
10 Ways Device Identifiers Can Spot a Cybercriminal

Device IDs, which are assigned to mobile devices to distinguish one from another, can help organizations flag fraud, cyberattacks, and other suspicious activities.

Joshua Goldfarb, Field CISO

December 9, 2020

4 Min Read
(Image: Suttipun via Adobe Stock, https://stock.adobe.com/contributor/207141310/suttipun?load_type=author&prev_url=detail)

A device identifier is an ID assigned to handheld devices and used by organizations to understand, track, and analyze the devices interacting with their sites. Used well, it brings tremendous benefits to everyone involved in protecting an organization.

But the mileage an organization gets out of its device identifier tools depends on how well it understands exactly what they offer, and how much. Following are 10 ways a device identifier tool can protect your company.

1. Separate attackers, fraudsters, and bots from legitimate users: There are many approaches to differentiating between these types of users. One such approach involves leveraging a unique device identifier to understand how many accounts each device is logging into. Only one in 1,000 devices accesses more than three accounts. Further, only one in 10,000 devices accesses more than 10 accounts. Chances are, if you observe devices accessing more than three – and certainly more than 10 – accounts, it isn't legitimate usage.

2. Recognize known legitimate users: Known good users who encounter login friction will sometimes get frustrated and give up. This means lost business and lost revenue. Recognizing known good users through the use of a device identifier can allow you to reduce their login friction, extend their session lengths, and silently reauthenticate them, among other benefits.

3. VPN doesn't throw off your logic: Changing IP address is the oldest trick in the book. Identifiers that rely on IP addresses are easily fooled by VPNs. High-quality device identifiers that examine a large number of data points to calculate a reliable, unique device identifier are not.

4. Number of transactions: The same device performing an inordinately large number of transactions is a red flag that something is awry. Very rarely is this type of activity legitimate. By tracking the number of transactions per device over time, an organization can monitor for and alert on suspicious or malicious activity.

5. Proxy networks: Some nefarious actors may try to hide or disguise their identity by hopping through proxy networks. Without a device identifier, an organization is at a disadvantage. With a reliable and unique device identifier, this disadvantage becomes an advantage. By calculating how many IP addresses each device is coming from, organizations can pick up on the same device visiting their sites from many different IP addresses via proxy networks.

6. Unknown devices: Most legitimate users use a small number of devices. For example, a typical user may have a mobile phone, a tablet, and perhaps one or two computers from which they access most sites. If an organization observes that a given user is accessing their account from a large number of different devices, that could be an indication of fraud. Of course, the calculation of this ratio is highly sensitive to the uniqueness of the device identifier. 

7. Single device accessing many accounts: The inverse of the above ratio is also something organizations can calculate and monitor. If a single device is observed accessing a large number of accounts, it may be an indication of automation, bot activity, and/or credential stuffing.

8. Environment spoofing: Legitimate users may upgrade their browsers or change their devices every now and again. That said, it is not something that happens all that often. If an organization observes many user agents on a single device over a short period of time, it may be an indication that an attacker is practicing environment spoofing. There is really no legitimate reason for doing so, and, thus, the activity and transactions from a device practicing environment spoofing warrant a closer look.

9. Session hijacking: One of the techniques attackers use to masquerade as legitimate users is to hijack the sessions of those legitimate users. Typically, a given session will have one device at the other end of it, unless something else is afoot. If there are many unique device identifiers observed for the same session, it could be an indication of malicious activity, such as a man-in-the-browser (MitB) attack.

10. Login friction/credential stuffing: In general, each organization's site will have an average percentage of logins that are successful, failed, forgot password, and/or multifactor authentication-challenged. Computing and monitoring this average per device over time yields several advantages. Among those advantages is that significant fluctuations of login success rate per device over time can be a reliable indicator of either login friction for legitimate users or credential stuffing coming from attackers and fraudsters (whether automated or not).
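Most of the ten heuristics above reduce to the same computation: group login events by device identifier (or by account, or by session) and count how many distinct values of some other field each group has seen. The following is an added example, not code from the article or from any vendor's product, that runs items 1, 5, 6, 7, 8, 9 and 10 over a constructed batch of login events. The 3-account and 10-account thresholds come from the article; every other threshold, the event field names, and the sample data are assumptions that a team would tune against its own baseline.

```python
from collections import defaultdict

# One login attempt. Field names are assumptions for this example; the outcome
# categories follow the article: success, failed, forgot_password, mfa_challenged.
def make_event(device_id, account, ip, user_agent, session_id, outcome):
    return {"device_id": device_id, "account": account, "ip": ip,
            "user_agent": user_agent, "session_id": session_id, "outcome": outcome}

# Thresholds. 3 and 10 accounts per device come from the article (1 in 1,000 and
# 1 in 10,000 devices exceed them); the rest are assumed starting points.
ACCOUNTS_PER_DEVICE_SUSPECT = 3
ACCOUNTS_PER_DEVICE_HIGH = 10
IPS_PER_DEVICE = 5            # item 5: proxy hopping
USER_AGENTS_PER_DEVICE = 3    # item 8: environment spoofing
DEVICES_PER_ACCOUNT = 4       # item 6: unknown devices
MIN_ATTEMPTS_FOR_RATE = 5     # item 10: don't judge a rate on too few attempts
MIN_SUCCESS_RATE = 0.5

def group_distinct(events, key, value):
    """Map each distinct `key` value to the set of distinct `value`s seen with it."""
    seen = defaultdict(set)
    for e in events:
        seen[e[key]].add(e[value])
    return seen

def flag_devices(events):
    """Items 1/7, 5, 8, 10: return {device_id: [reasons]} for devices that trip a per-device heuristic."""
    accounts = group_distinct(events, "device_id", "account")
    ips = group_distinct(events, "device_id", "ip")
    agents = group_distinct(events, "device_id", "user_agent")
    outcomes = defaultdict(list)
    for e in events:
        outcomes[e["device_id"]].append(e["outcome"])
    flags = defaultdict(list)
    for dev in accounts:
        n = len(accounts[dev])
        if n > ACCOUNTS_PER_DEVICE_HIGH:
            flags[dev].append(f"{n} accounts (more than {ACCOUNTS_PER_DEVICE_HIGH}: 1 in 10,000 devices)")
        elif n > ACCOUNTS_PER_DEVICE_SUSPECT:
            flags[dev].append(f"{n} accounts (more than {ACCOUNTS_PER_DEVICE_SUSPECT}: 1 in 1,000 devices)")
        if len(ips[dev]) > IPS_PER_DEVICE:
            flags[dev].append(f"{len(ips[dev])} source IPs (possible proxy network)")
        if len(agents[dev]) > USER_AGENTS_PER_DEVICE:
            flags[dev].append(f"{len(agents[dev])} user agents (possible environment spoofing)")
        attempts = outcomes[dev]
        if len(attempts) >= MIN_ATTEMPTS_FOR_RATE:
            rate = attempts.count("success") / len(attempts)
            if rate < MIN_SUCCESS_RATE:
                flags[dev].append(f"login success rate {rate:.0%} (credential stuffing or login friction)")
    return dict(flags)

def flag_accounts(events):
    """Item 6: return {account: device_count} for accounts seen from too many devices."""
    devices = group_distinct(events, "account", "device_id")
    return {a: len(d) for a, d in devices.items() if len(d) > DEVICES_PER_ACCOUNT}

def flag_sessions(events):
    """Item 9: return {session_id: [device_ids]} for sessions with more than one device behind them."""
    devices = group_distinct(events, "session_id", "device_id")
    return {s: sorted(d) for s, d in devices.items() if len(d) > 1}

def build_sample_events():
    """Constructed sample data, not real telemetry."""
    ev = []
    # A normal user: one device, one account, one IP, one browser.
    ev += [make_event("dev-legit", "alice", "10.0.0.5", "Chrome/87", "s-alice", "success")] * 2
    # One device cycling through 12 accounts, 12 IPs and 4 browsers, almost all failing.
    for i in range(12):
        ev.append(make_event("dev-stuffer", f"user{i}", f"198.51.100.{i}", f"UA-{i % 4}",
                             f"s-st-{i}", "success" if i == 0 else "failed"))
    # One account logging in from five different devices.
    for i in range(5):
        ev.append(make_event(f"dev-b{i}", "bob", f"203.0.113.{i}", "Safari/14", f"s-b-{i}", "success"))
    # One session with two devices at the other end of it.
    ev.append(make_event("dev-legit2", "carol", "10.0.0.9", "Firefox/84", "s-hijack", "success"))
    ev.append(make_event("dev-attacker", "carol", "192.0.2.77", "Firefox/84", "s-hijack", "success"))
    return ev

EVENTS = build_sample_events()

if __name__ == "__main__":
    for dev, reasons in flag_devices(EVENTS).items():
        print(dev, "->", "; ".join(reasons))
    print("accounts on many devices:", flag_accounts(EVENTS))
    print("multi-device sessions:", flag_sessions(EVENTS))
```

Running it flags only `dev-stuffer` among the devices (on all four per-device heuristics at once), `bob` as the account spread across too many devices, and `s-hijack` as the session with two devices behind it; `dev-legit` trips nothing. In production the same grouping would run over a sliding time window rather than a whole batch, and, as item 6 notes, every one of these ratios is only as good as the uniqueness of the device identifier feeding it.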

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
