February 02, 2021

Fingerprinting 101

by Marcin Mostek | Security R&D Team Leader | Nethone

Who needs fingerprinting and why?

A fingerprint is commonly used in anti-fraud payment systems of the "card not present" type (i.e., all those where we pay by card on the Internet). Have you ever wondered why the spinning circle appears when you attempt to pay by card? User fingerprinting is one of the reasons for this popular feature (in addition to sending data to the payment system itself and a multitude of other operations happening at the same time).

What is a fingerprint?

A fingerprint is a user-specific set of data downloaded from a browser, which can be used to confirm with a high probability the user's identity between visits to a website. The equivalent of a cookie (i.e., storing information in the browser) in the real world would be the license plate of a car. The equivalent of a fingerprint is an even richer description: "red Volkswagen Passat with a broken mirror, green spoiler, and bead seat covers."

With a web application, we want to remember the users' settings and identity between visits to the site. To do this, we need to save some information in the user's browser. The mechanism that was introduced for this purpose is an HTTP cookie. It is simply a small piece of text that the website sends to your browser and that your browser sends back on the next visit to the site. This simple trick allows for user identification. But what if a malicious user deletes this information from the browser? At this moment, fingerprinting comes to the rescue.

Contrary to appearances, such systems do not care about surveillance of Internet users or finding out who they really are; rather, it is more about blocking only those scammers who try to make payments with stolen cards. A common maneuver used by carders is to test which cards from the package/leakage they have purchased are no longer blocked and are thus fit to continue committing crimes. Usually this is done by looking for a less secure site that offers the possibility of paying with a card or setting up a subscription (also based on the card).

In the first case, charity websites are very popular. They allow you to donate any amount of money. The small amount increases the chance that the legitimate owner of the card will not notice the fact of an unauthorized payment and will not report the theft to the appropriate authority, thereby blocking the card.

To understand the second case, you need to delve into the way in which card payments are processed in the subscription model. In a very simplified way, it works as follows:

  • The user is offered a trial period of the service in which they pay nothing (usually a month); however, they must provide card details in order to calculate payments in the future
  • On the side of the service provider and the bank, there is an operation of an authorization (i.e., determining whether the card is active and whether it contains any money) which is practically carried out by means of collecting from the funds assigned to the card a symbolic amount (e.g., $1.00). This amount is returned to your account later; the delay it goes through results from the characteristics of card payments. If the authorization operation is successful, the user gains immediate access to the service.
  • After the trial period, money is withdrawn cyclically from the user account assigned to the card
As with the correct authorization, you can access the service almost instantly; it allows you to immediately confirm that the card has not yet been blocked.

Of course, in most cases of this type, carders check several or several dozen cards. Activities of this type are, of course, masked, whether by removing cookies or by more sophisticated methods. Carder activities can be very painful for the owner of the website where such "testing" took place. They will be held accountable -- whether through fines imposed on them by the payment system provider or in extreme cases by disconnecting from the payment network.

What can these types of proven cards be used for? It depends on the experience and inventiveness of the criminal. It can be money laundering in much more secure websites where you can buy, for example, luxury goods and electronics (the more expensive, the better!) or airline tickets. But how carders work is a topic for a completely different article...

Of course, fingerprinting is not the only way to stop the attacks described above, but rather one of many elements of anti-fraud systems. The well-known principle of defense in depth applies here.

How do you make fingerprints?

To begin, you have to select technologies/fields with information that can:

  • Relate to things that the user can configure/install in the system or browser

  • Pass through many layers of the system, where each layer modifies the output
While the first part seems quite intuitive (e.g., collecting plugins or fonts from the browser should do the trick), what is the second option about?

An example of a second approach to fingerprinting can be rendering an image in a browser using WebGL (a technology used for 3D graphics in browsers). If we dynamically create an identical image in the browser of each user, we go through the following layers:

  • The browser, or rather how the browser implemented WebGL
  • A specific version of the graphics card driver and its implementation (the drivers have a lot of 'dedicated solutions'),
  • Differences in the implementation of system functions in various operating systems,
  • Differences in the accuracy of floating-point calculations (try to calculate the cosine of the same value in JavaScript on different browsers and systems),
  • Graphics card alone
Each of the above-mentioned layers affects the final shape of the image. This causes the same image rendered on two different computers to look almost identical, but in practice, it is not exactly the same (difference of several pixels). It is this detail that allows users to be identified or distinguished.

The disadvantages of fingerprinting

Like all technologies, fingerprinting is not perfect and has its drawbacks. Each existing fingerprint lies somewhere on the following scale...

Stability <--------------------> Granularity

...where stability means how long a given fingerprint works -- how long it can identify a given user before it changes -- and granularity -- how many different users can have the same fingerprint (the fewer, the better).

Unfortunately these values in the vast majority of cases are mutually exclusive. A very granular fingerprint will work for a really short time, while an extremely stable fingerprint will have the same values for different users. For example, if we use the user's IP address for fingerprinting, this fingerprint will gain granularity, although its working time will be very short. A malicious carder will change his IP address in a few hours or days.

However, if we only use information about technologies that are supported by the browser, the fingerprint will be very stable over time, but its value will be the same for all users with the same browser. Of course, as the volume of traffic increases, the chance that even a granular fingerprint will have the same value for different users increases.

As you can see, fingerprinting is a powerful tool for preventing online fraud, but it is not without its shortcomings. In the next post, I will show you how to shore up its weaknesses and provide examples of types of fingerprints.

Nethone is a global provider of AI-driven KYU (Know Your Users) solutions that allows online merchants to understand their end-users and prevent online fraud. By using machine learning technology, Nethone is able to detect and prevent card-not-present fraud as well as account takeover. Founded in 2016 by data scientists and security experts, Nethone serves eCommerce, digital goods, travel, and financial industries on a global scale.