What Is Device Fingerprinting and How Exactly Does It Work?

Device fingerprinting can be used to stop fraudsters from attempting to hack, break into, or spam websites as well as offer detailed insights into any customer that’s coming onto your website.

Read on to learn more about this fraud prevention technique and how it’s used to protect businesses globally.

What Is Device Fingerprinting?

It is a way to identify someone’s device using information related to its software and hardware, allowing you to reach conclusions about their intentions, as well as track their activity.

Device fingerprinting collects information about a user’s device, such as which browser they use and on which hardware, as they connect to a website, app or other server. It is done by websites and apps in order to be able to track the user’s actions and visits, and assess whether their intentions are fraudulent or otherwise harmful.

Note that there are different sub-types of device fingerprinting, such as mobile device fingerprinting and cross-device fingerprinting.

Device fingerprinting analyzes users’ configurations of software and hardware. It creates a unique ID for each configuration, in order to recognize connections between users and to highlight suspicious devices. This is called a device hash.

In addition to device fingerprints, anti-fraud solutions may also utilize data collected via cookie fingerprinting, a different method of gathering information about user’s preferences when entering any website. This information is stored on the user’s device and can be an accurate identifier (and a reliable signal to spot multi-accounting attempts and more), as it is highly unlikely that two different users would have the exact same cookie session. However, users can decide to opt in or out of using cookies or delete their cookie session at any point, making it very easy for users with malintent to cover their tracks.

Information collected via device fingerprinting on their hardware, software, and browser settings is stored on a server-side database, making it accessible for merchants and harder to modify or delete from the user side. While it is more likely that two separate users have matching hardware settings if they are using the exact same device model and settings, this information, combined with further data points, can still shine a light on fraudulent activities.

How Does Device Fingerprinting Work?

When users access your platform, they do it with two tools: a device with a web or mobile application and an internet connection that retrieves an IP address. This creates two data sources. They are present at signup, login, checkout, or even when browsing a page. With the right fraud detection software, we can extract useful info from these data points.

Combining knowledge about a browser and device is what we call device fingerprinting. Based on the device of the user, this might be mobile device fingerprinting, desktop device fingerprinting, etc. It gives a clear picture of how the user is connecting to your service. It helps us understand user behavior, and more importantly, flag potential fraudsters.

For example, here are just a few of the attributes that the SEON engine collects about a user’s device as part of device fingerprinting:

  • device model and number
  • operating system
  • screen size and resolution
  • flash data
  • user-agent
  • system language and system country
  • device orientation
  • battery level
  • installed fonts and installed plugins
  • system uptime

How Accurate Is Device Fingerprinting?

As a method, device fingerprinting has the capacity to be incredibly accurate, with the rate of accuracy increasing with the number of attributes being collected and analyzed. There are different ways in which we could answer this question:

In terms of catching fraud, device fingerprinting is a time-honored, key method. This is because the more information we have about a user’s device, the easier it is to spot red flags, such as the use of suspicious tools often employed by fraudsters, privacy browsers, as well as various types of spoofing. 

Why Do Companies Use Device Fingerprinting?

Companies use device fingerprinting to stop fraudsters and other bad actors, as well as for cybersecurity and marketing purposes. Without device fingerprinting, it would be significantly more difficult to identify and stop fraud related to multi-accounting, account takeovers, digital onboarding, payment fraud and bonus abuse, among other pain points.

Fraudsters often buy or steal long lists of card numbers and login details. To use them, they must employ a trial and error method. The repetitive nature of this process means it’s near impossible to change device every time, so instead they will do some of the following to hide their tracks:

  • Clear the cache.
  • Switch browsers.
  • Use private or incognito mode.
  • Use virtual machines.
  • Use device spoofing and anti-fingerprinting tools (FraudFox, AntiDetect, Kameleo, Linken sphere, MultiLogin…).
  • Use emulators to spoof mobile devices.

This is precisely where device fingerprinting can help. For example, someone, a user found to use an emulator should be considered high risk – they don’t want you to identify them, and they may be browser spoofing.

What makes SEON’s Device Fingerprinting unique?

Read how SEON’s solution is tailor-made for fraud prevention, learn how to use it to block bonus abuse or multi-accounting attempts and more.

Read More

5 Use Cases for Device Fingerprinting Against Fraud 

While the most widely known use case for device fingerprinting are analytics and ad tracking, the technique can be used effectively to mitigate fraud. Let’s look at this in more detail.

  • Bonus & promo abuse: Data gathered through device fingerprinting can help you determine whether the bonus offer is going to a legitimate customer. You can spot users who share a similar device and password or even filter those who try to spoof their data using privacy-enhancing tools.
  • Multi-accounting attempts: By creating device or browser IDs connected to each user account based on device fingerprinting data, it’s easy to see when multiple users are accessing your platform from the same device.
  • Account takeovers: Device fingerprinting is highly effective in preventing users from logging in with unknown devices or browsers. It can also detect suspicious emulators or virtual machines fraudsters often use.
  • Chargebacks & friendly fraud: Combined with digital profiling and IP analysis, device fingerprinting data can help you verify customers’ identities and intentions and spot chargeback & friendly fraud attempts. 
  • Bot attacks: Device fingerprinting examines installed plugins, web browser version, browser window size, screen resolution, and more while also highlighting emulators and virtual machines for better bot management.

