Mangopay Blog

Digital fingerprinting in fraud detection: how it works

Written by Marcin Mostek | Dec 5, 2023 2:33:00 PM

Digital fingerprinting is commonly used in anti-fraud systems for card-not-present payments (i.e., all those where we pay by card on the Internet). Have you ever wondered why a spinning circle appears when you attempt to pay by card? Building a picture of the user through digital fingerprinting is one of the reasons for this familiar sight (in addition to sending data to the payment system itself and a multitude of other operations happening at the same time). Read the whole article to find out who needs digital fingerprinting and why.

What is digital fingerprinting?

A fingerprint is a user-specific set of data downloaded from a browser, which can be used to confirm with a high probability the user's identity between visits to a website. The equivalent of a cookie (i.e., storing information in the browser) in the real world would be the license plate of a car. The equivalent of a fingerprint is an even more detailed description: 'red Volkswagen Passat with a broken mirror, green spoiler, and bead seat covers.'

With a web application, we want to remember the user's settings and identity between visits to the site. To do this, we need to save some information in the user's browser. The mechanism introduced for this purpose is the HTTP cookie. It is simply a small piece of text that the website sends to your browser and that your browser sends back on the next visit to the site. This simple trick allows for user identification. But what if a malicious user deletes this information from the browser? This is where fingerprinting comes to the rescue.

Contrary to appearances, such systems are not concerned with surveilling Internet users or finding out who they really are; rather, the goal is to block only those scammers who try to make payments with stolen cards. A common maneuver used by carders is to test which cards from the batch or leak they have purchased are not yet blocked and are thus still usable for further crimes. Usually, this is done by looking for a less secure site that offers the possibility of paying with a card or of setting up a subscription (which is also based on the card).

In the first case, charity websites are very popular. They allow you to donate any amount of money. The small amount increases the chance that the legitimate owner of the card will not notice the fact of an unauthorized payment and will not report the theft to the appropriate authority, thereby blocking the card.

To understand the second case, you need to delve into the way in which card payments are processed in the subscription model. In a very simplified way, it works as follows:

  • The user is offered a trial period of the service (usually a month) in which they pay nothing; however, they must provide card details so that future payments can be charged.
  • On the side of the service provider and the bank, an authorization operation takes place (i.e., determining whether the card is active and whether it has any funds). In practice, this is done by charging a symbolic amount (e.g., USD 1.00) against the funds assigned to the card. This amount is returned to the account later; the delay results from the characteristics of card payments. If the authorization succeeds, the user gains immediate access to the service.
  • After the trial period, money is charged periodically from the account assigned to the card. Because a successful authorization grants access to the service almost instantly, it immediately confirms that the card has not yet been blocked.

In most cases of this type, carders check several or even several dozen cards, and their activity is masked, whether by removing cookies or by more sophisticated methods. Carder activity can be very painful for the owner of the website where such 'testing' takes place. They will be held accountable, whether through fines imposed on them by the payment system provider or, in extreme cases, by being disconnected from the payment network.

What can these types of proven cards be used for? It depends on the criminal's experience and inventiveness. It can be money laundering on much more secure websites where you can buy, for example, luxury goods and electronics (the more expensive, the better!) or airline tickets. However, how carders work is a topic for a completely different article.

Of course, fingerprinting is not the only way to stop the attacks described above, but rather one of many elements of anti-fraud systems. The well-known principle of defense in depth applies here.

How do you make digital fingerprints?

To begin, you have to select technologies/fields whose information either:

  • Relates to things that the user can configure/install in the system or browser, or
  • Passes through many layers of the system, where each layer modifies the output.

While the first option seems quite intuitive (e.g., collecting plugins or fonts from the browser should do the trick), what is the second option?

An example of a second approach to fingerprinting can be rendering an image in a browser using WebGL (a technology used for 3D graphics in browsers). If we dynamically create an identical image in the browser of each user, we go through the following layers:

  • The browser, or rather how the browser implemented WebGL
  • A specific version of the graphics card driver and its implementation (drivers contain a lot of 'dedicated solutions')
  • Differences in the implementation of system functions across operating systems
  • Differences in the accuracy of floating-point calculations (try calculating the cosine of the same value in JavaScript on different browsers and systems)
  • The graphics card itself

Each of the above-mentioned layers affects the final shape of the image. As a result, the same image rendered on two different computers looks almost identical, but in practice it is not exactly the same (a difference of several pixels). It is this detail that allows users to be identified or distinguished.


The disadvantages of digital fingerprinting

Like all technologies, fingerprinting is not perfect and has its drawbacks. Each existing fingerprint lies somewhere on the following scale...

Stability <--------------------> Granularity

...where stability means how long a given fingerprint works -- how long it can identify a given user before it changes -- and granularity -- how many different users can have the same fingerprint (the fewer, the better).

Unfortunately, in the vast majority of cases these two properties are mutually exclusive. A very granular fingerprint will work for a really short time, while an extremely stable fingerprint will have the same value for different users. For example, if we use the user's IP address for fingerprinting, the fingerprint gains granularity, but its working time will be very short: a malicious carder will change their IP address within hours or days.

However, if we only use information about technologies that are supported by the browser, the fingerprint will be very stable over time, but its value will be the same for all users with the same browser. Of course, as the volume of traffic increases, the chance that even a granular fingerprint will have the same value for different users increases.

As you can see, fingerprinting is a powerful tool for preventing online fraud, but it is not without its shortcomings. In the next post, I will show you how to shore up its weaknesses and provide examples of types of fingerprints.

If you wish to detect and protect your business from fraudsters spoofing their digital fingerprints, get in touch with us.