You can’t access an app without using a device. Even if that device is on an emulator or it’s been tampered with, everyone who accesses a platform has to use a device to do so. That gives device ID tremendous potential as an authentication and anti-fraud signal, but it also makes it a huge target for fraudsters to spoof and obfuscate.
Put differently, being able to consistently link devices to users means you can stop a lot of fraud, like multi-accounting, promo and voucher abuse, and ban evasion. But because it’s such a good signal for stopping repeat fraudsters, fraudsters have invested a lot of time into finding ways to dupe traditional device fingerprinting methods.
If you can make one device look like many, you can hide organized fraud and maintain access to your target platform indefinitely.
Some device IDs and fingerprinting solutions are so weak, even reinstalling the app is enough to get past them. If that doesn’t work, fraudsters can also wipe the slate clean by factory resetting their device. To the digital eyes of the platform, the newly-reset device might as well be a brand new one straight out of the box. These are the easiest ways to obfuscate a device ID, but they’re not the most efficient. For that, fraudsters turn to more technical tools.
Emulators are computer programs that can emulate a mobile device—essentially, a virtual smartphone on a desktop computer. Because the devices on an emulator are only virtual emulations and not actual devices, it’s easy to manipulate their parameters, including screen resolution, operating system version, and a host of other attributes that device fingerprints use to ID a device. Even if that were to somehow fail, it’s easy enough to just create a brand new virtual device to replace the old one.
App cloners are fraud-as-a-service (FaaS) tools that fraudsters use to run multiple instances of an app on the same device at the same time. This allows them to quickly create multiple accounts and to switch between existing accounts more easily. Like we see in the image below, some app cloners allow users to customize the attributes of the “device” reported to own each instance of the app that runs.
This creates the illusion that these app instances are all running on different devices, but in reality, there’s only one device at play.
In one case Incognia saw, a fraudster using an app cloner was able to create around 400 different accounts. Using those accounts, that fraudster was able to claim almost 2,000 euros worth of vouchers in a 30-day period.
Legacy device fingerprinting solutions aren’t persistent enough to stand up to today’s fraudsters. Stronger device fingerprinting, including tamper detection and secondary signals, is the next generation in device-to-identity binding.
In Incognia’s case, we combine our device ID solution with location intelligence to help identify device ID obfuscation attempts and identify users even when they manipulate their device’s fingerprint or even switch devices entirely.
Fraudsters aren’t going anywhere, and using an outdated device fingerprinting solution makes a platform easy pickings for multi-accounting, ban evasion, and other types of fraud and abuse.
To learn more about how Incognia is bringing device fingerprinting to the next level, visit our solutions page here.