What is Device Fingerprinting? (How is it used to detect fraud)

[Student]

Device fingerprinting, in the context of anti-carding, is a technology used to identify devices that commit fraudulent bank card transactions (for example, using stolen card details for purchases or withdrawals). Carding is a form of cyber fraud in which attackers use compromised credit or debit card details for unauthorized transactions. Device fingerprinting plays a key role in preventing such attacks, allowing security systems to track and block suspicious devices. Let's explore this topic in detail for educational purposes.

What are device fingerprints?​

A device fingerprint is a unique digital identifier created based on a variety of device characteristics and behavior. These characteristics are collected automatically, often without the user's knowledge, through a browser, app, or network interactions. The main categories of data used to create a fingerprint include:

1. Hardware parameters:
   • Device model (e.g. iPhone 13, Dell XPS).
   • Hardware identifiers (serial numbers, if available).
   • Screen resolution, color depth, pixel density.
   • Specifications of the processor, graphics chip, or amount of RAM.
2. Software parameters:
   • Operating system type and version (e.g. Windows 11, iOS 18).
   • Browser (Chrome, Firefox) and its version.
   • Installed plugins, fonts, browser extensions.
   • Language settings, time zone, regional options.
3. Network parameters:
   • IP address and associated geolocation.
   • MAC address (if available).
   • Information about your internet service provider or Wi-Fi network.
4. Behavioral characteristics:
   • Input speed and style (e.g. how the user types or interacts with the mouse).
   • Browsing history, if cookies or other trackers are enabled.
   • Device activity time and usage patterns.
5. Additional options:
   • WebGL and Canvas settings (graphics APIs that can generate unique "fingerprints" based on rendering).
   • Audio fingerprints (based on browser audio processing).
   • Analysis of HTTP headers that reveal information about the client.

This data is collected using JavaScript, server requests, or specialized libraries like FingerprintJS, and processed to create a unique hash or identifier. Even if some parameters vary, the data set is usually unique enough to distinguish one device from another with high accuracy.

How is device fingerprinting used to combat carding?​

Carding is a sophisticated form of fraud where criminals use stolen card details (number, CVV, expiration date) to make purchases, withdraw money, or other transactions. Device fingerprinting helps banks, payment systems, and online stores detect and prevent such activity. Here's a detailed breakdown of how it works:

1. Identification of suspicious devices:
   • Fraudsters often use a single device to test or conduct multiple transactions with different stolen cards. Device fingerprinting allows these transactions to be linked to a single source, even if different IP addresses, proxies, VPNs, or fake accounts are used.
   • Example: If a device with a specific fingerprint (such as a unique combination of browser, screen resolution, and time zone) attempts to conduct a transaction with multiple cards, the system marks it as suspicious.
2. Detecting behavioral anomalies:
   • Security systems compare the device fingerprint with the transaction history associated with a specific card. If a card previously used on a device with fingerprint A (e.g., an iPhone with a certain version of iOS) is suddenly used on a device with fingerprint B (e.g., an Android emulator running a virtual machine), this raises an alarm.
   • Anomalies may include:
     • A sudden change in geolocation (for example, a transaction from another country a few hours after the last one).
     • Use of suspicious tools such as emulators, Tor, or virtual machines, which are often used by carders.
     • Discrepancy between the declared operating system and the device characteristics (e.g. fake User-Agent headers).
3. Countering automated attacks:
   • Carders often use bots or scripts to conduct mass testing of stolen cards (known as "card testing" or "carding attacks"). These bots typically have limited or generic characteristics that are easily identified through device fingerprinting.
   • For example, if multiple transactions come from devices with the same characteristics (such as the same browser version and Canvas settings), the system may suspect an automated attack and block the device.
4. Multiple Account Control:
   • Carders often create multiple accounts at online stores or payment systems to use stolen cards for purchases or bonuses. Device fingerprinting allows one to identify that multiple accounts belong to the same device.
   • Example: If a fraudster creates 10 accounts at an online store to receive registration discounts, the device fingerprint will show that all accounts are linked to one device, which will raise suspicion.
5. Strengthening authentication:
   • In banking systems, device fingerprints are used as part of multi-factor authentication. If a transaction is made from a new or suspicious device, the system may request additional confirmation (an SMS code, biometrics, or an answer to a security question).
   • Example: If a user typically makes purchases from an iPhone with fingerprint A, and a new transaction comes from an unknown device B, the bank may temporarily freeze the transaction and request confirmation.
6. Blacklist tracking:
   • Devices associated with previous fraudulent activity are added to databases (blacklists). If a device fingerprint matches such a list, any transaction from that device may be automatically rejected or flagged for review.
   • Payment systems such as Visa or Mastercard often share device fingerprint data between banks and merchants to improve detection efficiency.

