Devices & OS Widget

As part of the data enrichment magic SEON does, you can get valuable information about the device and system specifications of the gadgets user actions are traced back to. We use device fingerprinting to gather this information which comes in very handy when trying to catch a fraudster. Here’s everything you need to know about the Device and OS widget on the Transaction Details pages.

Learn more: Looking for different widgets? Check these pages:
Transaction Details – Widgets Overview
Data enrichment widgets
AML widget
Custom fields and industry-specific widgets

Integrating SEON Device Fingerprinting allows the collection of a range of information about the user’s client device. Device Fingerprinting Modules are available for JavaScript or as a mobile SDK (iOS and Android).

Learn more: To learn more about how the system works, please refer to the Device Fingerprinting Documentation.

If the device widget is not active and showing as no data being received, please make sure you have set up your integration correctly. Our API Documentation can help to understand what may have gone wrong, and our support team is ready to help with any troubleshooting.

We collect more than 50 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of user devices; you can find a full list of these in our API Documentation.
 

You will also find an individual risk score assigned to each device in the top section of the widget.

Our fraud experts constantly collect and analyze data from different fraud rings and malicious attacks. We then identify behavioral patterns and create rules in SEON to spot telltale signs such as bots, device spoofing, and many more.

These rules are used to add points to the risk score, determining the final device score of a transaction. A device score of 4 or higher is considered suspicious.
 

On the top of the widget, you’ll find essential information, such as the device type, the OS, the browser, or the user agent. You’ll also see the device(s) connected to the user in the dropdown.

Unique identifier based on the cookie session. If someone shares the same cookie hash with someone else, they are most likely using the same browser and device. It is the most accurate identifier for shared devices. However, if the client clears the browser’s cookies and storage cache, this ID will change.

A unique identifier based on the complete browser profile. This includes details on the screen resolution, hardware, font, plugin set, network layers, and specific features in the browser.

This is a very good way to make connections between shared devices, but in some rare cases, specifically for mobile devices, the ID can be the same. This may occur if they have precisely the same hardware, software, and settings profile.

If the client clears the browser’s cookie and storage cache, then this ID will not change. Likewise, if someone is browsing using Incognito or InPrivate tabs, then the same ID will be returned.

Tip: You can flag a browser hash as suspicious on the top of the widget. 

Unique identifier based on the hardware of a device. It is generated based on a number of data points, including the HTML5 canvas fingerprint, WebGL driver, audio fingerprint, and others. 
It's useful to detect virtual machines and emulators. We recommend using it for blacklists if there are bad actors who share a hash or using it as an extra parameter for rules if needed.
Two identical devices with the same hardware will share the same hash. However, customers who share the hash are not likely to be related.

We also offer native iOS and Android SDKs for Device Fingerprinting purposes. These return slightly different device details, the most important among these, at least for clone search purposes, is the device_hash. In the case of the native SDKs, there is no Browser or Cookie hash, only the Device hash. However, this value will always be a 100% match if more users share the same value.

If you scroll down in the widget, you’ll find further information that can come in handy when investigating. Here are the most notable ones to observe for fraud detection purposes.

WebRTC IP checks

Web real-time communications, known as WebRTC, is a technology that enables your browser to communicate with websites by establishing a real-time peer-to-peer connection. 

While using a proxy, users might think they can mask their public IP address. With the WebRTC check, you can detect the user’s actual IP address behind their proxy because the communication channel between the website and the user’s browser exchanges their public IP address along with other data.

Domain IP checks

Like WebRTC IPs, users can have DNS (Domain Name System) IP addresses that differ from their regular IPs. The use of proxy connections can also be detected by checking for distinct DNS IPs. This is not always a cause for concern, however, because a number of legitimate users tend to utilize large, well-known companies' DNS servers to protect their privacy and to prevent their ISPs from observing their traffic. 
In conclusion, if you see a DNS IP with a much less common DNS ISP Name and the regular and DNS IP addresses of users are different, the connection can be considered suspicious. 

Time zone offset and Region language

Differences in the IP location’s time zone and that of the device can be an obvious sign of suspicious activity; the same goes for differences between languages. 

Window’s size and Screen resolution

We have found that these attributes, especially the Window’s size, can be an excellent tool for clone searches when dealing with a large fraud ring.