Device Fingerprinting: What Is It and How Exactly Does It Work?

Device fingerprinting can be used to stop fraudsters from attempting to hack, break into, or spam websites as well as offer detailed insights into any customer that’s coming onto your website.

Read on to learn more about this fraud prevention technique and how it’s used to protect businesses globally.

What Is Device Fingerprinting?

It is a way to identify someone’s device using information related to its software and hardware, allowing you to reach conclusions about their intentions, as well as track their activity.

Device fingerprinting collects information about a user’s device, such as which browser they use and on which hardware, as they connect to a website, app or other server. It is done by websites and apps in order to be able to track the user’s actions and visits, and assess whether their intentions are fraudulent or otherwise harmful.

Note that there are different sub-types of device fingerprinting, such as mobile device fingerprinting and cross-device fingerprinting.

Device fingerprinting analyzes users’ configurations of software and hardware. It creates a unique ID for each configuration, in order to recognize connections between users and to highlight suspicious devices. This is called a device hash.

It’s worth noting that web cookie fingerprinting is entirely different, as those are stored on the client side of the browser whereas the findings of device fingerprinting are stored in a server-side database, making it accessible for merchants.

How Does Device Fingerprinting Work?

When users access your platform, they do it with two tools: a device with a web or mobile application and an internet connection that retrieves an IP address. This creates two data sources. They are present at signup, login, checkout, or even when browsing a page. With the right solutions, we can extract useful info from these data points.

Combining knowledge about a browser and device is what we call device fingerprinting. Based on the device of the user, this might be mobile device fingerprinting, desktop device fingerprinting, etc. It gives a clear picture of how the user is connecting to your service. It helps us understand user behavior, and more importantly, flag potential fraudsters.

For example, here are just a few of the attributes that the SEON engine collects about a user’s device as part of device fingerprinting:

• device model and number
• operating system
• screen size and resolution
• flash data
• user-agent
• system language and system country
• device orientation
• battery level
• installed fonts and installed plugins
• system uptime

What Is Cross-Device Fingerprinting?

More commonly known as cross-device tracking, this describes any method of tracking users and their activity across different devices, despite the fact that they use different devices. To do so, one would have to find identifiers that do not change when the user switches to a new phone, computer or tablet, for instance. 

As a result, someone might be able to track an individual’s activity when that person changes from their mobile phone to a desktop computer, for example, even if this person is not logged into any online profiles. 

At the time of writing, technologies such as ultrasonic audio beacons, supercookies and web beacons have been used to this end. A related solution is cross-browser fingerprinting, a method devised by researchers in 2011 that seeks to track users across different browsers. 

Possible applications include advertising, surveillance, law enforcement and espionage.

While device fingerprinting is legal and anonymous, many have made clear their concerns about the privacy implications of cross-device fingerprinting as well as its effects on society and politics – including government agencies and researchers.

How Accurate Is Device Fingerprinting?

As a method, device fingerprinting has the capacity to be incredibly accurate, with the rate of accuracy increasing with the number of attributes being collected and analyzed. There are different ways in which we could answer this question:

• In terms of accuracy in the information it gathers and returns, sophisticated device fingerprinting modules can successfully identify data points, as well as attempts at spoofing these data points – which typically come from discrepancies in the device fingerprint.

• In terms of catching fraud, device fingerprinting is a time-honored, key method. This is because the more information we have about a user’s device, the easier it is to spot red flags, such as the use of suspicious tools often employed by fraudsters, privacy browsers, as well as various types of spoofing. 

• Device fingerprinting also generates a device hash, which is helpful in figuring out the activities of its user or users within the context of time. For example, it can help us to know how many different users have logged on from the same device. In isolation, device hashes are not as accurate as other types of hashes, as we will see below, but they are still useful to consider as part of a complete profile of the user.

Can Device Fingerprinting Detect Device Spoofing?

For the most part, yes. For instance, a JavaScript injection can be identified using a simple string comparison and other errors and inconsistencies also point to fraudulent usage. 

