Our smartphones may have no shoulders, but they all have ARMs. They may have lost Palm in 2014, and they have no fingers, but they do have fingerprints. Digital fingerprints. Device fingerprinting is now an entire industry that prevents fraud for millions of merchants and customers.
What Is Device Fingerprinting?
To prevent misunderstanding: it has nothing to do with fingerprint sensors you can see on your phones, tablets, or laptops (gee, I even have one on my flash drive!) The mission of device fingerprinting, though, is the same as that of human biometrics: to identify devices by something unique about them. When it comes to personal computers, in whichever cases they come, there’s a whole lot of data that forms device fingerprints.
Any computer consists of hardware and software, and, as it connects to other devices, the network transfers metadata about both components. It’s based on the fact that connection protocols require a lot of identifiers, like the current OS version, the browser (or another client app that connects), its version, IP address, display parameters, device ID, network ID, location, and so on. Data points for advanced device fingerprinting are in hundreds.
One of the ways this data can be used is advertising and marketing. With device fingerprinting, sites can identify new visitors and feed them some introduction. It can also help in collecting stats about new visitors that have not saved cookies.
When it comes to authentication, device fingerprint data is used to compare the device fingerprints the user leaves at the current login with those recorded before. According to the results of the comparison, the authentication system may require an extra identity confirmation to prove the person or decline access at all. The latter may result in long procedures of access recovery or even in an investigation.
How Device Fingerprinting Prevents Fraud
When it comes to fraud prevention, what comes to mind first is connecting device fingerprinting to credit cards or other payment methods. Yes, it is exactly so. Merchants can connect protecting systems to special services that check device fingerprinting of transactions almost in real time.
If the device is different from the one used before, it’s already a danger sign. But the user could have just bought a new phone and reinstalled the app. But if the location has also changed, as well as the Wi-Fi network and time of the transaction, it can be interpreted as a sign of fraud. That’s why users that go out on vacation or business need to inform their banks about it to prevent false alarms.
For example, if you run an online store and accept online payments, you may become a victim of chargeback if the purchase was made with a stolen credit card. But digital fingerprint analysis can rate a transaction as dangerous and recommend it to be declined. It can sometimes misfire.
For example, the author of this once tried to fool Spotify, installing it in a country where it did not operate yet, pretending to be a Dutch national. Later, when it went official, I attempted to subscribe to it with my credit card. But it was declined, as it was not issued in the Netherlands. That’s how I was punished for my innocent trick (luckily, I didn’t do the same to Apple, so now I can enjoy Apple Music, but it lacks some of my favorite tracks Spotify has).
Is Device Fingerprinting 100% Accurate?
No, alas, it isn’t. First, some loops on these fingerprints are subject to change. People travel, people change their mobile numbers, people buy new smartphones, lose them, and return to old ones. Some even experiment with various platforms or have entire digital weaponries. So there are changes that cannot be sorted as significant or insignificant.
Second, hi-tech fraudsters invent methods to protect their business. There are remote access trojans and other methods used to bypass security measures based on device fingerprinting (like stealing device IDs and recording activity history). So, the accuracy does not matter if the device is actually the same one as the last time. It’s similar to a situation when a robber leaves bogus fingerprints at the scene of the crime.
Despite these instances of imperfection, though, device fingerprinting remains a sure method of fraud prevention. It does not require 100% precision: it utilizes probabilities. Chances that fraudsters get past it are quite minor, and specialists constantly perfect their anti-fraud techniques (like GPS spoof or identity emulator detection). The overall positive effect of using device fingerprinting counts in billions for e-commerce alone, and in more sensitive industries, it’s unmeasurable.
Observe and Protect
Though device fingerprinting may get you thinking about Big Brother, in fact, this technology does more to protect lawful business from fraudsters. No matter if you are a merchant or a customer, you benefit from it in the end.
If you find it useful, you can share the link on your Facebook or Twitter, so your friends and subscribers can read it too. Or leave a comment down here to add something we did not know or ask a question.