By NHI Mgmt Group Editorial Team | Published 2025-07-03 | Domain: Governance & Risk | Source: Arkose Labs

TL;DR: A survey of 216 merchants and 178 Identiverse attendees found that fraud teams are struggling with outdated device recognition, manual review overload, and limited historical tracking as fraud rings use proxies, emulation, and coordinated identities to evade detection, according to Arkose Labs. The governance issue is not just detection quality, but whether device intelligence can still distinguish legitimate behaviour from adversarial activity at scale.


At a glance

What this is: Arkose Labs’ analysis argues that traditional device identification is no longer keeping pace with modern fraud tactics and that visibility gaps are being exploited across digital channels.

Why it matters: Fraud and identity teams need to understand these gaps because device intelligence now affects account takeover defence, customer friction, and the operational load of manual review across human and machine-facing access paths.



Context

Device intelligence is the set of controls used to recognise, correlate, and risk-score devices across sessions so fraud teams can separate legitimate users from coordinated abuse. The gap in this article is that older fingerprinting approaches no longer cope with proxy use, emulation, and shared credential behaviour in modern fraud rings.

For fraud and identity programmes, the issue is not only detection accuracy but decision quality at scale. When device identity is weak, manual review expands, account takeover defence becomes noisier, and customer experience starts to absorb the cost of false positives and missed attacks.


Key questions

Q: How should fraud teams improve device intelligence for account takeover defence?

A: Fraud teams should combine deterministic identifiers, probabilistic signals, behavioural context, and historical correlation before making a decision. That approach helps distinguish legitimate customers from coordinated abuse when proxies, emulation, and credential sharing make single-signal checks unreliable. The goal is to improve confidence in the decision layer, not just increase the number of alerts.

Q: Why do static device fingerprints fail against modern fraud rings?

A: Static fingerprints fail because attackers can spoof device attributes, rotate proxies, and reuse infrastructure across many accounts while appearing consistent enough to bypass simple matching. Legitimate users also create noise through travel, VPNs, and shared devices, so one identifier cannot separate fraud from normal variation. Teams need layered context, not a single device signature.

Q: When should organisations move beyond manual review for device-based fraud?

A: Organisations should move beyond manual review when analysts are spending most of their time cleaning up weak signals instead of resolving genuinely ambiguous cases. If the queue is driven by incomplete device data, the control has become a bottleneck rather than a safeguard. At that point, better inputs and automated correlation are more effective than adding more reviewers.

Q: What does device intelligence add to subscription abuse and account sharing detection?

A: Device intelligence can show whether the same device, browser pattern, or network path is appearing across many accounts in ways that suggest unauthorised sharing or organised fraud. That matters in subscription models because revenue loss and account compromise often start with the same visibility problem. Stronger device correlation helps teams see abuse patterns before they spread.


Technical breakdown

Why static device fingerprinting breaks down

Static fingerprinting depends on stable device attributes such as browser, hardware, or software signals. That worked when attackers reused the same tooling and environments, but it fails when fraud rings use residential proxies, spoofing software, and coordinated infrastructure to make many sessions look legitimate. The problem is not just evasion. Legitimate users also produce noisy signals through travel, VPNs, shared devices, and browser updates, which makes a single static marker too brittle for reliable risk decisions. Practical implication: teams need correlation models that combine multiple signals instead of relying on one device signature.

Practical implication: replace single-signal fingerprinting with layered correlation across device, network, and behaviour.

How behavioural and historical correlation improve device intelligence

Next-generation device intelligence evaluates patterns over time rather than asking whether a device matches a prior template. Historical behaviour, network context, and relationship analysis can show when identical device signatures appear across many accounts or when a device suddenly moves between geographies in a way that is inconsistent with normal use. This matters because fraud is often distributed across rings, not isolated to one account. Behavioural correlation does not eliminate the need for deterministic identifiers, but it adds the missing context that fraud analysts need to separate real customers from orchestrated abuse. Practical implication: build decisions from history and relationships, not just moment-in-time attributes.

Practical implication: store and analyse behavioural context so analysts can detect cross-account fraud patterns.
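A minimal sketch of the historical correlation described above, as an added example that is not code from Arkose Labs or NHI Mgmt Group. It flags device signatures that appear across many accounts and signatures whose consecutive sessions imply implausible travel; the record layout, the thresholds (3 accounts, 50 km, 900 km/h) and the sample sessions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sessions: (ISO time, account, device signature, lat, lon).
SESSIONS = [
    ("2025-07-01T09:00:00", "acct-101", "sig-a1", 51.51, -0.13),   # London
    ("2025-07-01T09:05:00", "acct-102", "sig-a1", 51.51, -0.13),
    ("2025-07-01T09:07:00", "acct-103", "sig-a1", 48.86, 2.35),    # Paris
    ("2025-07-01T09:30:00", "acct-200", "sig-b2", 40.71, -74.01),  # New York
    ("2025-07-01T10:15:00", "acct-200", "sig-b2", 35.68, 139.69),  # Tokyo
    ("2025-07-01T11:00:00", "acct-300", "sig-c3", 52.52, 13.40),   # Berlin
    ("2025-07-02T11:00:00", "acct-300", "sig-c3", 48.86, 2.35),    # Paris, a day later
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def shared_signatures(sessions, min_accounts=3):
    """Signatures seen on at least min_accounts distinct accounts (assumed threshold)."""
    accounts = defaultdict(set)
    for _, account, sig, _, _ in sessions:
        accounts[sig].add(account)
    return {sig: sorted(a) for sig, a in accounts.items() if len(a) >= min_accounts}

def geography_shifts(sessions, max_kmh=900, min_km=50):
    """Consecutive sessions of one signature implying travel faster than max_kmh."""
    by_sig = defaultdict(list)
    for ts, _, sig, lat, lon in sessions:
        by_sig[sig].append((datetime.fromisoformat(ts), lat, lon))
    hits = []
    for sig, events in by_sig.items():
        events.sort()  # order each signature's history by time
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = km_between(la1, lo1, la2, lo2)
            # Ignore small moves; flag zero-gap jumps and speeds above the cap.
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                hits.append((sig, round(km)))
    return hits

if __name__ == "__main__":
    print(shared_signatures(SESSIONS))
    print(geography_shifts(SESSIONS))
```

Neither result is a verdict on its own: a shared household device or a VPN exit change can trigger both checks, so the outputs are inputs to a composite score rather than a block decision.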

Why manual review becomes a control failure at scale

Manual review is often treated as a backstop, but in high-volume consumer environments it becomes a bottleneck that introduces delay, fatigue, and inconsistent outcomes. When analysts work from incomplete device data, they spend more time triaging noise and less time identifying organised fraud patterns such as account takeover or account sharing. That does not mean automation should replace judgement entirely. It means the decision system has to surface stronger evidence before a human is asked to intervene. Practical implication: reduce dependence on human review by improving the quality and consistency of device intelligence inputs.

Practical implication: reserve human review for high-confidence exceptions, not routine signal cleanup.


Threat narrative

Attacker objective: The attacker’s objective is to sustain profitable fraud while avoiding detection long enough to compromise accounts, extract value, or reuse access across multiple victims.

  1. Entry occurs when fraud rings use residential proxies, spoofed fingerprints, or fresh credentials to make abusive sessions appear normal.
  2. Escalation follows when the same device patterns, credentials, or emulated environments are reused across multiple accounts and merchants, allowing the activity to blend into normal traffic.
  3. Impact comes when account takeover, unauthorized sharing, data exposure, or downstream fraud losses are no longer isolated events but repeatable operations across the estate.



NHI Mgmt Group analysis

Device intelligence is now an identity governance problem, not just a fraud tooling issue. The article shows that device signals increasingly decide whether an account is trusted, challenged, or blocked. That means device identity now sits inside the same governance conversation as IAM assurance, session trust, and account takeover prevention. The implication is that fraud, IAM, and customer identity teams can no longer treat device visibility as a downstream feature.

Historical correlation is the named capability gap, and its absence creates device identity blind spots. Static recognition without longitudinal behaviour data cannot expose fraud rings that rotate infrastructure, share credentials, or emulate legitimate users at scale. The article’s strongest evidence is that respondents lack comprehensive tracking and historical insight, which leaves analysts unable to distinguish real behavioural continuity from coordinated abuse. Practitioners should treat this as a governance gap in evidence quality, not a tuning problem.

Manual review as a compensating control does not scale into a durable decision model. Once analysts are forced to resolve device uncertainty by hand, the programme has already shifted from governed detection to reactive triage. That pattern weakens confidence in the control environment because decision quality becomes dependent on human throughput rather than signal integrity. The implication is that organisations need a clearer boundary between what automation can decide and what humans should only review.

Dual identification methods are a pragmatic response to privacy and fraud pressure, but they also expose the weakness of single-mode identity checks. Deterministic and probabilistic identifiers address different parts of the trust problem, especially where privacy rules limit persistent tracking. The broader lesson is that no single device identifier can carry the burden alone when fraud rings deliberately shape their environment to mimic legitimate behaviour. Practitioners should recalibrate device trust as a composite assurance model.

Account sharing and account takeover are converging around the same device trust failure. The article shows that device intelligence is being used both to stop fraud rings and to identify unauthorised sharing in subscription environments. That convergence matters because it means one visibility gap can create both fraud loss and revenue leakage. The implication is that identity governance for consumer access must account for abuse patterns that do not fit a single security team’s remit.


What this signals

Device trust is converging with identity assurance, which means fraud teams and IAM teams need a shared operating model. When device recognition determines access decisions, the boundary between fraud prevention and identity governance starts to disappear. That makes it harder to leave visibility gaps unresolved in one domain while expecting the other to compensate.

In practice, the next control question is not whether a device is known, but whether its behaviour is trustworthy enough to be allowed to continue. Persistent trust based on a single fingerprint will become less useful as fraud rings move faster and legitimate users become noisier. Programmes that can correlate across sessions and histories will have a better chance of holding down both fraud loss and false positives.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, the broader pattern is clear: identity programmes fail when they cannot see relationships, not just actors.


For practitioners

  • Replace single-signal fingerprinting: Correlate device, network, behavioural, and historical signals before assigning trust so spoofed fingerprints do not dominate decisions.
  • Reduce dependence on manual review: Reserve analysts for exceptions that have strong supporting evidence, rather than using human review as the primary decision layer for every flagged session.
  • Build fraud-ring detection into device policy: Look for the same device signature across many accounts, sudden geography shifts, and repeated credential sharing patterns that indicate coordinated abuse.
  • Separate customer friction from trust loss: Measure false positives, challenge rates, and abandonment together so fraud controls do not quietly erode the customer experience they are meant to protect.

Key takeaways

  • Modern fraud succeeds when device identity is too shallow to distinguish coordinated abuse from normal user variation.
  • The survey data shows that device intelligence gaps are already affecting detection, review workloads, and confidence in current controls.
  • Teams need layered correlation and clearer decision boundaries if they want to reduce account takeover without creating excessive customer friction.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-1 | Device intelligence is a continuous monitoring and anomaly detection problem.
NIST Zero Trust (SP 800-207) | SA-3 | Device trust affects adaptive access decisions in zero trust architectures.
NIST SP 800-63 | IAL2 | Identity assurance is weakened when devices cannot be reliably correlated to users.

Use continuous monitoring to validate device behaviour against expected session patterns.


Key terms

  • Device Intelligence: Device intelligence is the practice of recognising and correlating devices across sessions so a programme can judge whether access patterns are legitimate or suspicious. In fraud environments, it combines device attributes with behavioural and historical context to improve decision quality.
  • Deterministic Identifier: A deterministic identifier recognises a device by a stable artifact that has been seen before. It is useful when the same device returns, but it becomes weaker when attackers can alter the environment or when legitimate users create inconsistent signals.
  • Probabilistic Identifier: A probabilistic identifier infers device similarity from multiple signals rather than relying on one fixed marker. It is designed to work in real time and can improve privacy posture because it does not depend entirely on persistent personal data storage.
  • Account Takeover: Account takeover is unauthorised control of a user account after an attacker gains access credentials or bypasses existing checks. In device-intelligence programmes, it is often the outcome when weak correlation allows risky sessions to look trustworthy.


This post draws on content published by Arkose Labs: Device ID Senior Fraud Executives Sound the Alarm on Device Intelligence Gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org