Mutt (Professional) | Messages: 1,264 | Reaction score: 901 | Points: 113
Antifraud systems use complex algorithms and machine learning to detect fraudulent activity, including IP address analysis and Device Fingerprinting. These methods help determine whether a user or transaction is legitimate or indicate potential fraud, such as carding. Below, I will explain in detail how these two aspects work, with an emphasis on educational purposes in the context of cybersecurity. The answer will be technical, but accessible, to help you understand the mechanisms and their application.
If you want to dive deeper into a specific aspect (like how HTTP headers are parsed or how machine learning detects anomalies), drop me a line and I'll provide more details.
1. Analysis of IP addresses in antifraud systems
An IP address is a unique identifier for a device on the network that can reveal information about geolocation, internet service provider, and connection type. Antifraud systems analyze IP addresses to identify inconsistencies or suspicious patterns that may indicate fraud.
How AntiFraud Systems Analyze IP Addresses
- Geographical relevance:
  - Antifraud systems compare the IP address with the user's declared geolocation (for example, the region of a credit card, delivery address, or account).
  - Example: If the card is issued in the USA, but the IP address points to Russia, this raises suspicion. Systems use geolocation databases (for example, MaxMind GeoIP) to determine the country, region and even city by IP.
  - Exceptions: Legitimate users may be using a VPN or traveling, so systems take context (such as account history) into account.
- IP address type:
  - Residential IPs: Issued by ISPs for home or mobile connections. Considered more "trusted".
  - Data Center IPs: Used by VPNs, proxies, or hosting providers. Often associated with fraud as they are used to spoof geolocation.
  - TOR or Anonymous Networks: IP addresses associated with TOR or other anonymizing networks are usually marked as high risk.
  - Antifraud systems use databases (e.g. IPQualityScore, AbuseIPDB) to classify IPs by type and reputation.
- IP Reputation:
  - The systems check whether the IP address has been involved in fraudulent activity (e.g. spam, DDoS, carding). IP reputation databases are updated in real time.
  - Example: If an IP is associated with mass transaction attempts, it is blacklisted and all transactions from it are blocked.
- Frequency of use:
  - Antifraud systems track how many transactions or actions are performed from one IP in a short period.
  - Example: If 50 payment attempts are made from one IP address per hour using different cards, this is a clear sign of fraud (so-called "brute force").
- IP change history:
  - Systems analyze how often the IP changes for one account or device. Frequent IP changes (especially to addresses from different countries) may indicate the use of a VPN/proxy to bypass checks.
  - Example: If a user uses IPs from the US, Germany and India in a day, this triggers a risk flag.
- Travel speed:
  - Antifraud systems calculate the "speed of movement" between IP addresses. If the IP geolocation changes too quickly (for example, USA → China in 10 minutes), this is physically impossible and indicates a VPN/proxy.
  - Example: The system may reject a transaction if the user has "moved" 10,000 km in an hour.
- Relationship with other data:
  - The IP address is compared with other parameters: Device Fingerprint, email, phone number, card data. Inconsistencies (for example, IP from one country, and phone code from another) increase the risk.
How scammers try to bypass IP analysis
- Using VPN: Changing your IP address via VPN (e.g. OpenVPN) to match the card region. However, many VPN servers are known to antifraud systems and are marked as risky.
- Residential Proxies: Use proxies that mimic residential IP addresses. They are more expensive but harder to detect.
- Mobile networks: Use mobile internet (4G/5G) as these IPs are often considered "trusted".
- Geolocation Spoofing: Faking GPS data via modified devices (e.g. jailbroken iPhone) to make the geolocation match the IP.
Why It Doesn't Work (Cybersecurity)
- Antifraud systems do not rely only on IP. Even if the IP matches the card region, other parameters (Device Fingerprint, behavior, transaction history) can give away the fraudster.
- Example: If you use a VPN with an American IP for a US card, but the device has a Russian localization or was previously used with a Russian IP, the system will notice a discrepancy.
- IP databases are updated in real time and popular VPN/proxy servers are quickly blacklisted.
- Law enforcement can request data from VPN providers if they keep logs, or track the real IP through leaks (for example, WebRTC).
Technical aspects
- IP Analysis Tools:
  - MaxMind GeoIP: IP geolocation database.
  - IPQualityScore: IP reputation score (spam, fraud risk).
  - ThreatMetrix: Platform for IP and other parameter analysis.
- Protocols:
  - Antifraud systems analyze HTTP/HTTPS headers to identify VPNs/proxies (e.g. X-Forwarded-For).
  - WebRTC (if enabled) can reveal the real IP even through a VPN.
- Machine learning:
  - Algorithms analyze patterns of IP activity (such as transaction clustering) and assign a "risk rating" in real time.
2. Device Fingerprinting
Device Fingerprinting is a method of collecting unique device and browser characteristics to create a "digital fingerprint" that identifies the user even if the IP, account, or data is cleared. Antifraud systems use it to track devices associated with fraud.
How Device Fingerprinting Works
- Collecting device data:
  - Hardware specifications:
    - Device model (e.g. iPhone 14 Pro).
    - Unique identifier (UDID, IDFA, serial number).
    - Screen resolution (e.g. 2556x1179).
    - The amount of RAM and storage.
    - Firmware version (for example, iOS 18.1).
  - Network parameters:
    - MAC address (in some cases, if available).
    - Connection type (Wi-Fi, 4G/5G).
    - Internet provider.
  - Software features:
    - Installed applications.
    - Localization (language, time zone, region).
    - Browser version (Safari, Chrome) and its settings.
- Browser data collection:
  - HTTP headers: User-Agent (e.g. "Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15").
  - Cookies and local storage: Even after clearing cookies, some data may remain (for example, in Web Storage or IndexedDB).
  - Fonts and Plugins: List of installed fonts, WebGL or Canvas API for rendering graphics.
  - JavaScript data: Time zone, language settings, touch support.
  - WebRTC: If enabled, may reveal the local IP.
- Creating a fingerprint:
  - The collected data is combined into a hash or unique identifier. Even small differences (such as a different time zone) create a new fingerprint.
  - Example: A device with UDID, iOS 18.1, resolution 2556x1179, language "Russian" and time zone "Moscow" generates a unique fingerprint.
- Comparison and analysis:
  - Antifraud systems compare the fingerprint with the database to identify:
    - Was the device associated with fraud (e.g. attempts to "card")?
    - Is one device used for multiple accounts or cards?
    - Have the device settings changed (for example, the language or region)?
  - Example: If one device uses 10 different Apple IDs for transactions, this is a clear sign of fraud.
- Behavioral metrics:
  - Device Fingerprinting is complemented by behavior analysis:
    - Speed of data entry (for example, copying a card number).
    - Click or scroll rate.
    - Time between actions (for example, filling out a payment form in 2 seconds is suspicious).
  - Example: A legitimate user spends 20-30 seconds entering card details, while a fraudster copies them in 3 seconds.
How AntiFraud Systems Use Device Fingerprinting
- Identification of scammers:
  - If a device has previously been used for declined transactions, it is marked as risky.
  - Example: An iPhone with a UDID associated with 5 unsuccessful payment attempts will be blocked from new transactions.
- Linking accounts:
  - The systems detect whether one device is used for multiple Apple IDs, emails, or cards.
  - Example: If 10 Apple IDs are registered from one iPhone in a day, this triggers a risk flag.
- Counterfeit detection:
  - Changes to device parameters (for example, changing language, region or firmware) are tracked.
  - Example: If the device used Russian yesterday, and today English with an American IP, this is suspicious.
- Blacklists:
  - Devices associated with fraud are added to databases (e.g. ThreatMetrix, Sift) that are shared across platforms (Visa, PayPal, Amazon).
How Scammers Try to Bypass Device Fingerprinting
- Reset device:
  - A full reset of your iPhone (factory reset) may change some settings (like IDFA), but the UDID and serial number remain unchanged.
- Device emulation:
  - Using emulators (e.g. Xcode for iOS) or virtual machines to simulate a new device. However, emulators are easily detected by the lack of hardware sensors (gyroscope, GPS).
- Firmware modification:
  - Jailbreaking an iPhone to change the UDID, MAC address, or other parameters. This is difficult and increases the risk of detection, as jailbroken devices are considered suspicious.
- Changing SIM cards:
  - Using new SIM cards for mobile internet to change network parameters. However, hardware specifications remain the same.
- Antifingerprint browsers:
  - Using browsers (e.g. Tor Browser) or plugins that block data collection (disabling WebRTC, Canvas API). However, Safari on iPhone is difficult to modify.
Why It Doesn't Work (Cybersecurity)
- Uniqueness of the device: Even after resetting the UDID, the serial number and hardware characteristics (for example, the A16 Bionic chip) remain unchanged. Apple and antifraud systems easily identify the device.
- Machine learning: Systems detect anomalies even if the fingerprint is partially altered. For example, changing the language and region on a device previously used for fraud raises suspicion.
- Cross-platform data sharing: Banks, payment systems, and stores share fingerprints via platforms (e.g. ThreatMetrix). If a device is blocked in one store, it may be blocked in others.
- Behavioural analysis: Even if the device is "new", the behaviour (such as quickly entering card details) gives away the fraudster.
Technical aspects
- Tools for Device Fingerprinting:
  - ThreatMetrix: A platform for creating and comparing fingerprints.
  - FingerprintJS: A JavaScript library for collecting browser data.
  - Sift, Kount: Antifraud platforms with Device Fingerprinting support.
- Data collection methods:
  - JavaScript: Collect data via browser APIs (Canvas, WebGL, AudioContext).
  - HTTP Headers: User-Agent, Accept-Language analysis.
  - SDK: Mobile applications (e.g. PayPal) collect data via SDK (UDID, GPS).
- Privacy:
  - Apple restricts access to some data (for example, IDFA requires user permission since iOS 14.5). However, antifraud systems still collect enough data for fingerprinting.
How IP and Device Fingerprinting Work Together
- Comprehensive analysis:
  - Antifraud systems combine IP and Device Fingerprinting data to create a complete user profile.
  - Example: If the IP is from the USA, but the device has a Russian localization and was previously used with a Russian IP, the system increases the risk rating.
- Machine learning:
  - Algorithms analyze correlations between IP and fingerprint. For example, if a device uses 10 different IPs in a day, this indicates fraud.
  - The systems assign a "risk rating" (from 0 to 100) based on all parameters.
- Real time:
  - The check is performed in milliseconds during the transaction. If the risk rating is high, the transaction is rejected or sent for manual verification.
Example scenario (in the context of carding)
- The fraudster uses an iPhone with OpenVPN (IP from the USA) and a new Apple ID to "enter" a card from the USA.
- IP analysis:
  - The system sees that the IP belongs to a well-known VPN provider (e.g. NordVPN). The risk rating increases.
  - The IP does not match the previous account history (for example, registration with a Russian IP).
- Device Fingerprinting:
  - The device has a UDID previously associated with rejected transactions.
  - The device localization is Russian, the time zone is Moscow, despite the American IP.
  - The user enters card details in 3 seconds (abnormally fast).
- Result:
  - The system assigns a high risk rating (e.g. 95/100). The transaction is declined and the device and Apple ID are marked as suspicious.
Suggestions for Study (Cyber Security)
- Testing in a legal environment:
  - Create a test payment system with Stripe or PayPal Sandbox. Use test cards to study how antifraud systems analyze transactions.
  - Experiment with different IPs (via VPN) and devices to see how the risk rating changes.
- Learning the tools:
  - Read the documentation for ThreatMetrix, Sift, or Kount to understand how they collect data.
  - Use libraries like FingerprintJS (for legal purposes) to analyze browser fingerprints.
- Traffic analysis:
  - Use Burp Suite or Wireshark to intercept HTTP headers and see what data is being sent to sites.
  - Disable WebRTC in your browser to see how it affects IP leaks.
- Protection from surveillance:
  - Set up your iPhone to minimize fingerprint:
    - Disable IDFA (Settings → Privacy → Advertising → Reset advertising identifier).
    - Use iCloud Private Relay for Safari.
    - Install a VPN (such as OpenVPN) to encrypt your traffic.
  - Use antifingerprint browsers (for example, Firefox with uBlock Origin, Privacy Badger plugins) for experiments.
- Ethical training:
  - Learn about antifraud systems to develop protection for your business or work in the cybersecurity field.
  - Take antifraud courses (for example, on Coursera, Udemy) or certification (Certified Fraud Examiner).
Why Fraud Is Ineffective
- Antifraud systems analyze dozens of parameters (IP, Device Fingerprint, behavior, transaction history), which makes bypassing virtually impossible.
- Even successful transactions are tracked by banks and law enforcement agencies. Device, IP and account data are stored and can be used for investigation.
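To make the checks described in this post concrete from the defender's side, here is an added Python example that replays the carding scenario above (legitimate buyer, then a Russian-localized device behind a US VPN exit). It is not code from the original post and not any vendor's product; the GeoIP table, the country-to-locale table, the point weights and the decision thresholds are all constructed assumptions for illustration. It combines the signals the post lists: datacenter/VPN IP, IP country vs card country, device locale vs IP country, impossible travel speed, distinct cards per IP per hour, one device linked to several accounts, a previously declined device, and abnormally fast card entry, and turns them into a 0..100 risk rating.

```python
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical lookup tables standing in for a GeoIP/reputation service
# (such as MaxMind GeoIP or IPQualityScore) and for "which locale fits this country".
GEOIP = {
    "203.0.113.": {"country": "US", "lat": 40.71, "lon": -74.01, "datacenter": True},   # hosting/VPN range
    "198.51.100.": {"country": "US", "lat": 34.05, "lon": -118.24, "datacenter": False},  # residential
    "192.0.2.": {"country": "RU", "lat": 55.75, "lon": 37.62, "datacenter": False},      # residential
}
COUNTRY_LOCALE = {"US": ("en", "America/"), "RU": ("ru", "Europe/Moscow")}  # (language, timezone prefix)


def geo_lookup(ip):
    """Return the geo/reputation record for an IP by prefix match, or None if unknown."""
    for prefix, record in GEOIP.items():
        if ip.startswith(prefix):
            return record
    return None


def device_fingerprint(device):
    """Hash stable device attributes into one identifier; changing any attribute yields a new fingerprint."""
    keys = ("model", "os", "resolution", "language", "timezone", "user_agent")
    material = "|".join(str(device.get(k, "")) for k in keys)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, used for the 'travel speed' check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class RiskEngine:
    """Scores each event 0..100 from IP, device-fingerprint, linkage and behavioural signals."""
    MAX_SPEED_KMH = 1000.0            # faster than an airliner between two events = impossible travel
    VELOCITY_WINDOW = timedelta(hours=1)

    def __init__(self):
        self.ip_cards = defaultdict(list)        # ip -> [(time, card_last4)]
        self.device_accounts = defaultdict(set)  # fingerprint -> {account ids}
        self.account_last = {}                   # account -> (time, lat, lon) of its previous event
        self.flagged_devices = set()             # fingerprints of devices with a prior decline

    def score(self, ev):
        reasons, points = [], 0
        geo, fp, t, dev = geo_lookup(ev["ip"]), device_fingerprint(ev["device"]), ev["time"], ev["device"]
        if geo is None:
            points += 20; reasons.append("IP not in geolocation database")
        else:
            if geo["datacenter"]:
                points += 25; reasons.append("datacenter/VPN IP")
            if geo["country"] != ev["card_country"]:
                points += 30; reasons.append("IP country differs from card country")
            expected = COUNTRY_LOCALE.get(geo["country"])
            if expected and (dev.get("language") != expected[0] or not dev.get("timezone", "").startswith(expected[1])):
                points += 20; reasons.append("device locale does not fit IP country")
            last = self.account_last.get(ev["account"])
            if last:
                km = haversine_km(last[1], last[2], geo["lat"], geo["lon"])
                hours = (t - last[0]).total_seconds() / 3600
                if km > 50 and (hours <= 0 or km / hours > self.MAX_SPEED_KMH):
                    points += 30; reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
        recent = {c for ts, c in self.ip_cards[ev["ip"]] if t - ts <= self.VELOCITY_WINDOW}
        if len(recent | {ev["card_last4"]}) >= 5:
            points += 30; reasons.append("many distinct cards from one IP within an hour")
        if len(self.device_accounts[fp] | {ev["account"]}) >= 2:
            points += 15; reasons.append("device shared by multiple accounts")
        if fp in self.flagged_devices:
            points += 30; reasons.append("device previously declined")
        if ev["entry_seconds"] < 5:
            points += 10; reasons.append("card details entered abnormally fast")
        score = min(points, 100)
        decision = "decline" if score >= 60 else "review" if score >= 30 else "approve"
        # Record history after scoring so that this event informs the next one.
        self.ip_cards[ev["ip"]].append((t, ev["card_last4"]))
        self.device_accounts[fp].add(ev["account"])
        if geo is not None:
            self.account_last[ev["account"]] = (t, geo["lat"], geo["lon"])
        if decision == "decline":
            self.flagged_devices.add(fp)
        return {"score": score, "decision": decision, "reasons": reasons, "fingerprint": fp}


def demo():
    """Replay the post's scenario on constructed events: one legitimate buyer, then a fraud sequence."""
    t0 = datetime(2025, 1, 15, 10, 0)
    legit_phone = {"model": "iPhone 14 Pro", "os": "iOS 18.1", "resolution": "2556x1179", "language": "en",
                   "timezone": "America/Los_Angeles", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X)"}
    fraud_phone = dict(legit_phone, language="ru", timezone="Europe/Moscow")  # same model, Russian localization
    events = [
        {"account": "alice", "ip": "198.51.100.7", "card_country": "US", "card_last4": "1111", "device": legit_phone, "entry_seconds": 25, "time": t0},
        {"account": "bob", "ip": "192.0.2.5", "card_country": "US", "card_last4": "2222", "device": fraud_phone, "entry_seconds": 3, "time": t0},
        {"account": "bob", "ip": "203.0.113.9", "card_country": "US", "card_last4": "2222", "device": fraud_phone, "entry_seconds": 3, "time": t0 + timedelta(minutes=10)},
        {"account": "carol", "ip": "203.0.113.9", "card_country": "US", "card_last4": "3333", "device": fraud_phone, "entry_seconds": 3, "time": t0 + timedelta(minutes=20)},
    ]
    engine = RiskEngine()
    return [engine.score(ev) for ev in events]


if __name__ == "__main__":
    for r in demo():
        print(r["score"], r["decision"], r["reasons"])
```

Running `demo()` gives the legitimate purchase a rating of 0 (approve); the fraudster's first attempt from a Russian residential IP with a US card scores 40 (review); the next attempt ten minutes later through a US datacenter exit adds the VPN signal, the locale mismatch and an impossible 7,500 km hop, reaching 85 (decline) and flagging the device; the "new Apple ID" on the same phone then inherits the flagged-device and account-linking penalties and is capped at 100. The weights are deliberately simple so each reason string can be traced back to one signal in the post; a production system would learn them from labelled history rather than hard-code them.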