If breaking policy didn’t have any consequences, it wouldn’t mean anything to have a policy. When you’re trying to maintain a respectful platform and a good experience for your users, policies are a necessary piece of foundation that set the expectation for conduct on that platform. When people breach policy, they threaten the business, and a ban or suspension is usually the appropriate response.
But what happens when a ban isn’t really a ban? What happens when banning someone isn’t enough to keep them off the platform?
If you’re banning someone from your platform, it’s probably for a good reason. The point of a ban is that you don’t want to see them again—allowing them to continue operating on your platform threatens your users’ experience, your security, your profits, or all of the above. When someone is able to easily circumvent a permanent ban or suspension, it’s easy to see why that might cause problems.
More than the obvious, though, is that ban evasion goes hand-in-hand with multi-accounting—that is, building a stockpile of fake accounts to use for promo abuse, backups in case of a ban, phishing, fake listings, or other illicit purposes. Ban evasion is bad enough on its own because it lets abusive people back onto your platform, but having a ban evasion problem also means you probably have a multi-accounting problem, and that means you could be dealing with more fraud than you realize.
As Cody Summers of TaskRabbit said in the Merchant Risk Council webinar, “Ban Evasion: The Great Fraud Enabler,” ban evasion also enables organized fraudsters to experiment with which attack vectors work best on your platform:
“It's a basic way to test your overall security readiness, like a litmus test. If they can evade being banned, they can throw a bunch of different schemes at you and see what works. And this is something that came up when talking to folks about their experiences fighting ATO or account takeover fraud. If you're unfortunate enough to be targeted by a more sophisticated group, you need to be able to effectively shut it down. You have to be able to effectively ban the fraudsters or it's going to hurt. Why else would they stop?”
Fraudsters aren't incentivized to respect suspensions or bans. Without a way to reliably enforce bans, most bad actors are liable to find a way back onto your platform.
Platforms obviously have some methods in place to try to stop this exact scenario from happening, but unfortunately, fraudsters have adapted to many of the industry standards of the past decade.
A device’s OS-assigned device ID is one way to identify it, but fraudsters can sidestep it with no technical skill or investment—if they know how to factory reset their phone, they know how to get a fresh OS device ID.
Device fingerprinting is stronger, but traditional device fingerprinting is still vulnerable. If the fingerprint is built from a combination of screen resolution, make, model, operating system version, installed apps, and so on, then manipulating or obfuscating any one of these attributes changes the fingerprint and lets the fraudster escape detection.
2. Buying multiple devices
Even if device fingerprint spoofing weren’t possible, many organized fraudsters already own multiple devices to help scale their operations. Making a new account from a new device is an effective way for fraudsters to evade bans because most platforms have no way of knowing that it’s a previously banned user rather than what it appears to be—a completely new signup.
Buying multiple devices is obviously much more costly than just factory resetting one or two, but if fraudsters can stretch the lifespan of their accounts before they get banned, the investment might just be worth the return they get by abusing the platform and its users.
As Incognia CEO and co-founder André Ferraz explained in the MRC ban evasion webinar, “When fraudsters are making a lot of money by performing these scams, for example, they can afford to use multiple devices. We've seen many cases of fraudsters that were leveraging 20 devices, 50 devices, even hundreds of devices because again, they were making a lot of money. So it was worth it to purchase a lot of phones or PCs.”
Sometimes, what looks like a phone to your fraud detection software isn’t a phone at all—it’s a phone emulator program being run on a computer. This makes changing the parameters that make up a traditional device fingerprint pretty simple, since the emulator program itself can typically be used to customize the virtual device's attributes.
App tampering tools are another readily available way to commit multi-accounting: they let fraudsters manipulate the information the app sends, hampering that app's ability to collect accurate fingerprinting data.
So, fraudsters are wise to how we fight ban evasion at the most basic levels, and they’ve gotten creative to compensate. How do you keep fighting ban evasion without increasing false positives?
The answer is in attacking the root of the problem—multi-accounting. To get even more specific than that, it’s about being able to re-identify individuals across devices and accounts. Knowing that this device, account, or location belongs to this specific person is an excellent way to prevent the same individuals from making multiple accounts under different identities.
It’s true that traditional device fingerprinting has a lot of vulnerabilities, but that doesn’t mean that we have to throw the whole concept away; far from it. Instead, we think in terms of device intelligence. For example, a device integrity check at onboarding can identify warning signs of bad actors: emulators, app tampering tools, location spoofing apps, multiple app instances running, and more. This information contributes to a risk assessment that helps teams make decisions about which signups get through and which don’t.
Location behavior is another incredibly powerful signal to bind individuals more closely to their devices and accounts. After all, it’s one thing to buy a new phone, but it’s another entirely to move apartments just to keep abusing promotions or sending phishing messages on an online marketplace platform.
If you ban an iPhone 12, and a day later a new, completely clean iPhone 12 reappears trying to make an account from the exact same apartment, it’s a pretty good bet that the device belongs to the same banned individual as before. Similarly, knowing location down to the apartment level can help identify larger-than-normal congregations of devices and accounts. For instance, there’s probably no legitimate reason for three hundred different accounts to be accessed from the same house and the same five devices.
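The two location-based checks described above, written out as an added example (not code from the original post or from Incognia): a signup from a clean device is linked back to any account banned at the same apartment-level location within a short window, and locations where many accounts share a handful of devices are flagged. The `Event` records, the `location_id` buckets and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One signup or login; a ban record is simply the last event seen for the banned account."""
    account_id: str
    device_id: str    # assumed: device identifier reported by the app SDK
    location_id: str  # assumed: apartment-level location bucket, not raw coordinates
    day: int          # constructed day counter for the example


def signups_near_bans(signups, bans, window_days=7):
    """Map each new signup to banned accounts last seen at the same location within the window."""
    bans_by_location = defaultdict(list)
    for ban in bans:
        bans_by_location[ban.location_id].append(ban)
    hits = {}
    for signup in signups:
        linked = [ban.account_id for ban in bans_by_location[signup.location_id]
                  if 0 <= signup.day - ban.day <= window_days]
        if linked:
            hits[signup.account_id] = linked
    return hits


def crowded_locations(events, max_accounts=20):
    """Return {location: (accounts, devices)} where more accounts than plausible share one location."""
    accounts = defaultdict(set)
    devices = defaultdict(set)
    for event in events:
        accounts[event.location_id].add(event.account_id)
        devices[event.location_id].add(event.device_id)
    return {loc: (len(accounts[loc]), len(devices[loc]))
            for loc in accounts if len(accounts[loc]) > max_accounts}


# Constructed sample data: one ban, three later signups, and a 30-account farm on five devices.
BANS = [Event("acct_banned_1", "dev_A", "loc_apt_7B", day=10)]
SIGNUPS = [
    Event("acct_new_1", "dev_B", "loc_apt_7B", day=11),  # clean device, same apartment, next day
    Event("acct_new_2", "dev_C", "loc_apt_3A", day=11),  # unrelated location
    Event("acct_new_3", "dev_D", "loc_apt_7B", day=40),  # same apartment, but a month later
]
FARM = [Event(f"acct_farm_{i}", f"dev_farm_{i % 5}", "loc_house_9", day=12) for i in range(30)]

if __name__ == "__main__":
    print(signups_near_bans(SIGNUPS, BANS))   # {'acct_new_1': ['acct_banned_1']}
    print(crowded_locations(SIGNUPS + FARM))  # {'loc_house_9': (30, 5)}
```

A real deployment would feed these matches into the risk assessment rather than auto-banning, since a shared building or household can legitimately produce a few overlapping signups.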
Fraudsters are notoriously creative and adaptive, but so are fraud fighters. By fighting ban evasion and multi-accounting, we stay a step ahead of the fraudsters by cutting their game off at the source. If you can stop fraudsters from getting back inside every time you catch and ban them, you can use your budget more effectively to protect your users and your platform.