Businesses need to know their audience and be able to track their visitors for a variety of reasons, from marketing to scam prevention. However, many people decline cookies when asked and periodically delete the cookies that were stored automatically. As a result, we need an alternative way of observing website visitor activity to ensure reliable fraud prevention.
Device fingerprinting is such a method: it tracks users without relying on cookies. This article explores how digital fingerprinting works, the fingerprint types you might use, and the benefits you gain from device fingerprint technology.
What is a fingerprint?
Let’s start with a definition of fingerprinting:
By analogy with forensic fingerprinting, digital fingerprinting creates a definitive profile of a user, which makes it possible to identify them in ongoing interactions. To do that, businesses use platforms like Covery.ai, which fingerprint the devices customers use to log into your website, enabling future visitor recognition and scam/fraud prevention.
Multiple applications installed on the user’s device often gather a great deal of information about the software and hardware components of that device, including its MAC address and serial numbers of different hardware pieces. Even if these apps are not supposed to transmit this data to external parties, they need to store it for possible debugging — and can provide it if requested correctly. This enables creating multiple digital fingerprint types, including the browser fingerprint.
As web browsers are present by default on any mobile device, details like browser type and version, installed extensions and add-ons, assigned IP address and other information freely provided by the client during every HTTP request allow building a diverse and stable profile of a customer’s device.
Diversity and stability are essential characteristics of a device fingerprint. Diversity is the range of device characteristics that allow pinpointing a specific device:
- Screen resolution
- Browser version
- User agent type
- Local timezone
- CPU architecture
- List of plugins
- Language
However, diversity and stability are mutually exclusive, as whenever a user adjusts any of the parameters, the diversity grows but the stability decreases. Thus, device fingerprinting cannot be a definitive method of user authentication and must be used as a part of larger fraud prevention measures and workflows.
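The trade-off described above can be seen in a short sketch. This JavaScript is an added example, not Covery's code: the attribute names, weights, 0.8 threshold and sample devices are assumptions constructed for illustration, and FNV-1a stands in for whatever hash a real product uses.

```javascript
// Added example. Attributes follow the article's list; the weights are assumed.
const WEIGHTS = {
  screenResolution: 1, browserVersion: 1, userAgentType: 2, timezone: 1,
  cpuArchitecture: 2, plugins: 2, language: 1,
};

// Normalize one value; plugin lists are sorted so enumeration order is irrelevant.
const norm = (v) => (Array.isArray(v) ? [...v].sort().join(",") : String(v ?? ""));

// Canonical string with a fixed key order, so equal attributes always hash equally.
function canonicalize(attrs) {
  return Object.keys(WEIGHTS).map((k) => `${k}=${norm(attrs[k])}`).join("|");
}

// FNV-1a (32-bit), a non-cryptographic hash used here only as a compact ID.
function fingerprintId(attrs) {
  let h = 0x811c9dc5;
  for (const ch of canonicalize(attrs)) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Weighted share of attributes that still match (0 = nothing, 1 = everything).
function similarity(a, b) {
  let matched = 0, total = 0;
  for (const [k, w] of Object.entries(WEIGHTS)) {
    total += w;
    if (norm(a[k]) === norm(b[k])) matched += w;
  }
  return matched / total;
}

// Exact ID match first, then fall back to similarity; 0.8 is an assumed threshold.
function classify(known, seen, threshold = 0.8) {
  if (fingerprintId(known) === fingerprintId(seen)) return "exact";
  return similarity(known, seen) >= threshold ? "probable" : "unknown";
}

// Constructed sample observations (not real visitor data).
const stored = { screenResolution: "1920x1080", browserVersion: "120.0",
  userAgentType: "Firefox/Linux", timezone: "Europe/Kyiv", cpuArchitecture: "x86_64",
  plugins: ["pdf-viewer", "widevine"], language: "en-US" };
const afterUpdate = { ...stored, browserVersion: "121.0", plugins: ["widevine", "pdf-viewer"] };
const otherDevice = { screenResolution: "390x844", browserVersion: "120.0",
  userAgentType: "Safari/iOS", timezone: "America/Chicago", cpuArchitecture: "arm64",
  plugins: [], language: "es-MX" };

console.log(classify(stored, afterUpdate), classify(stored, otherDevice));
```

A browser update alone changes the exact ID, so the sketch falls back to a similarity score; a "probable" result is a risk signal to combine with other checks, not an authentication decision.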
How do fingerprints work?
Even if a visitor uses a VPN and other measures to hide their IP address and prevent authentication, diverse and stable data on the device can be obtained by examining the protocols the device uses to transmit data. Based on the Open Systems Interconnection (OSI) model, there are a variety of protocols developers can harness when fingerprinting devices:
- OSI Layer 2: CDP
- OSI Layer 3: IPv4, IEEE 802.11, IPv6, ICMP
- OSI Layer 4: TCP/IP
- OSI Layer 5: SNMP, NetBIOS
- OSI Layer 7: SMB, FTP, HTTP, TLS/SSL, DHCP
This is extremely helpful in various scenarios, such as when multiple devices access your website from a single IP address (a PC, a laptop, a tablet, a couple of smartphones, etc.) and you have to load an appropriate website version for every device. Even Google Analytics running on your website uses device fingerprinting to allow you to sort your website traffic by demographics, device type, etc.
As we mentioned earlier, the most important application of digital fingerprinting is to prevent various types of fraud and scams:
- synthetic identity theft
- credit card-not-present fraud
- click fraud in marketing
- phishing
- spoofing
- account takeover
- friendly and affiliate fraud
- merchant fraud, etc.
This is done by processing information provided by client-side scripting languages like JavaScript. For example, Canvas fingerprinting (named after the HTML5 canvas, used to render 2D and 3D graphics) identifies a device through its GPU characteristics even if a fraudster uses a VPN, proxy, or a spoofing platform to hide their tracks. If a device does not have a graphics card, it provides the CPU parameters instead, so a device fingerprint still works even when IP fingerprinting is impossible (as in a public library or another local network, where multiple devices have the same external IP address).
Conclusions
Using digital fingerprinting technology is essential for any business with customer-facing online systems (e-Commerce, sports betting, gambling, dating, etc.) to simplify customer tracking and mitigate fraud. However, simply fingerprinting devices is not enough to ensure security from fraud. Digital fingerprinting must work as one of multiple features aimed at maximizing the efficiency of marketing efforts and minimizing the risks your business faces.
Covery provides device fingerprinting alongside KYC/KYB/AML verification and other features to help provide a positive experience for your users while mitigating risks of fraud and chargebacks. Should you like to benefit from these features — contact us, we will be glad to answer any questions!