The latest device fingerprinting tools should be able to find red flags – for instance, by creating graphical challenges, as seen with Google’s Picasso method. This asks the devices to replicate some graphics and measures any inconsistencies to confirm whether the device data actually matches that of a real browser and operating system. 

Fraudsters who want to bypass device fingerprinting and tracking methods will use a variety of tools. Purpose-built device spoofing browsers, like the Mimic browser, include a canvas poisoning feature that is designed to confuse data readings. By adding noise to certain values, it is intended to help fraudsters slip under the radar.

Sometimes, the most sophisticated attacks will use a complete recreation of the software and hardware stack. The criminals create a completely virtual environment that changes randomly every time it is switched on to avoid tracking. While some of these tools are free, many are relatively expensive, which shows they are marketed at organized criminals.

By using sophisticated device fingerprinting solutions, as well as combining them with other methods, such as digital footprint analysis, you can detect fraudsters who try to spoof their devices. Part of this will also involve looking at inconsistencies in the data points you have gathered.

Why Do Companies Use Device Fingerprinting?

Companies use device fingerpinting to stop fraudsters and other bad actors, as well as for cybersecurity and marketing purposes. Without device fingerprinting, it would be significantly more difficult to identify and stop fraud related to multi-accounting, account takeovers, digital onboarding, payment fraud and bonus abuse, among other pain points.

Fraudsters often buy or steal long lists of card numbers and login details. To use them, they must employ a trial and error method. The repetitive nature of this process means it’s near impossible to change device every time, so instead they will do some of the following to hide their tracks:

• Clear the cache.
• Switch browsers.
• Use private or incognito mode.
• Use virtual machines.
• Use device spoofing and anti-fingerprinting tools (FraudFox, AntiDetect, Kameleo, Linken sphere, MultiLogin…).
• Use emulators to spoof mobile devices.

This is precisely where device fingerprinting can help. For example, someone, a user found to use an emulator should be considered high risk – they don’t want you to identify them, and they may be browser spoofing.

Is Device Fingerprinting Enough to Stop Fraud?

Not exactly. While it is an incredibly useful tool, it also needs to be combined with other solutions such as data enrichment, custom rules, and IP analysis and tracking to really be effective.

The reason is that fraudsters are aware of how basic device fingerprinting works. In recent years, we’ve seen a surge in anti-device-fingerprinting solutions such as web browsers designed specifically to hide the operating system configurations.

This is called device spoofing, and we’ve seen an arms race between fraudsters and risk management experts regarding the technology.

For instance, analyzing someone’s IP and device at checkout is a good start. But payment information is a lot more likely to yield red flags. Device fingerprinting is therefore more efficient when combined with other fraud prevention methods.

3 Use Cases for Device Fingerprinting

While the most widely known use case for device fingerprinting are analytics and ad tracking, the technique can be used effectively to mitigate fraud. Let’s look at this in more detail.

Ecommerce Fraud

For merchants, device fingerprinting can do more than just help with ads, as the uniqueness of a person’s fingerprint can show irregularities when attempting an order or other transaction.

This can stop payment fraud, chargebacks, loyalty program abuse and more.

Banking Fraud

Within the banking industry, you can utilize device fingerprinting to flag potentially suspicious activity such as when a user logs into a bank account via a different device, location or obscure IP address.

Pain points in banking that device fingerprinting can help with include account takeovers and money laundering, where spoofing is used to conceal the fraudster’s identity.

Ad data and Tracking

Advertisers and adtech companies use device fingerprinting to identify and track users’ internet history to understand more about the visitor and to show them more personalized ads.

While device fingerprinting tracks users for these purposes, it can also help stop ad-related fraud – for example, affiliate fraud, referral fraud and multi-accounting to achieve these.

How SEON Can Help with Device Fingerprinting

SEON can extract 500+ different parameters from a user’s device, examples of which you can see below as well as, in more detail, in our API Reference.

SEON’s device fingerprinting solutions can be deployed by API or as part of an end-to-end fraud prevention platform. The first step would be to insert the necessary code into your platform. This is done via Javascript, iOS SDK or Android SDK. This code lets us collect parameters about the user, and identify them through the SEON interface.