How SEON Can Help with Device Fingerprinting

 

SEON can extract 500+ different parameters from a user’s device, examples of which you can see below as well as, in more detail, in our API Reference.

SEON’s device fingerprinting solutions can be deployed by API or as part of an end-to-end fraud prevention platform. The first step would be to insert the necessary code into your platform. This is done via Javascript, iOS SDK or Android SDK. This code lets us collect parameters about the user, and identify them through the SEON interface.

Note that different integration methods enable different parameters.

For instance, the device and browser screen size isn’t relevant for connections via smartphones and tablets. Similarly, it’s important that the Android SDK extracts info about the device manufacturer, since they are so many of them that it is an identifying feature. Conversely, with iOS, it’s always Apple.

An Example of a Successful Device Fingerprinting

Read how SEON’s device fingerprinting solution helped Viabill in a 90% drop of fraudulent transactions.

Read More

Key Features of SEON’s Device Fingerprinting Solution

One of the most important features of a device fingerprinting tool is the generation of specific hashes to catch fraudsters with more accuracy. You can think of them as unique IDs created based on specific parameters.

  • Cookie hash: Creates an ID for each browser session. Clearing the browser cookies and cache and visiting again will generate a new hash. But if multiple users share the same hash, we know that they are clearly using the same browser and device.
  • Browser hash: Generates an ID by combining data from the browser, operating system, device and network. This hash remains unchanged even if the user clears their browser cookies and cache, or browses privately. However, a device with multiple browsers installed, or even different browser versions, will generate different hashes.
  • Device hash: Offers identification based on the device hardware (e.g HTML5 canvas, audio fingerprinting, GPU, screen data, and so on). While many users can share the same device hash (for instance two iPhone 7 Safari users), this allows us to detect remote desktop connections, virtual machines and emulators. For instance, fraudsters’ favorite tools such as AntiDetect, FraudFox, and Multilogin each generate the same device hash, so every one of their users has the same device hash, making it obvious they are doing so. Moreover, fraudsters using extensions that spoof HTML5 canvas will have very unique IDs – and should therefore be flagged as high risk.

As you can see, they each have their pros and cons.

However, all these hashes become a near-flawless screening tool when they are leveraged together. Fraud analysts can easily create customer profiles that are precise and reliable, or even implement rules that isolate suspicious hashes automatically.

Still Unsure if SEON Is Right for You?

SEON offers a fully modular fraud solution and the support of a team that are experts in online fraud. See it for yourself in a bespoke demo tailored to your needs.

Ask an Expert

Conclusion

Gleaning a precise picture of your users’ devices can help you improve your fraud detection rate in a significant way. Device fingerprinting is a powerful tool you can use to block bonus abuse, multi-accounting, account takeovers, and more. However, all this data is only helpful if you know how to leverage it. 

SEON’s end-to-end fraud prevention and detection solution helps you combine device fingerprinting with other powerful tools, such as digital profiling and machine learning, to strengthen your fraud-fighting front and give your fraud managers peace of mind.

Frequently Asked Questions

Can device fingerprinting detect device spoofing?

For the most part, yes. For instance, a JavaScript injection can be identified using a simple string comparison and other errors and inconsistencies also point to fraudulent usage. 
The latest device fingerprinting tools should be able to find red flags – for instance, by creating graphical challenges, as seen with Google’s Picasso method. This asks the devices to replicate some graphics and measures any inconsistencies to confirm whether the device data actually matches that of a real browser and operating system. 

Is device fingerprinting legal?

Yes. Although it’s a contentious subject with privacy advocates, the US doesn’t have specific laws on data protection and the EU’s General Data Protection Regulations (GDPR) only requires companies to gain consent from users before tracking them with cookies. 

Is device fingerprinting GDPR compliant?

Yes. A business simply must state its intentions through a terms and conditions section. Recital 47 of the GDPR legislation, as well as the UK GDPR, details:
“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” 
Therefore, businesses must ensure that they are transparent about the information they will be processing; otherwise, they will become liable to further consequences.

What is cross-device fingerprinting?

More commonly known as cross-device tracking, this describes any method of tracking users and their activity across different devices, despite the fact that they use different devices. To do so, one would have to find identifiers that do not change when the user switches to a new phone, computer or tablet, for instance. 
As a result, someone might be able to track an individual’s activity when that person changes from their mobile phone to a desktop computer, for example, even if this person is not logged into any online profiles. 

Is device fingerprinting enough to stop fraud?

Not exactly. While it is an incredibly useful tool, it also needs to be combined with other solutions such as data enrichment, custom rules, and IP analysis and tracking to really be effective.

You might also be interested in reading about

Learn more about:

Data Enrichment | Digital Footprinting | Fraud Detection and Prevention

Sources

Share article

Speak with a fraud fighter.

Click here

Author avatar
Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.


Sign up for our newsletter

The top stories of the month delivered straight to your inbox