What Is Browser Fingerprinting & How Does It Work?

by Tamas Kadar

You might not be aware of it, but the web browser with which you’re accessing this page is a treasure trove of data.

Tracking and understanding that data is often referred to as browser fingerprinting. As we’ll see in this post, this is a fantastic tool to reduce fraud rates at your company.

What Is Browser Fingerprinting?

In real life, your fingerprints are unique and point to you as an individual. In the online world, it’s browser configurations that may point to individuals. While many people use the same browsers, their configurations of software and hardware are so varied that they can effectively act as user IDs.

Examples of these configurations include:

  • iPhone 7 with Safari 14.0
  • Microsoft Windows Home laptop with Edge browser 90.0.818.66
  • macOS Mojave with Google Chrome 90.0.4430.212

Browser fingerprinting allows you to get granular information about each parameter of this configuration. For instance, you may be able to learn which default language the user has set for the browser, see which fonts are installed, and more. You can read a more complete list of these data points below.

The key is to get as much information as possible about who your website visitor is based on their browser configuration.

This is particularly useful in the context of fraud prevention and cybersecurity, where certain parameters may instantly point to suspicious configurations. For instance, browser fingerprinting may be able to detect when users rely on emulators or spoofing tools, which should increase your suspicions about their intentions on your website.

Because these “fingerprints” tend to be unique, they can also act as user IDs. This allows marketers and advertisers to track users across the web, and to deliver targeted content based on your online activities.

The last point to note is that browser fingerprinting is a somewhat contentious practice, which is why a number of privacy-advocacy groups have developed anti-tracking and anti-fingerprinting techniques and tools.

Which Data Is Collected?

Browser fingerprinting tools gather user data relating to users’ software and hardware configurations, including:

  • system fonts
  • whether cookies are enabled
  • operating system
  • OS language
  • platform
  • keyboard layout
  • Tor browser or not?
  • secure browser or not?
  • user agent
  • sensors such as accelerometer, proximity and gyroscope
  • browser local databases
  • navigator properties
  • HTTP header attributes
  • web browser extensions used
  • audio context analysis
  • CPU class
  • HTML5 canvas fingerprinting (looking at canvas size)
  • touch support
  • and much more…

The above shows just how many parameters are taken into account to create a browser fingerprint.

You can see this for yourself on a website such as AmIUnique.org, for instance, which will reveal how common it is to have a completely unique configuration.

How Does Browser Fingerprinting Work?

Browser fingerprinting usually works by adding a JavaScript snippet to your website or web app code. The snippet allows your company or a third-party vendor to extract the browser data and store it.

At SEON, we rely on three distinct methods, which have their pros and cons.

Browser Hash

Browser hash generates an ID by looking at all browser fingerprint data points such as the user agent, operating system, windows, screen, font settings and more.

  • Pros: The hash doesn’t change even if the user clears their cache and cookies or uses incognito mode. 
  • Cons: A computer or smartphone with multiple browsers (e.g. Edge, Chrome and Firefox) will generate different hashes. Even a browser update will force the creation of a new hash.

Cookie Hash

A new ID is created with each browser session. 

  • Pros: Easy to prove multiple users are the same person if they share the same cookie hash.
  • Cons: Clearing the browser cookies and cache generates a new hash.

Device Hash

The ID is created based on hardware data such as the HTML5 canvas, GPU, audio fingerprinting, whether it allows touch support, and more. 

  • Pros: Fraudster tools such as AntiDetect or FraudFox will generate the same hash, which can prove the use of a virtual machine, emulator or remote desktop connection. Plugins used to spoof a device will also generate a unique ID which increases suspicion.
  • Cons: There are far fewer unique IDs, as anyone with the same phone or laptop and browser version will generate the same hashes.

As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods only looked at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way. 
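The trade-offs of the three hashes, shown as an added example (not code from the article or from SEON). The attribute groupings, the FNV-1a stand-in hash and all session values are assumptions constructed for illustration.

```javascript
// Added example. FNV-1a over UTF-16 code units stands in for the vendor's hash
// function, which the article does not specify. All session values are constructed.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0; // 32-bit multiply, kept unsigned
  }
  return h.toString(16).padStart(8, '0');
}

// Hypothetical attribute groupings: software settings feed the browser hash,
// hardware-derived values feed the device hash.
const BROWSER_KEYS = ['userAgent', 'os', 'screen', 'fonts', 'language'];
const DEVICE_KEYS = ['canvas', 'gpu', 'audio', 'touch'];

// Serialize in a fixed key order so identical configurations hash identically.
function hashOf(session, keys) {
  return fnv1a(keys.map((k) => `${k}=${JSON.stringify(session[k])}`).join('|'));
}

function fingerprint(session) {
  return {
    cookieHash: fnv1a(session.cookieId),
    browserHash: hashOf(session, BROWSER_KEYS),
    deviceHash: hashOf(session, DEVICE_KEYS),
  };
}

// Names of the identifiers two sessions have in common.
function sharedIds(a, b) {
  const fa = fingerprint(a);
  const fb = fingerprint(b);
  return Object.keys(fa).filter((k) => fa[k] === fb[k]);
}

const base = {
  cookieId: 'cookie-1001',
  userAgent: 'Mozilla/5.0 (Macintosh) Chrome/90.0.4430.212',
  os: 'macOS Mojave', screen: '1440x900', fonts: ['Arial', 'Helvetica'], language: 'en-US',
  canvas: 'render-a91f', gpu: 'Intel Iris Plus', audio: '124.0434', touch: false,
};
const clearedCookies = { ...base, cookieId: 'cookie-2002' };
const updatedBrowser = { ...base, userAgent: 'Mozilla/5.0 (Macintosh) Chrome/91.0.4472.77' };
const sameModelOtherUser = {
  ...base, cookieId: 'cookie-3003', fonts: ['Arial', 'Noto Sans'], language: 'de-DE',
};

console.log(sharedIds(base, clearedCookies));     // browser and device hash survive
console.log(sharedIds(base, updatedBrowser));     // cookie and device hash survive
console.log(sharedIds(base, sameModelOtherUser)); // only the device hash collides
```
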

Is Browser Fingerprinting Legal?

Yes, browser fingerprinting is legal as all the information collected is considered public. However, note that the fraud solution that collects the data should be compliant with all applicable legislation. For instance, SEON is fully GDPR compliant and ISO-27001 certified.

What Is Cross-Browser Fingerprinting?

While the standard browser fingerprinting is dependent on which browser the person uses, a new method called cross-browser fingerprinting has allowed researchers to ID people based on hardware alone.

This is a very new development that could have drastic consequences both for privacy-focused users and fraud prevention companies.

The Benefits of Browser Fingerprinting

Browser fingerprinting, as a technology, can offer numerous benefits to businesses.

Identifying Users

Everyone’s configuration of software and hardware is likely to be unique. This means you can essentially turn that configuration into a user ID. 

Once you have identified the user, you can track their movements across your site. It’s also helpful to know when they are returning visitors.

Delivering Tailored Content

One of the key benefits of having a de facto user ID is that you can offer your users specific content. This could mean serving geolocalised web pages or redirecting users towards appropriate resources.

The same applies to targeted marketing. Once you know you are dealing with a loyal customer, you can send them unique offers such as bonuses, loyalty points, or special discounts.

Blocking Account Takeover Attempts (ATO)

ATO attacks happen when someone logs into an account that isn’t theirs. But if you’ve managed to create an ID for the original account holder, it becomes much easier to spot suspicious logins. 

For instance, a new login from a previously unseen device and IP geolocation could increase your suspicions.

It’s worth noting that not all new device logins should be blocked. Sometimes it will simply be someone logging from a new mobile device or computer. The key is that you should know when to ask for extra authentication if you aren’t sure the right user is accessing an account. 

Spotting Connections Between Users

When the configurations for multiple users are similar, you can make an educated guess that you are dealing with the same person attempting a multi-accounting attack.

In the context of fraud prevention, this will allow you to prevent problems such as bonus abuse. iGaming companies and online casinos have an extra incentive to block collusive play between groups of players (or one person pretending to be multiple players).

Flag Suspicious Connections

Finally, a key part of this fingerprinting is that it will help reveal suspicious user configurations. That includes any kind of setup that points to:

  • Emulators and spoofing tools: software designed to mask the real data and to replicate that from another setup
  • VPN, proxy, and Tor usage: software designed to hide the real IP address and to route the user’s traffic through another network.

Once again, these kinds of data points won’t always point to fraud. But you should be extra vigilant with these users.

The Shortcomings of Browser Fingerprinting

While browser fingerprinting is a fantastic way to get an idea of who your web visitors are, it’s not a magic bullet. Here are some reasons why.

Data Has a Short Shelf Life

This is an area we recommend fraud managers pay specific attention to. A lot of fraud companies pride themselves on their ability to track hundreds or thousands of online data points for browser fingerprinting.

But tracking more personal data isn’t always better if that data is stale. A much better and smarter approach is to find the fresh data points and enrich them with other fraud prevention modules, creating a multi-layered fraud prevention solution to protect your business and users.

Fraudsters Are Savvy Enough

The very fact that specific software is designed to spoof devices, browsers and operating systems clearly shows that fraudsters have experience with browser fingerprinting. They will try their best to manipulate the data to hide their real-world identity. 

Of course, for the good guys, the fight is all about identifying these spoofing methods and setting up good tracking techniques. One good example of this from recent years was when it was understood that a browser fingerprint of the size of the canvas can help to indicate fraud – because bad agents tend to resize their browsers to work on multiple platforms at once.

General Users Are More Concerned About Privacy

The rise of privacy-centered browsers such as Brave or Firefox shows that users don’t enjoy being tracked. These browsers and others, such as the latest version of Microsoft Edge, build privacy features into their code – for example, by disabling JavaScript, blocking tracking pixels and tracking cookies by default, or only allowing HTTPS.

There is also no shortage of anti-tracking options for general users, such as the Tor browser, NoScript (which blocks JavaScript everywhere), Ghostery (which lets you block and audit your browser fingerprint), or the dozens of ad-blocking tools that regularly top the list of the most downloaded extensions on any app store.

And while the general public isn’t necessarily tech-savvy enough to deploy the right tools, there is a general sense that data privacy is important and that tracking poses a threat. As reported by the Pew Research Center, 81% of US citizens believe they do not have enough power over how their data is tracked by companies. The same proportion believes that the risks outweigh the benefits, which could see a rise in consumer tech designed to address these concerns.

Data Collection Must Be Acknowledged

There are data collection and privacy issues that should be raised with browser fingerprint and canvas fingerprinting tools.

This is why you have to make sure that your browser fingerprint solution is compliant with local laws and regulations. While it is a legal practice, you may need to acknowledge every digital fingerprint in your terms and conditions, as some visitors may wish to opt out (like with a cookie policy).

How to Block Browser Fingerprinting

It’s worth noting that every time risk managers deploy new browser fingerprinting features, organized fraudsters create tools designed to confuse them.

This is particularly evident with the rise of anti-fingerprinting browsers, or browser spoofing tools, which are deployed to emulate other configurations. Privacy advocates also recommend them to those who want to avoid targeted marketing or simply to reduce personal data collection.

Browser Fingerprinting: 8 Key Features for Fraud Prevention

Browser fingerprinting is a process, which means that several different tools can offer similar results. Let’s take a look at the standard features and see how they work.

Hashing

All the data returned from browser fingerprinting is processed through a hash function, which turns data of arbitrary size into a fixed-size value, typically a long string of letters and numbers. This makes it easier to log the information, encrypt, analyze and compare it. 

For instance, SEON works with hundreds of parameters, but only three kinds of hashes: cookie hash, browser hash, and device hash.

Canvas Fingerprinting

Websites written in HTML5 contain a code element called the canvas. This element is used to draw graphics on a web page. It also generates data such as the font size or active background color setting, which come into play when creating a unique user ID for tracking. It is the most powerful feature of browser fingerprinting.

  • HTML5 canvas fingerprinting detects: installed client fonts, browser font size, active background color, graphics card, operating system, and more…

The HTML5 fingerprint is used as a fraud prevention technique based on the fact that the same canvas image may be rendered differently on different computers.

WebGL Fingerprinting

Like the canvas element, WebGL is a JavaScript API that renders on-screen images and graphics. An image is rendered with a fixed size and, because different GPUs use different algorithms to display it, you can estimate the kind of graphics card your user has installed.

  • A WebGL fingerprint detects: graphics card model, screen resolution…

User Agent Detection

A user agent, or UA, is a string that identifies a browser to the website. When a site detects it, the site can display tailored content for specific browsers.

There are a few caveats to user agent detection, all related to how this data point is used in the real world. Firstly, web developers often rely on user-agent switching tools to visualize how a site will look on a variety of devices. Fraudsters use the same type of tool to spoof a browser. Default Android web browsers use the same user agents as Safari to make compatibility easier. Google is also deprecating user agents in its Chrome browser.

Still, user agent detection is an integral part of browser fingerprinting and remains useful when considered in tandem with other elements. 

  • User agent detection reveals: browser name, version or version number.

Audio Fingerprinting

Producing sound from a mobile browser and device audio stack is surprisingly complex. In audio fingerprinting, a website uses the AudioContext API to send a low-frequency sound through the browser to the device, and measures how the device processes that data. This helps inform how to process audio – but no audio is recorded, collected, or played, so you don’t need microphone and speaker access. And yet, this technique can inform fingerprinting with multiple parameters and values.

  • Audio fingerprinting detects: AudioBuffer value, DynamicsCompressor value…

Device Fingerprinting

Companies who create mobile apps specifically for smartphone OS can use a specific SDK (software development kit) to get extra information about devices, whether they are built by Apple, Samsung or other vendors.

  • Such mobile device fingerprinting products detect: MAC address, serial number (Android only), device time zone, battery health, CPU details…

Tor Detection

By default, Tor makes each user have the exact same fingerprint. This ensures companies lack Tor fingerprinting information, ultimately providing fraudsters anonymity from basic anti-fraud solutions. 

However, Tor detection works by running a test to see if the user’s IP matches a known Tor exit node, thus determining whether a user is running Tor. While a Tor user might not have any malicious intent, Tor users should be flagged as high risk by default due to the statistically higher likelihood of fraudulent activity.

Selenium Detection

Selenium is an open-source tool that automates browsers, which was originally intended to help with web application testing. Selenium is very easy to set up and allows users to run scripted actions in a distributed manner.

Though it is a useful tool for developers, it’s also the tool of choice for malicious actors who would want to scrape your website – e.g. ticket scalpers. Unfortunately, these people are incentivized to hide what they’re doing, and you need to be proactive in catching them.

While Selenium itself is difficult to detect, you can use JavaScript to check for evidence of WebDriver, the technology behind it. In fact, our upcoming rule update will automatically flag browsers that are automated as risky, allowing you to block bot traffic and service abuse.
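An added example (not SEON's rules or code) that combines the WebDriver check and the Tor exit-node match described above with the new-device login check from the account takeover section. The flag names, the allow/step_up/block policy, the exit-node list and all account data are assumptions constructed for illustration.

```javascript
// Added example. Flag names and the allow/step_up/block policy are assumptions,
// not SEON's rules. IPs come from documentation ranges and are constructed.
const TOR_EXIT_NODES = new Set(['203.0.113.7', '198.51.100.23']); // sample exit list

// Runs in the page: navigator.webdriver is true when WebDriver controls the browser.
function collectClientSignals(nav) {
  return { webdriver: nav.webdriver === true };
}

// Runs on the server with the account's login history and the current attempt.
function assessLogin(account, attempt) {
  const flags = [];
  if (attempt.client.webdriver) flags.push('automation');
  if (TOR_EXIT_NODES.has(attempt.ip)) flags.push('tor_exit');
  const newDevice = !account.deviceHashes.includes(attempt.deviceHash);
  const newGeo = !account.countries.includes(attempt.country);
  if (newDevice) flags.push('new_device');
  if (newGeo) flags.push('new_geo');

  let action = 'allow';
  if (flags.includes('automation')) {
    action = 'block';                       // scripted browser: treat as bot traffic
  } else if (flags.includes('tor_exit') || (newDevice && newGeo)) {
    action = 'step_up';                     // ask for extra authentication, do not block
  }
  return { flags, action };
}

const account = { deviceHashes: ['9f2c11ab'], countries: ['HU'] };
const human = collectClientSignals({ webdriver: false });
const scripted = collectClientSignals({ webdriver: true });

const usual = assessLogin(account,
  { client: human, ip: '192.0.2.10', deviceHash: '9f2c11ab', country: 'HU' });
const newPhone = assessLogin(account,
  { client: human, ip: '192.0.2.10', deviceHash: '41d07e55', country: 'HU' });
const unfamiliar = assessLogin(account,
  { client: human, ip: '192.0.2.44', deviceHash: '41d07e55', country: 'BR' });
const viaTor = assessLogin(account,
  { client: human, ip: '203.0.113.7', deviceHash: '9f2c11ab', country: 'HU' });
const bot = assessLogin(account,
  { client: scripted, ip: '192.0.2.10', deviceHash: '9f2c11ab', country: 'HU' });

console.log(usual.action, newPhone.action, unfamiliar.action, viaTor.action, bot.action);
```

The `navigator.webdriver` value is reported by the client, so weigh it alongside server-side signals rather than relying on it alone.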

How SEON Does Browser Fingerprinting

At SEON, we were very lucky to develop our browser fingerprinting module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters. However, we also recommend combining our module with other fraud detection methods, such as:

  • Social media lookup, which gathers data from social networks to enrich your understanding of the people on your site
  • Reverse phone/email lookup to enrich data and create a better online digital footprint analysis
  • IP analysis and proxy detection to ensure you understand more about connections between visitors
  • Machine learning, the only engine powerful enough to look at all the data at scale and suggest risk rules tailored to your business model

All the browser fingerprinting modules are accessible as part of our Sense Platform, designed by anti-fraud experts for businesses in any vertical. To see how we help reduce the costs and resources lost to fraud by 70–80% without sacrificing user experience, try a free demo with SEON.

Frequently Asked Questions

Who uses browser fingerprinting?

A range of industries across ad tech, fintech, and fraud prevention rely on browser fingerprinting to understand more about their customers.

How to use browser fingerprinting for fraud prevention?

Browser fingerprinting analyzes any given user’s software and hardware configuration, which in turn creates unique IDs that can be used to highlight suspicious behavior. It can help spot a range of potentially fraudulent activities including synthetic IDs, identity theft, CNP fraud, phishing, spoofing, account takeover, and affiliate fraud.

Is browser fingerprinting legal?

Yes, as long as the company that gathers data complies with the appropriate data protection regulations. Most of the information relating to someone’s browser is considered public.

Tamas Kadar
CEO

Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.