Note that different integration methods enable different parameters.

For instance, the device and browser screen size isn’t relevant for connections via smartphones and tablets. Similarly, it’s important that the Android SDK extracts info about the device manufacturer, since they are so many of them that it is an identifying feature. Conversely, with iOS, it’s always Apple.

Here are some of the hundreds of data points collected by the SEON engine for device fingerprinting. This list is constantly added to and enriched.

An Example of Successful Device Fingerprinting

Let’s say you are trying to block transaction fraud at your company. Your chargeback rates are too high and your risk team is losing too much time and effort trying to manually review every transaction.

You could integrate a device fingerprinting module as part of your end-to-end fraud detection system, which will also work in combination with other modules.

1. A user goes to your website checkout, looking to buy some items.
2. The SEON system silently collects their device data and finds that their reported screen resolution is impossible. This person is likely to be spoofing their device.
3. The information is fed through your risk rules, which raises the risk score for this transaction.
4. You consider this red flag in conjunction with the rest of their profile, which has been created by the system.

At this stage, you can act accordingly. You could, for instance, automatically block the transaction, always based on your risk preferences. You can also trigger heavier verification checks, such as asking for proof of address. Finally, you could send the transaction for manual review to your fraud analysts, who will use their judgment to accept or reject it. 

SEON allows you to do this, with the added benefit of complete customization of risk rules, fraud scoring and even actions to follow.

Beyond device fingerprinting, the solution’s unique data enrichment functionality gathers real-time data from 50+ online sources to add dozens of points to inform your decision making.

Importantly, SEON’s solutions are industry agnostic, which explains why we have been able to help organizations far and wide – from BNPL company Viabill, which saw a 90% drop in fraudulent registrations, to crowdfunding platform Patreon, which experienced a drop in customer churn.

What Are Hashes and How Do They Help?

One of the most important features of a device fingerprinting tool is the generation of specific hashes to catch fraudsters with more accuracy. You can think of them as unique IDs created based on specific parameters.

• Cookie hash: Creates an ID for each browser session. Clearing the browser cookies and cache and visiting again will generate a new hash. But if multiple users share the same hash, we know that they are clearly using the same browser and device.
• Browser hash: Generates an ID by combining data from the browser, operating system, device and network. This hash remains unchanged even if the user clears their browser cookies and cache, or browses privately. However, a device with multiple browsers installed, or even different browser versions, will generate different hashes.
• Device hash: Offers identification based on the device hardware (e.g HTML5 canvas, audio fingerprinting, GPU, screen data, and so on). While many users can share the same device hash (for instance two iPhone 7 Safari users), this allows us to detect remote desktop connections, virtual machines and emulators. For instance, fraudsters’ favorite tools such as AntiDetect, FraudFox, and Multilogin each generate the same device hash, so every one of their users has the same device hash, making it obvious they are doing so. Moreover, fraudsters using extensions that spoof HTML5 canvas will have very unique IDs – and should therefore be flagged as high risk.

As you can see, they each have their pros and cons.

However, all these hashes become a near-flawless screening tool when they are leveraged together. Fraud analysts can easily create customer profiles that are precise and reliable, or even implement rules that isolate suspicious hashes automatically.

Conclusion: Device Fingerprinting for Fraud Detection

Gleaning such a precise picture of your users’ devices is an incredible tool to improve your fraud detection rate.

However, all this data is only useful if you know how to leverage it. Device fingerprinting is powerful, but it’s nothing without the right insights.

We believe fraud detection should employ a combination of data enrichment, machine learning, and human intelligence.

The first two are something SEON can help you leverage today. As for human intelligence, we sure believe our tools are the first step towards giving fraud managers more control, efficiency, and peace of mind.

Frequently Asked Questions

You might also be interested in reading about

• SEON: 10 Best Fraud Prevention Software and Tools
• SEON: The Ultimate Guide to Reverse Email Lookup and Email Search

Learn more about:

Sources

• Twitter: Chric Blec Tweet on Track DeFi Activity
• Privacy Regulation: Recital 47 EU GDPR