Link Analysis displays multiple orders with the same device layers, but are they all fraud?
Seeing the same device layers in the link analysis may not mean they represent fraudulent orders. For example, an iPhone/iPad with factory settings will have the same device layers as other such devices with different settings.
The best variable to look at is the Device Fingerprint to see if they are all coming from the same device.
The Kount Link Analysis tool displays two years' worth of order transaction history for over a dozen data variables, such as IP Address, Email Address, Payment Token, etc. Included in these variables are the Device Layers of the actual device associated to the current order.
In Link Analysis, Kount displays how many orders share the same Device Layer values, but that’s not the same as saying they’re linked to the Persona which exists for 14 days. We display a value for each device layer based upon what we learn in Kount's interrogation of the customer's device. The device layer information is used to create the overall device fingerprint. Using the Kount Link Analysis tool can aid you in your research to determine if a rule is needed. Note that as the Device Layer number increases from 1 to 5, so does the uniqueness of the actual device.
The Device Layers list represents a specific configuration of values for the different aspects of the device. There are 5 device layers which generically represent these device attributes/settings:
- Device Layer 1=OPERATING SYSTEM
- Device Layer 2=FLASH SETTINGS
- Device Layer 4=TCP/IP – USER AGENT
- Device Layer 5=BROWSER AND SSL
Orders with a Link Analysis history of shared values in the device layers are not an overt indication of current or historic fraud. It is common for devices to have the same device layer configurations, especially in Apple products such as iPhones, iPads, and MacBooks.
Use caution before creating any rules for negative action based upon device layer settings. Contact your Technical Account Manager for advice.