April 08 2008
Online fingerprint technology
While we don’t have the facility to fingerprint a user online, yet, it is possible to fingerprint the device they make the purchase from.
Biometric testing from afar would be one way of stopping online retail fraud, but until every keyboard/mouse or screen comes with a built in fingerprint reader or retina scanner we’ll just have to dream. However every PC/PDA etc has its own unique fingerprint made up of the software it runs, the operating system, screen resolution, processor type and ID plus hundreds of other factors. Back in February we talked to US anti-fraud company 41St Parameter about their device fingerprinting technology, and we assumed it wouldn’t be long before someone else did a similar thing.
Fraud management company CyberSource have developed Intelligent Review Technology which includes device fingerprinting and forms part of its risk management solutions for eCommerce merchants.
The device fingerprinting, builds a digital fingerprint of the computer or other device being used to place the order. The digital fingerprint can expose fraudsters who are using the same computer systems to place multiple orders using different identities or addresses.
The digital fingerprint is then used in conjunction with other fraud detection systems to give a retailer a much better insight into their customer so they can make a more informed decision on accepting the transaction. Other tests included in initial screening are global multi-merchant transaction histories, same store purchase histories, IP geolocation tests, and global validation services (e.g., validation of international address and phone number formats).
Device fingerprinting has its drawbacks; not everyone has their own PC and many users share devices, many users have multiple devices, a laptop, a computer at home and computer at work etc plus cybercafé purchasers may find that they’re turned down if a previous user of the PC has tried to purchase with a stolen card. Plus if you’re technically minded it’s theoretically possible to spoof the ID. However when we pointed this out to Tim Thompson MD of 41St Parameter he pointed out that while that was true, there were plenty of additional checks and parameters that could be added to prevent fraudsters from trying to fool the system using spoof IDs and that could stop legitimate users being branded as potential fraudsters even from a cybercafé purchase.
