Site icon Merchant Fraud Journal

Device Fingerprinting Technology Alone Will Not Secure AJAX Websites

Starting in 1990 with the first web browsers, device fingerprint technology has helped industries and companies around the world fight fraudsters online as well as know their customers better. Nevertheless, despite its importance and constant updates, the application of device fingerprinting technologies remain controversial.

This is a shame, because the technology gives merchants a powerful tool to fight chargebacks and improve risk assessment.

How Secure Is Device Fingerprinting Technology on AJAX?

One example of how device fingerprinting technology can fail to prevent chargebacks is in the race to simplify UI/UX.

Companies eager to win more clients and to be truly “customer-oriented” now prioritize the simplification of their UI/UX. As a result, there is a tendency to create one-page websites and applications that do not require a standard client-server application, and that use AJAX. In fact, the majority of social media companies, payment service providers, and online banks use AJAX in this way today.

In addition, companies often combine Asynchronous JavaScript and XML web browser technologies separate from the web server software itself. This is because these technologies allow companies’ sites to send or receive data from corporate servers without requiring users to refresh the page.

Overall, the intent of these approaches is to streamline the customer journey, shorten the response time, and by extension increase customer lifetime value and satisfaction rates. However, this means companies usually implement device fingerprinting technology into the whole webpage, and not to the exact form/point of the page.

In other words, AJAX websites usually only require device fingerprints on the first user step. This is not an effective way to prevent chargebacks or fraud because it creates vulnerabilities fraudsters can exploit.

How? Fraudsters simply generate the first device fingerprint on an AJAX website using the proper browser, country, IP, ID, email, language, screen resolution, etc., allowing their fraudulent behavior in subsequent steps to fly under the radar. Ultimately, this vulnerability renders most device fingerprint solutions completely useless when it comes to preventing eCommerce fraud on sites using AJAX.

How to Use Device Fingerprinting Properly to Fight Fraud

In addition to these technical flaws, fingerprint security information is not complex enough to provide adequate protection when used on single page websites. In fact, in the vast majority of cases it’s almost impossible to determine if an order is fraudulent based on fingerprint scans alone. By extension, using fingerprints alone as criteria for eCommerce fraud prevention actually leads to high chargeback rates, many false positive declines, and by extension, revenue loss.

To solve this problem, companies should support device fingerprinting with other fraud prevention technologies. For example, the results of AML, KYC checks, rule-based scenarios, and machine learning evaluations should augment fingerprint analysis.

This way, if a fraudster uses an emulated device to create a false device fingerprint result, the supporting technologies can use discrepancies in browsers, device types, screen resolution, geolocation variance, keyboard languages, etc. to detect the fraud and fight chargebacks.

Streamlining a Multi-Layered Fraud Prevention Strategy to Fight Chargebacks

Of course, this approach comes with its own problems. Rules-based systems are often unwieldy, and machine learning algorithms take time to get up and running. However, merchants can choose between different types of machine learning depending on their tolerance for complexity: supervised and unsupervised learning.

In a supervised learning approach, a data scientist first uses historical data to create the machine learning model. Then, an algorithm combines old and new data to create profiles for fraudulent and non-fraudulent orders. Finally, the algorithm runs in a live environment and the data scientist makes adjustments as results require. In other words, a human is always behind the process. This is the most common approach.

In an unsupervised learning approach, algorithms derive patterns from a data set without taking the final result (i.e.: if the data set resulted in a chargeback) into account. This allows for pattern recognition independent of results. It also enables feedback from the data set without knowing the exact impact of the variables. In other words, feedback is not based on a correct prediction. Instead, risk analysis receive an algorithmically generated model they can use to approach data sets that show the same pattern in the future.

Ultimately, the most suitable approach to fight chargebacks on AJAX websites and apps is to use device fingerprinting technology with supervised machine learning. The combination of biometric security and rules-based risk logic will help keep risk managers one step ahead of fraudsters.


 

Contributor: Pavel Gnatenko, Product Owner at Covery, Head of Risk at Maxpay

Covery is a global risk management platform helping online companies solve fraud and minimize risk. We focus on the universality of our product and its adaptation to any type of business, based on the individual characteristics and customer needs using both rule-based and machine learning approaches.

Exit mobile version