This completely changes the game on all kinds of fraud, not just ad fraud. Currently when you get caught, the service you’re abusing bans your device. To keep trying you need new hardware; attacks have a real monetary cost for the attacker. When your iPhone can present itself as infinitely many iPhones, this is neutered, and services will need different (probably more invasive) techniques to keep banned users away.
>This completely changes the game on all kinds of fraud, not just ad fraud.
As someone alt-tabbing in from real fraud investigation work, no, it doesn't. Banning burner phones and reducing banking privacy regulations would move the needle there, but those aren't even on the radar.
"Someone's script opened a page" isn't fraud. Someone building a script specifically to spam-click a competitor's ads, by contrast, is.
Banning devices and identifying groups of accounts which are linked by common devices are two of the most powerful tools that my company’s fraud team talks about. We have nothing to do with advertising. YMMV.
The advertising identifier is a crappy way to do this though. There are multiple more privacy-respecting ways to ban users which work much better. The IDFA can be blanked or reset, whereas other methods like identifierForVendor cannot be reset or bypassed.
> This completely changes the game on all kinds of fraud, not just ad fraud.
Getting around a ban is not fraud.
Regardless, a cross-app ad identifier is not needed to prevent this. There are ways within your app to save data per iOS user (this is not cross-app data, it's specific to your app) which would allow you to prevent this. You could use Sign in with Apple/Google/Facebook. You could require emails. etc., etc.
Not his solution, but just grab the identifierForVendor off UIDevice and ban that.
Alternatively:
> "Using DeviceCheck APIs, in combination with server-to-server APIs, developers can set and query two bits of data per device. It also maintains user privacy by not disclosing any user or device information, which is the priority for every Apple user and the main concern of every mobile user."
To add to what others are saying, IDFAs are specifically /not/ device IDs; they were created so that advertising tracking wouldn't carry over between multiple owners of the same phone. You can already reset your IDFA whenever you want: https://osxdaily.com/2013/02/01/reset-advertising-identifier...
Can someone (only) use IMEI plus account instead of IDFA for uniqueness?
So if you want to exclude/ban a user, you can use the IMEI+account, but outside of excluding a user from using your service, you cannot access IMEI+account.
User privacy is preserved because there's no singular ID for advertisers, and services can still ban fraud because if it's present they can use the IMEI+account to ban a user.
Maybe even have that built into the OS? The app can ban someone based on an IMEI+account, but the IMEI+account info stays on the device. The device just certifies that the combination is unique without exposing that info to the app, and the app can still ban that hardware/account, so the user would need to buy new hardware to get around the ban.
It could be. In that case, let the OS handle whether the phone/account are unique, and the app can ban that phone/account without having that unique identifier to ID the person in other cases, like advertising.
The easiest is with the identifierForVendor property of [UIDevice] which identifies that specific device for your software, but is not shared with other vendors. So you can ban Bob's iPhone across all your apps, but that ID isn't useful to other vendors.
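Added example, not code from this thread or from Apple: the server side of the identifierForVendor ban that several comments above describe, plus the "accounts linked by common devices" technique from the fraud-team comment and a way to spend DeviceCheck's two bits on the result. The client side is assumed to read `UIDevice.current.identifierForVendor` and, for DeviceCheck, call `DCDevice.current.generateToken` and post both to this server. The pepper, the `acct:`/`dev:` node naming, the bit semantics (bit0 = device banned outright, bit1 = device linked to a banned cluster) and the sample identifiers are all assumptions made for the example; the DeviceCheck request body is built but not sent, and the ES256 JWT Apple requires for authorisation is out of scope.

```python
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, Set, Tuple

# Server-side pepper so the ledger never stores a raw identifierForVendor.
# Constructed for this example; keep the real one in a secret store and rotate it.
PEPPER = b"example-pepper-not-for-production"


def pseudonymise(vendor_id: str) -> str:
    """HMAC-SHA256 of the raw vendor identifier the client read from UIDevice."""
    return hmac.new(PEPPER, vendor_id.encode(), hashlib.sha256).hexdigest()


class BanLedger:
    """Union-find over account and device nodes; a ban on any node blocks its whole cluster."""

    def __init__(self) -> None:
        self._parent: Dict[str, str] = {}
        self._banned: Set[str] = set()

    def _find(self, node: str) -> str:
        self._parent.setdefault(node, node)
        while self._parent[node] != node:
            self._parent[node] = self._parent[self._parent[node]]  # path halving
            node = self._parent[node]
        return node

    def _union(self, a: str, b: str) -> None:
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[ra] = rb

    def cluster(self, node: str) -> Set[str]:
        """Every account and device transitively linked to node (linear scan; fine for a demo)."""
        root = self._find(node)
        return {n for n in self._parent if self._find(n) == root}

    def ban_account(self, account: str) -> None:
        self._banned.add(f"acct:{account}")

    def ban_device(self, vendor_id: str) -> None:
        self._banned.add(f"dev:{pseudonymise(vendor_id)}")

    def login(self, account: str, vendor_id: str) -> bool:
        """Record the account/device link, then return True if the login must be refused."""
        acct, dev = f"acct:{account}", f"dev:{pseudonymise(vendor_id)}"
        self._union(acct, dev)  # a banned account touching a new device taints that device
        return bool(self.cluster(acct) & self._banned)

    def device_bits(self, vendor_id: str) -> Tuple[bool, bool]:
        """Assumed encoding for DeviceCheck: bit0 = device banned outright, bit1 = linked to a ban."""
        dev = f"dev:{pseudonymise(vendor_id)}"
        bit0 = dev in self._banned
        bit1 = bool(self.cluster(dev) & self._banned)
        return bit0, bit1


def update_two_bits_body(device_token: str, bit0: bool, bit1: bool) -> str:
    """JSON body for Apple's DeviceCheck update_two_bits endpoint (built here, not sent)."""
    return json.dumps({
        "device_token": device_token,          # base64 token from DCDevice.generateToken
        "transaction_id": str(uuid.uuid4()),
        "timestamp": int(time.time() * 1000),  # Apple expects milliseconds since the epoch
        "bit0": bit0,
        "bit1": bit1,
    })


if __name__ == "__main__":
    # Constructed scenario: "phone-A"/"phone-B" stand in for real vendor UUIDs.
    ledger = BanLedger()
    ledger.login("bob", "phone-A")
    ledger.ban_account("bob")
    print("bob on new phone-B blocked:", ledger.login("bob", "phone-B"))
    print("fresh account on phone-B blocked:", ledger.login("bob2", "phone-B"))
    print("phone-B bits:", ledger.device_bits("phone-B"))
    print(update_two_bits_body("<token from client>", *ledger.device_bits("phone-B")))
```

Two caveats a practitioner would want. First, identifierForVendor is not permanent: Apple documents that it changes once the user removes all of that vendor's apps and reinstalls, so a ban keyed on it alone is a reinstall away from being bypassed; the DeviceCheck bits are stored on Apple's servers rather than on the device and survive an app reinstall, which is why they are worth spending on ban state. Second, propagating a ban to every account that ever shared a device is the simplest possible policy and will catch shared family devices and second-hand phones; real fraud teams use the linkage as a risk signal to score and review rather than as an automatic block.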