If your business operates online — for example, as an online marketplace, a social media platform, an online dating website, or really just a business with a website — then you already know just how big a problem fraud can be.
With just a few clicks, bad actors can open fake accounts (or hack into and take over legitimate accounts) and use those profiles to conduct all kinds of fraudulent activity, including money laundering and other financial crimes.
Identity verification and authentication are all about collecting information from the user. Some of this information, such as the individual’s Social Security number or driver’s license, must be requested from the user. But users also automatically provide you with a wealth of information that you can use to identify and deter fraud — as long as you know what to look for. A device fingerprint is one such piece of data.
Below, we take a closer look at device fingerprinting, walk through how it works, and explain the different ways it can help online businesses detect and deter fraud.
What is device fingerprinting?
Device fingerprinting is the process of collecting information about a device, like a smartphone or desktop computer, that can then be used to identify the device, differentiate it from other devices, and re-identify it later.
Device fingerprinting can be an incredibly powerful tool in identifying and preventing fraud, as it helps businesses understand, for example, when a single device is tied to multiple accounts, when a single device is used to open a suspiciously large number of accounts, or when a single device is being used to attempt to log in to multiple accounts.
What specific information goes into generating a device fingerprint? While this can vary, it typically includes data about the device’s hardware and software, including (but not limited to):
- IP address
- VPN and browser information
- Operating system
- Time zone
- Language settings
- HTTP request headers
- Installed plugins/fonts
- Battery information
- Screen resolution
- Flash data
It’s important to note that while each of these data points can in and of itself serve as a fraud signal, none of them individually is a device fingerprint. It is only when this information is combined that it becomes unique enough to serve as an identifier for a user’s device.
How does device fingerprinting work?
Whenever a user visits your website, they open a connection between your business and their device. As soon as this connection is made, you can begin collecting a wealth of information about that user’s device and browser — so long as you have a tool in place that is capable of doing so.
Device fingerprinting typically happens automatically in the background whenever a user interacts with your business through your website. Some of the most important “moments” or interactions include when a new user opens an account, when an existing user logs into their account, or during other high-risk activities (such as when a user completes a purchase in an online marketplace).
As this data is collected, it is combined to form a fingerprint, which is unique to a given device/browser combination.
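The combination step described above, together with the multi-account patterns from the "What is device fingerprinting?" section, as an added example (not Persona's code or any vendor's method). The field names, event format, thresholds, and the choice to leave IP address out of the hash are assumptions of this sketch.

```python
import hashlib
import json
from collections import defaultdict

# Attributes combined into the fingerprint: a subset of the list above.
# Assumption of this sketch: IP address is kept out of the hash and would be
# treated as a separate signal.
FIELDS = ("user_agent", "os", "timezone", "language", "screen", "fonts", "plugins")

def fingerprint(attrs: dict) -> str:
    """Combine the collected attributes into one stable identifier."""
    canonical = {}
    for field in FIELDS:
        value = attrs.get(field, "")
        # Lists such as fonts are order-insensitive, so sort before hashing.
        canonical[field] = sorted(value) if isinstance(value, list) else str(value).strip().lower()
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def flag_devices(events, max_signups=3, max_login_accounts=3):
    """Return {fingerprint: [reasons]} for devices tied to too many accounts."""
    signups, logins = defaultdict(set), defaultdict(set)
    for event in events:
        fp = fingerprint(event["device"])
        bucket = signups if event["type"] == "signup" else logins
        bucket[fp].add(event["account"])
    flagged = defaultdict(list)
    for fp, accounts in signups.items():
        if len(accounts) > max_signups:
            flagged[fp].append(f"{len(accounts)} accounts opened")
    for fp, accounts in logins.items():
        if len(accounts) > max_login_accounts:
            flagged[fp].append(f"login attempts on {len(accounts)} accounts")
    return dict(flagged)

# Constructed sample data, not real traffic.
LAPTOP = {"user_agent": "ExampleBrowser/1.0", "os": "Windows", "timezone": "UTC-5",
          "language": "en-US", "screen": "1920x1080", "fonts": ["Arial", "Calibri"], "plugins": []}
PHONE = dict(LAPTOP, os="Android", screen="1080x2400")
EVENTS = [{"type": "signup", "account": f"user{i}", "device": LAPTOP} for i in range(5)]
EVENTS.append({"type": "signup", "account": "alice", "device": PHONE})
EVENTS.append({"type": "login", "account": "alice", "device": PHONE})

if __name__ == "__main__":
    for fp, reasons in flag_devices(EVENTS).items():
        print(fp[:12], reasons)
```

The two sample devices share a time zone, language, and browser, yet hash to different fingerprints because the combined attribute set differs; only the device behind five signups is flagged.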
Does device fingerprinting work with mobile applications?
Device fingerprinting requires the collection of data about a user’s hardware (their device) and their software (the browser they use to access your site). This means that it can really only be leveraged for websites or browser-based applications.
That said, there are other methods of re-identifying users on mobile apps. For example, here at Persona, our customers can collect a piece of data known as IDFV (iOS) or App Set ID (Android) when a user interacts with their mobile application. This piece of information serves much the same role as a device fingerprint plays for web-based applications.
Why you should consider adding device fingerprinting to your IDV processes
Most forms of identity verification require you to request information from the user. This allows them to attempt to circumvent your defenses in a variety of ways — for example, by entering false information, using stolen credentials, or uploading forged documents.
Device fingerprinting, by comparison, happens automatically in the background whenever a user interacts with your website. Because it happens automatically and without input from the user, it can serve as a strong second layer of defense on top of your other identity verification (IDV) and authentication processes.
Does this mean that it’s foolproof? Of course not. There are steps that bad actors can take to try to prevent accurate device fingerprinting. For example, they might use a VPN to change their IP address when creating new accounts on your website. Or, they might clear their cache between login attempts when trying to perform an account takeover. Emulators, virtual machines, and anti-fingerprinting tools can all also be used to try to avoid fingerprinting.
But the good news is that many of these activities and tools can be detected. And because most of your everyday users are unlikely to want to try to obscure their device fingerprint (because many likely don’t even know what it is), when you do detect suspicious activity like the use of these tools, it can be a strong risk signal that prompts follow-up, manual review, or another form of enhanced due diligence.
Device fingerprinting and your business
Device fingerprinting can be an incredibly powerful tool at your disposal in the fight against online fraud. But generally speaking, it isn’t meant to be your only line of defense. Device fingerprinting is best used in conjunction with other verification and authentication techniques, which, when used together, form a layer of redundancy and real, comprehensive coverage.
Which other verification techniques you leverage will of course depend on your business, your service, the expectations of your customers, and any regulatory requirements that you may be subject to. That being said, options include:
- Document verification
- Selfie verification
- Database verification
- Two-factor authentication
- Link analysis
- and more
Here at Persona, we understand the fact that identity verification, reverification, and fraud prevention all go hand in hand. That’s why we’ve developed a variety of IDV solutions and tools that you can leverage at multiple stages in your fight against fraud.
Our Verifications solution empowers you to craft the ideal verification flow for your business, whether that includes device fingerprinting or not, while Reports allows you to augment your verifications with trusted data for a more comprehensive understanding of who your users are. Spot something suspicious? Cases empowers you to review and investigate suspicious activity before making a final decision. Meanwhile, our link analysis tool Graph allows you to quickly and easily spot connections between user accounts — including those that might indicate fraud or other suspicious activity.