The risks of building your own device ID

View in browser

In this edition:

The problem with internal device IDs
FaaS of the Month: Fake verification for dating app accounts

The problem with internal device IDs

By André Ferraz, CEO and Co-Founder at Incognia

I’ve been hearing from a lot of companies that they’re looking for new fraud prevention solutions.

When I ask about their device ID solution, many tell me it was built internally.

But unfortunately, many downstream fraud issues occur because companies use an unreliable device ID that makes it nearly impossible for them to recognize bad actors.

Why is the ‘build-your-own’ device ID problematic?

First, building a reliable device ID is extremely difficult. Re-identifying good users is pretty straightforward. But bad actors are constantly working to conceal themselves–and this is getting easier for them due to new privacy controls created by operating systems and browsers.

Another factor that makes it particularly difficult is that the OS-provided device fingerprints that teams often use when building an internal device ID weren’t designed for fraud prevention. They’re a shaky foundation to build on.

But even if you do manage to build a working device ID solution, there’s a third problem that many don’t consider as much as they should:

The endless maintenance and upgrading you’ll have to do to ensure it remains effective in the face of constantly evolving fraudster tactics.

At first, your new device ID may seem like it’s doing a pretty good job of defending against fraud.

But once fraudsters detect your new defense, they adapt and quickly pivot to new evasion methods.

When they find a vulnerability in your solution, they exploit it and find ways to automate that process. And then they often share their tactics with their community so that other fraudsters can follow suit.

This turns security into a continuous game of catch-up.

That’s why the real challenge of stopping fraud is not simply developing a solution. It’s the relentless upkeep and optimization of that solution. This is very costly.

And the bigger and more profitable your company is, the more lucrative a target it is for fraudsters, meaning you’ll need to invest even more in your solution.

What’s a better way forward in the fight against fraud? Find a teammate.

Team up with companies like Incognia that are totally focused on cutting-edge research and technology for fraud prevention.

Your business depends on you for protection. It's not enough to simply check the box that you have a device ID solution.

You need to be leveraging the most innovative approaches available today so you can help your business stay ahead of fraud.

Yes, you can build your own device ID. But this isn’t a battle you should be fighting on your own.

Want to go deeper on this topic? Check out our new blogpost:

Off-the-shelf device ID could be sabotaging your fraud prevention efforts

FaaS of the Month: Fake Verification for Dating App Accounts

Fraud-as-a-Service: When cybercriminals sell their tools, services, and skills to help others carry out fraud. Each month we highlight a FaaS method that you should be aware of.

Fast facts:

Bad actors are selling guides on how to trick photo verification on dating apps and selling access to accounts that have already been verified. Some even claim to be able to automate the creation and false verification of these accounts.
Once verified, the fraudster redirects users they match with to third-party chatting platforms where they can more easily phish for information or initiate romance scams.

Deep dive:

Fraudsters are swiping right on dating apps.

Trust & Safety is one of the most important parts of running a dating platform. These apps facilitate in-person meetings between strangers, so there’s a responsibility to ensure that people are who they say they are. Encouraging or even requiring users to verify their profiles is one of the ways apps are doing this today.

As an example, Tinder uses a photo verification process that gives users a blue checkmark if their appearance matches their uploaded photos. They do this by asking the user to follow video selfie prompts which are then verified via liveness detection and 3D facial recognition. Other leading apps like Bumble and Hinge follow similar procedures for photo verification, with Bumble asking users to replicate a randomly assigned selfie pose rather than submit a video.

Users trust the check mark. They expect that people with verified status will be a real person and will actually look like their pictures. But unfortunately, fraudsters have found workarounds to bypass these verification processes. And now they’re providing this as a service as well.

Screenshot HackForums net with prices for fraud

Screenshot of listing on HackForums.net (platform name redacted)

We see users on different forums either selling how-to guides for spoofing photo verification on popular dating apps, or simply selling access to already-verified accounts. Once verified, fraudsters take advantage of the increase in matches to funnel traffic to another platform, like Snapchat or Kik, where they can more easily phish for information, single out victims for romance scams, or engage in other forms of social engineering that pay off. Moving the conversation to a third-party platform makes it harder for the dating app to investigate reports of inappropriate behavior.

Verification processes have plenty of potential to make dating apps safer and more trustworthy, but when they’re compromised by fraudsters, they actually do the opposite and accidentally encourage trust in bad actors.