Browser fingerprinting can help to identify who is on your site by looking at how they connect to it. Let’s see how it works, feature by feature.
According to Panopticlick, an online protection website, only 1 in 286,777 connections shares the same browser fingerprint as another user.
This immediately sets the tone: understand how a user connects to your site, log that information, and you’ve got a fairly precise user ID system in place. It works for content personalisation, targeted ads, analytics, tracking without cookies, and, of course, fraud prevention.
But how does it work exactly, and why? And are there any features you should particularly consider for your fraud prevention strategy? Let’s break it all down below.
Browser Fingerprinting: The Basics
Every time a user connects to your website, it’s thanks to a device (smartphone, laptop, tablet…) and a browser (Google Chrome, Mozilla Firefox, Brave, Safari…). This is the basis of what we’ll call a user configuration.
Examples of these configurations include:
- iPhone 7 with Safari 14.0
- Microsoft Windows Home laptop with Edge Browser 90.0.818.66
- macOS Mojave with Google Chrome 90.0.4430.212
The browsers themselves contain even more unique data points, such as:
- The kind of active plugins,
- The set time zone,
- Language settings,
- Screen resolution,
- And much more…
Using that Data for Fraud Prevention
By combining as many data points as possible, you can create a form of user ID. This allows you to:
- Identify loyal customers,
- Flag suspicious connections,
- Block account takeover attempts,
- Spot connections between users.
It’s worth noting that every time risk managers deploy new browser fingerprinting features, organised fraudsters create tools designed to confuse them.
This is particularly evident with the rise of anti-fingerprinting browsers, or browser spoofing tools, which are designed to emulate other configurations. Privacy advocates also recommend using them for users who want to avoid targeted marketing or simply to reduce personal data collection.
The key is that the best browser fingerprinting features should also be able to identify spoofing attempts. While it doesn’t necessarily point to fraud, it should increase your suspicions.
Speaking of features, let’s see exactly what goes on under the hood of a browser fingerprinting system.
Browser Fingerprinting: the Key Features
Browser fingerprinting is a process, which means that several different tools can offer similar results. Let’s take a look at the standard features and see how they work.
All the data returned from browser fingerprinting is run through a hash function, which turns data of arbitrary size into a fixed-size value: a long string of letters and numbers. That makes the information easier to log, protect, analyse and compare.
(For instance, SEON works with hundreds of parameters, but only three kinds of hashes: Cookie Hash, Browser Hash and Device Hash.)
Pages written in HTML5 can contain an element called the canvas, which is used to draw graphics on a web page. Drawing to it also exposes data such as the font size or active background colour setting, which come into play when creating a unique user ID for tracking. It is the most powerful feature of browser fingerprinting.
- HTML5 Canvas fingerprinting detects: installed client fonts, browser font size, active background colour, graphics card, operating system, and more…
The HTML5 canvas fingerprint works as a fraud prevention technique because the same canvas image may be rendered slightly differently on different computers.
- A WebGL fingerprint detects: graphic card model, screen resolution…
A User Agent, or UA, is a string the browser sends to identify itself to the website. A site that reads it can display content tailored to specific browsers.
There are a few caveats to user agent detection. Firstly, web developers often rely on user-agent switching tools to visualise how a site will look on a variety of devices, and fraudsters use the same tools to spoof a browser. Default Android web browsers use the same user agents as Safari to make compatibility easier. Google is also deprecating the user agent string in its Chrome browser.
Still, user agent detection is an integral part of browser fingerprinting.
- User agent detection reveals: browser name, version or version number.
Producing sound from a mobile browser and device audio stack is surprisingly complex. A website uses the AudioContext API to send a low-frequency signal through the browser to the device and measures how the device processes it. The point is to learn how that particular device handles audio: no sound is recorded, collected or played, so no microphone or speaker access is needed, and yet the result feeds fingerprinting with multiple parameters and values.
- Audio fingerprinting detects: AudioBuffer value, DynamicsCompressor value…
Companies who create mobile apps specifically for smartphone OS can use a specific SDK (software development kit) to get extra information about devices, whether they are built by Apple, Samsung or other vendors.
- Such mobile device fingerprinting products detect: MAC address, serial number (Android only), device time zone, battery health, CPU details…
By default, the Tor Browser gives every user the exact same fingerprint, so companies get almost no fingerprinting information from Tor traffic, which ultimately gives a fraudster anonymity from basic anti-fraud solutions.
- To combat this, running a test to see if the user’s IP matches a known Tor exit node can enable you to detect and block this traffic.
Whilst an individual Tor user might not have any malicious intent, Tor traffic should be flagged as high risk by default.
Selenium is an open-source tool that automates browsers, originally intended for web application testing. Selenium is very easy to set up and allows users to run scripted actions in a distributed manner.
Whilst it might be a useful tool for developers, it’s also the tool of choice for malicious actors who want to scrape your website, e.g. ticket scalpers. Unfortunately, these people are also incentivised to hide what they’re doing, and you need to be proactive in catching them.
Complete Fingerprinting + Risk Analysis
In fraud prevention, data is only useful if it allows you to make informed decisions to mitigate risk. This is why device and browser fingerprinting is usually combined with other prevention tools such as data enrichment and risk scoring.
- How widely used is the visitor’s screen resolution?
- How old is the browser version currently in use?
- How rare is the user agent?
- Does the browser profile appear suspicious?
- Are there high-risk plugins installed?
- Is Tor or Selenium being used to fool fingerprinting?
- And much more…
Combine the answers to these questions with other risk rules, and you can have a complete profile of your user, but also of their online behaviour on your site.
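The risk questions above turned into a scoring rule, as an added example that is not SEON's product logic: it includes the Tor exit node check from the Tor section and a Selenium check based on the standard navigator.webdriver flag. The exit-node addresses, population statistics, plugin names, weights and thresholds are constructed assumptions.

```javascript
// Added example (not SEON's code): score a visitor against the questions above.
// The exit-node list, population statistics, plugin names, weights and
// thresholds are constructed assumptions; a real deployment loads them from data.

// Tor exit node addresses (constructed; in practice taken from the published
// exit list) and the IP check the Tor section describes.
const TOR_EXITS = new Set(['203.0.113.7', '198.51.100.42']);
function isTorExit(ip) { return TOR_EXITS.has(ip); }

// Share of recent visitors per resolution and user agent family (constructed).
// A value absent from the table has never been seen and counts as rare.
const STATS = {
  resolution: { '1920x1080': 0.31, '1366x768': 0.22, '375x667': 0.12 },
  uaFamily: { 'Chrome 90 / Windows 10': 0.40, 'Safari 14 / iPhone': 0.25 },
};
const RARE = 0.01;

// Newest major version seen per browser family (constructed snapshot).
const CURRENT_MAJOR = { Chrome: 90, Edge: 90, Safari: 14, Firefox: 88 };
function versionsBehind(browser, major) {
  return Math.max(0, (CURRENT_MAJOR[browser] ?? major) - major);
}

// Browser extensions that rewrite or block fingerprint signals (constructed names).
const HIGH_RISK_PLUGINS = new Set(['user-agent-switcher', 'canvas-blocker']);

// Each question from the text adds a weighted reason; the total maps to an action.
function riskScore(v) {
  const reasons = [];
  let score = 0;
  const hit = (points, why) => { score += points; reasons.push(why); };
  if ((STATS.resolution[v.resolution] ?? 0) < RARE) hit(10, 'rare screen resolution');
  if ((STATS.uaFamily[v.uaFamily] ?? 0) < RARE) hit(15, 'rare user agent');
  if (versionsBehind(v.browser, v.major) >= 5) hit(10, 'outdated browser version');
  const risky = v.plugins.filter(p => HIGH_RISK_PLUGINS.has(p));
  if (risky.length) hit(20, `high-risk plugins: ${risky.join(', ')}`);
  if (isTorExit(v.ip)) hit(40, 'Tor exit node');
  if (v.webdriver) hit(40, 'automation: navigator.webdriver is true');
  const action = score >= 80 ? 'block' : score >= 40 ? 'review' : 'allow';
  return { score, reasons, action };
}

// Constructed visitors: a returning customer on an ordinary setup, and a
// scripted session arriving through Tor with a switched user agent.
const loyal = { ip: '192.0.2.10', resolution: '1920x1080', uaFamily: 'Chrome 90 / Windows 10',
  browser: 'Chrome', major: 90, plugins: [], webdriver: false };
const suspect = { ip: '203.0.113.7', resolution: '1366x768', uaFamily: 'Chrome 72 / Linux',
  browser: 'Chrome', major: 72, plugins: ['user-agent-switcher'], webdriver: true };
console.log(riskScore(loyal).action, riskScore(suspect));
```

The reasons array is what a reviewer sees, so the score explains why a visitor is risky rather than just that they are.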
The key is to go beyond using browser fingerprinting simply to identify users and to get a much better understanding of why they should be considered risky. Like many other tools in fraud prevention and detection, browser fingerprinting should help you make better decisions, remove doubt, and control risk however you see fit.
Jimmy is the CCO of SEON and brings his in-depth experience of fraud-fighting to assist fraud teams everywhere.