
Definition of Digital Fingerprinting

If you are an owner or C-level executive of an online business, you definitely face the fraud prevention problem. Fraud is an omnipresent threat and only fighting it constantly can prevent it from becoming an omnipotent force. Device fingerprinting is one of the most efficient ways of preventing various types of card-not-present (CNP) fraud — affiliate fraud, friendly fraud, account takeover, triangulation fraud, etc.

While the fingerprinting technology itself is quite simple and harmless, ethical implications of its usage cause fervent discussions on whether it is morally justifiable to use a browser fingerprint at all. As always, there are lots of pros and cons, as well as misconceptions, which blur the judgment.

This article explains what digital fingerprinting is and shows why it is a must for any business aiming to prevent fraud at scale.

What is digital fingerprinting?

To start with, let’s explain what a device, browser, or web fingerprint actually is.

Device fingerprinting technology is named for its resemblance to real-life fingerprints. Instead of tracking customer devices using cookies (small files stored in visitors’ browsers, that can be uploaded only with express user consent under the GDPR and PATRIOT Act — or disabled and deleted at any moment by the user), device fingerprinting relies on actively scanning the user’s device during any session on your website using JavaScript.

Every device has to transmit a plethora of publicly available information for debugging purposes. Should any error occur while using your website, a crash report should be generated and sent to developers responsible for your platform operations. This report should include the device details, like the following:

  • OS version
  • Browser version
  • Screen resolution for mobile devices
  • Plugins and addons used
  • Whether a VPN or the Tor browser is used
  • The IP address assigned to the device
  • Various hardware and software identifiers
  • Many more parameters

This helps the developers emulate the device and try to reproduce the error in a controlled environment in order to be able to fix it in production.

Device fingerprinting simply uses a specific JavaScript snippet to capture all the aforementioned details live, during every connection session from every device.

How does device fingerprinting work?

As you can see, fingerprinting technology involves simply collecting the data every device has to transmit anyway. Therefore, it is not bad or malevolent per se. However, as this does not require the user’s express consent, many consider it a kind of Big Brother tool.

Naturally, no browser fingerprint can provide 100% accuracy of device identification. People update their OS versions and browsers, install and uninstall plugins, lose their phones and buy new ones, and recover their accounts to the same parameters — while their screen resolutions change.

Therefore, there are 2 key components to any device fingerprint — its accuracy and flexibility. They pull against each other, so the more accurate the web fingerprint is, the less flexible it becomes, and vice versa. Naturally, in our dynamic world, where users regularly change their devices and update hardware drivers and software versions all the time, having a 100% accurate device fingerprint is impossible.

Therefore, every time a user logs in to your website or platform, the fingerprinting technology checks the device parameters to confirm the user indeed is who they claim to be. If the system sees the OS version is updated to the latest one, the browser and plugin versions are updated, the IP address is changed, or any other combination of updates, it must decide whether these changes are legitimate or fraudulent.

If only a couple of parameters changed — like the OS and browser now having the latest version — this most likely means that the legitimate user simply updated their device software. However, should the screen resolution change along with the IP address, OS version, and browser version used (add VPN and TOR into the mix, why not), we clearly have an account takeover in progress. In that case, it would be prudent to block the account and contact the account owner via any of the unchanged parameters — like the phone number — for an extra verification via SMS with a one-time password.
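
The decision described in the two paragraphs above can be sketched as a weighted comparison of the stored fingerprint against the one seen at login. This is an added example, not Covery's code: the field names, weights, thresholds and the intermediate step_up tier are assumptions chosen for illustration.

```javascript
// Added example: field names, weights and thresholds are assumptions, not Covery's.
const WEIGHTS = { os: 1, browser: 1, plugins: 1, ip: 2, screen: 3, anonymizer: 3 };

// Compare dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// known: fingerprint stored at the last trusted login; seen: the current session.
function assessLogin(known, seen) {
  const changed = [];
  let score = 0;
  const flag = (name, weight) => { changed.push(name); score += weight; };

  for (const field of ["os", "browser"]) {
    const sameProduct = known[field].name === seen[field].name;
    const cmp = sameProduct ? compareVersions(seen[field].version, known[field].version) : null;
    if (cmp === 0) continue;
    // Same product moving to a newer version is an ordinary update: base weight.
    // A different product or a downgrade is less usual: double weight.
    flag(field, cmp === 1 ? WEIGHTS[field] : WEIGHTS[field] * 2);
  }
  const plugins = (p) => [...p].sort().join(",");
  if (plugins(known.plugins) !== plugins(seen.plugins)) flag("plugins", WEIGHTS.plugins);
  if (known.ip !== seen.ip) flag("ip", WEIGHTS.ip);
  if (known.screen !== seen.screen) flag("screen", WEIGHTS.screen);
  // Only a newly appearing VPN/Tor signal counts; a habitual VPN user is not penalised.
  if (seen.anonymizer && !known.anonymizer) flag("anonymizer", WEIGHTS.anonymizer);

  const decision = score >= 6 ? "block_and_verify_otp" : score >= 3 ? "step_up" : "allow";
  return { decision, score, changed };
}

// Constructed sample fingerprints (IP addresses are from documentation ranges).
const stored = {
  os: { name: "Android", version: "13" }, browser: { name: "Chrome", version: "120.0" },
  plugins: [], ip: "192.0.2.10", screen: "1080x2400", anonymizer: false,
};
const updated = { ...stored, os: { name: "Android", version: "14" }, browser: { name: "Chrome", version: "121.0" } };
const moved = { ...stored, os: { name: "Android", version: "14" }, ip: "203.0.113.5" };
const takeover = {
  os: { name: "Windows", version: "10" }, browser: { name: "Firefox", version: "115.0" },
  plugins: [], ip: "198.51.100.7", screen: "1920x1080", anonymizer: true,
};
```

With these constructed inputs, `assessLogin(stored, updated)` allows the login, `assessLogin(stored, moved)` asks for extra verification, and `assessLogin(stored, takeover)` blocks the account pending a one-time password.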

Conclusion

Now you know what digital fingerprinting is and how it helps unobtrusively keep track of your customers’ devices. While not expressly asking for their permission to do so, it is of immeasurable help in identifying scammers, account takeover attempts, and various fraudulent activities on the fly.

Covery uses device fingerprinting technology as one of the pillars of our end-to-end fraud prevention, risk mitigation, and chargeback management services. Should you have any more questions on how Covery can provide value to your business — contact us, we will be glad to answer!