Site or app registration is often the first step for fraudsters who aim to exploit your system. Once a fraudster has an account, they can exploit it in various ways, including using it to commit credit card fraud, launder money, send spam to others, or conduct scams. This makes user verification during registration a critical step for protecting your business against these risks.
Verifying a new user’s email address and phone number is always a good idea, but it’s not sufficient to determine whether the customer is legitimate. Bad actors can circumvent these checks using SIM swapping or an anonymous email address. Even stronger checks, such as physical ID checks, can be circumvented and might deter genuine customers, and may not always be needed.
In this article, we will examine how device intelligence can strengthen identity verification during registration. Taking well-established checks and enhancing them with device-based risk signals may indicate a user is not who they claim to be. Additionally, we will discuss how ongoing device recognition can help maintain account security.
How to strengthen ID verification during registration
Registration is where you first greet your customer. You want to be friendly but cautious, in case the user is not who they claim to be.
Identity checks, such as verifying details from a driver’s license or passport, help reduce the risk of fraud or money laundering. This can be taken further by requesting scans of the documents or a selfie check of the applicant holding their ID.
These checks are essential for various services, including money transmitters, banks, and real-money gaming sites. They stop the majority of fraudsters because it is not easy to obtain the necessary information to pass an ID check. However, some fraudsters do manage to get these details from leaks, thefts, or scams. Additional intelligence beyond ID verification can defend against these determined fraudsters.
Fingerprint's device intelligence platform helps you build a picture of each visitor’s browser or device to help assess risk in that device. Specifically, our Smart Signals analyzes data from the browser and network connection to surface risk indicators, such as bot activity, privacy-focused settings, location, virtual machine use, and more. This information can help you determine the level of scrutiny necessary to verify the customer's identity.
Evaluate device discrepancies
A key aspect of device context when verifying users is determining whether the device matches what you expect for the user. For example, you can check if the device’s location matches the location provided by the user. Smart Signals, which go beyond basic IP checks, leverage numerous data points to establish a more reliable estimate of the user’s real location. You can then check their actual location against the location you would expect them to be in.
If a person is applying for a bank account in the UK but is currently located in Hong Kong, it may indicate that they are on holiday, or it could be that they are a fraudster who obtained the details through a data leak. A more rigorous assessment of ID, such as selfie checks or phone calls, would be wise.
Another way to handle an unexpected location is to require a user to re-verify their device location when they are back home as a future step, but let the registration proceed anyway.
Detect automated activity
An immediate red flag when a user registers for your site is if their behavior resembles a bot. Fraudsters commonly use bots to create fake accounts at scale, and detecting their automated activity allows you to catch any registrations before they compromise your platform.
Fingerprint’s Bot Detection Smart Signal can detect headless browsers as well as other tools often used in conjunction with automation, like virtual machines or remote control tools. Depending on your use case, you most likely don’t want to allow any bot activity on your registration page, but having the signal means you can significantly reduce your exposure to risk and decide what actions to take, like flagging it for review, increasing verification friction, or blocking it altogether.
Device risk scoring
In addition to evaluating individual device signals, you can also combine them to create a composite score to assess the fraud risk. Factors associated with a higher risk might include the use of headless browsers, high device activity, geolocation discrepancies, virtual machine detection, tamper detection, or bot-like behavior. Depending on your risk tolerance, the detection of one or more of these may flag a registrant as needing further identification or manual investigation before approval.
If you detect suspicious signals, you’ll need more checks, but you don’t want to blunt the experience for what could be your next happy customer. To strike the right balance, your verification check should be adaptive and apply higher-level checks and more friction to match the level of composite risk. An easy way to get started with this is to use the Fingerprint Suspect Score. This score provides a single integer value weighted on the likelihood of different risk signals being present to give you a ready-made way to quickly assess risk.
Check for duplicate details
During registration, it is helpful to check if any details match existing accounts, such as email and phone number, or a combination of name, address, and date of birth. When a significant overlap is found with an existing account, you might inform the current account holder that a similar account was created, with an option to declare whether or not this was intentional.
It is also worth checking if the device has been used to register or log in to other accounts. Fingerprint provides a unique visitor identifier that can be used for this, both for web and mobile apps. This might be indicative of fraud because fraudsters may be creating accounts in bulk with stolen details.
Smarter verification with device intelligence
We’ve looked at a few ways to enhance identity checks with device intelligence. Identity verification is critically important for sites and apps used by many industries, including banking, brokers, air travel, online casinos, and hotels. These measures help to prevent fraud, abuse, money laundering, and other exploits.
Traditional identification techniques that use official documents and checks against government databases are essential, but device intelligence can add an extra security layer to the verification process. Device intelligence reduces the risk of bad actors creating accounts on your site or service and allows you to perform more checks when necessary.
To learn more about how Fingerprint can help you know you are dealing with genuine customers and protect against many forms of abuse, contact our team.
FAQ
Fingerprint’s device identification uses data gathered from the browser or app, as well as signals from its connection to the server to build a unique identifier for the device. This identifier persists even after clearing cookies and is available in incognito mode.
Smart Signals are an array of valuable data points used to build a picture of the device, enabling you to detect suspicious behavior, such as bots or individuals attempting to conceal their identity. These include bot detection, browser tampering, incognito mode detection, usage of developer tools, virtual machine detection, and more.
Adding Fingerprint to your site or app is straightforward. Take a look at our quick start guide or follow one of our tutorials, such as "What is account creation fraud? How to prevent it."
VPN usage could indicate suspicious activity. However, many genuine users use VPNs for work or to enhance privacy. While VPN use can be a factor for suspicion, it is best to look at a combination of signals or use the Fingerprint Suspect Score, which takes into account all signals to provide an overall suspicion metric.
