The Financial Federal Institutions Examination Council has explained the fallibility of this system:
“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.
“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.
While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.
According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.” You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec
If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.
Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.