Device Fingerprinting: A Crucial Tool in the Fight Against Fraud
You might already be familiar with device fingerprinting as a tool for conducting market research and tracking customer preferences. However, did you know that it can also be a powerful fraud prevention tool?
Merchants and financial institutions are turning to device fingerprinting to track down fraudsters. So today, let’s examine how this works. We’ll see how effective it is at stopping eCommerce fraud, and also explore some scenarios in which this practice may be less than helpful.
Recommended reading
- What is Geolocation? A Key Anti-Fraud Tool for 2024
- What are Velocity Checks? How Do They Stop Fraud Attacks?
- ECI Indicators: How to Understand 3DS Response Codes
- Proxy Piercing: How Merchants Can Use it to Prevent Fraud
- The Top 10 Fraud Detection Tools You Need to Have in 2024
- Card Verification Values: What Are CVVs & How Do They Work?
What is Device Fingerprinting?
Device fingerprinting is a forensic technique used to identify a device. The methodology can gather unique information based on device configurations, as well as hardware and installed software. Each piece of data helps create a unique picture of the device in question, like the lines of a human fingerprint.
Device fingerprinting gives you the ability to block devices associated with known bad actors. You can also pinpoint suspicious activity that may suggest fraud and block those transactions.
In turn, this generates valuable data that can help you build out your fraud prevention strategy going forward. It's a more accurate way of detecting and preventing third-party criminal fraud attacks.
Most businesses already use device fingerprinting in some way. For example, many employ the technique to track users for marketing or analytics purposes. Tracking customers’ activities on your site can also help you identify opportunities for improvement, helping you provide a better overall customer experience.
How Device Fingerprinting Works
When users access your platform, they do it with two basic tools: a device running a web browser or mobile application, and an internet connection that is assigned an IP address. This creates two data sources. Both are present at signup, login, checkout, or even while browsing a page. With the right solutions, you can extract useful information from these data points.
Combining knowledge about a browser and device is what we call device fingerprinting. It gives a clear picture of how the user is connecting to your service. It helps us understand user behavior, and more importantly, flag potential fraudsters.
Anytime a user visits a site, that individual leaves behind clues about their activity. IP address, for instance, is a commonly-known example of this digital forensic data. However, there are hundreds of potential indicators you can use to identify individual devices. You can identify users and track their activities based on:
- Screen resolution
- Browser version
- User-agent
- Local time zone
- CPU architecture
- Plugins installed
- Language
- IP address
- HTTP request headers
- Operating system
- Installed fonts
- Timestamp
- Touch support
- Flash plugin data
None of these data points in isolation are reliable indicators to track down a user’s activity. When combined, however, these clues can help create a profile of the individual user based on the device used to access the site. These profiles can be surprisingly revealing about the user’s activity.
Device Fingerprinting & Privacy Concerns
As you might have guessed, any technique that collects this much data about users is bound to stir up privacy concerns among the general public.
Device fingerprinting can reveal a great deal about a user from the first page load, before the user has done anything. So, it’s no surprise that privacy advocates and legislators have raised objections. In the US, the concern is sharpened by the general lack of specific protections for online data privacy.
This matters because fingerprinting is invisible to the user, especially on a mobile device: unlike a cookie banner, nothing signals that collection is happening, so users get no opportunity to decline or turn the technology off before their data is collected.
In the UK and EU, the General Data Protection Regulation (GDPR, retained in the UK as the UK GDPR) requires merchants to obtain explicit user consent before setting cookies for a particular session. Device fingerprinting is not mentioned by name in the law. However, the GDPR defines “the processing of personal data” very broadly, so merchants will need to comply with the following criteria:
- Express user consent is given to utilize the platform
- The information collected must be strictly used to protect the user’s private data
- The information collected cannot pertain to marketing or promotional purposes without express consent
Device Fingerprinting Vs. Cookies: What’s the Difference?
You might be asking: how is device fingerprinting different from the use of cookies to track user data? It can be helpful here to draw a distinction between the two.
Device fingerprinting is similar to browser cookies but more robust and detailed; it’s also longer-lasting, as users can easily delete cookies. In fact, in the wake of legislation like the GDPR, it’s now easy for customers to stop individual sites from using cookies altogether.
Device fingerprinting doesn’t have this limitation. A cookie is an identifier stored on the user’s machine, which the user can delete; a fingerprint is derived from attributes the browser and device expose on every connection, so there is nothing on the user’s side to clear. The specific information nodes are communicated between devices according to one of three approaches:
Device fingerprinting has many uses for merchants, but its primary utility is fraud prevention. So, although the technique does offer significant marketing potential, consumers should not be worried: its main purpose is to detect and deter acts of fraud.
Device Fingerprinting & Fraud Prevention
Let’s assume that you’re using IP addresses to try and eliminate fraud. When you identify a transaction as fraudulent, you can isolate the IP address associated with the buyer and blacklist that individual. That sounds easy enough, right?
Unfortunately, it’s not always that simple. For instance, you could have numerous devices using the same IP address. Libraries and universities are good examples of this. In either case, you could have hundreds—or even thousands—of different devices all sharing the same IP address. Trying to ban one user based on the associated IP address could mean inadvertently banning thousands of legitimate customers.
Fraudsters may also use tools like VPNs or proxy servers to change their IP address at will. So, while IP address is a useful fraud management indicator, it can’t be your primary one. You need information on the individual device responsible for a transaction. This is where the device fingerprinting comes in.
Device fingerprinting lets you give each device a unique ID. By drilling down to the device level, you get a much more detailed picture of your buyer. Employing device fingerprinting to intercept bad transactions and ban fraudsters can give you a much more in-depth picture than other fraud tools.
Device fingerprinting can help stop a range of different fraud tactics. Take click fraud, for example. If you’re engaged in affiliate marketing, device fingerprinting can help you spot bad traffic and ban those fraudsters from your network.
There are a number of dedicated third-party vendors who offer device fingerprinting as a service. Partnering with a technology vendor would give you the power to analyze users’ intents and behaviors based on established fraud warning signs. You can flag transactions that are likely to be malicious and prevent those purchases from going through.
Device Fingerprinting is Not Foolproof
So, while device fingerprinting can have great potential for mining user data for marketing purposes, you have to gain explicit consent from your users beforehand. That’s why its best application is as a tool to fight and prevent fraud.
Having said that, we also have to note that device fingerprinting is not a foolproof solution, and there are a number of ways that fraudsters can subvert detection. A fingerprint changes with any alteration to the device being fingerprinted: every software update, every plugin installation, and even something as simple as a time-zone change alters the record to some degree. Fraudsters can induce the same drift on purpose, for example by changing the user agent, language, or screen settings, or by running in a fresh virtual machine, so that their device no longer matches the one you blocked.
Also, device fingerprinting is generally a reactive solution. You’re only able to flag and blacklist dangerous devices based on past instances of successful fraud. You’re always going to be a step behind the criminals trying to take advantage of you.
Predictive modeling can help address these shortcomings, at least to some degree. Unfortunately, the technology is still nowhere near advanced enough to provide reliable, foolproof predictive conclusions. You’ll always risk rejecting legitimate buyers while fraudsters slip by unnoticed.
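One way to absorb the ordinary drift described above without letting a blocked device walk straight back in, as an added example that is not part of the original article: compare the individual attributes of a new visit against a stored profile with per-attribute weights, and link the two when enough weight agrees, instead of demanding an identical hash. The weights, the threshold, and the three sample visits are assumed values for illustration. The example also shows the limit the article warns about: a partial spoof is still linked to the blocked profile, but a fraudster who changes enough attributes drops below the threshold and evades the match.

```javascript
// Added example (not from the original article): drift-tolerant matching of a
// new visit against a stored device profile. Weights and threshold are assumed.
const WEIGHTS = {
  userAgentFamily: 3, os: 3, cpuArch: 2, screen: 2, touch: 1,
  language: 1, timezone: 1, fonts: 3, plugins: 1,
};
const LINK_THRESHOLD = 0.8; // fraction of total weight that must agree (assumed)

// Strip version numbers so "Chrome/120.0" and "Chrome/121.0" compare equal:
// a browser update should not break the link to a device's history.
function uaFamily(ua) {
  return String(ua).replace(/\/[\d.]+/g, '/x').toLowerCase();
}

// Jaccard similarity for set-valued attributes (installed fonts, plugins).
function jaccard(a, b) {
  const A = new Set(a.map((s) => String(s).toLowerCase()));
  const B = new Set(b.map((s) => String(s).toLowerCase()));
  if (A.size === 0 && B.size === 0) return 1;
  let inter = 0;
  for (const x of A) if (B.has(x)) inter++;
  return inter / (A.size + B.size - inter);
}

// Similarity of one attribute, in [0, 1].
function attrSimilarity(name, a, b) {
  if (name === 'fonts' || name === 'plugins') return jaccard(a ?? [], b ?? []);
  if (name === 'userAgentFamily') return uaFamily(a) === uaFamily(b) ? 1 : 0;
  return String(a).toLowerCase() === String(b).toLowerCase() ? 1 : 0;
}

// Weighted similarity of two signal maps. Also returns the attributes that
// disagreed, so an analyst can see why a visit was or was not linked.
function compare(stored, observed) {
  let agreed = 0, total = 0;
  const changed = [];
  for (const [name, w] of Object.entries(WEIGHTS)) {
    const key = name === 'userAgentFamily' ? 'userAgent' : name;
    const s = attrSimilarity(name, stored[key], observed[key]);
    agreed += w * s;
    total += w;
    if (s < 1) changed.push(name);
  }
  const score = agreed / total;
  return { score, linked: score >= LINK_THRESHOLD, changed };
}

// Constructed profile of a device that was blocked after confirmed fraud.
const blockedProfile = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0',
  os: 'Windows 10', cpuArch: 'x86_64', screen: '1920x1080', touch: false,
  language: 'en-US', timezone: 'America/New_York',
  fonts: ['Arial', 'Calibri', 'Segoe UI', 'Tahoma'],
  plugins: ['PDF Viewer'],
};

// 1. Natural drift: browser updated, user travelled to another time zone.
const drifted = {
  ...blockedProfile,
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0',
  timezone: 'Europe/London',
};

// 2. Partial spoof: only the user agent was changed. Still linked.
const partialSpoof = {
  ...blockedProfile,
  userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1',
};

// 3. Fuller spoof: user agent, language, time zone and reported screen size all
//    changed. Enough weight disagrees that the match is lost.
const fullSpoof = {
  ...partialSpoof,
  language: 'fr-FR', timezone: 'Europe/Paris', screen: '1440x900',
};

// 4. A genuinely different machine (fresh Linux VM, different font set).
const freshVm = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0',
  os: 'Linux', cpuArch: 'x86_64', screen: '1280x800', touch: false,
  language: 'en-US', timezone: 'America/New_York',
  fonts: ['DejaVu Sans', 'Liberation Serif'], plugins: [],
};

console.log('drifted      ', compare(blockedProfile, drifted));
console.log('partial spoof', compare(blockedProfile, partialSpoof));
console.log('full spoof   ', compare(blockedProfile, fullSpoof));
console.log('fresh VM     ', compare(blockedProfile, freshVm));
```

Lowering the threshold would catch the fuller spoof as well, but it also raises the chance of linking two different legitimate customers who happen to share common hardware and software, which is exactly the false-positive risk the text describes.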
Device Fingerprinting & First-Party Fraud
Having said all that, there is another value-add to consider here. Unlike most fraud detection tools, device fingerprinting may have some utility against friendly fraud attacks.
With friendly fraud, the attacker is not some masked cybercriminal lurking in an underground basement. Instead, the fraudster is a legitimate customer who files an illegitimate post-transactional dispute against a merchant. These typically occur either accidentally or intentionally and, in either case, end up costing the merchant time and money.
When it comes to stopping friendly fraud, most tools and tactics are useless on their own. But, in the event that a known buyer engages in friendly fraud by claiming a transaction was invalid, device fingerprinting could help you. You can fight the dispute claim through representment, using device fingerprinting as compelling evidence in your case.
Even so, friendly fraud is extremely difficult to predict or identify, let alone prove. There’s no guarantee that the bank will accept your evidence over the cardholder’s claim.
Wise merchants understand that there is no one-size-fits-all solution for fraud and chargeback protection. Even the most well-prepared businesses can still be targeted by fraud of every stripe and style. So it’s always a good idea to plan ahead for any eventuality and layer up as many solutions as possible for your business.
A Multi-Layered Strategy is Best
Here’s the bottom line: device fingerprinting is a useful and effective tool for reactive fraud management. But, while it can stop some bad actors, it won’t be able to intercept every scammer.
Fraud is a dynamic and constantly-evolving problem. Fraudsters can use a variety of different tactics and approaches to steal from you and your customers.
Device fingerprinting should be one part of a more comprehensive strategy to identify and stop fraud. It’s designed to work alongside other fraud tools and tactics, including (but not limited to):
- Address Verification Service (AVS)
- CVV Verification
- Geolocation
- Velocity Checks
- Biometrics
- Affiliate fraud screening
Data from all these fraud management tools and tactics should be examined in context by submitting each transaction to dynamic fraud scoring. This will produce a simple, data-driven figure determining the relative risk posed by each transaction. You can then reject risky transactions either automatically or on a case-by-case basis.
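The layering described in this section and the IP-address problem raised earlier (shared IPs, fraudsters changing IPs at will), as an added example that is not part of the original article: a transaction scorer that keys its blocklist and velocity checks on the device ID, treats a blocked IP as only a weak signal once many distinct devices have been seen behind it, and folds AVS and CVV results into one score with accept, review and reject bands. The blocklists, weights, thresholds and the scenario transactions are all constructed for illustration.

```javascript
// Added example (not from the original article): combining the device ID with
// IP, velocity and card checks into one risk score per transaction.
// Every list, weight and threshold below is an assumed value.
const BLOCKED_DEVICES = new Set(['dev-7f3a']);  // device IDs from past confirmed fraud
const BLOCKED_IPS = new Set(['203.0.113.7']);   // IPs from past confirmed fraud
const SHARED_IP_MIN_DEVICES = 20;  // this many devices behind one IP => NAT / campus
const VELOCITY_WINDOW_MS = 10 * 60 * 1000;
const VELOCITY_MAX = 3;            // more than this per device in the window is suspicious

// State a real system would keep in a datastore: devices seen per IP, and
// recent transaction timestamps per device.
function newState() {
  return { devicesPerIp: new Map(), recentByDevice: new Map() };
}

function recordSighting(state, tx) {
  if (!state.devicesPerIp.has(tx.ip)) state.devicesPerIp.set(tx.ip, new Set());
  state.devicesPerIp.get(tx.ip).add(tx.deviceId);
  if (!state.recentByDevice.has(tx.deviceId)) state.recentByDevice.set(tx.deviceId, []);
  state.recentByDevice.get(tx.deviceId).push(tx.at);
}

// Score one transaction. Returns the score, the decision and the reasons so a
// manual reviewer can see which layer fired.
function scoreTransaction(state, tx) {
  const reasons = [];
  let score = 0;

  // Layer 1: device ID. A blocked device stays blocked even on a brand-new IP.
  if (BLOCKED_DEVICES.has(tx.deviceId)) { score += 100; reasons.push('blocked device'); }

  // Layer 2: IP address. Only a weak signal when the IP is shared by many
  // devices (library, university, carrier NAT): a hard block would hit all of them.
  if (BLOCKED_IPS.has(tx.ip)) {
    const seen = state.devicesPerIp.get(tx.ip)?.size ?? 0;
    if (seen >= SHARED_IP_MIN_DEVICES) { score += 10; reasons.push('blocked IP (shared)'); }
    else { score += 60; reasons.push('blocked IP'); }
  }

  // Layer 3: velocity, counted per device rather than per IP.
  const recent = (state.recentByDevice.get(tx.deviceId) ?? [])
    .filter((t) => tx.at - t <= VELOCITY_WINDOW_MS);
  if (recent.length >= VELOCITY_MAX) {
    score += 40;
    reasons.push(`velocity ${recent.length + 1} in window`);
  }

  // Layer 4: card checks.
  if (tx.avsMatch === false) { score += 20; reasons.push('AVS mismatch'); }
  if (tx.cvvMatch === false) { score += 30; reasons.push('CVV mismatch'); }

  recordSighting(state, tx);
  const decision = score >= 80 ? 'reject' : score >= 40 ? 'review' : 'accept';
  return { score, decision, reasons };
}

// Constructed scenario covering the three cases discussed in the article.
function runScenario() {
  const state = newState();
  const t0 = Date.parse('2024-03-01T10:00:00Z');
  // 25 distinct devices were seen behind the blocked campus IP an hour ago,
  // so that IP is now treated as shared.
  for (let i = 0; i < 25; i++) {
    recordSighting(state, { deviceId: `campus-${i}`, ip: '203.0.113.7', at: t0 - 3600e3 });
  }
  const results = {};
  // a) Known bad device returns from a fresh VPN IP with clean card data.
  results.blockedDeviceNewIp = scoreTransaction(state,
    { deviceId: 'dev-7f3a', ip: '198.51.100.4', at: t0, avsMatch: true, cvvMatch: true });
  // b) Legitimate student buying from the shared campus IP.
  results.studentOnSharedIp = scoreTransaction(state,
    { deviceId: 'campus-3', ip: '203.0.113.7', at: t0 + 1000, avsMatch: true, cvvMatch: true });
  // c) Unknown device hammering checkout with CVV mismatches (card testing).
  let last;
  for (let i = 0; i < 4; i++) {
    last = scoreTransaction(state,
      { deviceId: 'dev-new', ip: '192.0.2.9', at: t0 + i * 30e3, avsMatch: true, cvvMatch: false });
  }
  results.cardTester = last;
  return results;
}

console.log(runScenario());
```

Case (a) is rejected on the device ID alone, regardless of the new IP; case (b) scores low because the blocked IP is known to be shared; case (c) reaches the review band on its fourth attempt through velocity plus the CVV mismatch, without any prior blocklist entry.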
FAQs
What is device fingerprinting used for?
Device fingerprinting is a forensic technique used to identify a device. The methodology can gather unique information based on device configurations, as well as hardware and installed software. Each piece of data helps create a unique picture of the device in question, like the lines of a human fingerprint.
How does device fingerprinting work?
Anytime a user visits a site, that individual leaves behind clues about their activity. IP address, for instance, is a commonly-known example of this digital forensic data. However, there are hundreds of potential indicators you can use to identify individual devices. Some of these include screen resolution, browser version, local time zone, and CPU architecture, just to name a few.
Is device fingerprinting legal?
Yes. Device fingerprinting is legal, but there are caveats. In the EU and UK, for example, express consent must be obtained before a user device can be fingerprinted and that user’s data leveraged for any reason.
In the US, there is to date no explicit federal regulation that specifically governs device fingerprinting. As always, though, we urge merchants to exercise caution and prudence by making the fingerprinting process as transparent as possible.
Are device fingerprinting and cookies the same thing?
Device fingerprinting is similar to browser cookies but more robust and detailed. It’s also longer-lasting, as users can easily delete cookies. In fact, in the wake of legislation like the GDPR, it’s now easy for customers to stop individual sites from using cookies altogether.
Device fingerprinting doesn’t have this limitation. A cookie is an identifier stored on the user’s machine, which the user can delete; a fingerprint is derived from attributes the browser and device expose on every connection, so there is nothing on the user’s side to clear.
Is device fingerprinting effective against fraud?
Yes. Device fingerprinting lets you give each device a unique ID. By drilling-down to the device level, you get a much more detailed picture of your buyer. Employing device fingerprinting to intercept bad transactions and ban fraudsters can give you a much more in-depth picture than other fraud tools.
Device fingerprinting can be useful in preventing a range of different fraud tactics. Take click fraud, for example: if you’re engaged in affiliate marketing, device fingerprinting can help you spot bad traffic and ban those fraudsters from your network.
Can device fingerprinting replace other fraud tools?
Device fingerprinting is a useful and effective tool for reactive fraud management. But, while it can stop some bad actors, no single tool can intercept every scammer.
Fraudsters can use a variety of different tactics and approaches to steal from you and your customers. This is why device fingerprinting should be one part of a more comprehensive strategy to identify and stop fraud.