What is device fingerprinting, and how does it identify fraud?

Quick Hits: 

• Device fingerprinting, or browser fingerprinting, is the process by which device data is gathered to create an accurate device profile to track a user’s activity online. 
• Device fingerprinting can supply additional details that regular cookies do not, making it an effective tool for fighting cybercriminals who employ spoofing attacks. 

Almost no one is excited when they learn that their online data is being gathered by companies. Device fingerprinting, a process that profiles and tracks devices online, is often seen as just another advertising tool. However, while device fingerprinting is being used for advertising for some companies, tracking device profiles is also an incredible tool for fighting fraud online. 

If you’re curious to know about this tool, and how it’s used to fight cybercrime, this blog will tell you everything you need to know about device fingerprinting, how it works, and how merchants can utilize it to mitigate fraud.  

What is Device Fingerprinting? 

When a user lands on a website, device fingerprinting gathers data about that user’s activity, software, and hardware configurations. This information is gathered so that it can be analyzed for suspicious activity or potential fraud. Every piece of information gathered about the device is used to create a device fingerprint profile.  

While there are a host of details that can be gathered to accurately fingerprint a device, profiles can be made with only the operating system and browser. However, device fingerprinting is more accurate when additional details can be obtained. Here’s a list of details that can be gathered for a device fingerprinting profile: 

• Browser 
• Operating System 
• IP address 
• Device Time/Time Zone 
• Language Preferences 
• Battery Level 
• Fonts 
• Display Resolution 
• Flash data 
• Installed Plugins 
• HTTP headers 
• VPN 

Gathering all of these details not only increases the accuracy of fingerprinting a device, but also creates valuable insight into the type of user the site.  

If the idea of companies tracking your device across the web makes you uncomfortable, you may be less than thrilled to know that device fingerprinting is quite legal. As long as businesses are transparent and communicate the information they process, and why, device fingerprinting is legal even under GDPR, one of the strictest personal data laws in the world. 

Why are more companies using device fingerprinting? To understand the benefits, we’ll need to dive a little deeper into how device fingerprinting works, and why it’s being seen as an alternative to web cookies.  

How does Device Fingerprinting Work? 

Device fingerprinting happens when a user visits a website with a device fingerprint tracker. This tracker, usually a piece of Javascript, will capture all the available information about the device and store it in a database accessible by the website owner. Unique fingerprints, or hashes, are then calculated and assigned. The more data the device fingerprinting code can gather, the more accurate the process will be. 

The merchant side storage is the biggest strength of device fingerprinting. Although it takes significant storage, gathering and storing data within a merchant accessible database makes device fingerprinting almost impossible to detect or block by users.  

The level of control offered by device fingerprinting methods is vastly superior to traditional web cookies. Cookies are small text files, collected by users as they visit websites, that are stored on the customer’s device. While cookies offer users a more personalized experience to users, they can also be easily deleted by users. Device fingerprinting solves this issue by storing the data with the merchant, instead of on the customer’s device. 

Device Fingerprinting & Fraud 

Device fingerprinting is a tool often used alongside, or in place of, web cookies for advertising purposes. However, its unblockable data collection also lends itself to another useful function: identifying fraud. 

A common tactic employed by cyber criminals is IP address spoofing, the practice of modifying a source address to make the network think the criminal is operating from a trusted source. Device fingerprinting, which picks up many different details from a device, is harder to spoof.  

Additionally, device fingerprinting can analyze user activity and identify fraudulent actions or fraudulent orders. For example, if a customer account is taken over and their IP address has been spoofed, device fingerprinting may still be able to pick up on key details to stop the order. If a customer’s location, language, and even screen resolution are all different than normal, device fingerprinting can recognize the unusual device being used and flag the activity. 

 Device Fingerprinting Solutions

When combined with other fraud mitigation tools, device fingerprinting can supply additional details that regular cookies cannot and prevent fraud. While device fingerprinting generates information that is incredibly helpful for cybersecurity teams, the same information in the hands of advertisers may cause unease for privacy-conscious customers. If you want to avoid the controversy, the simple solution is to use a fingerprinting device for fraud mitigation purposes only. By clearly communicating how information is used to protect customer accounts, device fingerprinting can be used legally and with great benefits.  

Kount, the leading fraud prevention platform that pioneered device fingerprinting, remains on the cutting edge of this technology. They combine device fingerprinting with their world class AI tools to effectively identify fraudulent purchases. Learn more about how Kount, and the TokenEx data protection integration, can reduce your company’s chargebacks and increase your online security here.