Rapid smartphone and tablet adoption has led to huge new opportunities for mobile e-commerce, including the rise of mobile-only companies like Uber and HotelTonight. However, mobile fraud patterns are significantly different than desktop ones. Most notably, the common anti-fraud technique device fingerprinting is ineffective and leads to many false positives when trying to use it for mobile fraud detection.
Limits of mobile device fingerprinting
Device fingerprinting is the set of system configuration settings that collectively can identify a computer. On the mobile web, customers don’t have many of these settings, such as Flash cookies or user-customizable plug-ins/extensions. As a result, sites frequently see seemingly identical devices; worsened due to certain mobile carriers (e.g. MetroPCS) having a relatively small IP address pool. Inside mobile apps, the customer’s system configuration settings aren’t available at all. Therefore, since the demise of UDID this past spring, mobile app developers haven’t had an easy way to identify devices.
MAC address- a temporary fix?
To address this, we’d advised our clients to implement Bluetooth MAC address identification as a substitute for mobile device fingerprinting. For some customers, this reduced credit card fraud by 80% almost immediately. Unfortunately, Apple will effectively be blocking access to the MAC address in iOS 7 since every iOS device will report an identical 02:00:00:00:00:00. Beta testers already are. While just the latest step in Apple’s efforts to get developers onto their iAd platform, it poses a serious challenge to mobile fraud detection.
Mobile fraud detection with large-scale machine learning
There are no easy workarounds. It is possible that Apple will grant select companies access to the device’s MAC address, but so far that hasn’t happened. Implementing a mobile fraud detection model that analyzes data beyond device fingerprint (e.g. fine-grained GPS location) and outputs an assessment of fraud likelihood will provide the only truly long term solution. At Sift Science, we believe that large-scale machine learning is the best approach, since it integrates every possible data point and adapts to the specific fraud patterns of each business. Drop us a line—we’d love to chat about your specific fraud challenges.