Preventing Fraud and Chargebacks with Device Fingerprinting
Table of Contents
- What Is Device Fingerprinting?
- How Does Device Fingerprinting Work?
- How Can Device Fingerprinting Prevent Fraud?
- Can Device Fingerprinting Be Circumvented?
- The Future of Device Fingerprinting
- Prevent Chargebacks by Preventing Fraud
Back in the days of check fraud, brick-and-mortar stores used to post mugshots behind the cash register that said, “Do not accept checks from this person!” Not a very sophisticated anti-fraud solution, but it worked. In the era of e-commerce fraud and cybercrime, things aren’t quite that simple.
Online anonymity is a fraudster’s best weapon, and customer demands for stricter privacy regulations have the side effect of making it even easier for fraudsters to mask themselves. For now, however, device fingerprinting remains an effective and hard-to-evade method of identification. How can device fingerprinting be used to stop fraudsters and prevent chargebacks?
What Is Device Fingerprinting?
Device fingerprinting arose as an alternative to cookies. Not every internet user can tell you exactly what a cookie is, but most of them know what you’re supposed to do with them—delete them regularly. The old methods of tracking identities online have fallen by the wayside as customers are increasingly alienated by invasive online marketing techniques and governments enact stronger laws to protect privacy, like the GDPR.
Unfortunately, what’s good for the customer who doesn’t want to be micro-targeted by personalized ads on every website they visit is also good for the fraudster who flits from site to site, testing stolen cards and engaging in fraudulent transactions.
For merchants, it's hugely important to be able to detect and identify fraudsters before they make an illicit purchase. Chargeback rights can make customers whole when online fraud occurs, but merchants are left bearing the brunt of the consequences: lost revenue, fees, and a dangerous uptick in the chargeback rate that their acquirers are closely monitoring.
Device fingerprinting is a reliable and non-invasive way to assign persistent identities to the users who visit your website, making it possible to spot fraudsters ahead of time and stop them from coming back.
How Does Device Fingerprinting Work?
A browser cookie is a bit like a name tag—you can give one to a visitor when they first come to your site, and when they come back later, you can look at it and recognize them. Likewise, deleting a cookie is as easy as peeling off a name tag.
Device fingerprinting is more like that mugshot behind the counter. It takes a snapshot of all the information it can access about the user's device and records it. While each individual piece of information might be shared by many other users, the combination of all the available information can often be used to identify a single device.
When you drill down to the specific versions, configurations, and optional settings that each visitor is using, device fingerprinting becomes a very effective means of identifying customers.
And unlike cookies, you don’t have to ask your visitors to store and present their device fingerprinting data to you—it’s automatically sent by the hardware and software they use to browse the web.
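The claim that individually common attributes combine into a unique identifier can be checked directly. The following is an added example, not code from the original article: the attribute names and the five visitors are constructed sample data, and hashing the sorted attributes with SHA-256 is one assumed way to derive an identifier.

```python
import hashlib
import json
from collections import Counter

# Constructed sample data: attributes a site might observe for five visitors.
# The attribute names and values are illustrative assumptions.
VISITORS = [
    {"user_agent": "Chrome/120 Windows", "screen": "1920x1080",
     "timezone": "America/New_York", "language": "en-US"},
    {"user_agent": "Chrome/120 Windows", "screen": "1920x1080",
     "timezone": "America/Chicago", "language": "en-US"},
    {"user_agent": "Chrome/120 Windows", "screen": "2560x1440",
     "timezone": "America/New_York", "language": "en-US"},
    {"user_agent": "Safari/17 macOS", "screen": "2560x1440",
     "timezone": "America/New_York", "language": "en-GB"},
    {"user_agent": "Safari/17 macOS", "screen": "1920x1080",
     "timezone": "America/Chicago", "language": "en-US"},
]


def fingerprint(attrs):
    """Hash the key-sorted attributes: identical attributes give the same ID."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def largest_group_per_attribute(visitors):
    """For each attribute alone: how many visitors share its most common value."""
    return {
        name: Counter(v[name] for v in visitors).most_common(1)[0][1]
        for name in visitors[0]
    }


def largest_group_by_fingerprint(visitors):
    """For the combined fingerprint: size of the largest group sharing one ID."""
    return Counter(fingerprint(v) for v in visitors).most_common(1)[0][1]


if __name__ == "__main__":
    print("shared per attribute:", largest_group_per_attribute(VISITORS))
    print("shared per fingerprint:", largest_group_by_fingerprint(VISITORS))
```

An exact hash like this changes whenever any single attribute changes, for example after a browser update, so a mismatch is a reason to re-verify the user rather than proof of a different person.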
How Can Device Fingerprinting Prevent Fraud?
For example, consider account takeover fraud. This refers to attacks where the fraudster obtains a user’s login credentials for an e-commerce site. They can then log in and take over that user’s account, making purchases, transferring funds out, and otherwise exploiting their access for all it’s worth.
With device fingerprinting, the site can tell when the account is being accessed from a new and unfamiliar device and can alert the account owner, require two-factor authentication, or place temporary restrictions on the account.
Device fingerprinting is also very effective at stopping card testing fraud. Fraudsters often obtain large numbers of stolen credit card numbers in bulk, many of which will have been reported lost or stolen by the time they change hands. To find out which cards are still usable, they attempt to make small purchases with each one. Once a small purchase goes through, they know that card is safe to use for a larger fraudulent transaction.
With device fingerprinting active, a merchant can see when the same device has attempted several declined transactions, safely infer that its user is engaged in card testing, and block that device from future purchases.
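Both checks in this section, the unfamiliar-device login and the repeated declines from one device, reduce to lookups keyed by fingerprint. The sketch below is an added example, not the article's or any vendor's code: the class name, return values, thresholds and card tokens are assumptions, and counting distinct cards rather than raw declines is a refinement added here.

```python
from collections import defaultdict, deque

# Assumed policy values for this example; tune them to real traffic.
DECLINE_LIMIT = 3       # distinct cards declined from one device
WINDOW_SECONDS = 600    # sliding window for counting declines


class DeviceRiskEngine:
    def __init__(self):
        self.known = defaultdict(set)       # account id -> confirmed fingerprints
        self.declines = defaultdict(deque)  # fingerprint -> (time, card token)
        self.blocked = set()                # fingerprints barred from purchases

    def confirm_device(self, account, fp):
        """Record a device after the owner passes two-factor authentication."""
        self.known[account].add(fp)

    def on_login(self, account, fp):
        """Known device: allow. Unfamiliar device: require a second factor."""
        return "allow" if fp in self.known[account] else "step_up"

    def on_payment(self, fp, card_token, approved, now):
        """Track declines per device; block it once it looks like card testing."""
        if fp in self.blocked:
            return "deny"
        if approved:
            return "allow"
        recent = self.declines[fp]
        recent.append((now, card_token))
        # Drop declines that fell out of the window (the newest always stays).
        while now - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        # Count distinct cards so a customer mistyping one card is not blocked.
        if len({card for _, card in recent}) >= DECLINE_LIMIT:
            self.blocked.add(fp)
            return "block"
        return "declined"
```

Here `fp` is any stable device identifier and `card_token` is a processor token, never a raw card number.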
Can Device Fingerprinting Be Circumvented?
The most effective way for users to get around device fingerprinting is to switch the device they’re using. This will make them appear to be a different user, as each device will have its own fingerprint. However, most people don’t have an endless supply of internet-capable devices to rotate through. At most, they might be able to swap between two or three different options, but if they engage in fraud or other harmful actions, those alternate devices won’t remain useful for very long.
More troubling is the use of user agent spoofing, which can alter the data that the user’s device presents to websites. A fraudster might be running Safari on an iPhone, for example, but with user agent spoofing activated, the website they’re visiting thinks they’re using Chrome on an Android device.
These tools can even be set to automatically rotate through a nearly endless array of options, never showing the same identity twice.
Fortunately, internet companies like Google are working on technology that can see through user agent spoofing attempts.
In some cases, device fingerprinting can be fully or partially blocked by certain browsers and extensions. The latest version of Firefox, for example, automatically blocks requests from a list of well-known device fingerprinting providers. These blockers often aren't as effective as user agent spoofing, but they also come with few downsides, making them more likely to be used by privacy-conscious customers in addition to fraudsters.
The Future of Device Fingerprinting
If the use of device fingerprinting in targeted advertising continues to raise privacy concerns, we may see fingerprinting blockers become more popular, which would make it a less reliable tool for fraud prevention.
There aren't currently very many laws or regulations regarding device fingerprinting. It isn’t something users have the right to opt out of the way they do with cookies under the GDPR. While some jurisdictions may place limits on what websites can do with device fingerprinting data, fraud and abuse prevention is generally considered to be a lawfully permissible use. At the moment, there's no indication that that will be changing in the near future.
Prevent Chargebacks by Preventing Fraud
When a merchant receives a true fraud chargeback, it’s already too late to do anything about it. Friendly fraud can be fought and beaten, but true fraud is what chargebacks were made for—merchants have no choice but to take the loss.
Online fraud is a difficult and ever-evolving problem, and merchants need every resource at their disposal to protect themselves—and their customers—from cybercriminals. Anti-fraud tools that rely on device fingerprinting to identify and block suspected fraudsters can help merchants avoid fraud attempts before they have the chance to turn into chargebacks.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com