With more smartphones coming equipped with technology that can read each user's fingerprint, it might be time to expand this idea and check the fingerprints of the device itself — particularly as mobile and e-commerce see more fraud as a consequence of EMV tightening up security at the point of sale.
"A lot of times a company may have no insight into the device that is used to create a new account," said Mike Lynch, chief of strategy for InAuth. The Boston-based security company's InExchange, which was released this week, is an opt-in subscription service in which companies share information that's tied to a device's digital ID, creating what InAuth calls a "reputation" for that device.
InAuth is in the midst of an effort to take advantage of the growth of mobile payments, both contactless and browser-based, to harness this new wealth of consumer data in a way that can benefit multiple industries. InAuth is targeting card payment companies, processors, financial institutions, merchants, retailers, airlines and health care providers with its exchange.
Even though consumers may use the same device for online shopping, online banking and paying hospital bills, the trust established by a company in one industry isn't shared with those in other industries. "You have no context on the device," Lynch said.
InAuth's technology has been placed on about 70 million devices. It creates an identity for a device that can't be erased. The device's profile, or "fingerprint," is used as one authentication factor for account openings. Other InAuth technology shields browsing and creates rules-based identity scanning.
A device's usage creates a trail that can inform the relative risk of that device, in either a "safe" or "risky" direction, Lynch said. The device's history can be fed into a company's existing risk decision processes and security posture.
"If an [issuer] identifies a device that may have been involved in some type of fraud or had a hacking attempt, they could share it on the exchange," Lynch said. "The next [institution] could match the device's ID against the reputation network."
The exchange does not share security information related to specific people, so the information is more geared toward spotting issues with a device, such as improper attempts to remotely access the device or the presence of malware. "Negative" information is given a "reason code" that details the potential security issue; the user experience for consumers does not change.
The success of InAuth's device exchange is predicated on the willingness of merchants, financial institutions and other companies to collaborate, Lynch said.
"Collaboration in fraud fighting is proven in some areas of banking and payments, but there's still a lot of opportunity to facilitate deeper and more actionable data sharing among financial institutions and merchants alike," said Julie Conroy, a research director at Aite Group.
"Sharing of device reputation is very helpful in both identifying those devices with a good reputation, therefore providing the opportunity to reduce friction and improve the customer experience, as well as giving the consortium participants the ability to share negative experiences with the device, thus preventing successful repeated fraud attempts," she said.