As SEON launches its innovative Chrome extension for data enrichment, we highlight a few of our most efficient fraud detection and prevention tools. We already covered email profiling. Today, it’s all about device fingerprinting.

What is Device Fingerprinting?

Device fingerprinting analyses users’ configurations of software and hardware. It creates a unique ID for each configuration, in order to recognise connections between users and to highlight suspicious devices.

How Does it Work?

When users access your platform, they do it with two tools: a device with a web or mobile application, and an Internet connection that retrieves an IP address. This creates two data sources. They are present at signup, login, checkout, or even when browsing a page. With the right solutions, we can extract useful info from these data points.

Combining knowledge about a browser and device is what we call device fingerprinting. It gives a clear picture of how the user is connecting to your service. It lets us understand user behaviour, and more importantly, flag potential fraudsters.

Why is it Efficient?

Fraudsters often buy or steal long lists of card numbers and login details. To use them, they must employ a trial and error method. The repetitive nature of this process means it’s near impossible to change device every time. They are left with a few options:

• Clear the cache.
• Switch browsers.
• Use private or incognito mode.
• Use virtual machines that make it look like new devices
• Use advanced device spoofing and anti fingerprinting tools such as FraudFox, AntiDetect, Kameleo, Linken sphere or MultiLogin.
• Use emulators to spoof mobile devices.

This is precisely where Device Fingerprinting can help. A user constantly clearing their cache before multiple login attempts points to clear account takeover attempts – if they use different IDs but the same IP address. They want to blur the track to access your website.

Likewise, a user whose device generates an emulator hash should also be considered high risk – they don’t want you to identify them and their data fingerprints and may use browser spoofing.

However, while device fingerprinting is a great anti-fraud tool, it is not always powerful enough. For instance, analyzing IP and device at payment is a good start. But payment information is a lot more likely to yield red flags. Device fingerprinting is therefore a more efficient technique when combined with other methods.

You can read more about examples of browser spoofing and how to detect them here. Click this link for understanding why browser fingerprinting isn’t always enough.

Device Fingerprinting In More Detail

The first step is to integrate SEON’s code into your platform. This is done either via Javascript, iOS SDK or Android SDK. This code lets us collect parameters about the user, and identify them through the SEON interface, including:

• Screen information
• Device build
• OS version
• Installed plugins
• Browser time zone
• Device number
• Battery information
• And much, much more….

See below for some of the 500 different parameters SEON can extract. You can also read our post on browser fingerprinting features here.

Note that different integration methods enable different parameters. For instance, the device and browser screen size isn’t relevant for connections via smartphones and tablets. Similarly, it’s important that the Android SDK extracts info about the device manufacturer since they are so many of them. With iOS, it’s always Apple.

What Are Hashes And How Do They Help?

One of the most important features of our device fingerprinting tool is the generation of specific hashes. You can think of them as unique IDs, created based on specific parameters:

• Cookie Hash: Creates an ID for each browser session. Clearing the browser cookies and cache will generate a new hash. But if multiple users share the same hash, it means they are clearly using the same browser and device.
• Browser Hash: Generates an ID by combining data from the browser, operating system, device and network. This hash remains unchanged, even if the user clears their browser cookies and cache, or browses privately. However, a device with multiple browsers installed, or even browser versions, will generate different hashes.
• Device Hash: Offers an ID based on the device hardware (e.g HTML5 canvas, audio fingerprinting, GPU, screen data and so on). While many users can share the same device hash (for instance two iPhone 7 Safari users), this allows us to detect Remote Desktop Connections, virtual machines or emulators. For instance, fraudster favourites such as AntiDetect, FraudFox, or Multilogin all generate the same device hash. Moreover, fraudsters using extensions that spoof HTML5 canvas will have very unique IDs – and should, therefore, be flagged as high risk.

As you can see, they each have their pros and cons. However, all these hashes become a near-flawless screening tool when they are leveraged together. Fraud analysts can easily create customer profiles that are precise, reliable or even implement rules that isolate suspicious hashes automatically.

