Browser Fingerprinting – Good for Fraud Detection, But Is It Enough?

Browser Fingerprinting – Good for Fraud Detection, But Is It Enough?

Author avatar

by Tamas Kadar

Browser fingerprints are a key component of fraud detection and prevention solutions. But here’s why you shouldn’t just rely on them.

You might not be aware of it, but the web browser you’re using to read the words on this page is a treasure trove of data.

In fact, a single click on the website AmIUnique.org, for instance, can reveal how easy it is to learn your operating system, browser name and version, time zone and preferred language, amongst others. This means your visits across numerous sites can be tracked. 

browser fingerprinting check with AmIUnique

These tracked data points, and many more, are what constitute browser fingerprinting. As we’ll see in this post, fraud prevention tools like device fingerprinting can help you detect suspicious users in seconds – but you have to know when to deploy it, and how.

What is Browser Fingerprinting?

Your fingerprint contains unique sets of lines that can help identify you. It’s how finger ID works on your phone or computer. The same principle applies to a digital fingerprint for your browser.

While not every browser is unique, each configuration can help identify a user, for instance by looking at the screen resolution, version, plugins installed, etc…

What is a Browser Fingerprinting Tool?

A browser fingerprint tool gathers user data relating to users’ software and hardware configurations. These browser fingerprints include details such as browser name, operating system, timezone, and more. In fraud prevention, it can be used to detect suspicious connections, for instance from an emulator. 

Looking For A Way to Authenticate and ID Proof Users?

Schedule a demo call with us to explore how our browser fingerprinting tools can help your business prevent fraud.

How Does Browser Fingerprinting Work?

When you connect to a website with internet access, your browser sends information to access data. By installing a JavaScript snippet on your web app, for instance, you can capture that browser fingerprint and use it for your analytics or for fraud detection.

What Are the Features to Look For?

Browser fingerprinting is a collection of processes that includes device fingerprinting, audio fingerprinting and canvas fingerprinting, amongst others. You can read about each browser fingerprinting feature in detail in this article.

What is Browser Fingerprinting Javascript?

Browser fingerprinting javascript is inserted in your website or web app code. The fingerprinting scripts send data to the fraud detection system via APIs, which allows you to analyse points such as the browser version, hardware configuration, and more.

What About Cross-Browser Fingerprinting?

While standard browser fingerprinting is dependent on which browser the person uses, a new method called cross-browser fingerprinting allowed researchers to ID people based on hardware alone. It is a very new development, which could have drastic consequences both for privacy-focused users and fraud prevention companies.

What Kind of Data Can Be Extracted?

It turns out, the browser fingerprint holds a lot of hidden data. At SEON, we were very lucky to develop our tool to browser fingerprint module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters, such as:

  • System fonts
  • Check if cookies are enabled
  • Operating system
  • Language
  • Platform
  • Keyboard layout
  • Tor browser or not?
  • Secure browser or not?
  • User agent
  • Sensors such as accelerator, proximity and gyroscope
  • Browser local databases
  • Navigator properties
  • HTTP header attributes
  • Web browser extensions used
  • Audio context analysis
  • CPU Class
  • HTML5 canvas fingerprinting (looking at canvas size)
  • Touch support
  • And much more…

His internet research website lets you test the efficiency of privacy add-ons by performing thorough browser fingerprinting, and it’s a great place to learn more about the technologies used for that analysis in the context of security and website protection. 

How Can It Flag Fraudsters?

Sophisticated fraudsters tend to operate on a large scale, by acquiring long lists of logins or credit card numbers for example on the dark web or other websites. This usually means hundreds of possible attempts before they can enter a platform or process a transaction. 

Because it’s a repetitive process, they can’t change their smartphone and laptop or browser with every attempt. Even if they try to spoof devices, there will be red flags. This is where identifying a unique configuration can help spot them and their bot attacks – especially if one of their failed attempts puts them on a blacklist. Their only remaining options are to:

  • Clear their browser cache
  • Use a different device and web browser
  • Switch browser on the same device
  • Use private or incognito online mode
  • Use a virtual machine designed to spoof their configuration settings
  • Use tools such as AntiDetect, FraudFox or MultiLogin
  • Use emulators that spoof mobile devices
  • Use dedicated browser spoofing tools

But here again, the game of cat and mouse continues: fraud detection tools equipped with the right modules should be able to detect these uses, which are even clearer signs pointing towards a fraudulent user.

The Power of Browser and Device Hashes

browser fingerprinting diagram

If you can see which browser and hardware configurations are unique, it’s then easy to create a unique ID for each of them. The challenge, however, is to ensure these IDs are static, so they can remain the same even after changes in the data-set. 