Technical aspects and implementation methods​

1. Data collection:
   • JavaScript libraries: Tools like FingerprintJS are used that collect data through the browser (e.g. Canvas fingerprinting, WebGL, fonts, plugins).
   • Server methods: HTTP header analysis, TCP/IP stacks, TLS fingerprints.
   • Mobile applications: Collect data via SDKs that analyze device parameters (IMEI, OS version, unique identifiers).
2. Analysis and hashing:
   • The collected data is converted into a unique hash using algorithms such as SHA-256. This hash becomes the device identifier.
   • To improve accuracy, machine learning algorithms are used that analyze a set of parameters and identify anomalies.
3. Integration with security systems:
   • Device fingerprints are integrated with risk management systems and anti-fraud platforms such as Sift, Kount, or Forter.
   • These platforms use fingerprints in combination with other signals (geolocation, transaction history, behavioral analysis) to make decisions about blocking or approving transactions.

Real-life application examples​

1. Online stores:
   • Carders can use stolen cards to purchase goods, which they then resell. Device fingerprinting helps stores detect when a single device is used to make purchases using multiple cards or accounts. For example, Amazon uses sophisticated device fingerprinting systems to prevent fraudulent returns and fraudulent purchases.
2. Payment systems:
   • PayPal, Stripe, and other services use device fingerprints to analyze transactions. If a device with a specific fingerprint is associated with previous payment declines or fraud, the transaction is rejected.
3. Banking apps:
   • Mobile banking apps (e.g., Sberbank, Tinkoff) collect device fingerprints to verify the legitimacy of logins and transactions. If the device doesn't match those previously used, the user may be prompted for additional authentication.

Problems and limitations​

1. Privacy:
   • The collection of device fingerprinting data can raise concerns among users because it occurs without explicit consent. In some countries (such as the EU), this is regulated by laws such as the GDPR, which require transparency in data processing.
2. Bypass by scammers:
   • Carders use advanced techniques to fake fingerprints, such as:
     • Virtual machines or emulators: Create "clean" devices with new characteristics.
     • Anti-detect browsers: Tools such as Multilogin or FraudFox allow you to fake browser parameters, IP addresses, and other characteristics.
     • Canvas/WebGL Manipulation: Modifying graphic fingerprints to create a new identifier.
3. False positives:
   • Updating the operating system, changing the browser, or even using a new Wi-Fi network can change the device fingerprint, which could be mistaken for fraud.
4. Technical limitations:
   • In mobile apps, data collection may be limited due to strict Apple and Google policies (for example, restrictions on access to IMEI or other unique identifiers).

How do carders bypass device fingerprinting?​

Carders use the following methods to make their devices difficult to identify:

• VPN and Proxy: Hide your real IP address and geolocation.
• Anti-detect browsers: Substitution of browser characteristics such as User-Agent, Canvas, fonts and plugins.
• Emulators and Virtual Machines: Creating a "new" device with clean specs.
• Reset cookies and local storage: Remove traces of previous fingerprints.
• Time and geolocation manipulation: Changing the time zone or spoofing GPS data.

However, modern anti-fraud systems are becoming increasingly sophisticated, using machine learning and behavioral analysis to detect such evasion attempts.

The future of device fingerprinting in the fight against carding​

1. AI Integration:
   • Machine learning algorithms can analyze large volumes of data and identify complex fraud patterns, even if the device fingerprint is partially tampered with.
2. Biometric fingerprints:
   • In addition to hardware and software characteristics, systems are beginning to take into account biometric data (such as typing patterns or mouse movements), making counterfeiting even more difficult.
3. Cross-platform tracking:
   • Data exchange between banks, stores, and payment systems enables the creation of global device fingerprint databases, which increases the effectiveness of carder detection.
4. Improving privacy:
   • Methods are being developed that minimize the collection of personal data while maintaining the effectiveness of fingerprints (e.g., anonymized hashes).

Conclusion​

Device fingerprinting is a powerful anti-carding tool that allows for the identification and blocking of fraudulent devices with high accuracy. It is effective due to its ability to collect and analyze numerous unique characteristics that are difficult to counterfeit. However, success depends on integration with other anti-fraud mechanisms, such as behavioral analysis, geolocation, and risk management systems. Despite carders' attempts to circumvent this technology, the constant advancement of data collection and analysis methods makes device fingerprinting an essential element of cybersecurity in the financial and commercial sectors.