The Device Identifier as a Way to Detect Cybercriminals

Security experts are looking for new ways to detect cybercriminals. One of them is the device identifier, an identification assigned to portable devices, smartphones, and more to distinguish them from each other. Device identifiers can help companies detect fraud, cyberattacks and other suspicious activities: companies that use them can track and analyze the devices that interact with their sites, which brings great benefits in terms of security.

However, the value an organization gets from device identification tools depends on using them correctly and to their full potential. Next, we will explain how a device identification tool can protect our organization.

Distinguish between legitimate users and cybercriminals

If we want to differentiate between a legitimate user and a cybercriminal, we can use multiple approaches. One of them is to use a unique device identifier to know how many accounts each device is logging into. Here we will take into account that:

  1. Only one in 1,000 devices uses more than three accounts.
  2. Only one in 10,000 devices accesses more than 10 accounts.

Therefore, if we observe a device accessing more than 3 or 10 accounts, it is not legitimate use. Another issue to consider is that legitimate customers sometimes run into login problems. Some of them get frustrated and give up, which results in a loss of business and profits.

If we are able to recognize legitimate users through a device identifier, we can reduce their login problems. For example, we could extend the duration of their sessions or authenticate them silently.

VPNs and the number of transactions

Today, changing IP addresses with a VPN is commonplace. Therefore, identifiers based on IP addresses are easily defeated by using VPNs. However, a high-quality device identifier that examines a large number of data points to calculate the identifier cannot be easily fooled.

An important cause for concern is a device that performs an excessively large number of transactions. This activity is rarely legitimate. A good policy in this regard is for the company to track the number of transactions per device over time, monitoring and alerting on suspicious or fraudulent activity.

Proxy networks and unknown devices

Some cybercriminals try to hide their identity by jumping through proxy networks. Without a device identifier, a company is at a disadvantage. On the other hand, a worker, on average, usually has a smartphone, a tablet and perhaps one or two computers from which they access most sites. In this sense, if a company realizes that a certain user accesses their account from a large number of different devices, it may be an indication of a scam or an attack.

Bots and the phishing problem

If we observe that a single device accesses a large number of accounts, this can be an indication of automation: the device may be an automated bot, and the activity could be bot activity and/or credential stuffing.

Legitimate users can change their devices from time to time. However, this is not something that happens often. Therefore, if an organization observes many user agents on a single device within a short period of time, it should be a cause for alarm and concern. This can be a symptom that a cybercriminal is practicing environment spoofing.

Session hijacking and logon monitoring

Another technique attackers use to impersonate legitimate users is to hijack their sessions. Generally, a given session has one device on the other end, unless something else is going on. If more than one device identifier is observed for the same session, it could be a warning of malicious activity. An example of this is the man-in-the-browser (MitB) attack.
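The per-device checks described in the sections above can be combined into one pass over login events. The following is an added example, not code from the original article: the event fields, signal names and sample data are constructed, the thresholds of 3 and 10 accounts come from the article, and the other two limits are assumptions. All events are assumed to fall within a single observation window.

```python
from collections import defaultdict

# Constructed sample events: (device_id, account, session_id, user_agent).
EVENTS = [
    ("dev-A", "alice", "s1", "UA-1"),
    ("dev-A", "alice", "s2", "UA-1"),
    ("dev-B", "bob", "s3", "UA-2"),
    ("dev-C", "carol", "s3", "UA-3"),  # a second device on session s3
] + [("dev-X", f"user{i}", f"x{i}", f"UA-X{i % 6}") for i in range(12)]
EVENTS += [(f"dev-M{i}", "dave", f"m{i}", "UA-9") for i in range(5)]

# 3 and 10 are the article's figures; the last two limits are assumptions.
ACCOUNTS_UNUSUAL = 3          # one in 1,000 devices exceeds this
ACCOUNTS_RARE = 10            # one in 10,000 devices exceeds this
MAX_DEVICES_PER_ACCOUNT = 4   # assumed: smartphone + tablet + two computers
MAX_UAS_PER_DEVICE = 3        # assumed value, tune per site

def analyze(events):
    """Return a sorted list of (signal, subject) findings."""
    accounts_by_device = defaultdict(set)
    devices_by_account = defaultdict(set)
    devices_by_session = defaultdict(set)
    uas_by_device = defaultdict(set)
    for device, account, session, ua in events:
        accounts_by_device[device].add(account)
        devices_by_account[account].add(device)
        devices_by_session[session].add(device)
        uas_by_device[device].add(ua)
    findings = []
    for device, accounts in accounts_by_device.items():
        if len(accounts) > ACCOUNTS_RARE:
            findings.append(("accounts_per_device_rare", device))
        elif len(accounts) > ACCOUNTS_UNUSUAL:
            findings.append(("accounts_per_device_unusual", device))
    for account, devices in devices_by_account.items():
        if len(devices) > MAX_DEVICES_PER_ACCOUNT:
            findings.append(("many_devices_for_account", account))
    for session, devices in devices_by_session.items():
        if len(devices) > 1:  # one session should map to one device
            findings.append(("multiple_devices_on_session", session))
    for device, uas in uas_by_device.items():
        if len(uas) > MAX_UAS_PER_DEVICE:
            findings.append(("many_user_agents_on_device", device))
    return sorted(findings)

if __name__ == "__main__":
    for signal, subject in analyze(EVENTS):
        print(f"{signal}: {subject}")
```

Each finding is a signal for review or step-up authentication rather than a verdict, since shared family devices and kiosks can legitimately exceed these counts.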

As a general guideline, each organization's site has an average percentage of successful logins, unsuccessful logins, forgotten-password requests, and multi-factor authentication challenges. Calculating and monitoring this average per device over time is beneficial. Significant fluctuations in the login success rate per device over time can be a reliable indicator, and when they are out of the ordinary, they could indicate that we are the victims of an attack.