1 από 16

February 2023

Capabilities Gathering Survey Results

2 από 16

Background

Goal

  • Ensure completeness of capabilities inventory
  • Prioritize capabilities needed by the anti-fraud ecosystem Anonymity of information: Gathering: Key terms to know Capabilities:

Anonymity of information

  • Only company region, industry, and size (number of employees) were collected
  • Company name is optional
  • Consolidated results (not individual responses) shared within W3C's Anti-Fraud Community Group Capabilities

What are capabilities?

  • Capabilities are the high-level functional requirements for a given set of anti-fraud use cases, and are not specific to any sources of truth or technologies. Capabilities are aligned to specific use cases. For capabilities, please focus on capabilities that a browser can communicate about a device

Logistics

  • Survey was open November 7 2022 - January 31 2023
  • The survey was distributed via the AFCG and 1:1 conversations between Google and members of anti-fraud ecosystem

3 από 16

Responding Company Demographics

4 από 16

Key Use Cases

Other use cases:

  • Financial Transactions
  • Login
  • Fraudulent activity using the platform
  • Malicious Download Compromised Landing Site/Pages
  • Payments
  • Browser compromise Auto-Redirect
  • Scam Ads Cryptojacking

5 από 16

Key Use Cases

6 από 16

Key Capabilities Across All Use Cases

7 από 16

Account Takeover: Key Capabilities

Recognize the same device

Geo Attestation

Counters

Token Binding

Device & Boot Attestation

User Presence

Intent

App / Site Attestation

Element Visibility

Post-Boot Attestation

Token Binding

Recognize the same device

Counters

Geo Attestation

User Presence

Device & Boot Attestation

Intent

Post-Boot Attestation

App / Site Attestation

Element Visibility

Most commonly selected capabilities

Importance of capabilities

8 από 16

Account Takeover: Other Capabilities

  • Identity Verification
  • Unique Identifier: Provide ability to uniquely identify and track users across the industry.
  • A way to technologically enforce a "1 per person" limit
  • Detect automatic connection from a bot
  • Whether the device is being controlled by automation software
  • Campaign Binding: With user consent, bind a credential (such as a cookie) to a campaign and or image to ensure it is not compromised at any stage after scanning.
  • Whether the browser has been modified in some way

9 από 16

Account Creation: Key Capabilities

Geo Attestation

Recognize the same device

User Presence

Counters

Token Binding

Device & Boot Attestation

App / Site Attestation

Intent

Post-Boot Attestation

Element Visibility

Recognize the same device

Token Binding

Counters

Geo Attestation

Device & Boot Attestation

User Presence

App / Site Attestation

Post-Boot Attestation

Intent

Element Visibility

Most commonly selected capabilities

Importance of capabilities

10 από 16

Account Creation: Other Capabilities

  • Unique Identifier: Provide ability to uniquely identify and track users across the industry.
  • Detect automatic account creation
  • Device fingerprinting/inspection to determine if a device is typical of an active fraud ring
  • Identity Verification
  • Whether the device is being controlled by automation software
  • A way to technologically enforce a "1 per person" limit
  • Campaign Binding: With user consent, bind a credential (such as a cookie) to a campaign and or image to ensure it is not compromised at any stage after scanning.
  • Inspect device IP and compare to IP ranges of known bad actors, or VPN/proxy services
  • Whether the browser has been modified in some way

11 από 16

Payment Fraud: Key Capabilities

Token Binding

Counters

Recognize the same device

Geo Attestation

User Presence

Device & Boot Attestation

Intent

App / Site Attestation

Post-Boot Attestation

Element Visibility

Most commonly selected capabilities

Importance of capabilities

Recognize the same device

Geo Attestation

Token Binding

Counters

User Presence

Device & Boot Attestation

Post-Boot Attestation

App / Site Attestation

Intent

Element Visibility

12 από 16

Payment Fraud: Other Capabilities

  • Identity Verification
  • A way to technologically enforce a "1 per person" limit
  • Inspect device IP and compare to IP ranges of known bad actors, or VPN/proxy services
  • Whether the device is being controlled by automation software
  • Device fingerprinting/inspection to determine if a device is typical of an active fraud ring
  • Whether the browser has been modified in some way

13 από 16

eCommerce Fraud: Key Capabilities

Token Binding

Counters

Recognize the same device

Geo Attestation

Device & Boot Attestation

User Presence

Intent

App / Site Attestation

Element Visibility

Post-Boot Attestation

Most commonly selected capabilities

Importance of capabilities

Geo Attestation

Recognize the same device

Counters

Token Binding

Device & Boot Attestation

User Presence

Post-Boot Attestation

App / Site Attestation

Intent

Element Visibility

14 από 16

eCommerce Fraud: Other Capabilities

  • Identity Verification
  • A way to technologically enforce a "1 per person" limit
  • Device fingerprinting/inspection to determine if a device is typical of an active fraud ring
  • Whether the device is being controlled by automation software
  • Inspect device IP and compare to IP ranges of known bad actors, or VPN/proxy services
  • Whether the browser has been modified in some way

15 από 16

IVT in Advertising: Key Capabilities

App / Site Attestation

Element Visibility

Counters

Device & Boot Attestation

Token Binding

Geo Attestation

User Presence

Recognize the same device

Post-Boot Attestation

Intent

Most commonly selected capabilities

Importance of capabilities

Geo Attestation

Counters

Token Binding

Recognize the same device

App / Site Attestation

Element Visibility

User Presence

Intent

Device & Boot Attestation

Post-Boot Attestation

16 από 16

Out-of-band Feedback Mechanism