
Mobile fraud detection in iOS 7 - jasontan
http://blog.siftscience.com/mobile-fraud-detection-in-ios7/
======
ashearer
The article focuses on how their recommended device identifier, the Bluetooth
MAC, will become inaccessible in iOS 7, just like the UDID did in a past
update.

I'm not that familiar with the mechanics of fraud detection, and I wish the
article had delved into why a physical device ID is necessary for it. What is
the advantage of the MAC over, say, a hidden ID created randomly by the app on
first launch?

There's an obvious difference in that the MAC would allow you to correlate
identifiers across multiple apps (which is also a privacy weakness), but the
given example apps aren't particularly likely to be used in concert.

~~~
divad12
We have seen fraudsters reinstall an app over and over, each time signing up
with a new email and a new stolen credit card after their previous account was
shut down. A persistent device ID allows our clients to block a new signup
from a fraudster that is from the same physical phone the fraudster has used
before. (This greatly increases the cost of committing fraud, by forcing the
fraudster to root their phone or use a new phone each time.)

~~~
ashearer
That makes sense. Thanks.

The ability for apps to correlate across their own re-installations has fewer
privacy implications than general UDID/MAC access, so perhaps Apple may allow
it at some point. To achieve it, Apple could just change the documented
behavior of the identifierForVendor property so that it no longer resets when
all the vendor's apps are deleted. Apple's implementation could be done
several ways (such as by stashing the per-device, per-vendor ID along with the
App Store's Purchased Software data, or by generating it algorithmically from
a hash of UDID/MAC plus vendor ID). But regardless, Apple perhaps sees app re-
installs that start fresh and anonymous as a good thing.

------
gt384u
Another identifier which would seem to help accomplish the task is
identifierForVendor. As a bonus, it isn't something that can be opted out of
like the advertisingIdentifier.

~~~
ilyanep
Unfortunately, the API says that the identifier can change if the user
uninstalls then reinstalls the app.

------
zobzu
note that it talks about gps positioning, uuids, etc. obviously all this
private info is logged.

that means if they get compromised people will know exactly where you live,
where you go, etc. (of course they also just can lookup that info as well)

~~~
ilyanep
I think you would hash the data in some way to avoid privacy concerns for
device ID purposes.

