Browser Fingerprinting – Good for Fraud Detection, But Is It Enough?


Browser fingerprints can flag certain types of fraudsters. But here’s why you shouldn’t just rely on them.

You might not be aware of it, but the web browser you’re using to read the words on this page is a treasure trove of data.

In fact, a single click on the website AmIUnique.org, for instance, can reveal how easy it is to learn your operating system, browser name and version, time zone and preferred language, amongst others. This means your visits across numerous sites can be tracked. 


These tracked data points, and many more, are what constitute browser fingerprinting. As we’ll see in this post, fraud prevention tools can use the process to detect suspicious users in seconds – but you have to know when to deploy it, and how.

Browser Fingerprinting: A Definition 

A browser fingerprint tool gathers data about a user’s software and hardware configuration. These browser fingerprint data points include details such as browser name, operating system, timezone, and much more. In fraud prevention, they can be used to detect suspicious connections, for instance from an emulator.

How Does It Work?

When you connect to a website, your browser needs to send information in order to access data. By installing a JavaScript snippet on your web app, for instance, you can capture that browser fingerprint and use it for your analytics or for fraud detection.

What Kind of Browser Fingerprint Data Can Be Extracted?


It turns out the browser fingerprint holds a lot of hidden data. At SEON, we were very lucky to develop our browser fingerprint module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters, such as:

  • System fonts
  • Check if cookies are enabled
  • Language
  • Platform
  • Keyboard layout
  • Sensors such as accelerometer, proximity and gyroscope
  • Browser local databases
  • Navigator properties
  • HTTP header attributes
  • Extensions used
  • Audio context analysis
  • CPU Class
  • HTML5 canvas fingerprinting (looking at canvas size)
  • Touch support
  • And much more…

His internet research website lets you test the efficiency of privacy add-ons by performing thorough browser fingerprinting, and it’s a great place to learn more about the technologies used for that analysis in the context of security and website protection. 

How Can It Flag Fraudsters?

Sophisticated fraudsters tend to operate on a large scale by acquiring long lists of logins or credit card numbers, for example on the dark web or other websites. This usually means hundreds of possible attempts before they can enter a platform or process a transaction.

Because it’s a repetitive process, they can’t change their smartphone and laptop or browser with every attempt. Even if they try to spoof devices, there will be red flags. This is where identifying a unique configuration can help spot them – especially if one of their failed attempts puts them on a blacklist. Their only remaining options are to:

  • Clear their browser cache
  • Use a different device and web browser
  • Switch browser on the same device
  • Use private or incognito mode
  • Use a virtual machine designed to spoof their configuration settings
  • Use tools such as AntiDetect, FraudFox or MultiLogin
  • Use emulators that spoof mobile devices

But here again, the game of cat and mouse continues: fraud detection tools equipped with the right modules should be able to detect these uses, which are even clearer signs pointing towards a fraudulent user.

The Power of Browser and Device Hashes


If you can see which browser and hardware configurations are unique, it’s then easy to create a unique ID for each of them. The challenge, however, is to ensure these IDs are static, so they can remain the same even after changes in the data-set. 

The solution is to group collected data points in the right sets, so they don’t completely change with every new update. At SEON, we work with three different sets, which are:

Browser hash

This generates an ID by looking at all collectible browser fingerprint data points, such as the user agent, operating system, windows, screen, font settings and all feature statuses.

  • Pros: The hash doesn’t change even if the user clears their cache, cookies or uses incognito mode. 
  • Cons: A computer or smartphone with multiple browsers (Edge, Chrome and Firefox) will generate different hashes. Even a browser update will change the hash.

Cookie hash

A new ID is created with each browser session. 

  • Pros: Easy to prove multiple users are the same person if they share the same cookie hash.
  • Cons: Clearing the browser cookies and cache generates a new hash.

Device hash

The ID is created based on hardware data such as the HTML5 canvas, GPU, audio fingerprinting, whether it allows touch support and more. 

  • Pros: Fraudster tools such as AntiDetect or FraudFox will generate the same hash, which can prove the use of a virtual machine, emulator or remote desktop connection. Plugins used to spoof a device will also generate a unique ID, which increases suspicion.
  • Cons: There are far fewer unique IDs, as anyone with the same phone or laptop and browser version will generate the same hashes.

As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods used to look at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way. 
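The grouping idea above, and the earlier point about repeated attempts from one configuration, as an added example that is not SEON's code. The field names, the three groupings, the sample visits and the FNV-1a stand-in hash (a production system would use a cryptographic hash) are all assumptions made for illustration.

```javascript
// Stand-in 32-bit FNV-1a hash over UTF-16 code units (assumption, not SEON's algorithm).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Hypothetical grouping: each ID hashes only its own data points, in a fixed order.
const GROUPS = {
  browserHash: ["userAgent", "os", "screen", "fonts", "language"],
  deviceHash: ["canvas", "gpu", "audio", "touch"],
  cookieHash: ["sessionCookie"],
};

function hashes(fp) {
  const out = {};
  for (const [name, keys] of Object.entries(GROUPS)) {
    out[name] = fnv1a(keys.map((k) => `${k}=${fp[k]}`).join("|"));
  }
  return out;
}

// Names of the IDs that two visits have in common.
function sharedIds(a, b) {
  const ha = hashes(a), hb = hashes(b);
  return Object.keys(GROUPS).filter((n) => ha[n] === hb[n]);
}

// Names of the IDs whose value was seen with more than `limit` distinct accounts.
function flagReuse(attempts, limit) {
  const seen = new Map();
  for (const { account, fp } of attempts) {
    for (const [name, value] of Object.entries(hashes(fp))) {
      const key = `${name}:${value}`;
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(account);
    }
  }
  return [...seen].filter(([, s]) => s.size > limit).map(([k]) => k.split(":")[0]);
}

// Constructed sample visits (not real fingerprints).
const base = { userAgent: "ExampleBrowser/100", os: "ExampleOS 11", screen: "1920x1080",
  fonts: "Arial,Verdana", language: "en-GB", canvas: "c-7f3a", gpu: "ExampleGPU",
  audio: "a-124.04", touch: false, sessionCookie: "s-001" };
const cleared = { ...base, sessionCookie: "s-002" };          // cookies cleared
const updated = { ...base, userAgent: "ExampleBrowser/101" }; // browser update
const attempts = ["alice", "bob", "carol"].map((account, i) =>
  ({ account, fp: { ...base, sessionCookie: `s-10${i}` } })); // fresh cookie per login
```

Clearing cookies leaves the browser and device hashes in common, a browser update leaves the device and cookie hashes in common, and three accounts logging in with fresh cookies are still tied together by the other two IDs.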

Which neatly brings us to the following idea: when browser fingerprinting isn’t enough.

Is Browser Fingerprinting Legal?

Yes, as all the information collected is considered public. However, note that the fraud solution that collects the data should be compliant. For instance, SEON is fully GDPR compliant and ISO-270001 certified.

The Shortcomings

By now, it should be evident that the biggest problem with browser fingerprinting is that it’s not a foolproof method to protect your website. But just to recap, here’s why:

The Data Has a Short Shelf Life

This is an area we recommend fraud managers pay specific attention to. A lot of fraud companies pride themselves on gathering hundreds or thousands of data points for browser fingerprinting.

But if these data points aren’t permanent, they’re not good for much. While they can help identify fraud, it’s much better to incorporate and enrich them with other fraud prevention modules in order to create a multi-layered fraud prevention solution to protect your business and users.

Fraudsters are Savvy Enough

The very fact that specific software is designed to spoof devices, browsers and operating systems clearly shows that fraudsters know what’s going on. They will try their best to manipulate the data points manually. 

Of course, for the good guys the fight is all about identifying these spoofing methods. One good example in recent years was to understand that the size of the canvas could indicate fraud, as bad users tend to resize their browsers to work on multiple platforms at once.

General Users Are More Concerned About Privacy

The rise of privacy-centered browsers such as Brave or Firefox shows that general users don’t enjoy being tracked. These browsers and others, such as the latest version of Microsoft Edge, build privacy features into their code, for example by disabling JavaScript, blocking tracking pixels and tracking cookies by default, or only allowing HTTPS.

There is also no shortage of anti-tracking options for general users, such as the Tor browser, NoScript (which blocks JavaScript everywhere), Ghostery (which lets you block and audit your web fingerprint), or the dozens of ad blocking tools which regularly top the list of the most downloaded extensions on any app store.

And while the general public isn’t necessarily tech-savvy enough to deploy the right tools, there is a general sense that data privacy is important, and that tracking poses a threat. As reported by the Pew Research Center, 81% of US citizens believe they do not have enough power over how their data is tracked by companies. The same proportion believes that the risks outweigh the benefits, which could see a rise in consumer tech designed to address these concerns.

Combining Device Fingerprinting With Other Anti-Fraud Tools

In short, it is a fantastic method for identifying suspicious users. But it’s by no means sufficient by itself. This is why at SEON, we recommend combining our module with others such as:

  • Social media lookup: which gathers data from social networks to enrich your picture of the users on your site
  • Reverse phone / email lookup: to enrich data and create a better digital footprint analysis.
  • IP analysis and proxy detection: to ensure you understand more about users’ connections
  • Machine Learning: the only engine powerful enough to look at all the data at scale, and suggest risk rules tailored to your business model.

All the modules are accessible as part of our SENSE platform, designed by anti-fraud experts for businesses in any vertical. To see how we help reduce the costs and resources lost to fraud by 70-80% in a few months only, don’t hesitate to contact us for a free trial.
