Device Fingerprinting: What Is It and How Exactly Does It Work?

Device fingerprinting can be used to stop fraudsters from attempting to hack, break into, or spam websites as well as offer detailed insights into any customer that’s coming onto your website.

Read on to learn more about this fraud prevention technique and how it’s used to protect businesses globally.

What Is Device Fingerprinting?

Device fingerprinting is collecting information about a user’s device, such as which browser they use and on which hardware, as they connect to a website, app or other server. It is done by websites and apps in order to be able to track the user’s actions and visits, and assess whether their intentions are fraudulent or otherwise harmful.

Device fingerprinting analyzes users’ configurations of software and hardware. It creates a unique ID for each configuration, in order to recognize connections between users and to highlight suspicious devices. This is called a device hash.

It’s worth noting that web cookie fingerprinting is entirely different, as those are stored on the client side of the browser whereas the findings of device fingerprinting is stored in a server-side database, making it accessible for merchants.

What Information Is Collected?

Device fingerprinting identifies each user through a range of data points, including:

• IP address
• HTTP request headers
• any installed plugins or fonts
• screen resolution
• battery information
• operating system
• user-agent
• flash data
• VPN and browser information
• time zone and language

How Does Device Fingerprinting Work?

When users access your platform, they do it with two tools: a device with a web or mobile application and an internet connection that retrieves an IP address. This creates two data sources. They are present at signup, login, checkout, or even when browsing a page. With the right solutions, we can extract useful info from these data points.

Combining knowledge about a browser and device is what we call device fingerprinting. It gives a clear picture of how the user is connecting to your service. It helps us understand user behavior, and more importantly, flag potential fraudsters. See how SEON implement device fingerprinting below:

Is Device Fingerprinting Legal?

Yes. Although it’s a contentious subject with privacy advocates, the US doesn’t have specific laws on data protection and the EU’s General Data Protection Regulations (GDPR) only requires companies to gain consent from users before tracking them with cookies. 

Recital 47 of the GDPR legislation, as well as the UK GDPR, details:

“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” 

Therefore, businesses must ensure that they are transparent about the information they will be processing; otherwise, they will become liable to further consequences.

Why Do Companies Use Device Fingerprinting?

Companies use device fingerpinting to stop fraudsters and other bad actors, as well as for cybersecurity and marketing purposes.

Fraudsters often buy or steal long lists of card numbers and login details. To use them, they must employ a trial and error method. The repetitive nature of this process means it’s near impossible to change device every time. They are left with a few options:

• Clear the cache.
• Switch browsers.
• Use private or incognito mode.
• Use virtual machines that make it look like new devices
• Use advanced device spoofing and anti fingerprinting tools such as FraudFox, AntiDetect, Kameleo, Linken sphere or MultiLogin.
• Use emulators to spoof mobile devices.

This is precisely where device fingerprinting can help. A user constantly clearing their cache before multiple login attempts points to clear account takeover attempts, if they use different IDs but the same IP address. They obviously want to blur the track to access your website.

Likewise, a user whose device generates an emulator hash should also be considered high risk – they don’t want you to identify them, and they may be browser spoofing.

However, while device fingerprinting is a great anti-fraud tool, it is not always powerful enough.

For instance, analyzing someone’s IP and device at check out is a good start. But payment information is a lot more likely to yield red flags. Device fingerprinting is therefore more efficient when combined with other fraud prevention methods.

What Are Hashes and How Do They Help?

One of the most important features of a device fingerprinting tool is the generation of specific hashes. SEON’s device tool generates hashes to catch fraudsters with more accuracy. You can think of them as unique IDs created based on specific parameters:

• Cookie hash: Creates an ID for each browser session. Clearing the browser cookies and cache and visiting again will generate a new hash. But if multiple users share the same hash, we know that they are clearly using the same browser and device.
• Browser hash: Generates an ID by combining data from the browser, operating system, device and network. This hash remains unchanged even if the user clears their browser cookies and cache, or browses privately. However, a device with multiple browsers installed, or even different browser versions, will generate different hashes.
• Device hash: Offers identification based on the device hardware (e.g HTML5 canvas, audio fingerprinting, GPU, screen data, and so on). While many users can share the same device hash (for instance two iPhone 7 Safari users), this allows us to detect remote desktop connections, virtual machines andemulators. For instance, fraudster favorite tools such as AntiDetect, FraudFox, and Multilogin each generate the same device hash, so every one of their users has the same device hash, making it obvious they are doing so. Moreover, fraudsters using extensions that spoof HTML5 canvas will have very unique IDs – and should therefore be flagged as high risk.

As you can see, they each have their pros and cons.

However, all these hashes become a near-flawless screening tool when they are leveraged together. Fraud analysts can easily create customer profiles that are precise and reliable, or even implement rules that isolate suspicious hashes automatically.

