
Introduction
Global banking institutions like JPMorgan Chase, Bank of America, Morgan Stanley, and their peers have all spent years building some of the most sophisticated authentication stacks in any consumer industry.
When compared with industry-standard security practices from just five years ago, the identity infrastructure and authentication controls at major financial institutions are undoubtedly stronger.
And yet fraud losses are not falling.
These stats tell the story:
- Fraud losses are projected to cost financial institutions $58.3 billion globally by 2030 — a 153% surge from 2025 levels. (Juniper Research)
- Losses from account takeover fraud in the U.S. totaled $15.6 billion in 2024, up from $12.7 billion the year prior. (Federal Reserve)
- Every dollar lost to a fraudster costs North American financial institutions $4.41. (LexisNexis True Cost of Fraud Report)
New measures like passkeys, multi-factor authentication, and behavioral login scoring have supplanted the password-centric models of a decade ago. JPMorgan Chase recently rolled out “Extra Security at Sign-In” (ESASI) explicitly because biometric bypass and AI-generated deepfake attacks have become a live, named threat against its mobile application. Many other institutions are following suit.
The uncomfortable reality is this: Authentication measures today are only partially effective, and fraud is still getting through. This gap is structural.
Banks have invested heavily in confirming that a login credential matches a stored record. They have invested far less in understanding whether the device presenting those credentials can be trusted across sessions, across time, and across the full customer journey and lifecycle.
As AI has industrialized the ability to spoof, clone, and impersonate at scale, the authentication layer is no longer the secure boundary it once was. Persistent, cross-session device intelligence is the account security layer most Tier 1 banking institutions are still missing.
When legacy authentication controls meet AI-powered fraud
Many authentication methods that financial institutions rely on were designed for a threat environment that no longer exists.
Biometrics were adopted to replace passwords. MFA was deployed to compensate for credential theft. Passkeys were developed to eliminate phishable secrets entirely. Each of these advances addressed the attack vector that was dominant at the time.
Yet AI has rendered several of those measures obsolete.
The biometrics loophole: The bleeding edge of deepfake bypass
Face ID and liveness detection have become standard controls across mobile banking. They were built to defeat a simple problem: a fraudster presenting a static photograph to unlock an account. The problem has evolved considerably. Deepfake tools can now generate convincing liveness-passing images and videos in real time, defeating the motion and texture checks of detection methods that were effective even a couple of years ago. Researchers and adversarial security teams have demonstrated successful bypasses against major biometric authentication systems using AI-generated faces, not photographs.
JPMorgan Chase's ESASI rollout in October 2025 acknowledged this threat directly. The additional step was introduced because the bank's existing biometric layer was no longer sufficient to guarantee that the person authenticating was the legitimate account holder.
What passkeys don’t catch: Enrollment as a new attack surface
Passkeys represent the current gold standard for phishing-resistant authentication. The FIDO Alliance has noted 5 billion passkeys now in active use worldwide, with accelerating adoption across financial services. Major banks are actively migrating away from SMS one-time passwords toward passkey infrastructure. The transition introduces a new risk that the technology itself does not solve: enrollment fraud.
When a user registers a new passkey, they are binding a cryptographic credential to a specific device. If an attacker gains temporary account access via a SIM swap or a social engineering scam, they can then register a passkey on an attacker-controlled device. From that point forward, the attacker authenticates legitimately, using a passkey the system has been taught to trust.
The gap between “this device is authenticated” and “this device can be trusted” is precisely where modern account takeover operates. The credential layer sees a valid authentication. It has no visibility into whether the device on which that passkey lives has appeared across multiple unrelated accounts, or whether it carries the behavioral signatures of a fraud operation.
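One way to act on that gap at enrollment time, as an added example that is not from the original article or any vendor's product: a check that reviews each passkey enrollment against the device's history. The `device_id` field stands for a persistent identifier assumed to come from a device-intelligence layer, and the event names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune against real data.
RECOVERY_WINDOW = timedelta(hours=24)  # enrollment this soon after recovery is suspect
MIN_DEVICE_TENURE = timedelta(days=7)  # device should be known on the account this long
MAX_OTHER_ACCOUNTS = 2                 # device seen on more unrelated accounts than this

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    device_id: str  # hypothetical persistent ID from a device-intelligence layer
    kind: str       # "login", "sms_recovery" or "passkey_enroll"

def review_enrollments(events):
    """Return {(account, device_id): [reasons]} for enrollments needing step-up."""
    first_seen = {}                       # (account, device) -> first timestamp
    accounts_by_device = defaultdict(set)
    last_recovery = {}                    # account -> latest recovery timestamp
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        first_seen.setdefault((ev.account, ev.device_id), ev.ts)
        accounts_by_device[ev.device_id].add(ev.account)
        if ev.kind == "sms_recovery":
            last_recovery[ev.account] = ev.ts
        if ev.kind != "passkey_enroll":
            continue
        reasons = []
        if ev.ts - first_seen[(ev.account, ev.device_id)] < MIN_DEVICE_TENURE:
            reasons.append("device_new_to_account")
        recovered = last_recovery.get(ev.account)
        if recovered is not None and ev.ts - recovered <= RECOVERY_WINDOW:
            reasons.append("enrollment_follows_recovery")
        others = accounts_by_device[ev.device_id] - {ev.account}
        if len(others) > MAX_OTHER_ACCOUNTS:
            reasons.append("device_shared_across_accounts")
        if reasons:
            findings[(ev.account, ev.device_id)] = reasons
    return findings

def sample_events():
    """Constructed sample data, not real telemetry."""
    t0 = datetime(2025, 1, 1, 9, 0)
    day, hour = timedelta(days=1), timedelta(hours=1)
    return [
        # Long-standing customer enrolls a passkey on their usual phone.
        Event(t0, "acct-alice", "dev-phone-1", "login"),
        Event(t0 + 30 * day, "acct-alice", "dev-phone-1", "passkey_enroll"),
        # One device touches three other accounts, then recovers and enrolls on acct-bob.
        Event(t0 + 28 * day, "acct-m1", "dev-x", "login"),
        Event(t0 + 28 * day + hour, "acct-m2", "dev-x", "login"),
        Event(t0 + 29 * day, "acct-m3", "dev-x", "login"),
        Event(t0 + 30 * day, "acct-bob", "dev-x", "sms_recovery"),
        Event(t0 + 30 * day + hour, "acct-bob", "dev-x", "passkey_enroll"),
    ]

if __name__ == "__main__":
    for key, reasons in review_enrollments(sample_events()).items():
        print(key, reasons)
```

Both enrollments are valid at the credential layer; only the second carries device history that justifies a challenge or manual review before the new passkey is trusted.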
The evolution of account takeover: It’s no longer just credential stuffing
A decade ago, account takeover was principally a credential problem. Stolen username and password pairs, sourced from breaches and sold in bulk, powered most unauthorized access. The industry responded with MFA, breach monitoring, and credential stuffing detection. Those controls worked.
Credential stuffing, as a standalone attack, has become a largely solved problem at Tier 1 institutions. The new forms of account takeover are harder to handle.
ATO attempts across financial services grew more than 350% between 2022 and 2023, and the trend has continued with the FBI reporting $262 million in ATO losses in 2025.
What's driving the continuing threat is not just password reuse. It’s an array of novel methods like session hijacking, SIM swap, remote access tool (RAT) deployment, and new device enrollment.
Each of these attacks succeeds by exploiting the trust that strong authentication controls create. Here’s how each of these methods works.
- Session hijacking: Session hijacking targets the authenticated state rather than the credential that created it. An attacker who can intercept or inject a valid session token gains access to an active banking session without ever presenting a password or biometric. At that point, every action they take looks indistinguishable from the legitimate user. The authentication happened minutes or hours earlier. The session carrying that trust is now under different control.
- Remote Access Tools (RAT): RAT attacks are one of the fastest-growing post-authentication threat vectors in financial services. In a RAT scenario, the legitimate customer authenticates normally but a second operator gains simultaneous control of the session from the device, while the customer is unaware. They may have been socially engineered into installing the tool under a false pretext. These attacks have measurable artifacts that standard authentication measures can’t see: concurrent control patterns, abnormal input cadence, and tool-specific environmental signatures.
- SIM Swap: SIM swap attacks target the weakest link in MFA chains: the phone number. Whether via social engineering or other means, a victim's number is ported to an attacker-controlled SIM, where they can intercept one-time passwords and account recovery codes. From there, password resets and new device enrollments proceed through entirely legitimate-looking flows. The bank's systems see valid authentication events. The device presenting those credentials may be appearing for the first time, on an IP address inconsistent with the account's history, with a device profile that has never been seen in connection with the legitimate customer.
The trusted user problem: Why established accounts are the highest-value targets
Tier 1 banks have designed their systems to reward authenticated, established customers with exactly the kind of access that makes fraud profitable. They may offer higher transaction limits, faster payment rails, streamlined approval flows, and reduced friction at high-value moments. That makes these accounts appealing to attackers, yet many fraud teams may not treat them as a clear focal point for threats.
An account that has maintained a clean payment history, demonstrated consistent behavioral patterns, and accumulated trust over months or years is worth considerably more to a fraudster than a fresh account.
Established accounts carry elevated limits, bypass velocity checks that new accounts trigger, and move money across real-time rails with minimal friction. They are also less likely to trigger automated review systems tuned to flag new account behavior.
Once an attacker gains access to a trusted account, they can move quickly. High-value purchases are initiated with no flags or restrictions. Funds are transferred to fraudster-controlled accounts. The fraud becomes visible only when the genuine customer notices the activity and files a dispute. By that point, money has moved across the rapid payment rails and the losses are real.
How scam-driven fraud extends the trust timeline
Scam-driven fraud operates at the extreme end of the trusted user problem. In a scam scenario, the authenticated user is the account holder. The authentication event is not compromised. The session is not hijacked.
The user has been manipulated — through impersonation, false urgency, or social engineering — into authorizing a payment they believe is legitimate. The bank's authentication controls detect exactly what they are designed to detect: A verified customer, operating their own account, executing a transaction.
Impersonation scams, investment fraud, romance scams, and authorized push payment (APP) fraud all operate through this mechanism. The fraud often begins days or weeks before the payment is made, entirely outside the bank's visibility, across messaging platforms and communication channels the institution cannot monitor. By the time the customer initiates the transfer, every signal available to traditional controls looks normal.
Device intelligence addresses this gap by reading signals that a single point of authentication cannot. An unusual device environment. A session where tampering is evident. A payee who is reappearing across multiple accounts in a short window.
These are the risk indicators that persist across sessions and remain visible at the device level, even when everything else looks authorized at the credential layer.
Synthetic identity and mule networks: The identities look real, the devices tell a different story
Synthetic identity fraud has become one of the most persistent structural challenges in financial services — not because it is new, but because it has scaled. The Deloitte Center for Financial Services projects that synthetic identity fraud will generate at least $23 billion in losses by 2030. At that scale, it is no longer a fraud vector. It is an industry problem.
Synthetic identities are constructed by combining real and fabricated data: A valid-but-compromised Social Security number is paired with a fabricated name and address. The resulting profile passes document verification. It passes KYC checks. It passes the credit inquiry that underlies account approval. What it cannot change is the device from which it originates.
Device reuse as a persistent signal
Fraudsters can fabricate identities with increasing sophistication. They cannot fabricate hardware. The same physical device, or the same virtualized environment running on shared infrastructure, may be reused across multiple account opening attempts, mule account provisioning sessions, and transaction routing events. Emulator farms allow attackers to simulate thousands of unique users simultaneously, but the underlying device configurations converge. Cross-account clustering at the device layer reveals the coordination that identity-layer checks are blind to.
A single device appearing across twenty account openings is invisible to KYC. It is visible to device intelligence.
Mule networks prioritize speed and disposability
Mule accounts are short-lived by design. Once an account has received and forwarded funds, it is typically abandoned and replaced. The identities rotate. The accounts rotate. The devices, as a rule, do not. This asymmetry is one of the most reliable signals available to fraud detection systems operating at the device layer. It is also one of the signals that point-in-time identity checks are structurally incapable of surfacing.
A mule network where funds flow through accounts that share device attributes — browser configurations, hardware fingerprints, behavioral patterns — looks like isolated transactions at the account level. At the device level, it looks like operational fraud.
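The cross-account clustering described above, as an added example that is not from the original article or any vendor's product: accounts are linked whenever they share a device identifier, directly or through a chain of shared devices, and only clusters above a size threshold are reported. The `device_id` values are assumed to be persistent identifiers supplied by a device-intelligence layer, and the sample sessions and the threshold are constructed.

```python
from collections import defaultdict

def cluster_accounts(sessions, min_accounts=3):
    """Group accounts linked, directly or transitively, by shared device IDs.

    sessions: iterable of (account, device_id) pairs.
    Returns [(sorted accounts, sorted devices)] for clusters with at least
    min_accounts accounts, largest cluster first.
    """
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    # Accounts and devices are nodes of one bipartite graph; each session is an edge.
    for account, device in sessions:
        union(("acct", account), ("dev", device))

    members = defaultdict(lambda: {"acct": set(), "dev": set()})
    for node in list(parent):
        kind, name = node
        members[find(node)][kind].add(name)

    clusters = [
        (sorted(m["acct"]), sorted(m["dev"]))
        for m in members.values()
        if len(m["acct"]) >= min_accounts
    ]
    return sorted(clusters, key=lambda c: (-len(c[0]), c[0]))

# Constructed sample sessions, not real telemetry.
SAMPLE_SESSIONS = [
    # Four accounts chained together through two devices.
    ("acct-101", "dev-A"), ("acct-102", "dev-A"),
    ("acct-102", "dev-B"), ("acct-103", "dev-B"), ("acct-104", "dev-B"),
    # One customer using a phone and a laptop.
    ("acct-200", "dev-H"), ("acct-200", "dev-I"),
    ("acct-201", "dev-J"),
    # Two household members sharing one tablet.
    ("acct-300", "dev-K"), ("acct-301", "dev-K"),
]

if __name__ == "__main__":
    for accounts, devices in cluster_accounts(SAMPLE_SESSIONS):
        print(len(accounts), "accounts via", devices, "->", accounts)
```

The size threshold matters because shared devices are common among legitimate users; the two-account household stays below it while the four-account chain, which no single account-level view connects, is reported.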
The Microsoft Dynamics 365 sunset gap
Across the industry, Tier 1 banks and their partners have relied for years on enterprise fraud platforms to provide device-level signals. Microsoft Dynamics 365 Fraud Protection was among the most widely adopted. It was a comprehensive fraud management platform that provided device fingerprinting, bot detection, velocity analysis, and network intelligence across the customer lifecycle.
In February 2026, Microsoft sunsetted the product.
The implications of that decision are still being absorbed. For institutions that integrated Dynamics 365 Fraud Protection into their fraud stacks, the sunset represents a functional gap at the device intelligence layer. Replacement planning has varied widely, and in many cases, teams have defaulted to tools that do not offer equivalent persistent device identity capabilities.
The limitations of cookie-based fingerprinting
The most common fallback is cookie-based device tracking, which assigns an identifier to a browser session via a stored cookie. When the cookie is present on return visits, the system recognizes the device.
This approach has structural limitations that make it unsuitable as a primary device intelligence layer for banking environments. Cookie-based fingerprinting is inadequate because:
- Cookies are browser-scoped and session-bound. A user switching browsers, clearing their history, or using private browsing mode appears as a new device on every visit. There is no continuity across sessions unless the cookie stays intact. And increasingly, it does not.
- Privacy controls are aggressively limiting cookie persistence. Safari's Intelligent Tracking Prevention caps third-party cookie lifetimes. Firefox's Enhanced Tracking Protection blocks them. Chrome's Privacy Sandbox is restructuring the third-party cookie ecosystem entirely. The result is that cookie-based device recognition is becoming unreliable at precisely the moment institutions need it most.
- Cookies carry no environmental intelligence. A cookie can confirm that a browser returned. It cannot confirm the hardware it is running on, whether that hardware is running in a virtualized environment, whether a remote access tool is active, or whether the same configuration appeared yesterday under a different account.
- Fraudsters routinely clear cookies as a basic operational security measure. An attacker running an emulator farm or a synthetic identity operation resets cookies between sessions as a matter of course. Cookie-based recognition fails at the first point of adversarial pressure.
The difference between legacy fingerprinting and persistent device intelligence
Legacy fingerprinting tools, including cookie-based approaches and session-level browser fingerprinting, were designed to help fraud teams answer a narrow question:
Have we seen this browser before?
Persistent device intelligence answers a different set of questions:
Have we seen this specific visitor profile before — across accounts, over a sustained time horizon, and in what behavioral context?
The difference matters because modern fraud operates across sessions, across accounts, and across time. An attacker probing a bank's authentication flow does not present themselves once. They probe repeatedly, across multiple attempts, varying identity details while maintaining consistent underlying device infrastructure.
A system that resets its recognition at every session cannot connect those attempts. A system that maintains persistent cross-session device identity can.
Requirements list: What banks need from a Microsoft Dynamics replacement
Institutions looking to re-tool and upgrade their fraud stack should evaluate replacements for Microsoft Dynamics 365 against a set of requirements that cookie-based and session-level tools cannot meet.
These requirements include:
- Accuracy and tamper resistance. The device identifier must remain stable even when users or attackers attempt to manipulate browser signals, clear storage, or operate through virtualized environments.
- Cross-session persistence. Recognition must survive browser changes, private modes, cookie deletion, and standard privacy controls.
- Privacy compliance by design. Device intelligence in banking must operate within CCPA, GDPR, and emerging state-level frameworks, not as a post-hoc compliance exercise.
- API-first integration. The intelligence layer must connect cleanly to existing systems, ML models, transaction monitoring platforms, and AML workflows.
- Cross-account graph visibility. Device signals and data must be capable of connecting across accounts to surface coordinated behavior.
One crucial thing to remember: Replacing Dynamics 365 with cookie-based device fingerprinting means accepting several capability gaps. This means greater risk exposure, precisely at a time when AI-powered attacks are probing more frequently and consistently for any weak points they can find.
Institutions seeking to lessen their risk of exposure should prioritize stronger, persistent device intelligence capabilities.
Five ways persistent device intelligence supports banking identity infrastructure
At scale, trust cannot be rebuilt at a single point of authentication. It has to carry forward across the entire customer lifecycle and user experience.
This is where device intelligence becomes a critical layer in modern bank identity infrastructure. It’s not meant as a full-scale replacement for authentication, but as the connective tissue that makes every other identity investment more accurate and verifiable.
- Strengthening trust in authentication. Persistent device intelligence operates underneath the authentication layer. It does not replace biometrics or passkeys. It evaluates the full environment in which they are used, and delivers a continuous record of that environment across the full customer lifecycle, from initial onboarding through every subsequent session and transaction.
- Delivering clear context across the customer journey. Fraud rarely confines itself to a single moment. The same devices and infrastructure that appear during a fraudulent account opening often reappear at login, during payee addition, at high-value transfers and transactions. Device intelligence makes those connections visible and highlights the risky activity for fraud teams — while staying invisible to legitimate users.
- Detecting signs of coordinated abuse earlier. Repeat abuse is one of the strongest indicators of fraud at scale. Device intelligence can recognize risky activity across multiple accounts, sessions, or enrollment attempts, often before limits increase or funds move. This visibility allows teams to intervene selectively and rapidly: High-risk activity can be blocked, challenged, or reviewed — while legitimate users proceed without friction.
- Improving inputs to existing ML models and AML systems. Machine learning models improve in proportion to signal quality. Device intelligence strengthens existing ML by feeding models with consistent, high-quality signals and fraud data. In anti-money laundering (AML) systems, persistent device signals add exactly the context that transaction-level data cannot provide alone. For compliance teams, adding better data inputs earlier can reduce the burden in their investigations and workflows. Suspicious transaction patterns, unusual site activity, and rapid fund movements can be traced back with more clarity to specific actions and accounts.
- Seeing fewer false positives for trusted users. When risk assessments are based on static rules or single-point signals, false positive rates rise. The impact and strain on teams can be huge: Studies show that the burden can be up to 22 hours per false positive alert, when factoring in investigation, documentation, and review cycles. Meanwhile, for high-value financial clients, where the cost of a false positive is measured in relationship damage as well as friction, the negative impact can compound this strain and result in the loss of high-value customers.
Device intelligence for modern banking: Trust is now infrastructure
The account security and authentication investments of the past decade were necessary. And they are no longer sufficient.
AI has changed what is possible for attackers. Biometric spoofing, voice cloning, deepfake bypass, and passkey enrollment fraud are not theoretical risks. They are active, named threats that Tier 1 institutions are already responding to.
With the sunset of legacy platforms like Microsoft Dynamics 365 Fraud Protection, along with the inadequacy of cookie-based replacements, there are critical gaps in many authentication and identification systems for financial institutions.
Closing this gap requires persistent, cross-session device intelligence that works underneath the authentication layer. The banks that are able to close the gap fastest will be at the forefront of trust and account security for their customers.
Device intelligence gives a highly accurate lens to assess risk and trust by adding behavioral and environmental context to each interaction. Legitimate customers who travel, switch devices, or operate across multiple channels are served an invisibly more secure client experience. Meanwhile, suspicious devices and fraudulent actions are flagged with clearer hallmarks of potential risk and fraud.
Fraud teams have greater context and confidence for detecting threats across their identity infrastructure. By investing in device signals that persist, they can strengthen ML models and AML systems, surface risky behavior before it compounds into real losses, and adapt faster as threats evolve — while giving their most valued customers safer and more secure banking experiences.



