Keynote: Fingerprinting, Device Intel & Context with Martin Makarský (Fingerprint)

The Talsec Mobile App Security Conference in Prague was a two-day, invite-only event on fraud, malware, and API abuse in modern mobile apps, held at Chateau St. Havel on November 3–4, 2025, and hosted by Talsec, freeRASP, and partners. It brought together leading experts and practitioners to strengthen the mobile AppSec community, connect engineers with attackers and defenders, and share practical techniques for high-stakes sectors like banking, fintech, and e-government.

Martin Makarský, Director of Engineering at Fingerprint, delivered a keynote that shifted the focus from simply collecting data to the harder challenge of interpreting that data in an anti-fraud context. He emphasized that the real difficulty in anti-fraud is "deciding what it means". The core message is that sophisticated device identification and intelligence must be coupled with human-defined business logic to fight fraud effectively without driving away legitimate users.

Who Decides? Fingerprinting, Device Intelligence, and Context in Fighting Fraud

Effective anti-fraud systems depend not only on collecting data but on interpreting that data correctly. The central challenge lies in deciding what collected signals actually mean. Advanced device identification and intelligence must work alongside clearly defined business logic to combat fraud effectively without alienating legitimate users.

Key Concepts in Anti-Fraud Systems

Several foundational technologies shape modern anti-fraud strategies:

  • Fingerprinting: Fingerprinting focuses on identifying environments rather than tracking individuals. It combines ordinary system signals that are insignificant on their own but together uniquely describe an environment and form a stable signature. This enables recognition of the same browser even after cookies are cleared. Modern fingerprinting systems apply machine learning to hundreds of signals, assigning higher weight to stable attributes such as GPU or installed fonts and lower weight to volatile signals like time zone, producing a confidence-based similarity score.

  • Device or Browser Identifier: Most anti-fraud systems rely on a stable identifier derived from fingerprinting. This identifier helps distinguish returning trusted users from first-time visitors or potentially risky anomalies, reducing unnecessary friction for known users.

  • Device Intelligence: Device intelligence does not identify who a user is, but rather what type of environment they are using. It transforms raw signals into actionable context, revealing intent-related indicators such as VPN usage inconsistent with local time zones or sessions running in incognito mode.
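The weighted, confidence-based similarity score described under Fingerprinting, as an added example that is not code from the talk or from Fingerprint's product; the signal names, weights and thresholds are illustrative assumptions.

```python
# Added example (not code from the talk or from Fingerprint): a weighted
# similarity score over fingerprint signals. Signal names, weights and
# thresholds are illustrative assumptions.

# Stable hardware/software attributes carry more weight than signals a
# legitimate user changes often (time zone when travelling, UI language).
SIGNAL_WEIGHTS = {
    "gpu": 3.0,
    "fonts": 3.0,
    "canvas_hash": 2.0,
    "screen": 2.0,
    "platform": 2.0,
    "timezone": 0.5,
    "language": 0.5,
}


def similarity(known: dict, observed: dict, min_evidence: float = 6.0) -> float:
    """Confidence (0..1) that `observed` is the environment recorded as `known`.

    Only signals present on both sides count as evidence. If the weight of
    comparable signals is below `min_evidence`, there is too little to say
    anything, so the score is 0.0 rather than a misleadingly high match.
    """
    matched = compared = 0.0
    for name, weight in SIGNAL_WEIGHTS.items():
        if name in known and name in observed:
            compared += weight
            if known[name] == observed[name]:
                matched += weight
    if compared < min_evidence:
        return 0.0
    return matched / compared


def same_environment(known: dict, observed: dict, threshold: float = 0.85) -> bool:
    """A business-chosen threshold turns the score into a recognition decision."""
    return similarity(known, observed) >= threshold


# Constructed sample: signals from a visitor seen before. Cookies are not
# part of the signature, so clearing them changes nothing here.
KNOWN = {"gpu": "Adreno 740", "fonts": "f1a2c3", "canvas_hash": "9c0d",
         "screen": "1440x3120", "platform": "Android",
         "timezone": "Europe/Prague", "language": "cs-CZ"}
# Same device after travelling: only the volatile time zone differs.
TRAVELLED = dict(KNOWN, timezone="America/New_York")
# Different hardware that happens to share the volatile signals.
OTHER = dict(KNOWN, gpu="Apple A17", fonts="77ab01", canvas_hash="0000", screen="1179x2556")
```

The travelled device still scores above the threshold because only a low-weight signal changed, while the other device scores low despite matching time zone and language.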

The Scale of the Fraud Problem

Fraud has reached a scale that makes advanced identification and intelligence unavoidable:

  • Online payment fraud is projected to cause approximately $350 billion in global losses between 2023 and 2027.

  • Card fraud alone accounts for roughly $50 billion in losses each year.

  • A single aggregated breach database contains 16 billion compromised login credentials—nearly twice the global population.

  • 83% of organizations report experiencing at least one account takeover attack.

The Friction–Trust Tradeoff

A common reaction to rising fraud is to increase friction through additional challenges such as two-factor authentication. However, excessive friction leads to user fatigue and abandonment. Device intelligence enables a more balanced approach by allowing systems to trust users with confidence.

This approach relies on adaptive security:

  • When device, environment, and behavior align with known trusted patterns—such as consistent device usage, location, and activity—no interruption is necessary.

  • When signals change unexpectedly, such as a new device, operating system, or identifier, systems can introduce proportional friction. This may include step-up authentication, temporary restrictions on high-risk actions, or escalation for manual review.

Who Makes the Decision?

Balancing security and user experience raises a critical question: should algorithms make trust decisions automatically, or should humans define the rules?

Fully automated, out-of-the-box decisions (such as blocking all VPN traffic or rooted devices) fail because fraud is inherently contextual. A VPN may indicate abuse for one business and privacy-conscious behavior for another. A rooted device may represent a serious risk in mobile banking but a legitimate testing environment for quality assurance.

Universal models cannot account for a company’s specific users, business model, or risk tolerance. Effective systems should inform decisions rather than dictate them. Humans must define acceptable risk and friction, while algorithms enforce those decisions at scale.
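The point that the same signals mean different things under different business rules, as an added example that is not code from the talk or any vendor SDK; the signal fields, the two policies and the action set are illustrative assumptions.

```python
# Added example, not code from the talk or any vendor SDK: the same device
# intelligence signals evaluated under two human-defined policies. Field
# names, policies and the action set are illustrative assumptions.
from dataclasses import dataclass


@dataclass
class Signals:
    """Constructed device-intelligence context for one request."""
    match_confidence: float      # similarity to a previously trusted environment, 0..1
    new_device: bool             # identifier never seen for this account
    vpn: bool
    vpn_timezone_mismatch: bool  # VPN exit location disagrees with client time zone
    rooted: bool
    high_risk_action: bool       # e.g. adding a payee or a large transfer


@dataclass
class Policy:
    """Risk tolerance written by the business, not inferred by the algorithm."""
    name: str
    block_rooted: bool           # hard stop for rooted devices?
    vpn_is_suspicious: bool      # does VPN use count against the user here?
    trusted_confidence: float = 0.9


ALLOW, STEP_UP, RESTRICT, REVIEW, BLOCK = "allow", "step_up", "restrict", "review", "block"


def decide(s: Signals, p: Policy) -> str:
    """Map signals to a proportional response; the policy supplies the meaning."""
    if s.rooted and p.block_rooted:          # hard stop chosen by the business
        return BLOCK
    suspicious = (s.vpn and p.vpn_is_suspicious) or s.vpn_timezone_mismatch
    recognised = s.match_confidence >= p.trusted_confidence and not s.new_device
    if recognised and not suspicious:        # everything aligns: no interruption
        return ALLOW
    if s.new_device and s.high_risk_action:  # unknown device on a sensitive action
        return RESTRICT                      # restrict the action until verified
    if suspicious and s.high_risk_action:    # known device, inconsistent context
        return REVIEW                        # escalate for manual review
    return STEP_UP                           # otherwise a proportionate challenge


# Two businesses, same engine, different definitions of acceptable risk.
BANK = Policy("mobile banking", block_rooted=True, vpn_is_suspicious=True)
QA_PORTAL = Policy("internal QA portal", block_rooted=False, vpn_is_suspicious=False)

# A QA engineer on a rooted test phone behind the corporate VPN.
ROOTED_TESTER = Signals(0.95, False, True, False, True, False)
```

The rooted tester is blocked by the banking policy and allowed by the QA policy from identical signals; the code scores, the policy decides.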

Architecture for Adaptive Anti-Fraud

Robust anti-fraud systems operate across multiple layers:

  1. Device Layer: Ensures runtime integrity by verifying that the application or browser environment has not been tampered with.

  2. Edge Layer: Enables rapid responses through CDNs or firewalls, allowing immediate blocking or challenging of suspicious activity without code changes, deployments, or infrastructure updates.

  3. Back-End Layer: Applies contextual interpretation and enforces decisions based on business logic and risk models.

This layered approach enables rapid reaction to emerging fraud patterns. For example, a rule deployed at the edge can instantly block sign-up attempts originating from incognito sessions, reducing response time from hours to seconds.

While systems can score risk in real time, defining trust, acceptable risk, and user friction remains a human responsibility.

Thank you, Martin and Fingerprint, for sharing clear and practical insights into how fingerprinting, device intelligence, and contextual decision-making shape effective anti-fraud strategies.
