Browser fingerprints are a key component of fraud detection and prevention solutions but here’s why you shouldn’t just rely on them…
You might not be aware of it, but the web browser you’re using to read the words on this page is a treasure trove of data.
These tracked data points, and many more, are what constitute browser fingerprinting. As we’ll see in this post, fraud prevention tools like device fingerprinting can help you detect suspicious users in seconds – but you have to know when to deploy it, and how.
Table of contents
- What is Browser Fingerprinting?
- How Does Browser Fingerprinting Work?
- Why Do Companies Use Browser Fingerprinting?
- How Does a Browser Fingerprinting Tool Flag Fraudsters?
- What are the Different Methods of Browser Fingerprinting?
- The Shortcomings of Browser Fingerprinting
- Browser Fingerprinting: 8 Key Features for Fraud Prevention
- Data Collection Must be Acknowledged
- Combining Fingerprinting With Other Anti-Fraud Tools
- Frequently Asked Questions About Browser Fingerprinting
What is Browser Fingerprinting?
Your fingerprint contains a unique set of lines that can help identify you. It’s how fingerprint unlock works on your phone or computer. The same principle applies to a digital fingerprint for your browser.
While not every browser is unique, each configuration can help identify a user, for instance by looking at the screen resolution, version, plugins installed, etc…
In fact, a single click on the website AmIUnique.org, for instance, can reveal how easy it is to learn your operating system, browser name and version, time zone and preferred language, amongst others. This means your visits across numerous sites can be tracked.
How Does Browser Fingerprinting Work?
The fingerprinting scripts send data to the fraud detection system via APIs, which allows you to analyse points such as the browser version, hardware configuration, and more.
Is Browser Fingerprinting Legal?
Yes, as all the information collected with browser fingerprinting is considered public. However, note that the fraud solution that collects the data should be compliant. For instance, SEON is fully GDPR compliant and ISO-27001 certified.
How Do Users Block Browser Fingerprinting?
The most common way of avoiding tracking is through anti-fingerprinting browsers; you can find more information on some of these browsers later on in the article.
Why Do Companies Use Browser Fingerprinting?
To minimise risk, companies look to understand as much as they can about the customer in question and the nature of their behaviour. By combining as many data points as possible, you can create a form of user ID. This allows you to:
- Identify loyal customers
- Flag suspicious connections
- Block account takeover attempts
- Spot connections between users
What Data Can Be Extracted?
It turns out, the browser fingerprint holds a lot of hidden data. A browser fingerprint tool gathers user data relating to users’ software and hardware configurations.
These browser fingerprints include details such as browser name, operating system, timezone, and more. In fraud prevention, they can be used to detect suspicious connections, for instance from an emulator.
At SEON, we were very lucky to develop our browser fingerprinting module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters, such as:
- System fonts
- Whether cookies are enabled
- Operating system
- Keyboard layout
- Whether the Tor browser is used
- Whether a secure browser is used
- User agent
- Sensors such as the accelerometer, proximity sensor and gyroscope
- Browser local databases
- Navigator properties
- HTTP header attributes
- Web browser extensions used
- Audio context analysis
- CPU Class
- HTML5 canvas fingerprinting (looking at canvas size)
- Touch support
- And much more…
His internet research website lets you test the efficiency of privacy add-ons by performing thorough browser fingerprinting, and it’s a great place to learn more about the technologies used for that analysis in the context of security and website protection.
How Does a Browser Fingerprinting Tool Flag Fraudsters?
Sophisticated fraudsters tend to operate on a large scale, by acquiring long lists of logins or credit card numbers for example on the dark web or other websites. This usually means hundreds of possible attempts before they can enter a platform or process a transaction.
Because it’s a repetitive process, they can’t change their smartphone, laptop or browser with every attempt. Even if they try to spoof devices, there will be red flags. This is where identifying a unique configuration can help spot them and their bot attacks – especially if one of their failed attempts puts them on a blacklist. Their only remaining options are to:
- Clear their browser cache
- Use a different device and web browser
- Switch browser on the same device
- Use private or incognito online mode
- Use a virtual machine designed to spoof their configuration settings
- Use tools such as AntiDetect, FraudFox or MultiLogin
- Use emulators that spoof mobile devices
- Use dedicated browser spoofing tools
But here again, the game of cat and mouse continues: fraud detection tools equipped with the right modules should be able to detect these uses, which are even clearer signs pointing towards a fraudulent user.
What About Cross-Browser Fingerprinting?
While standard browser fingerprinting is dependent on which browser the person uses, a new method called cross-browser fingerprinting allowed researchers to ID people based on hardware alone. It is a very new development, which could have drastic consequences both for privacy-focused users and fraud prevention companies.
What are the Different Methods of Browser Fingerprinting?
If you can see which browser and hardware configurations are unique, it’s then easy to create a unique ID for each of them. Every time a user connects to your website, it’s thanks to a device (smartphone, laptop, tablet…) and a browser (Google Chrome, Mozilla Firefox, Brave, Safari…). This is the basis of what we’ll call a user configuration.
Examples of these configurations include:
- iPhone 7 with Safari 14.0
- Microsoft Windows Home laptop with Edge Browser 90.0.818.66
- macOS Mojave with Google Chrome 90.0.4430.212
The browsers themselves contain even more unique data points, such as:
- The kind of active plugins
- The set time zone
- Language settings
- Screen resolution
The challenge, however, is to ensure these IDs are stable, so they remain the same even after changes in the data set.
The solution? Stitch the data into the right sets, so they don’t completely change with every new update. At SEON, we work with three different sets, which are:
Browser Hash
This generates an ID by looking at all browser fingerprint data points such as the user agent, operating system, windows, screen, font settings and all collectable feature statuses.
- Pros: The hash doesn’t change even if the user clears their cache, cookies or uses incognito mode.
- Cons: a computer or smartphone with multiple browsers (Edge, Chrome and Firefox) will generate different hashes. Even a browser update will change the hash.
Cookie Hash
A new ID is created with each browser session.
- Pros: Easy to prove multiple users are the same person if they share the same cookie hash.
- Cons: clearing the browser cookies and cache generates a new cookie hash.
Device Hash
The ID is created based on hardware data such as the HTML5 canvas, GPU, audio fingerprinting, whether it allows touch support and more.
- Pros: Fraudster tools such as AntiDetect or FraudFox will generate the same hash, which can prove the use of a virtual machine, emulator or remote desktop connection. Plugins used to spoof a device will also generate a unique ID, which increases suspicion.
- Cons: there are far fewer unique IDs, as anyone with the same phone or laptop and browser version will generate the same hashes.
As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods used to look at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way.
Which neatly brings us to the following idea: when browser fingerprinting isn’t enough.
The Shortcomings of Browser Fingerprinting
By now, it should be evident that the biggest problem with browser fingerprinting security is that it’s not a foolproof method to protect your website. But just to recap, here’s why:
Data Has a Short Shelf Life
This is an area we recommend fraud managers pay specific attention to. A lot of fraud companies pride themselves on their ability to track hundreds or thousands of online data points for browser fingerprinting.
But the ability to track more personal data isn’t always better if that data is stale. It’s much better to find the fresh points and enrich them with other fraud prevention modules in order to create a multi-layered fraud prevention solution to protect your business and users.
Fraudsters are Savvy Enough
The very fact that specific software is designed to spoof devices, browsers and operating systems clearly shows that fraudsters have experience of browser fingerprinting. They will try their best to manipulate the data manually to hide their real world identity.
Of course, for the good guys, the fight is all about identifying these spoofing methods and setting up good tracking techniques. One good example in recent years was the realisation that the canvas size is a useful browser fingerprint signal for fraud, as bad actors tend to resize their browsers to work on multiple platforms at once.
General Users Are More Concerned About Privacy
And while the general public isn’t necessarily tech-savvy enough to deploy the right tools, there is a general sense that data privacy is important and that tracking poses a threat. As reported by the Pew Research Center, 81% of US citizens believe they do not have enough power over how their data is tracked by companies. The same amount believes that the risks outweigh the benefits, which could see a rise in consumer tech designed to address these concerns.
Browser Fingerprinting: 8 Key Features for Fraud Prevention
Browser fingerprinting is a process, which means that several different tools can offer similar results. Let’s take a look at the standard features and see how they work.
Hashing
All the data returned from browser fingerprinting is processed through a hash function, which maps data of arbitrary size to a fixed-size value: a long string of letters and numbers. This makes the information easier to log, analyse and compare.
(For instance, SEON works with hundreds of parameters, but only three kinds of hashes: Cookie Hash, Browser Hash and Device Hash.)
Canvas Fingerprinting
Websites written in HTML5 contain a code element called the canvas. This element is used to draw graphics on a web page. It also generates data such as the font size or active background colour setting, which come into play when creating a unique user ID for tracking. It is the most powerful feature of browser fingerprinting.
- HTML5 Canvas fingerprinting detects: installed client fonts, browser font size, active background colour, graphics card, operating system, and more…
The HTML5 canvas fingerprint is used as a fraud prevention technique based on the fact that the same canvas image may be rendered differently on different computers.
WebGL Fingerprinting
- A WebGL fingerprint detects: graphics card model, screen resolution…
User Agent Detection
A User Agent, or UA, is the part of the browser software designed to identify the browser to the website. It is a string which, when detected by a site, allows it to display tailored content for specific browsers.
There are a few caveats to user agent detection. Firstly, web developers often rely on user-agent switching tools to visualise how a site will look on a variety of devices. Fraudsters use the same tools to spoof a browser. Default Android web browsers use the same user agents as Safari to make compatibility easier. Google is also deprecating user agents in its Chrome browser.
Still, user agent detection is an integral part of browser fingerprinting.
- User agent detection reveals: browser name and version number.
Audio Fingerprinting
Producing sound from a mobile browser and device audio stack is surprisingly complex. A website uses the AudioContext API to send a low-frequency signal through the browser to the device and measures how the device processes it. The result reveals how that audio stack processes sound, but no audio is recorded, collected or played, so you don’t need microphone or speaker access. And yet, it can inform fingerprinting with multiple parameters and values.
- Audio fingerprinting detects: AudioBuffer value, DynamicsCompressor value…
Mobile Device Fingerprinting
Companies who create mobile apps specifically for a smartphone OS can use a specific SDK (software development kit) to get extra information about devices, whether they are built by Apple, Samsung or other vendors.
- Such mobile device fingerprinting products detect: MAC address, serial number (Android only), device time zone, battery health, CPU details…
Tor Detection
By default, Tor gives every user the exact same fingerprint, so companies get no useful Tor fingerprinting information, which ultimately gives a fraudster anonymity from basic anti-fraud solutions.
- To combat this, running a test to see if the user’s IP matches a known Tor exit node can enable you to detect and block this traffic.
Whilst a Tor user might not have any malicious intent, Tor users should be flagged as “high risk” by default due to the higher likelihood of fraudulent activity.
Selenium Detection
Selenium is an open-source tool that automates browsers, originally intended as a tool for web application testing. Selenium is very easy to set up and allows users to run scripted actions in a distributed manner.
Whilst it might be a useful tool for developers, it’s also the tool of choice for malicious actors who want to scrape your website, e.g. ticket scalpers. Unfortunately, these people are also incentivised to hide what they’re doing, and you need to be proactive in catching them.
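The Tor and Selenium checks above, as an added example that is not SEON’s code: it parses an exit-node list in the one-address-per-line format used by public Tor exit lists (the addresses here are constructed placeholders, not real relays), reads automation signals from the navigator object a page sees, and scores constructed sessions. The risk labels and the navigator heuristics beyond `navigator.webdriver` are assumptions for illustration.

```javascript
const TOR_EXIT_LIST_TEXT = `
# constructed sample exit list, one address per line
203.0.113.10
203.0.113.11
198.51.100.7
`;

// Parse an exit list in the one-address-per-line format, skipping
// blank lines and '#' comments.
function parseExitList(text) {
  const exits = new Set();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    exits.add(line);
  }
  return exits;
}
const TOR_EXITS = parseExitList(TOR_EXIT_LIST_TEXT);

// Automation signals read from the navigator object a page sees.
// navigator.webdriver is defined by the W3C WebDriver spec and is
// true in a Selenium-driven browser; the other two are common
// heuristics for headless browsers (assumed here, not from the article).
function automationSignals(nav) {
  const signals = [];
  if (nav.webdriver === true) signals.push("navigator.webdriver");
  if (/HeadlessChrome/.test(nav.userAgent || "")) signals.push("headless-ua");
  if (Array.isArray(nav.languages) && nav.languages.length === 0) signals.push("no-languages");
  return signals;
}

// Per the article: a Tor exit is "high risk" by default; automation
// signals are stronger evidence and send the session to review.
function assessSession(session) {
  const flags = [];
  if (TOR_EXITS.has(session.ip)) flags.push("tor-exit");
  flags.push(...automationSignals(session.navigator));
  const automated = flags.some((f) => f !== "tor-exit");
  const risk = automated ? "review" : flags.length > 0 ? "high" : "low";
  return { flags, risk };
}

// Constructed sessions (not real traffic).
const SAMPLE_SESSIONS = [
  { id: "s1", ip: "192.0.2.50", navigator: { webdriver: false, userAgent: "Mozilla/5.0 Chrome/90.0", languages: ["en-GB"] } },
  { id: "s2", ip: "203.0.113.10", navigator: { webdriver: false, userAgent: "Mozilla/5.0 Firefox/88.0", languages: ["de"] } },
  { id: "s3", ip: "192.0.2.77", navigator: { webdriver: true, userAgent: "Mozilla/5.0 HeadlessChrome/90.0", languages: [] } },
];
```

In production the exit list is refreshed on a schedule rather than embedded, and the navigator values arrive from the fingerprinting script running in the visitor’s browser.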
Data Collection Must be Acknowledged
There are data collection and privacy issues that should be raised with browser fingerprinting and canvas fingerprinting tools.
Combining Fingerprinting With Other Anti-Fraud Tools
In short, online browser fingerprinting is a fantastic method for identifying suspicious users. But it’s by no means sufficient by itself. This is why at SEON, we recommend combining our module with others such as:
- Social media lookup: gathers data from social networks to enrich your picture of the people on your site.
- Reverse phone / email lookup: enriches data and creates a better online digital footprint analysis.
- IP analysis and proxy detection: ensures you understand more about visitors’ connections.
- Machine learning: the only engine powerful enough to look at all the data at scale and suggest risk rules tailored to your business model.
All the browser fingerprinting modules are accessible as part of our SENSE platform, designed by anti-fraud experts for businesses in any vertical. To see how we help reduce the costs and resources lost to fraud by 70-80% without sacrificing user experience, try a free demo with us.
Frequently Asked Questions About Browser Fingerprinting
A range of industries across ad tech, fintech and fraud prevention all can use browser fingerprinting to understand more about their customers.
Browser fingerprinting analyses any given user’s software and hardware configuration, which in turn creates unique IDs that can be used to highlight suspicious behaviour. It can help spot a range of potentially fraudulent activities including: synthetic IDs, identity theft, CNP fraud, phishing, spoofing, account takeover and affiliate fraud.
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.