Overview

With Device Fingerprinting, you can uniquely identify the device a visitor is using to interact with your site, determine whether you've flagged that device as being associated with fraudulent behavior in the past, and prevent that visitor from using your site in the future.

Sift manages this blacklist for you and can also let you know when a device has been linked to fraudulent activity within our network of customers.

Important Terms

Device Fingerprint: attempts to uniquely identify the device a visitor is using in a way that's stable across sessions. There is a one-to-one mapping from a session to a Device Fingerprint and a many-to-many mapping from Device Fingerprints to users.

Session: A server-side session. There is a one-to-one mapping from a session to a Device Fingerprint and a many-to-one mapping from sessions to a user.

User: An entity that has some unique identifier like a user_id. This is in contrast to a visitor, which is an entity that may not have a unique identifier. There is a many-to-many mapping from users to Device Fingerprints, and there is a many-to-one mapping from sessions to a user.

Integration Steps

There are three equally important steps to integrating:

  1. Install our JavaScript snippet
  2. Identify and block fraudulent devices
  3. Label fraudulent devices

1) Install our JavaScript snippet

Install our JavaScript snippet on every public-facing page on your site.

2) Identify and block fraudulent devices

Let's use the example of fake listings on an apartment rentals site to see how we could identify and block fraudulent users. Let's assume the goal here is to redirect fraudulent users to an error page once they attempt to post a listing (instead of persisting that listing and directing the user to a confirmation page).

To accomplish this, you would need to do the following in a relevant route handler in your server code:

  1. Call our /sessions endpoint to swap a session_id for data associated with the device
  2. Check the device label, if it exists
  3. If the label is set to "bad", then take a negative action (e.g. redirecting to an error page)
  4. Else, continue as normal

Alternately, you can use our /users endpoint to query for devices seen for a given user, then check for the label placed on each associated device.

The following pseudocode outlines the basic steps we would take while handling the post in our server:


import base64
import requests

# Constants
ACCOUNT_ID = "<YOUR SIFT ACCOUNT ID>"
REST_API_KEY = "<YOUR SIFT REST API KEY>"

# Route handler called after a user attempts to post a listing.
# `request` and `redirect_to` stand in for whatever your web
# framework provides.
def post_listing():
  # First, you would call our /sessions endpoint to fetch
  # the device associated with the current session. You will
  # need to pass in the session_id provided by your webserver,
  # which in this example is held in the request.session_id
  # variable.
  sift_session_url = (
    "https://api3.siftscience.com/v3/accounts/{account_id}/sessions/{session_id}"
    .format(account_id=ACCOUNT_ID, session_id=request.session_id)
  )

  # You'll need to authenticate the request by setting the "Authorization" header
  # as shown below: HTTP Basic auth with the REST API key as the username and an
  # empty password (base64 works on bytes, so encode before and decode after)
  credentials = base64.b64encode((REST_API_KEY + ":").encode()).decode()
  headers = {"Authorization": "Basic {}".format(credentials)}
  response = requests.get(sift_session_url, headers=headers)

  # From the response body, you would want to examine
  # the "device" object
  device_json = response.json()["device"]

  # If the label field is set for this device and
  # the device has been labeled bad by you in the past,
  # then redirect to an error page
  if "label" in device_json and device_json["label"] == "bad":
    return redirect_to("error.html")

  # Else continue as normal
  return redirect_to("success.html")


3) Label fraudulent devices

In order to prevent fraudulent users from interacting with your site, you'll need to flag (or "label") devices those users have been linked with in the past.

Continuing with the example before, let's say you or your customer service team found that a certain user was posting fake listings. Let's also say you have an internal admin tool that agents can use to take action on your users.

You would want to add a link to your admin system to allow agents to block every device associated with a fraudulent user. Here's pseudocode that outlines a handler on your server that would block these devices after an agent clicks that link.


import base64
import requests

# Constants
ACCOUNT_ID = "<YOUR SIFT ACCOUNT ID>"
REST_API_KEY = "<YOUR SIFT REST API KEY>"

# Route handler called when an agent clicks a "block user" link in your
# internal admin system; user_id identifies the user being blocked
def block_user_devices(user_id):
  # You'll need to authenticate each request by setting the "Authorization" header
  # as shown below (HTTP Basic auth: REST API key as the username, empty password)
  credentials = base64.b64encode((REST_API_KEY + ":").encode()).decode()
  headers = {"Authorization": "Basic {}".format(credentials)}

  # First, let's fetch all devices associated with a user
  user_devices_url = (
    "https://api3.siftscience.com/v3/accounts/{account_id}/users/{user_id}/devices"
    .format(account_id=ACCOUNT_ID, user_id=user_id)
  )

  response = requests.get(user_devices_url, headers=headers)
  device_fingerprints = [d["id"] for d in response.json()["data"]]

  # Call the /devices/{device_fingerprint}/label endpoint to PUT a "bad" label
  # for every device associated with this user
  device_label_url = (
    "https://api3.siftscience.com/v3/accounts/{account_id}/devices/{device_fingerprint}/label"
  )

  # You'll need to PUT the following JSON object to denote
  # that a device is bad
  bad_label = {"label": "bad"}

  for device_fingerprint in device_fingerprints:
    url = device_label_url.format(account_id=ACCOUNT_ID,
                                  device_fingerprint=device_fingerprint)
    requests.put(url, json=bad_label, headers=headers)
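The following is an added example, not Sift's own code and not part of the original page, that ties step 2 (check the device behind a session) and step 3 (label every device of a user) together so the whole flow can be exercised offline. It separates the decision logic from the HTTP calls and injects the transport, so the same code runs against a constructed in-memory stand-in here and against the real endpoints in production. `ACCOUNT_ID`, `REST_API_KEY`, `SiftDeviceClient`, `FakeSiftTransport` and the session/user/fingerprint values are all placeholders or constructed sample data; the only response fields it relies on are the ones the pseudocode above reads (`device`, `label`, `data`, `id`).

```python
import base64
from typing import Callable, Dict, List

# Placeholders: substitute your own Sift account id and REST API key.
ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"
REST_API_KEY = "REST_API_KEY_PLACEHOLDER"
BASE_URL = "https://api3.siftscience.com/v3/accounts/{account_id}"


def basic_auth_header(api_key: str) -> Dict[str, str]:
    """HTTP Basic auth with the REST API key as username and an empty password."""
    token = base64.b64encode((api_key + ":").encode("ascii")).decode("ascii")
    return {"Authorization": "Basic " + token}


def device_is_bad(session_payload: dict) -> bool:
    """Decide from a /sessions response body whether the device is labeled "bad".
    A missing "device" object or a device with no label is treated as not blocked."""
    device = session_payload.get("device")
    if not device:
        return False
    return device.get("label") == "bad"


def device_fingerprints(user_devices_payload: dict) -> List[str]:
    """Extract fingerprints from a /users/{user_id}/devices response body."""
    return [d["id"] for d in user_devices_payload.get("data", [])]


class SiftDeviceClient:
    """Hypothetical wrapper around the three endpoints used on this page.
    `get(url, headers)` and `put(url, json, headers)` are injected and must
    return the parsed JSON body, e.g.
    lambda url, headers: requests.get(url, headers=headers).json()"""

    def __init__(self, account_id: str, api_key: str, get: Callable, put: Callable):
        self.base = BASE_URL.format(account_id=account_id)
        self.headers = basic_auth_header(api_key)
        self._get, self._put = get, put

    def session_device_is_bad(self, session_id: str) -> bool:
        """Step 2: swap a session_id for its device and check the label."""
        return device_is_bad(self._get(f"{self.base}/sessions/{session_id}", headers=self.headers))

    def label_user_devices_bad(self, user_id: str) -> List[str]:
        """Step 3: label every device seen for a user as "bad"; returns the fingerprints."""
        fps = device_fingerprints(self._get(f"{self.base}/users/{user_id}/devices", headers=self.headers))
        for fp in fps:
            self._put(f"{self.base}/devices/{fp}/label", json={"label": "bad"}, headers=self.headers)
        return fps


class FakeSiftTransport:
    """Constructed in-memory stand-in for the API so the flow runs offline."""

    def __init__(self, sessions: Dict[str, str], user_devices: Dict[str, List[str]]):
        self.sessions = sessions            # session_id -> fingerprint
        self.user_devices = user_devices    # user_id -> fingerprints
        self.labels: Dict[str, str] = {}    # fingerprint -> label (set via PUT)

    def get(self, url: str, headers: Dict[str, str]) -> dict:
        if not headers.get("Authorization", "").startswith("Basic "):
            raise PermissionError("missing Basic auth header")
        if "/sessions/" in url:
            fp = self.sessions.get(url.rsplit("/", 1)[1])
            if fp is None:
                return {}                    # unknown session: no device object at all
            device = {"id": fp}
            if fp in self.labels:
                device["label"] = self.labels[fp]
            return {"device": device}
        if url.endswith("/devices"):
            user_id = url.rsplit("/", 2)[1]
            return {"data": [{"id": fp} for fp in self.user_devices.get(user_id, [])]}
        raise ValueError("unexpected url: " + url)

    def put(self, url: str, json: dict, headers: Dict[str, str]) -> dict:
        self.labels[url.rsplit("/", 2)[1]] = json["label"]   # .../devices/{fp}/label
        return {}


def demo():
    """Run the flow against constructed data: check, block a user, check again."""
    api = FakeSiftTransport(
        sessions={"sess-1": "fp-aaa", "sess-2": "fp-bbb", "sess-3": "fp-ccc"},
        user_devices={"user-42": ["fp-aaa", "fp-ccc"]},
    )
    client = SiftDeviceClient(ACCOUNT_ID, REST_API_KEY, api.get, api.put)
    before = client.session_device_is_bad("sess-1")          # no label yet
    labeled = client.label_user_devices_bad("user-42")       # block user-42's devices
    after = [client.session_device_is_bad(s) for s in ("sess-1", "sess-2", "sess-3", "sess-unknown")]
    return before, labeled, after


if __name__ == "__main__":
    print(demo())
```

Note that once `user-42` is blocked, `sess-1` and `sess-3` are refused because they map to that user's fingerprints, while `sess-2` (a device the user never touched) and an unknown session still pass: labeling acts on devices, not on the user record, which is the many-to-many relationship described under Important Terms.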