Some Of The Collectable Parameters:

With SEON’s JavaScript snippet:

• Cookie hash
• Browser hash
• Unique device hash / identifier
• Timezone of browser and IP
• Operating system detection
• Useragent information
• Private browsing detection
• Operating system, browser languages
• Screen size of device, browser, windows
• Installed fonts and generated hash
• Installed plugins and generated hash
• Battery level
• GPU information
• Cursor, scrolling behaviour
• Browser features: flash, java etc.
• Canvas device fingerprint
• Audio fingerprint
• WebRTC IPs
• DNS: Geo + ISP
• TCP/IP Fingerprint
• Passive SSL/TLS handshake analysis

With the iOS SDK:

• Unique device hash / identifier
• Accessories information
• Audio information
• Battery information
• CPU information
• Advertising Identifier (ADID)
• Device name
• Device orientation
• Unique Device Identifier (UDID)
• iCloud ubiquity token
• iOS version data
• Jailbreak status
• Emulator detection
• Kernel information
• Boot information
• Network configuration
• Pasteboard data
• Memory information
• Proximity sensor data
• Local language
• Local timezone
• Screen brightness
• Screen resolution
• System uptime
• Storage information
• MAC address
• Wifi SSID
• TCP/IP Fingerprint
• Passive SSL/TLS handshake analysis

With the Android SDK:

• Unique device hash / identifier
• Android ID
• Android version data
• Audio information
• Battery information
• Build information
• Carrier information
• CPU information
• Device name
• Storage information
• Emulator detection
• Root status
• Kernel information
• Boot information
• Network configuration
• Pasteboard data
• Memory information
• Proximity sensor data
• Local language
• Local timezone
• Screen brightness
• Screen resolution
• System uptime
• MAC address
• Wifi SSID
• TCP/IP Fingerprint
• Passive SSL/TLS handshake analysis

Is Device Fingerprinting Enough to Stop Fraud?

Not exactly. While it is an incredibly useful tool, it also needs to be combined with other solutions such as data enrichment, custom rules, and IP analysis and tracking to really be effective.

The reason is that fraudsters are aware of how basic device fingerprinting works. In recent years, we’ve seen a surge in anti-device fingerprinting solutions such as web browsers designed specifically to hide the operating-system configurations. 

This is called device spoofing, and we’ve seen an arms race between fraudsters and risk management experts regarding the technology. 

How Does Device Spoofing Work?

Fraudsters who want to bypass device fingerprinting and tracking methods will use a variety of tools such as JavaScript injection. Purpose-built device spoofing browsers, like the Mimic browser, include a canvas poisoning feature that is designed to confuse data readings. By adding noise to certain values, it is supposed to help fraudsters slip under the radar of standard device fingerprinting methods.

Sometimes, the most sophisticated attacks will use a complete recreation of the software and hardware stack. The criminals create a completely virtual environment that changes randomly every time it is switched on to avoid tracking.  While some of these tools are free, many are relatively expensive, which shows they are marketed at organized criminals.

Can Device Fingerprinting Detect Device Spoofing?

For the most part, yes. For instance, a JavaScript injection can be identified using a simple string comparison and other errors and inconsistencies also point to fraudulent usage. 

The latest device fingerprinting tools should be able to find red flags, for instance by creating graphical challenges, as seen with Google’s Picasso method. This asks the devices to replicate some graphics, and measures any inconsistencies to confirm whether the device data actually matches that of a real browser and operating system. 

What Are Examples of Successful Device Fingerprinting for Companies?

Let’s say you are trying to block transaction fraud at your company. Your chargeback rates are too high and your risk team is losing too much time and effort trying to manually review every transaction.

You could integrate a device fingerprinting module as part of your end-to-end fraud detection system, which will also work in combination with other modules.

• A user goes to your online site checkout
• You collect their device data and create an ID hash
• If the hash has never appeared on your site before, it could raise suspicion
• You run a data enrichment module, which confirms that the email address has never been used to register to any social media profiles
• The information is fed through your risk rules, which raises the risk score.

At this stage, you clearly see that many red flags have been raised. You could, for instance, automatically block the transaction based on your risk preferences. You can also trigger heavier KYC checks (know your customer), such as asking for a proof of address, or even a selfie with an ID.

Finally, you could send the transaction for manual review to your team, who will use their judgment to accept or reject it. 

Conclusion

Gleaning such a precise picture of your users’ devices is an incredible tool to improve your fraud detection rate. However, all this data is only useful if you know how to leverage it. Device fingerprinting is powerful, but it’s nothing without the right insights.

As always, we believe fraud detection should employ a combination of data enrichment, machine learning, and human intelligence. The first two are something SEON can help you leverage today. For human intelligence, we sure believe our tools are the first step towards giving fraud manager more control, efficiency, and peace of mind.