Devices & OS Widget
Updated on 17.03.23
5 minutes to read
As part of the data enrichment magic SEON does, you can get valuable information about the device and system specifications of the gadgets user actions are traced back to. We use device fingerprinting to gather this information which comes in very handy when trying to catch a fraudster. Here’s everything you need to know about the Device and OS widget on the Transaction Details pages.
If the device widget is not active and showing as no data being received, please make sure you have set up your integration correctly. Our API Documentation can help to understand what may have gone wrong, and our support team is ready to help with any troubleshooting.
We collect more than 50 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of user devices; you can find a full list of these in our API Documentation.
Device risk scoring
You will also find an individual risk score assigned to each device in the top section of the widget.
Our fraud experts constantly collect and analyze data from different fraud rings and malicious attacks. We then identify behavioral patterns and create rules in SEON to spot telltale signs such as bots, device spoofing, and many more.
These rules are used to add points to the risk score, determining the final device score of a transaction. A device score of 4 or higher is considered suspicious.
Device & OS information
On the top of the widget, you’ll find essential information, such as the device type, the OS, the browser, or the user agent. You’ll also see the device(s) connected to the user in the dropdown.
A unique identifier based on the complete browser profile. This includes details on the screen resolution, hardware, font, plugin set, network layers, and specific features in the browser.
This is a very good way to make connections between shared devices, but in some rare cases, specifically for mobile devices, the ID can be the same. This may occur if they have precisely the same hardware, software, and settings profile.
If the client clears the browser’s cookie and storage cache, then this ID will not change. Likewise, if someone is browsing using Incognito or InPrivate tabs, then the same ID will be returned.
Unique identifier based on the hardware of a device. It is generated based on a number of data points, including the HTML5 canvas fingerprint, WebGL driver, audio fingerprint, and others.
It's useful to detect virtual machines and emulators. We recommend using it for blacklists if there are bad actors who share a hash or using it as an extra parameter for rules if needed.
Two identical devices with the same hardware will share the same hash. However, customers who share the hash are not likely to be related.
We also offer native iOS and Android SDKs for Device Fingerprinting purposes. These return slightly different device details, the most important among these, at least for clone search purposes, is the device_hash. In the case of the native SDKs, there is no Browser or Cookie hash, only the Device hash. However, this value will always be a 100% match if more users share the same value.
Further data points
If you scroll down in the widget, you’ll find further information that can come in handy when investigating. Here are the most notable ones to observe for fraud detection purposes.
WebRTC IP checks
Web real-time communications, known as WebRTC, is a technology that enables your browser to communicate with websites by establishing a real-time peer-to-peer connection.
While using a proxy, users might think they can mask their public IP address. With the WebRTC check, you can detect the user’s actual IP address behind their proxy because the communication channel between the website and the user’s browser exchanges their public IP address along with other data.
Domain IP checks
Like WebRTC IPs, users can have DNS (Domain Name System) IP addresses that differ from their regular IPs. The use of proxy connections can also be detected by checking for distinct DNS IPs. This is not always a cause for concern, however, because a number of legitimate users tend to utilize large, well-known companies' DNS servers to protect their privacy and to prevent their ISPs from observing their traffic.
In conclusion, if you see a DNS IP with a much less common DNS ISP Name and the regular and DNS IP addresses of users are different, the connection can be considered suspicious.
Time zone offset and Region language
Differences in the IP location’s time zone and that of the device can be an obvious sign of suspicious activity; the same goes for differences between languages.
Window’s size and Screen resolution
We have found that these attributes, especially the Window’s size, can be an excellent tool for clone searches when dealing with a large fraud ring.