You might not be aware of it, but the web browser you’re using to read the words on this page is a treasure trove of data.

In fact, a single click on the website AmIUnique.org, for instance, can reveal how easy it is to learn your operating system, browser name and version, time zone and preferred language, amongst others. This means your visits across numerous sites can be tracked.

These tracked data points, and many more, are what constitute browser fingerprinting. As we’ll see in this post, fraud prevention tools can use the process to detect suspicious users in seconds — but you have to know when to deploy it, and how.

A browser fingerprint tool gathers user data relating to their software and hardware configuration. These browser fingerprints points include details such as browser name, operating system, timezone, and much more. In fraud prevention, it can be used to detect suspicious connections, for instance from an emulator.

When you connect to a website, your browser needs to send information in order to access data. By installing a JavaScript snippet on your web app, for instance, you can capture that browser fingerprint and use it for your analytics or for fraud detection.

It turns out, the browser fingerprint holds a lot of hidden data. At SEON, we were very lucky to develop our tool to browser fingerprint module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters, such as:

His internet research website lets you test the efficiency of privacy add-ons by performing thorough browser fingerprinting, and it’s a great place to learn more about the technologies used for that analysis in the context of security and website protection.

Sophisticated fraudsters tend to operate on a large scale, by acquiring long lists of logins or credit card numbers for example on the dark web or other websites. This usually means hundreds of possible attempts before they can enter a platform or process a transaction.

Because it’s a repetitive process, they can’t change their smartphone and laptop or browser with every attempt. Even if they try to spoof devices, there will be red flags. This is where identifying a unique configuration can help spot them — especially if one of their failed attempts puts them on a blacklist. Their only remaining options are to:

But here again, the game of cat and mouse continues: fraud detection tools equipped with the right modules should be able to detect these uses, which are even clearer signs pointing towards a fraudulent user.

If you can see which browser and hardware configurations are unique, it’s then easy to create a unique ID for each of them. The challenge, however, is to ensure these IDs are static, so they can remain the same even after changes in the data-set.

The solution is to group collected data points in the right sets, so they don’t completely change with every new update. At SEON, we work with three different sets, which are:

This generates an ID by looking at all browser fingerprint data points such as the user agent, operating system, windows, screen, font settings and all feature statuses, which are collectible.

A new ID is created with each browser session.

The ID is created based on hardware data such as the HTML5 canvas, GPU, audio fingerprinting, whether it allows touch support and more.

As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods used to look at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way.

Which neatly brings us to the following idea: when browser fingerprinting isn’t enough.

Yes, as all the information collected is considered public. However, note that the fraud solution that collects the data should be compliant. For instance, SEON is fully GDPR compliant and ISO-270001 certified.

By now, it should be evident that the biggest problem with browser fingerprinting is that it’s not a foolproof method to protect your website. But just to recap, here’s why:

This is an area we recommend fraud managers pay specific attention to. A lot of fraud companies pride themselves on gathering hundreds or thousands of data points for browser fingerprinting.

But even if these data points aren’t permanent, they’re not good for much. While they can help identify fraud, it’s much better to incorporate and enrich them with other fraud prevention modules in order to create a multi layered fraud prevention solution to protect your business and users.

The very fact that specific software is designed to spoof devices, browsers and operating systems clearly shows that fraudsters know what’s going on. They will try their best to manipulate the data points manually.

Of course, for the good guys the fight is all about identifying these spoofing methods. One good example in recent years was to understand that the size of the canvas could indicate fraud, as bad users tend to resize their browsers to work on multiple platforms at once.

The rise of privacy-centered browsers such as Brave or Firefox shows that general users don’t enjoy being tracked. These browsers and others, such as the latest version of Microsoft Edge, build privacy features into their code, for example by disabling JavaScript, blocking tracking pixels and tracking cookies by default, or only allowing HTTPS.

There is also no shortage of anti-tracking options for general users, such as the Tor browser, NoScript (which blocks javaScript everywhere), Ghostery, which lets you block and audit your web fingerprint, or the dozens of ad blocking tools which regularly top the list of the most downloaded extensions on any app store.

And while the general public isn’t necessarily tech-savvy enough to deploy the right tools, there is a general sense that data privacy is important, and that tracking poses a threat. As reported by the Pew Research Center, 81% of US citizens believe they do not have enough power over how their data is tracked by companies. The same amount believes that the risks outweigh the benefits, which could see a rise in consumer tech designed to address these concerns.

In short, it is a fantastic method for identifying suspicious users. But it’s by no means sufficient by itself. This is why at SEON, we recommend combining our module with others such as:

All the modules are accessible as part of our SENSE platform, designed by anti-fraud experts for businesses in any vertical. To see how we help reduce the costs and resources lost to fraud by 70–80% in a few months only, don’t hesitate to contact us for a free trial.

This article first appeared on SEON’s blog here.