Why Do Fraudsters Use Synthetic & Fake Browser Fingerprints?
Oxford Biochronometrics
Intersecting e-commerce & cybersecurity to optimize customer acquisition costs
Device and/or browser fingerprinting. Big Tech prohibits it [4][5][6][7][8]. The EU ePrivacy directive [11][12][13] requires unambiguous consent of the user. The reason: cookies and fingerprinting are regarded as similar tracking mechanisms. Let’s take a look at fingerprinting: why it exists, how it works and, most importantly, whether fingerprinting in order to detect recurring fraud will meet your expectations.
Why fingerprinting?
Fingerprinting is used to track users across multiple websites or applications. This information can be used to build a profile and, based on that profile, show specific advertisements fitting it.
In fraud detection, fingerprints can be associated with fraudulent behavior. The moment a previously flagged or known bad fingerprint appears, you can ignore or park the generated leads, reviews, or digital sales.
That’s the theory, more on that later.
What is fingerprinting?
Fingerprinting is a form of tracking an individual across multiple websites or applications. These websites and applications have no relation to each other and share no data, yet a third-party JavaScript embedded in all of them would be able to associate activities with an individual.
The easiest and most prevalent method of tracking is using the IP address as a unique identifier. It is easy to collect (server side), highly unique, and relatively stable. The browser’s user agent would be another method, though the user agent changes roughly once a month when a new browser version is released.
Fingerprints are obtained by combining multiple settings and properties of the device and the browser respectively. Fingerprints are broken into multiple parts: a static part based on hardware and a more volatile part based on the browser configuration. Device fingerprints are based on hardware, e.g. number of screens, screen resolution, color depth, graphics card, audio card, number of CPU cores, etc. Browser fingerprints are based on the attributes of the browser, e.g. language settings, plugins, content encoding, timezone, fonts, browser version aka user agent, etc.
How do regulators look at fingerprinting?
Websites running code that collects device and browser fingerprints must comply with the GDPR in the EU and with the CCPA in California, US. In the EU device fingerprinting falls under European data protection laws and therefore requires consent similar to cookies. To track website visitors using device fingerprints you need unambiguous consent of the user. An exception can be found in article 29 [14]:
(29) The service provider may process traffic data relating to subscribers and users where necessary in individual cases in order to detect technical failure or errors in the transmission of communications. Traffic data necessary for billing purposes may also be processed by the provider in order to detect and stop fraud consisting of unpaid use of the electronic communications service.
GDPR protects consumers. Individuals. Not publishers nor advertisers. So, the question is: Does this exception permit browser and/or device fingerprinting to collect fingerprints on behalf of publishers and advertisers without unambiguous user consent? Can browser and device fingerprinting in such a case be seen as an exception under article 29? I’m not so sure. Anyone?
How does big tech look at fingerprinting?
Both Google and Apple prohibit fingerprinting. Apple prohibits fingerprinting in native iOS Apps [5][6] and has implemented anti-fingerprint mechanisms in Safari [7]. Google prohibits fingerprinting in combination with Google Analytics, see figure 2 [4] or GDN see figure 3 [8] unless the user has knowingly and expressly opted in. I couldn’t find the definition of ‘has knowingly and expressly opted in’.
What do fraudsters think about fingerprinting?
About one and a half years ago I wrote a deep dive into fingerprinting [9] and how JavaScript is used to flag outliers, lies, wrong answers, poorly implemented tricks, etc. The outcome of the fraud detection enables you to flag the visit and/or its fingerprint as malicious.
Fraudsters using browser automation to control a Chromium based browser will typically use special software to patch the browser. Once the browser is invoked and patched in order to prevent detection by anti-bot vendors, they’re good to go! Having a fully fledged undetected browser enables them to go through the entire journey: load pages with an advertisement, click on the advertisement, load the landing page and fill out lead generation forms at scale. They’ll be using residential proxy servers to circumvent IP blocks, rate limiting, etc., so that the IP address to location mapping corresponds with the contact address in the lead generation form.
Patchright, made publicly available on Nov 03 2024, is the perfect package to achieve these goals [10]. Figure 4 shows that it is available as a Python package and a NodeJS package. They claim that its stealth mode is able to bypass many anti-bot vendors, as can be seen in figure 5. You might wonder: how on earth is it possible that an open-source package is able to bypass detection of all those vendors? The simple answer: most bot detection vendors do more or less the same. They read the same properties, look for the same signatures and traces of JavaScript patching, look for the CDP runtime being enabled, etc. Although each vendor has implemented it differently, a browser is still a browser and there is only so much relevant information available in a browser that can be collected. Once the patching is done within the browser, there’s not much that can be done about it.
In order to prevent a stealth browser from appearing exactly the same over multiple requests, it loads its settings, attributes and properties of the browser (and cookies, local storage, etc.) prior to requesting a web page and executing JavaScripts. This prevents creating a single easy-to-flag fingerprint, and that means fraudsters are able to scale.
Where do these settings, attributes and properties come from? They can be bought online (based on real people fingerprints collected at shady websites, pr*n sites, pirated content sites, etc.), or synthetically created by recombining fingerprint data from existing fingerprints.
So, in theory you can flag fraudulent fingerprints. But be prepared to be disappointed, because device and browser fingerprints are disposed of after being used once. Just like OTPs (one time passwords), these visitors use OTFs (one time fingerprints). You’ll never see them again. Except if the fingerprint was illegally obtained from someone using a real legitimate device: then you’re blocking this innocent individual.
Human operated fraud
Human operated fraud is more costly than browser automation, even in low wage countries. Though humans don’t scale like spinning up thousands of bots, from an anti-fraud detection view they need similar protection: they need to refresh their browser fingerprints, change their IP address, stuff the browser cookies, and purge and reload local storage; once they’ve taken on a new ‘browser identity with history’ they can do their work.
How human operated fraud works, its operation, and why humans are used at all will be described in a future article.
Now what? You’re saying that fingerprinting doesn’t work?
Collecting fingerprints without any guarantee that a fingerprint is genuine is like accepting passport scans without validating and checking the physical passport. Without the look and feel of the paper, looking at the watermark, using UV light, checking the picture, etc., how do you know it is real?
The rule of thumb is that 99% of the online users will cause less than 1% of the fraud problems, but the remaining 1% will cause more than 99% of the fraud problems. Fingerprinting will not help to improve these ratios. On the contrary: browser automation using synthetic fingerprints or fingerprints stolen from real users is the problem. Human operated fraudsters will use special anti-detect browsers, again loading synthetic or stolen fingerprints. They are the problem, and flagging these fingerprints will not stop fraudsters; only amateurs.
Why would you use fingerprints to catch recurring fraud? If you can detect it the first time, you surely can detect it independently the next time. In the EU, having JavaScript code on your website that collects and conveys device and/or browser fingerprints means the website including the code needs to be compliant with the GDPR, i.e. the user needs to provide consent to be fingerprinted [11][12][13][14]. So, why do vendors use device and browser fingerprinting? Because everybody else is doing it, see Patchright above.
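The passport analogy above comes down to checking whether the claimed attributes could belong to one real browser on one real device at all, before the fingerprint is trusted or stored. The following is an added example, not code from the article or from Oxford Biochronometrics: a handful of internal-consistency rules over a claimed fingerprint. The field names mirror common navigator and screen properties, but the rules and both sample fingerprints are constructed for illustration and are not a vendor's detection signals.

```javascript
// Added example, not code from the article or from Oxford Biochronometrics:
// internal-consistency checks on a claimed browser fingerprint, the
// "check the physical passport" step. The rules, field names and sample
// fingerprints are constructed for illustration and are not a vendor's
// detection signals; the fields mirror common navigator/screen properties.
function consistencyIssues(fp) {
  const issues = [];
  const ua = fp.userAgent || "";
  const uaMobile = /iPhone|iPad|Android/.test(ua);
  const uaWindows = /Windows NT/.test(ua);
  const uaMac = /Mac OS X/.test(ua) && !uaMobile; // iOS user agents also say "like Mac OS X"

  // The OS named in the user agent must agree with navigator.platform.
  if (uaWindows && !/^Win/.test(fp.platform)) issues.push("Windows user agent, non-Windows platform");
  if (uaMac && !/^Mac/.test(fp.platform)) issues.push("macOS user agent, non-Mac platform");
  if (uaMobile && /^(Win|Mac)/.test(fp.platform)) issues.push("mobile user agent, desktop platform");

  // A phone or tablet without any touch points is a contradiction.
  if (uaMobile && fp.maxTouchPoints === 0) issues.push("mobile user agent without touch support");

  // The usable screen area can never exceed the physical screen.
  if (fp.availWidth > fp.width || fp.availHeight > fp.height) issues.push("available area larger than screen");

  // Core count is a positive integer in every real browser.
  if (!Number.isInteger(fp.hardwareConcurrency) || fp.hardwareConcurrency < 1) {
    issues.push("implausible hardwareConcurrency");
  }

  // The reported zone must be one the runtime itself knows; Intl throws a RangeError otherwise.
  try {
    new Intl.DateTimeFormat("en", { timeZone: fp.timezone });
  } catch (e) {
    issues.push("unknown time zone");
  }

  // Automation that did not bother to hide itself still announces it.
  if (fp.webdriver === true) issues.push("navigator.webdriver is set");

  return issues;
}

// Constructed samples (no real traffic); version numbers are placeholders.
const plausibleDesktop = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/XXX", platform: "Win32",
  maxTouchPoints: 0, width: 1920, height: 1080, availWidth: 1920, availHeight: 1040,
  hardwareConcurrency: 8, timezone: "Europe/Amsterdam", webdriver: false,
};
// A carelessly recombined fingerprint: phone user agent glued onto desktop values.
const recombined = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS XX like Mac OS X) Safari/XXX", platform: "Win32",
  maxTouchPoints: 0, width: 1920, height: 1080, availWidth: 2560, availHeight: 1040,
  hardwareConcurrency: 0, timezone: "Mars/Olympus", webdriver: true,
};

console.log(consistencyIssues(plausibleDesktop)); // → []
console.log(consistencyIssues(recombined));       // → six contradictions
```

A fingerprint that passes these checks is not proven genuine, exactly as the article argues; a fingerprint that fails them is worth refusing outright without ever storing it, which also keeps the check on the side of the consent question rather than on the side of tracking.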
Update: Does Google use fingerprinting? And if not, what do they use? AFAIK, they don’t use device fingerprinting to target audiences. They use the Protected Audience API available in Chrome, which uses “on-device ad auctions to serve remarketing and custom audiences, without cross-site third-party tracking.” [15].
To conclude and to confirm. Does Oxford BioChronometrics:
Questions? Corrections? Suggestions? Feel free to connect, comment or DM
#frauddetection #browserautomation #fingerprint #CMO #gdpr #digitalmarketing #adfraud
[7] https://www.apple.com/newsroom/2023/06/apple-announces-powerful-new-privacy-and-security-features/