Digital fingerprinting is commonly used in anti-fraud systems for card-not-present payments (i.e., all those where we pay by card on the Internet). Have you ever wondered why a spinning circle appears when you attempt to pay by card? Building a picture of the user through digital fingerprinting is one of the reasons for this familiar feature (in addition to sending data to the payment system itself and a multitude of other operations happening at the same time). Read on to find out who needs digital fingerprinting and why.
A fingerprint is a user-specific set of data downloaded from a browser, which can be used to confirm with a high probability the user's identity between visits to a website. The equivalent of a cookie (i.e., storing information in the browser) in the real world would be the license plate of a car. The equivalent of a fingerprint is an even more detailed description: 'red Volkswagen Passat with a broken mirror, green spoiler, and bead seat covers.'
With a web application, we want to remember the user's settings and identity between visits to the site. To do this, we need to save some information in the user's browser. The mechanism introduced for this purpose is the HTTP cookie: a small piece of text that the website sends to your browser and that your browser sends back on the next visit to the site. This simple trick allows for user identification. But what if a malicious user deletes this information from the browser? This is where fingerprinting comes in.
Contrary to appearances, such systems are not concerned with surveilling Internet users or finding out who they really are; rather, the goal is to block only those scammers who try to make payments with stolen cards. A common maneuver used by carders is to test which cards from the batch or leak they have purchased are not yet blocked and are thus fit for further crimes. Usually, this is done by looking for a less secure site that offers the possibility of paying with a card or of setting up a subscription (which is also based on the card).
In the first case, charity websites are very popular. They allow you to donate any amount of money. The small amount increases the chance that the legitimate owner of the card will not notice the fact of an unauthorized payment and will not report the theft to the appropriate authority, thereby blocking the card.
To understand the second case, you need to delve into the way in which card payments are processed in the subscription model. In a very simplified way, it works as follows:
In most cases of this type, carders check several or several dozen cards, and their activity is masked, whether by removing cookies or by more sophisticated methods. This 'testing' can be very painful for the owner of the website where it takes place: they will be held accountable, whether through fines imposed by the payment system provider or, in extreme cases, by being disconnected from the payment network.
What can these types of proven cards be used for? It depends on the criminal's experience and inventiveness. It can be money laundering on much more secure websites where you can buy, for example, luxury goods and electronics (the more expensive, the better!) or airline tickets. However, how carders work is a topic for a completely different article.
Of course, fingerprinting is not the only way to stop the attacks described above, but rather one of many elements of anti-fraud systems. The well-known principle of defense in depth applies here.
To begin, you have to select technologies/fields with information that can:
Or
An example of the second approach to fingerprinting is rendering an image in the browser using WebGL (a technology used for 3D graphics in browsers). If we dynamically create an identical image in the browser of each user, the rendering passes through the following layers:
Each of the above-mentioned layers affects the final shape of the image. As a result, the same image rendered on two different computers looks almost identical to the eye, but in practice is not exactly the same (a few pixels differ). It is this detail that allows users to be identified or distinguished.
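To make the rendering approach concrete, here is an added example (not code from the original post) that hashes the raw pixel bytes of a rendered probe image, so that even a one-unit difference in a single colour channel produces a different fingerprint value. It assumes a 2D canvas as a stand-in for the WebGL rendering described above, FNV-1a as an arbitrary choice of hash, and a constructed four-pixel sample in place of a real render.

```javascript
// Added example: fingerprinting a rendered image by hashing its pixels.
// Assumptions: a 2D canvas stands in for the WebGL render described in the text;
// FNV-1a is an arbitrary hash choice; the sample pixel data below is constructed.

// FNV-1a over the raw RGBA bytes of an image; returns 8 hex characters.
function hashPixels(rgba) {
  let h = 0x811c9dc5;
  for (let i = 0; i < rgba.length; i++) {
    h ^= rgba[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Count pixels (4 bytes each) that differ between two renders of the same scene.
function countDifferingPixels(a, b) {
  if (a.length !== b.length) throw new Error("images differ in size");
  let n = 0;
  for (let i = 0; i < a.length; i += 4) {
    if (a[i] !== b[i] || a[i + 1] !== b[i + 1] ||
        a[i + 2] !== b[i + 2] || a[i + 3] !== b[i + 3]) n++;
  }
  return n;
}

// Browser only: draw a fixed scene (gradient plus anti-aliased text) and return
// its pixel bytes. Returns null outside a browser so the file also loads under Node.
function renderProbe(width = 64, height = 32) {
  if (typeof document === "undefined") return null;
  const canvas = document.createElement("canvas");
  canvas.width = width;
  canvas.height = height;
  const ctx = canvas.getContext("2d");
  const grad = ctx.createLinearGradient(0, 0, width, 0);
  grad.addColorStop(0, "#ff0066");
  grad.addColorStop(1, "#0066ff");
  ctx.fillStyle = grad;
  ctx.fillRect(0, 0, width, height);
  ctx.font = "14px Arial";
  ctx.fillStyle = "rgba(0,255,0,0.7)";
  ctx.fillText("fp-probe", 2, 20);
  return ctx.getImageData(0, 0, width, height).data;
}

// Constructed sample: four opaque pixels of one render, and a copy in which one
// channel of one pixel is off by one (the kind of rounding difference the text describes).
const renderA = new Uint8ClampedArray([255, 0, 102, 255, 200, 20, 140, 255,
                                       100, 40, 200, 255, 0, 102, 255, 255]);
const renderB = new Uint8ClampedArray(renderA);
renderB[5] = 21;
```

In a browser, `hashPixels(renderProbe())` gives the value that would be stored and compared between visits; the constructed `renderA` and `renderB` show that a single differing pixel is enough to change it.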
The disadvantages of digital fingerprinting
Like all technologies, fingerprinting is not perfect and has its drawbacks. Each existing fingerprint lies somewhere on the following scale...
Stability <--------------------> Granularity
...where stability means how long a given fingerprint works -- how long it can identify a given user before it changes -- and granularity -- how many different users can have the same fingerprint (the fewer, the better).
Unfortunately, in the vast majority of cases these two properties pull in opposite directions. A very granular fingerprint will work for only a short time, while an extremely stable fingerprint will have the same value for different users. For example, if we use the user's IP address for fingerprinting, the fingerprint gains granularity, but its working time will be very short: a malicious carder will change his IP address within hours or days.
However, if we only use information about technologies that are supported by the browser, the fingerprint will be very stable over time, but its value will be the same for all users with the same browser. Of course, as the volume of traffic increases, the chance that even a granular fingerprint will have the same value for different users increases.
As you can see, fingerprinting is a powerful tool for preventing online fraud, but it is not without its shortcomings. In the next post, I will show you how to shore up its weaknesses and provide examples of types of fingerprints.
If you wish to detect and protect your business from fraudsters spoofing their digital fingerprints, get in touch with us.