Each month, The ThreatMetrix Global Trust Intelligence Network (The Network) screens more than 500 million site visitors, across more than 1,900 customers and 9,000 websites and uses predictive analytics to differentiate between legitimate and fraudulent behavior, personas and devices.
In a recent snapshot from May 1 through July 31, 2013, The Network found that the average online bank account is accessed by 2.4 unique devices. The data was compiled across a diverse set of industries – including banking, e-commerce, enterprise, insurance, social networks, government and healthcare – and found that bank accounts are accessed by a significantly higher number of unique devices than other industries.
In July 2013, data shows that 55 percent of bank accounts are accessed by one device, 26 percent are accessed by two devices, 11 percent are accessed by three devices, and 4 percent are accessed by four devices. While there is a significant drop-off after four devices, the data shows a very small percentage of accounts being accessed by as many as twenty devices in a one-month period, which raises some red flags.
Compared to banking, all industries analyzed show a significantly lower number of unique devices per account. In the same three-month period from May 1 through July 31, all industries combined are accessed by an average of 1.79 devices per account, compared to bank accounts being accessed by 2.4 devices on average.
According to data from July 2013, 68 percent of accounts across industries are accessed by only one device each month, 19 percent are accessed by two devices and 7 percent are accessed by three devices. After three devices, the data shows a significant drop off.
While most online businesses determine the number of devices accessing accounts by cookies, which identify a user’s activity on Web browsers, this is not the most accurate way to identify unique devices. Due to private browsing modes and common knowledge of deleting cookies, identifying unique devices with this method shows a higher number of devices, because each time users clear cookies, they are counted as a new device when returning to a website.
ThreatMetrix examined all account logins over a three-month period – from May 1 through July 31, 2013. Logins were reviewed without capturing personally identifiable information to determine the number of unique device identifiers associated with the encrypted value of the account. The number of unique devices was determined by counting the number of unique device fingerprints (SmartID) per login. Organizations were categorized into different broad categories for comparison: banking, retail, and other.