Device Fingerprinting: what is it and what is it used for?

As a business owner, one of your main tasks is to minimize your expenses while ensuring a superior customer experience. To achieve this goal, you should try to detect and prevent online fraud at the earliest stages, to avoid losses from fraud and costly chargebacks. Device fingerprinting technology is one of your best bets in this regard.

While enshrouded in a variety of myths and misconceptions, web fingerprinting is actually a surprisingly good tool, if used correctly. This is why it is actively used for marketing purposes and to prevent fraud by companies in the US, Canada, and the EU countries like Italy and France. Covery uses device fingerprinting in our daily activities as an enterprise-grade anti-fraud system, so today we share our insights on how fingerprinting technology works.

What is device fingerprinting?

In simple words, it is the creation of a digital fingerprint of a device in order to identify it easily, using its software and hardware markers, just as real-life fingerprints use skin prints for personal identification.

How does it work? Do you recall your desktop applications, websites, and apps asking for permission to send system details in crash reports after some glitch? Developers need this information so they can emulate your device parameters, reproduce the crash, and write a bug fix for it.

Actually, your devices send this information all the time, as a part of HTTP requests. They must inform a server about their OS, web browser version, screen resolution, language preferences, whether any plug-ins, add-ons or VPN tools are running, etc.

They must also provide their IP addresses, geolocation, time zone markers and similar details, so that the server can check these against blocklists and, for example, prevent access from countries under sanctions.

Note that all these details are provided without the user's involvement, and it cannot be done in any other way, as these are technical details needed to establish a connection. Because of this, web fingerprinting is totally legal and ISO27001/GDPR/PATRIOT Act compliant, even though you never expressed your consent to sending this data.

How does device fingerprinting work?

Device fingerprinting technology simply runs a script on an online merchant’s landing pages, which captures these details sent by every device in every data packet during every session. This allows creating a digital fingerprint of this device and identifying it to prevent fraud or as a part of marketing analysis. This fingerprint is described by 2 main parameters: precision and flexibility. These are mutually exclusive, so the more flexible a fingerprint is, the less precise it becomes, and vice versa.

For example, you have a customer who logs in daily using their iPhone 10 or MacBook Pro, using the same IP address and email address, from the same location. Tracking these two devices helps identify this user as reliable and even allows you to reduce some additional verification steps to make their customer experience better. These fingerprints are precise and not flexible, as the user does not install or remove plug-ins over time and does not move around too much, so identification reliability is around 98%.

However, new iOS and macOS versions are released, and both devices update to the latest versions. This introduces some flexibility: while the rest of the markers remain unchanged, some do have to be updated in the profile. Thus, the first login after the update will see identification precision of around 90%, but if the behavioral pattern remains unchanged, the scoring will come back to 98% soon.

Let’s now imagine this user switches to Android (and/or Windows or Linux). The geolocation, login schedule, timezone, email address and phone number, browser version and a plethora of other parameters change, so precision drops to nearly 50%, and their risk score will decrease from “trusted” to “potentially risky”. Of course, it is the customer’s right to switch to any device they want, but your system should still recognize them. Should their behavior remain the same, after a couple of sessions the profile will be updated as described above.

Let’s now imagine someone tries to log in using these credentials from a Xiaomi phone somewhere in the Philippines or China, using a VPN, and tries to reset the password or transfer funds to another card at once. Device fingerprinting technology will immediately alert your anti-fraud system of a potential account takeover fraud, so you can freeze account access, decline transactions and contact the rightful owner, who most likely fell victim to a phishing attack.

This is just a single example, but web fingerprinting is quite complicated and can help detect very elaborate scam schemes and prevent online fraud of multiple types.
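The scenarios above, worked through as an added example (not Covery's code or scoring model): an exact hash of the attributes shows the precise-but-brittle end of the trade-off, and a weighted match shows the flexible end. The attribute names, weights, thresholds and sample sessions are all assumptions constructed for illustration.

```python
import hashlib

# Assumed attribute weights in points (total 100); real systems tune these.
WEIGHTS = {"device_model": 20, "os_family": 15, "os_version": 5, "browser": 10,
           "screen": 10, "language": 5, "timezone": 10, "country": 15,
           "ip_prefix": 10}

def exact_fingerprint(attrs):
    """Precise but inflexible: one changed attribute yields a different ID."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in sorted(WEIGHTS))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def similarity(profile, session):
    """Flexible: points for every attribute that still matches the profile."""
    return sum(w for k, w in WEIGHTS.items()
               if k in profile and profile[k] == session.get(k))

def assess(profile, session, vpn=False, sensitive_action=False):
    """Return (score, label); the 85/35 thresholds are assumptions."""
    score = similarity(profile, session)
    if score >= 85:
        label = "trusted"
    elif score >= 35:
        label = "potentially risky"
    else:
        label = "high risk"
    # Unfamiliar device that goes straight to a password reset or transfer:
    # the account-takeover pattern, so hold the action and verify the owner.
    if label != "trusted" and sensitive_action and (vpn or score < 35):
        label = "block and verify"
    return score, label

# Constructed sample sessions (documentation IP ranges, no real customer data).
PROFILE = {"device_model": "iPhone", "os_family": "iOS", "os_version": "16.1",
           "browser": "Safari", "screen": "1170x2532", "language": "en-US",
           "timezone": "America/New_York", "country": "US",
           "ip_prefix": "203.0.113"}
OS_UPDATE = {**PROFILE, "os_version": "16.2"}
NEW_PHONE = {**PROFILE, "device_model": "Pixel", "os_family": "Android",
             "os_version": "14", "browser": "Chrome", "screen": "1080x2400"}
UNKNOWN = {"device_model": "Xiaomi", "os_family": "Android", "os_version": "13",
           "browser": "Chrome", "screen": "1080x2400", "language": "en-US",
           "timezone": "Asia/Manila", "country": "PH", "ip_prefix": "198.51.100"}

if __name__ == "__main__":
    print(exact_fingerprint(PROFILE), exact_fingerprint(OS_UPDATE))
    print(assess(PROFILE, OS_UPDATE), assess(PROFILE, NEW_PHONE))
    print(assess(PROFILE, UNKNOWN, vpn=True, sensitive_action=True))
```

The OS update changes the exact hash but costs only 5 points in the weighted match, which is why a flexible profile can keep recognizing the same customer while the unfamiliar session is held for verification.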

How does device fingerprinting help protect private information?

As we explained before, device fingerprinting helps identify devices, not people, without the need to invoke additional security checks. It does not store SSN, banking card numbers, and other sensitive information. However, it allows online merchants to detect and prevent online fraud in a timely manner, as we explained above. This way, it protects your customers’ private information. Even if a customer fell victim to some fraud scheme, with device fingerprinting you can be sure you will not be held liable for it and will actually be able to help them recover from the situation, to provide a strong positive customer experience.

Given all that, is browser fingerprinting bad, as mass media often try to persuade you? No, it is the opposite. Unlike cookies, which have to be stored in the local storage of every device, can be disabled in the browser, and can be deleted manually at any moment, device fingerprinting technology is a reliable real-time anti-fraud tool.

Conclusions

While being a relatively new approach to fighting online fraud, device fingerprinting technology is a totally legitimate, predictable, and reliable way to prevent online fraud. Covery uses web fingerprinting to alert its users of potential fraud schemes in a timely manner and as a part of the ongoing fraud prevention strategy. The ability to track devices and analyze updates in their statuses on the fly helps protect sensitive details of your customers, prevent account takeover fraud and safeguard your business from costly expenses.

However, device fingerprinting is just a smaller part of a much bigger antifraud system. Covery helps deal with multiple business tasks — from KYC/AML checks automation to transaction monitoring and fraud prevention on various customer journey stages. To find out about all the value Covery can provide to your business — order a free demo and take a look!

FAQ

What is device profiling against fraud?

It is a continuous process of creating and updating device fingerprints, which allows you to identify fraudulent schemes on the fly and prevent online fraud of various types.

Is browser fingerprinting bad?

No, it is a very useful technology, depending on the way you use it. A knife is a tool that can be used for cooking or committing a crime, which does not make a knife bad.

How does device fingerprinting help protect private information?

It allows identifying users through their devices without requesting sensitive details; it also helps stop account takeover fraud in progress and many other fraud types.