Online Fraud Prevention - Browser Fingerprinting
Last time we talked about how it is easy for scammers to defeat fraud prevention techniques based upon IP address, because it is easy to move internet packets in ways that hide their true origin. Since our IP address doesn't reliably identify us, other techniques were developed that were independent of IP address. The one we are going to talk about today is called browser fingerprinting.
Browser fingerprinting attempts to mimic the basic concept behind human fingerprints, but instead of ridges on your fingers, it is tied to unique characteristics of your browser. It turns out that your browser can communicate a lot of things in order to help the web server figure out how show you the best looking web page. For example, the server might want to know which fonts you have installed. Seems innocent, right? Well, the fonts you have, and especially the order in which they are installed creates a type of unique signature. This can be exploited in order to identify a unique browser. It is important to note that the server doesn't know who you are (unless you tell it), but it may know that you are a user with a unique set of characteristics.
You can see your own browser fingerprint by going to our friends at the Electronic Fingerprint Foundation's panopticlick site. You will see something like this:
This basically says that my browser is completely unique in their data set; they have never seen a browser configured like mine. If I change my IP address and come back, they will still know it is me. Most of this is due to my fonts and the order they are in. Fraud prevention companies try to build databases of "good" and "bad" browser fingerprints.
Browser fingerprints are a fascinating, complex subject. However, like anything presented by a client, they can be circumvented. The simplest way to defeat browser fingerprinting is to use a "clean" machine - one that has just had the operating system installed and has not been configured. This can easily be done with a virtual machine - a fraudster can do a few "units" of fraud and reset the machine back to its original state. There are also browser plug-ins that change what your browser does to try to prevent effective fingerprinting.
Interestingly, Blue Cava, the company that originated the concept was involved in fraud detection, but has long since shifted to advertising. I think this is telling, because the two industries are very different. In advertising, if you can identify a unique browser 60% of the time, that may be quite valuable. If you are wrong, you just show someone an ad that isn't optimized for them. But if you misidentify a good guy as a fraudster, you lose a customer. Or you don't detect a fraudster and have problems from that.
Like the other techniques we have discussed, browser fingerprints work well with compliant subjects who aren't trying to defeat it. I am sure it works really well for advertising and most people won't ever bother trying to defeat it. But if your livelihood depends on defeating it, it doesn't take much time. It has a high false positive and false negative rate, so you have to deal with both sides of that equation.
As an aside, browser fingerprinting has a number of troubling privacy implications, but that is a topic for another blog.
Next time we are going to talk about a totally different tool in the bag - behavioral detection. Can we catch bad guys just by watching what they do?