Devices & OS Widget
Updated on 29.11.23
As part of the data enrichment magic SEON does, you can get valuable information about the device and system specifications of the devices that user actions are traced back to. We use device fingerprinting to gather this information, which comes in very handy when trying to catch a fraudster. Here’s everything you need to know about the Device and OS widget on the Transaction Details pages.
If the device widget is not active and shows that no data is being received, please make sure you have set up your integration correctly. Our API Documentation can help you understand what may have gone wrong, and our support team is ready to help with any troubleshooting.
We collect more than 90 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of user devices; you can find a full list of these in our API Documentation.
Device risk scoring
You will also find an individual risk score assigned to each device in the top section of the widget.
Our fraud experts constantly collect and analyze data from different fraud rings and malicious attacks. We then identify behavioral patterns and create rules in SEON to spot telltale signs such as bots, device spoofing, and many more.
These rules are used to add points to the risk score, determining the final device score of a transaction. A device score of 4 or higher is considered suspicious.
Device & OS information
At the top of the widget, you’ll find essential information, such as the device type, the OS, the browser, and the user agent. You’ll also see the device(s) connected to the user in the dropdown.
A unique identifier based on the complete browser profile. This includes details on the screen resolution, hardware, font, plugin set, network layers, and specific features in the browser.
This is a very good way to make connections between shared devices, but in some rare cases, specifically for mobile devices, the ID can be the same for different devices. This may occur if they have precisely the same hardware, software, and settings profile.
If the client clears the browser’s cookie and storage cache, then this ID will not change. Likewise, if someone is browsing using Incognito or InPrivate tabs, then the same ID will be returned.
The device hash is a specific identifier based on the hardware of the device. It is generated based on multiple data points hand-picked by our Device Fingerprinting team.
Two identical devices with the same hardware will share a hash. However, customers who share device hashes are not necessarily related. They may simply own the same type of device.
While a device hash in itself might not be enough to connect two transactions or users, we recommend using it for blacklists if there are bad actors who share a hash or as an extra parameter for rules, if needed. It’s also worth mentioning that this hash is the hardest to change, as it is unlikely that a fraudster will switch to a different device with each transaction.
When using the iOS/Android SDK, this is the only hash you can work with. Luckily, for Android and iOS devices, this is a highly unique identifier, including specifications that allow you to make informed and confident decisions: if a user shares the same mobile device hash with someone else, they are most likely using the same device.
Further data points
If you scroll down in the widget, you’ll find further information that can be useful when investigating. Here are the most notable ones to observe for fraud detection purposes.
WebRTC IP checks
Web real-time communications, known as WebRTC, is a technology that enables your browser to communicate with websites by establishing a real-time peer-to-peer connection.
While using a proxy, users might think they can mask their public IP address. With the WebRTC check, you can detect the user’s IP address behind their proxy because the communication channel between the website and the user’s browser exchanges their public IP address and other data.
Domain IP checks
As with WebRTC IPs, users can have DNS (Domain Name System) IP addresses that differ from their regular IPs. The use of proxy connections can also be detected by checking for distinct DNS IPs. However, this is not always a cause for concern, because many legitimate users use the DNS servers of large, well-known companies to protect their privacy and prevent their ISPs from observing their traffic.
In conclusion, if you see a DNS IP with a much less common DNS ISP Name and the user's regular and DNS IP addresses are different, the connection can be considered suspicious.
Time zone offset and Region language
Differences between the IP location’s time zone and that of the device can be an obvious sign of suspicious activity; the same goes for differences between languages.
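The WebRTC, DNS and time zone checks described above can be combined into one pass over transaction records. The sketch below is an added example, not SEON code: the record field names, the list of common DNS ISPs and the sample data are assumptions made for illustration and do not reflect SEON's API.

```python
import ipaddress

# Assumption: resolver operators treated as common and legitimate; tune to your traffic.
COMMON_DNS_ISPS = {"Google LLC", "Cloudflare, Inc."}
# Explicit local ranges (not is_global) so documentation-range sample IPs count as public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def public_ips(candidates):
    """Drop LAN addresses and mDNS hostnames that WebRTC reports next to public IPs."""
    found = set()
    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # not an IP literal, e.g. "a1b2.local"
        if not any(ip in net for net in LOCAL_NETS):
            found.add(str(ip))
    return found

def network_signals(tx):
    """Return the signals one transaction record raises (field names are hypothetical)."""
    signals = []
    # WebRTC exposed a public address other than the one the request came from.
    if public_ips(tx.get("webrtc_ips", [])) - {tx["ip"]}:
        signals.append("webrtc_ip_mismatch")
    # DNS IP differs AND the resolver's operator is not a common one.
    dns_ip = tx.get("dns_ip")
    if dns_ip and dns_ip != tx["ip"] and tx.get("dns_isp") not in COMMON_DNS_ISPS:
        signals.append("uncommon_dns_resolver")
    # Time zone of the IP location disagrees with the device's own offset (minutes).
    ip_tz, dev_tz = tx.get("ip_tz_offset"), tx.get("device_tz_offset")
    if ip_tz is not None and dev_tz is not None and ip_tz != dev_tz:
        signals.append("timezone_mismatch")
    return signals

# Constructed sample records (documentation-range IPs, invented ISP name).
SAMPLE = [
    {"id": "tx-1", "ip": "203.0.113.10", "webrtc_ips": ["192.168.1.4", "203.0.113.10"],
     "dns_ip": "198.51.100.53", "dns_isp": "Google LLC",
     "ip_tz_offset": 60, "device_tz_offset": 60},
    {"id": "tx-2", "ip": "203.0.113.77", "webrtc_ips": ["10.0.0.8", "a1b2.local", "198.51.100.23"],
     "dns_ip": "192.0.2.53", "dns_isp": "Example Hosting Ltd",
     "ip_tz_offset": 60, "device_tz_offset": -300},
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(tx["id"], network_signals(tx))
```

The first record raises nothing even though its DNS IP differs, because the resolver belongs to a common operator; the second raises all three signals.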
Window’s size and Screen resolution
We have found that these attributes, especially the Window’s size, can be an excellent tool for clone searches when dealing with a large fraud ring.