Notifications
Clear all
Topic starter
12/06/2026 10:20 pm
TL;DR: High-activity devices are a fraud signal because persistent identifiers and device intelligence can reveal scaled abuse before it reaches authentication or account takeover stages, according to Fingerprint. For practitioners, the challenge is not detection alone but deciding which identity, device, and session controls must converge to contain repeat abuse.
NHIMG editorial — based on content published by Fingerprint: How to spot high-activity devices and stop scaled abuse in its tracks
By the numbers:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams respond to high-activity device signals in fraud flows?
A: Teams should treat high-activity device signals as a pattern-level abuse indicator, not as proof of one bad account.
Q: Why do device signals matter when authentication already succeeded?
A: Authentication only confirms a moment in time.
Q: What breaks when teams rely only on account-based fraud controls?
A: Account-based controls miss the durable actor in scaled abuse, which is often the device rather than the identity.
Practitioner guidance
- Cluster repeat device behaviour across accounts Correlate persistent identifiers, IP reputation, and session timing so the same device cannot evade review by switching user accounts or browser states.
- Apply step-up controls to high-risk device patterns Trigger additional verification when a device exceeds expected activity thresholds or reappears across multiple sensitive workflows.
- Separate legitimate reuse from scaled abuse Define review rules for customer support, shared devices, and power users so investigators can distinguish normal repetition from coordinated fraud.
What's in the full article
Fingerprint's full blog post covers the operational detail this post intentionally leaves for the source:
- Signal examples for spotting high-activity devices across logins, sessions, and transaction flows
- Practical use of persistent identifiers and Smart Signals in fraud detection workflows
- Implementation guidance for tuning thresholds so repeat abuse is flagged without over-blocking legitimate users
- Context on how device intelligence fits into bot and scaled-abuse prevention
👉 Read Fingerprint’s analysis of high-activity devices and scaled abuse detection →
High-activity devices and scaled abuse: what teams should watch?
Explore further
13/06/2026 1:02 am
High-activity devices are a repeat-abuse problem before they are an authentication problem. Fraud teams often look for bad credentials or failed logins, but the more durable signal is the device pattern that keeps reappearing across accounts and sessions. That is why persistent identifiers matter: they expose repetition that account-level controls do not naturally see. The practitioner takeaway is to govern abuse at the device layer, not just at the login layer.
A few things that frame the scale:
- 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when high-activity devices drive repeated abuse?
A: Accountability sits across fraud operations, IAM, and session risk owners because the control gap spans identity, device, and transaction layers. Teams need a shared escalation path so recurring device activity is investigated once and acted on consistently, rather than being handled as disconnected anomalies.
👉 Read our full editorial: High-activity devices expose the limits of fraud controls