List of Collectable Parameters

The below are data points collected by the SEON engine for device fingerprinting. This list is constantly added to and enriched.

3 Use Cases for Device Fingerprinting

While the most widely known use case for device fingerprinting is analytics and ad tracking, the technique can be used effectively to mitigate fraud. Let’s look at this in more detail.

Ecommerce Fraud

For merchants, device fingerprinting can do more than just help with ads, as the uniqueness of a person’s fingerprint can show irregularities when attempting an order or other transaction.

Banking Fraud

Within the banking industry, you can utilize device fingerprinting to flag potentially suspicious activity such as when a user logs into a bank account via a different device, location or obscure IP address.

Ad data and Tracking

Advertisers and AdTech companies use device fingerprinting to identify and track users’ internet history to understand more about the visitor and to show them more personalized ads.

How to Implement Device Fingerprinting

With SEON, the first step would be to insert the necessary code into your platform. This is done via Javascript, iOS SDK or Android SDK. This code lets us collect parameters about the user, and identify them through the SEON interface.

Note that different integration methods enable different parameters.

For instance, the device and browser screen size isn’t relevant for connections via smartphones and tablets. Similarly, it’s important that the Android SDK extracts info about the device manufacturer, since they are so many of them that it is an identifying feature. Conversely, with iOS, it’s always Apple.

SEON can extract 500+ different parameters, examples of which you can see above.

Is Device Fingerprinting Enough to Stop Fraud?

Not exactly. While it is an incredibly useful tool, it also needs to be combined with other solutions such as data enrichment, custom rules, and IP analysis and tracking to really be effective.

The reason is that fraudsters are aware of how basic device fingerprinting works. In recent years, we’ve seen a surge in anti-device-fingerprinting solutions such as web browsers designed specifically to hide the operating system configurations. 

This is called device spoofing, and we’ve seen an arms race between fraudsters and risk management experts regarding the technology. 

How Does Device Spoofing Work?

Fraudsters who want to bypass device fingerprinting and tracking methods will use a variety of tools such as JavaScript injection.

Purpose-built device spoofing browsers, like the Mimic browser, include a canvas poisoning feature that is designed to confuse data readings. By adding noise to certain values, it is supposed to help fraudsters slip under the radar of standard device fingerprinting methods.

Sometimes, the most sophisticated attacks will use a complete recreation of the software and hardware stack. The criminals create a completely virtual environment that changes randomly every time it is switched on to avoid tracking.  While some of these tools are free, many are relatively expensive, which shows they are marketed at organized criminals.

Can Device Fingerprinting Detect Device Spoofing?

For the most part, yes. For instance, a JavaScript injection can be identified using a simple string comparison and other errors and inconsistencies also point to fraudulent usage. 

The latest device fingerprinting tools should be able to find red flags.

For instance, by creating graphical challenges, as seen with Google’s Picasso method. This asks the devices to replicate some graphics and measures any inconsistencies to confirm whether the device data actually matches that of a real browser and operating system. 

Examples of Successful Device Fingerprinting for Companies

Let’s say you are trying to block transaction fraud at your company. Your chargeback rates are too high and your risk team is losing too much time and effort trying to manually review every transaction.

You could integrate a device fingerprinting module as part of your end-to-end fraud detection system, which will also work in combination with other modules.

1. A user goes to your online site checkout.
2. You collect their device data and create an ID hash.
3. If the hash has never appeared on your site before, this could raise suspicion.
4. You run a data enrichment module, which confirms that the email address has never been used to register to any social media profiles.
5. The information is fed through your risk rules, which raises the risk score.

At this stage, you clearly see that there are many red flags, so you act accordingly.

You could, for instance, automatically block the transaction, always based on your risk preferences. You can also trigger heavier KYC checks, such as asking for proof of address, or even a selfie with an ID.

Finally, you could send the transaction for manual review to your team, who will use their judgment to accept or reject it. 

Conclusion: Device Fingerprinting for Fraud Detection

Gleaning such a precise picture of your users’ devices is an incredible tool to improve your fraud detection rate.

However, all this data is only useful if you know how to leverage it. Device fingerprinting is powerful, but it’s nothing without the right insights.

We believe fraud detection should employ a combination of data enrichment, machine learning, and human intelligence.

The first two are something SEON can help you leverage today. As for human intelligence, we sure believe our tools are the first step towards giving fraud managers more control, efficiency, and peace of mind.

Frequently Asked Questions

You might also be interested in reading about

• SEON: 10 Best Fraud Prevention Software and Tools
• SEON: The Ultimate Guide to Reverse Email Lookup and Email Search

Learn more about:

Data Enrichment | Fraud Detection API | Fraud Detection with Machine Learning & AI

External Sources

• Twitter: Chric Blec Tweet About Track DeFi Activity
• Privacy Regulation: Recital 47 EU GDPR