Device Fingerprinting: How It Works
By Joseph Greenwood
A device fingerprint offers a way to uniquely identify a remote computing device or user. Unlike cookies, which can be turned off or may be unavailable due to private browsing, device fingerprinting offers eCommerce professionals a valuable tool to increase security and fraud prevention. Read on to learn more.
HTTP Identification of Devices
Since the beginning of the web, and the ‘stateless’ HTTP protocol, understanding who is at the other end of a web request has always been a challenge. HTTP, because it is a stateless protocol, aims to deliver a single answer (web page) to a single question (URL). The server doesn’t maintain session information about each partner over multiple requests. This architectural design principle is responsible for the vast scalability, adoption, and performance of the web as we know it today.
As the web moved beyond stateless websites and advanced to web applications, there was a need to tie a ‘state’ to the many request/response combinations coming from the same browser. Having a state makes it possible to log in to and log out of a web application, delivers uniqueness to an individual consumer, maintains items in a shopping cart, and allows analytics to be collected across an entire session as a user employs the application. The problem, however, is that HTTP is designed specifically not to be able to do this.
To create a ‘state’ from a ‘stateless’ protocol the HTTP ‘cookie’ was invented. The website sends a cookie to the browser on the first request. The browser passes back the same cookie to a website on subsequent requests which the website can then use to correlate sessions across requests. This simple yet powerful mechanism is the technology behind all eCommerce sites, bank and financial web applications, social media logins, and much more. A consumer can remove their session from a website by ‘clearing’ their cookies or by using private browsing. Once the browser stops sending that unique cookie to the website, the website no longer has the session and a new, empty state is created.
Unfortunately, since everything rests on the cookie, if it is sent unsecured, an attacker can intercept this sensitive piece of data and begin sending it from their own browser or script. The server cannot differentiate the hacker from the authenticated customer, and the session has been effectively hijacked.
In general, cookies are useful for maintaining state, but they do not tell us much about who or what might be tied to that state. They can be compromised by fraudsters as well as simply deleted from a browser. All modern browsers enable ‘private browsing,’ which instantly removes cookies and any associated state.
Getting To Know You
Enter ‘device fingerprinting’. It attempts to go beyond normal ‘session’ identity tactics and looks for unconventional ways to identify true human interaction.
These days, there is a virtual goldmine of information beyond the cookie that a browser sends to a web server when a web request is made. This information is not considered personally identifiable information but can provide a fairly reliable indicator of unique device identity.
Device fingerprinting services will look at any combination of the following types of data points:
- IP address
- HTTP request headers
- User Agent string
- Navigator object (installed plug-ins)
- Client time zone
- Screen resolution
- Flash data provided by Flash plug-in
- List of installed fonts (Flash)
- Silverlight data
- List of installed plug-ins
- List of MIME types
Even further, based on the data above, additional data points can be obtained (see a list of data points gathered from your device or browser). By utilizing geolocation in the browser combined with Google reverse geocoding services, even a physical address can be obtained!
The algorithm used by fingerprinting providers puts together hundreds of data points like these, assigns a unique fingerprint (unique hash) to this combination, and stores it in their fingerprint database. Fingerprints can also be ‘linked’ to other fingerprints to identify patterns of ‘like’ fingerprints coming from a similar source. It is also possible to tie the consumer’s identity to multiple devices.
Fighting the Fraudsters
Fingerprinting provides a unique set of varying data points tied to a particular device, a fingerprint that names that set, and a way to easily compare that fingerprint to similar fingerprints. It can therefore be used to determine who is attempting to execute multiple fraudulent credit card transactions by changing the credit card, the card name, or even faking an IP address. Fingerprint analysis also gives visibility into fraudulent requests to a website that come from the same device but through different network proxies.
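The hashing step described under "Getting To Know You" and the repeat-device check described above can be sketched together as follows. This is an added example, not a fingerprinting vendor's algorithm or code from the original article; the field names, the choice to leave the IP address out of the hash, the thresholds, and the sample orders are all assumptions constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Attributes hashed into the fingerprint (assumed field names). The IP address is
# left out so the hash stays stable when the device moves between network proxies.
FINGERPRINT_FIELDS = ("user_agent", "timezone", "screen", "plugins", "fonts")

def fingerprint(attrs):
    """Return a stable SHA-256 hex digest for a device's attribute set."""
    canonical = {}
    for field in FINGERPRINT_FIELDS:
        value = attrs.get(field, "")
        # Sort list-valued attributes so enumeration order does not change the hash.
        canonical[field] = sorted(value) if isinstance(value, list) else value
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(encoded.encode("utf-8")).hexdigest()

def flag_suspicious(orders, max_cards=2, max_ips=2):
    """Group orders by fingerprint; flag devices exceeding card or IP thresholds."""
    seen = defaultdict(lambda: {"cards": set(), "ips": set(), "orders": []})
    for order in orders:
        entry = seen[fingerprint(order["device"])]
        entry["cards"].add(order["card_last4"])
        entry["ips"].add(order["ip"])
        entry["orders"].append(order["order_id"])
    return {
        fp: entry for fp, entry in seen.items()
        if len(entry["cards"]) > max_cards or len(entry["ips"]) > max_ips
    }

# Constructed sample data: one device cycling cards and proxies, one normal customer.
DEVICE_A = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "timezone": "UTC+2",
            "screen": "1366x768", "plugins": ["pdf", "flash"], "fonts": ["Arial", "Courier"]}
DEVICE_B = {"user_agent": "Mozilla/5.0 (Macintosh)", "timezone": "UTC-5",
            "screen": "2560x1440", "plugins": ["pdf"], "fonts": ["Helvetica"]}
ORDERS = [
    {"order_id": 1001, "ip": "198.51.100.10", "card_last4": "1111", "device": DEVICE_A},
    {"order_id": 1002, "ip": "203.0.113.25", "card_last4": "2222",
     "device": dict(DEVICE_A, plugins=["flash", "pdf"])},  # same device, plug-ins reordered
    {"order_id": 1003, "ip": "192.0.2.77", "card_last4": "3333", "device": DEVICE_A},
    {"order_id": 1004, "ip": "198.51.100.200", "card_last4": "4444", "device": DEVICE_B},
]

if __name__ == "__main__":
    for fp, entry in flag_suspicious(ORDERS).items():
        print(fp[:12], sorted(entry["cards"]), sorted(entry["ips"]), entry["orders"])
```

Orders flagged this way would go to the review queue rather than being cancelled automatically, since shared or identically configured machines can produce the same fingerprint.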
Highly sensitive transactions such as eCommerce payment transactions, or logging into a bank or financial transactional website will benefit from utilizing a device fingerprint to help isolate fraudulent patterns and stop them before they cause damage. From an eCommerce perspective, suspected fraud on an order typically causes it to move to a review queue for further analysis. Examining the fingerprint information plays a key part in determining if that order should be canceled or released to fulfill.
Fingerprinting largely works on the principle that normal customer fingerprints are predictable, while fraudulent customers utilizing evasive techniques stand out from the crowd.
Not All Fingerprinting is the Same
Since fingerprinting depends entirely on what data elements are collected, each vendor must consider what types of data they collect and how they specifically tie fingerprints to devices.
From a legal standpoint, device fingerprinting is still a rather gray area in that it depends on what information goes into the fingerprint. Fighting fraud is one thing, but device fingerprinting for marketing and analytics purposes is another.
In the EU, for example, the opinion of the Article 29 Working Party (which is responsible for the EU Cookie rules) is that device fingerprinting should be treated by a website as equivalent to cookies in terms of requirements for gaining user consent. Simply stated, a consumer must specifically opt in after being informed.
Device fingerprinting technology helps eCommerce retailers avoid fraudulent activity by singling out atypical behavior. To determine the best approach to enhance online security for your business, stay informed of best practices and review how your eCommerce platform handles payment processing. To learn more about how new fraud prevention measures will affect your online store, please feel free to contact LYONSCG.