Thursday, June 16, 2016

What is Device Fingerprinting ?

Device Fingerprinting is a technology using which information can be collected from a remote device so that the device can be identified uniquely. This technology is used to determine whether a computer being communicated is a trusted one. It does so by measuring various parameters like browsing data, Operating Systems, connection attributes etc and then by determining a risk profile of the device using which the trust factor of the device can be determined.

Why do we need Device Fingerprinting ?

Using a fake account, username, email address or IP address for each fraud attack is easy for a cyber criminal. But, using different devices each time is not so simple. And, that is the main motivation behind Device Fingerprinting.

Using Device Fingerprinting, a service provider can uniquely identify and track the device that accesses the service. It can determine the trust factor of the device, based upon which it can determine fraudulent activities and blacklist a fraudulent device once detected.

Device Fingerprinting is a powerful tool which can recognise returning criminals, even if he changes his name, IP address or browser cookies.

How does Device Fingerprinting detect fraudulent activities ?

Device Fingerprinting can detect a fraudulent device in a number of ways :

  • It can detect anomaly in a device based on factors like – whether the real IP address and location of the device are hidden, whether the device is a part of a botnet (What is a botnet ? ) etc.
  • It can fingerprint a device based upon whether the connected device is trying to exfiltrate a large amount of data over a short period of time and take decision based on that.
  • It can determine whether any fraudulent activities were done previously from the same device, ISP or location and determine trust factor of the device based on that.
  • It can determine whether accounts or subscripions from the connected device are being accessed or shared illegally.
  • It can even blacklist a device based on whether the device was previously found to be involved in any fraudulent activities.

Characteristics of Device Fingerprinting

A Device Fingerprinting solution should have the following characteristics :

  • Uniqueness – The device should be well differentiated from other devices based on the factors on which fingerprinting is done. In other words, the fingerprint should contain enough entropy.
  • Persistence – The fingerprint should be able to be used for a considerablt long amount of time. For example, fingerprints based on Operating Systems data is more persistent than that on browser data.
  • Resistance – The fingerprints should be resistent, i.e. it should not be able to be tampered easily by the fraudsters. For example, fingerprints based on cookies are not much resistant, as it can easily be deleted or copied.
  • Integration – Device Fingerprinting technology used should be easily integrated with the business requirements. For example, it is good if a set of web-APIs enable integration of Device Fingerprinting into the existing business.
  • Zero Impact – Device Fingerprinting solution should have no significant impact on customer experience and IT infrastructure. Customers should not need to install some additional software or use some hardware token.
  • No Delay – There should be no signifacnt delay in the Device Fingerprinting solution. It should be able to calculate device risk in real time.
  • First-time Fraud Detection – Device Fingerprinting solution should be able to effectiuvely protect against first-time fraud attempts. It can be done by looking at a number of factors like whether the device is hiding its IP, location or Geo, whether the device is compromised by malware or part of a botnet etc.

Various methods of Device Fingerprinting

There are two types of Device Fingerprinting :

  • Active Fingerprinting
  • Passive Fingerprinting

Active Fingerprinting

Active Fingerprinting is invasive and it requires the device to be fingerprinted to install additional software. It can access unique parameters of the device like drive serial number, device MAC address etc, based on which it can calculate the risk profile of the device. This method is more accurate, but as it requires end users to install additional software and give permissions, it may not be feasible always.

Passive Fingerprinting

Passive Fingerprinting is done without any obvious query to the client machine and hence, it is less invasive. It mainly uses information on TCP connection, Operating Systems, browser settings etc to profile the device. These attributes are mostly anonymous and has relatively less impact on the customer's privacy. As a result, this method is quite feasible for ecommerce, online media or retail financial businesses.

Passive Fingerprinting can be done using a number of methods :

  1. Browser TaggingIt uses information like cookies etc to identify a returning user.
  2. Browser FingerprintingIt uses information on HTML, Javascript, Flash etc available in the browser to profile the device. It may also use a combination of information like screen resolution, browser type, clock time, timezone, language etc to create a fingerprint.
  3. HTTP FingerprintingIt uses information available while communicating to the device using an HTTP connection. The information may include HTTP compression type, proxy support, language etc.
  4. Operating Systems FingerprintingThis method mainly makes use of Operating Systems data to profile the device.
  5. TCP FingerprintingIt uses information available on a TCP connection with the device, like connection speed etc.

Where is Device Fingerprinting used ?

Device Fingerprinting is used for fraud detection, protection against account hijacking, anti-bot and anti-scraping services, enterprise security management, protection against DDoS attacks etc. Bank or financial transactional websites can use Device Fingerprinting to isolate fraudulent patterns and stop them before causing any damage.

Device Fingerprinting can also be used for real-time targeted marketing, campaign measurement, profiling customers, limiting devices for accessing specific services etc, though the use of Device Fingerprinting for certain purposes raise the question of privacy.

Device Fingerprinting and Privacy

Use of Device Fingerprinting in certain cases does raise a concern for privacy advocates. Though this technology is mainly used for online fraud detection, it can pose a potential privacy concern for users if used otherwise.

For example, device profile obtained through Device Fingerprinting can be used for :

  • identify a user
  • track and analyse a user's browsing activity
  • collect enough information about the user to draw inferences about him or her

And, this can lead to a number of privacy concerns.

For example :

  • There can be a number of reasons a user would want to remain anonymous online. The reasons may include concerns about surveillance, personal safety, concerns about discrimination etc. Using Device Fingerprinting, an application or service provider may be able to identify a user, by looking at the fingerprint of the device. And, this may lead to serious privacy concern, as the information collected can be used by an adversary for causing harm or damages.
  • Device Fingerprinting can be used to track and analyze a user's browsing activities for the purpose of online marketing and advertising. This is no doubt a privacy concern if it is done without the knowledge of the user.
  • Using Device Fingerprinting, a service provider can draw inferences about a user. For example, information on device CPU and Operating Systems may reveal information about the user's purchasing capability and proclivity. And, this information can be exploited to discriminate a person from others, which is no doubt an invasion of privacy.

Ideally, if a service provider wants to implement Device Fingerprinting for a purpose other than online fraud detection, it should do the following :

  • The service provider should get explicit consent from the user, if the technology is used for the purpose of any advertising, marketing research or website analytics
  • The service provider should give detailed information about the fingerprinting, like how the data will be collected, used or the purpose of the data collection.

So, Device Fingerprinting is a technology which is a boon to us for the detection and prevention of online fraud, and rather a bane of us if used otherwise. This article just gave an introductory information about Device Fingerprinting. Hope it helped.

No comments:

Post a Comment