The solution is to stitch the data in the right sets, so they don’t completely change with every new update. At SEON, we work with three different sets, which are:

Browser hash

This generates an ID by looking at all browser fingerprint data points such as the user agent, operating system, windows, screen, font settings and all feature statuses, which are collectable.

  • Pros: The hash doesn’t change even if the user clears their cache, cookies or uses incognito mode. 
  • Cons: a computer or smartphone with multiple browsers (Edge, Chrome and Firefox) will generate different hashes. Even a browser update will change the hash.

Cookie hash

A new ID is created with each browser session. 

  • Pros: Easy to prove multiple users are the same person if they share the same cookie hash.
  • Cons: clearing the browser cookies and cache generates a new cache.

Device hash

The ID is created based on hardware data such as the HTML5 canvas, GPU, audio fingerprinting, whether it allows touch support and more. 

  • Pros: Fraudster tools such as AntiDetect or FraudFox will generate the same hash, which can prove the use of a virtual machine, emulator or remote desktop connection. Plugins used to spoof a device will also generate a unique ID, which increases suspicion.
  • Cons: there are far fewer unique ID, as anyone with the same phone or laptop and browser version will generate the same hashes.

As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods used to look at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way. 

Which neatly brings us to the following idea: when browser fingerprinting isn’t enough.

Is Browser Fingerprinting Legal?

Yes, as all the information collected with browser fingerprinting is considered public. However, note that the fraud solution that collects the data should be compliant. For instance, SEON is fully GDPR compliant and ISO-27001 certified.

The Shortcomings

By now, it should be evident that the biggest problem with browser fingerprinting security is that it’s not a foolproof method to protect your website. But just to recap, here’s why:

The Data Has a Short Shelf Life

This is an area we recommend fraud managers pay specific attention to. A lot of fraud companies pride themselves on their ability to track hundreds or thousands of online data points for browser fingerprinting.

But the ability to track more personal data isn’t always better, if it is stale. It’s much better to find and enrich the fresh points with other fraud prevention modules in order to create a multi layered fraud prevention solution to protect your business and users.

Fraudsters are Savvy Enough

The very fact that specific software is designed to spoof devices, browsers and operating systems clearly shows that fraudsters have experience of browser fingerprinting. They will try their best to manipulate the data manually to hide their real world identity. 

Of course, for the good guys, the fight is all about identifying these spoofing methods and setting up good tracking techniques. One good example in recent years was to understand that a browser fingerprint of the size of the canvas works to indicate fraud, as bad agents tend to resize their browsers to work on multiple platforms at once.

General Users Are More Concerned About Privacy

The rise of privacy-centered browsers such as Brave or Firefox shows that general users don’t enjoy being tracked. These browsers and others, such as the latest version of Microsoft Edge, build privacy features into their code, for example by disabling JavaScript, blocking tracking pixels and tracking cookies by default, or only allowing HTTPS.

There is also no shortage of anti-tracking options for general users, such as the Tor browser, NoScript (which blocks javaScript everywhere), Ghostery, which lets you block and audit your browser fingerprint, or the dozens of ad blocking tools that regularly top the list of the most downloaded extensions on any app store.

And while the general public isn’t necessarily tech-savvy enough to deploy the right tools, there is a general sense that data privacy is important and that tracking poses a threat. As reported by the Pew Research Center, 81% of US citizens believe they do not have enough power over how their data is tracked by companies. The same amount believes that the risks outweigh the benefits, which could see a rise in consumer tech designed to address these concerns.

Data Collection Must be Acknowledged

There are data collection and privacy issue that should be raised with browser fingerprint and canvas fingerprinting tools. This is why you have to make sure that your browser fingerprint solution is compliant with local laws and regulations. While it is a legal practice, you may need to acknowledge every digital fingerprint in your terms and conditions, as some visitors may wish to opt-out (like with a cookie policy).

Combining Fingerprinting With Other Anti-Fraud Tools

In short, online browser fingerprinting is a fantastic method for identifying suspicious users. But it’s by no means sufficient by itself. This is why at SEON, we recommend combining our module with others such as:

  • Social media lookup: which gathers data from social networks to enrich your picture of the people on your site
  • Reverse phone / email lookup: to enrich data and create a better online digital footprint analysis.
  • IP analysis and proxy detection: to ensure you understand more about visitors’ connections
  • Machine Learning: the only engine powerful enough to look at all the data at scale, and suggest risk rules tailored to your business model.

All the browser fingerprinting modules are accessible as part of our SENSE platform, designed by anti-fraud experts for businesses in any vertical. To see how we help reduce the costs and resources lost to fraud by 70-80% without sacrificing user experience, don’t hesitate to contact us for a free trial.

SEON Infographic - Browser Fingerprinting

Share article

Learn more about our products

Products

Author avatar
Tamas Kadar
CEO

Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.


Sign up to our newsletter