Browser fingerprinting can flag certain types of fraudsters. But here’s why you shouldn’t just rely on it.
You might not be aware of it, but the web browser you’re using to read the words on this page is a treasure trove of data.
In fact, a single click on the website AmIUnique.org, for instance, can reveal how easy it is to learn your operating system, browser name and version, time zone and preferred language, amongst others. This means your visits across numerous sites can be tracked.
These tracked data points, and many more, are what constitute browser fingerprinting. As we’ll see in this post, fraud prevention tools can use the process to detect suspicious users in seconds – but you have to know when to deploy it, and how.
Browser Fingerprinting: A Definition
Browser fingerprinting gathers user data relating to their device and browser configuration. These data points include the browser name, operating system, timezone, and much more. In fraud prevention, it can be used to detect suspicious connections, for instance from an emulated device.
What Kind of Data Can Be Extracted From a Browser?
It turns out, browser fingerprinting can discover a lot of hidden data. At SEON, we were very lucky to develop our browser fingerprinting module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters, such as:
- System fonts
- Check if cookies are enabled
- Keyboard layout
- Sensors such as accelerator, proximity and gyroscope
- Browser local databases
- Navigator properties
- HTTP header attributes
- Extensions used
- Audio context analysis
- CPU Class
- HTML5 canvas size
- Touch support
- And much more…
His research website lets you test the efficiency of privacy add-ons by performing a thorough browser fingerprinting, and it’s a great place to learn more about the technologies used for that analysis.
How Can Browser Fingerprinting Help Flag Fraudsters?
Sophisticated fraudsters tend to operate on a large scale, by acquiring long lists of logins or credit card numbers for example on the dark web. This usually means hundreds of possible attempts before they can enter a platform or process a transaction.
Because it’s a repetitive process, they can’t change their device or browser with every attempt. Even if they try to spoof devices, there will be red flags. This is where identifying a unique configuration can help spot them – especially if one of their failed attempts puts them on a blacklist. Their only remaining options are to:
- Clear their browser cache
- Use a different device and web browser
- Switch browser on the same device
- Use private or incognito mode
- Use a virtual machine designed to spoof their configuration settings
- Use tools such as AntiDetect, FraudFox or MultiLogin
- Use emulators that spoof mobile devices
But here again, the game of cat and mouse continues: fraud detection tools equipped with the right modules should be able to detect these uses, which are even clearer signs pointing towards a fraudulent user.
The Power of Browser and Device Hashes
If you can see which browser and device configurations are unique, it’s then easy to create a unique ID for each of them. The challenge, however, is to ensure these IDs are static, so they can remain the same even after changes in the data-set.
The solution is to group collected data points in the right sets, so they don’t completely change with every new update. At SEON, we work with three different sets, which are:
This generates an ID by looking at all browser data points such as the user agent, operating system, windows, screen, font settings and all feature statuses, which are collectible.
- Pros: The hash doesn’t change even if the user clears their cache, cookies or uses incognito mode.
- Cons: a computer or smartphone with multiple browsers (Edge, Chrome and Firefox) will generate different hashes. Even a browser update will change the hash.
A new ID is created with each browser session.
- Pros: Easy to prove multiple users are the same person if they share the same cookie hash.
- Cons: clearing the browser cookies and cache generates a new cache.
The ID is created based on hardware data such as the HTML5 canvas, GPU, audio fingerprinting, whether it allows touch support and more.
- Pros: Fraudster tools such as AntiDetect or FraudFox will generate the same device hash, which can prove the use of a virtual machine, emulator or remote desktop connection. Plugins used to spoof a device will also generate a unique ID, which increases suspicion.
- Cons: there are far fewer unique ID, as anyone with the same device and browser version will generate the same hashes.
As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods used to look at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way.
Which neatly brings us to the following idea: when browser fingerprinting isn’t enough.
The Shortcomings of Browser Fingerprinting
By now, it should be evident that the biggest problem with browser fingerprinting is that it’s not a foolproof method. But just to recap, here’s why:
The Data Has a Short Shelf Life
This is an area we recommend fraud managers pay specific attention to. A lot of fraud companies pride themselves on gathering hundreds or thousands of data points for browser fingerprinting.
But even if these data points aren’t permanent, they’re not good for much. While they can help identify fraud, it’s much better to incorporate and enrich them with other fraud prevention modules in order to create a multi layered fraud prevention solution.
Fraudsters are Savvy Enough
The very fact that specific software is designed to spoof devices, browsers and operating systems clearly shows that fraudsters know what’s going on. They will try their best to manipulate the data points manually.
Of course, for the good guys the fight is all about identifying these spoofing methods. One good example in recent years was to understand that the size of the canvas could indicate fraud, as bad users tend to resize their browsers to work on multiple platforms at once.
General Users Are More Concerned About Privacy
And while the general public isn’t necessarily tech-savvy enough to deploy the right tools, there is a general sense that data privacy is important, and that tracking poses a threat. As reported by the Pew Research Center, 81% of US citizens believe they do not have enough power over how their data is tracked by companies. The same amount believes that the risks outweigh the benefits, which could see a rise in consumer tech designed to address these concerns.
Combining Device Fingerprinting With Other Anti-Fraud Tools
In short, device fingerprinting is a fantastic method for identifying suspicious users. But it’s by no means sufficient by itself. This is why at SEON, we recommend combining our device fingerprinting module with others such as:
- Social media lookup: which gathers data from social networks to enrich your picture of the users on your site
- Reverse phone / email lookup: to enrich data and create a better digital footprint analysis.
- IP analysis and proxy detection: to ensure you understand more about users’ connections
- Machine Learning: the only engine powerful enough to look at all the data at scale, and suggest risk rules tailored to your business model.
All the modules are accessible as part of our SENSE platform, designed by anti-fraud experts for businesses in any vertical. To see how we help reduce the costs and resources lost to fraud by 70-80% in a few months only, don’t hesitate to contact us for a free trial.