal alone:
Device spoofing. Spoofing a user’s device is a cinch and ubiquitous enough to render device ID, by itself, unsuitable for verification.
Advanced attacks. Solutions reliant upon device ID won’t detect complex attacks involving social engineering and automation (man in the middle, remote access tool attacks, etc.).
Actionability. The amount of users logging into new devices at new locations overwhelms device-based anti-fraud solutions. Consequently, good users on unfamiliar devices will be burdened with friction and deemed high-risk.
Why device ID causes false positives
The chief failing of device ID authentication is that it doesn’t account for one simple fact: consumers are constantly toggling between devices or buying new ones altogether.
Cell phones are only one of the devices that users swap because they either dropped it in the toilet or desire the latest and greatest model. It’s also not uncommon for more than one person to use a device, such as a tablet or desktop computer, making the new device risk signal an inadequate means of verifying user identity.
The increasingly remote nature in which we work and interact presents new challenges for device ID authentication—even when paired with geolocation and behavioral biometric data (both can be spoofed). For instance, someone who’s temporarily telecommuting from a family member’s house might use that individual’s computer to buy goods. Or, someone might be in quarantine at a hotel and get flagged for using their mobile device at an unusual location. Sharing login credentials with friends and relatives across households and devices is another sure-fire way to set off the device authentication tripwires.
Silencing the false alarms
Similar to device fingerprinting—a way of positively identifying a device by recognizing its unique software and hardware characteristics—real-time data is the key piece missing from device-based authentication.
The Deduce Identity Network melds the new device risk signal with other data such as device, IP, geolocation, and activity (login, checkout, account creation, password reset, etc.) to generate comprehensive real-time behavioral intelligence that drives a calculated risk or trust signal. This prevents legitimate users from being flagged and the resultant friction that makes them jump ship.
Deduce’s 500 million anonymized user profiles, 150 thousand websites and apps, and over 1.4 billion daily activities provide a rock-solid determination of user trust—or, conversely, flat-out fraud. Device spoofing is rampant, but the Deduce Identity Network won’t fall for the fakes. Fraudsters can’t afford to create a synthetic identity capable of fooling the largest real-time identity graph in the US.
The Cliff Notes: Don’t sink users in a quagmire of friction when they’re merely transacting from a new phone or shopping for clothes on their parents’ Macbook. Treat legitimate customers like distinguished guests, not criminals.
Ready to tap the collective intelligence of our Identity Network and experience the serenity of avoiding new device false positives? Click here to learn more.