Vaibhav Chandel, Author at Digital Payments, Payment Security and Lending

Browser Fingerprinting- Part 2

June 16, 2023 / Vaibhav Chandel

Are you all set to find out more about browser fingerprinting? We bring you Part 2 of this series. Types of Fingerprinting Techniques: Canvas Fingerprinting: The browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. Steps- First, the script draws an image, often overlaid with text. Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its colour and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.” The scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive, making it one of the most commonly employed script techniques. The visitor’s specific browser and device render images, which can be narrowed down to a pool of fewer than 0.01% of total visitors. WebGL Fingerprinting: WebGL fingerprinting is very similar to Canvas fingerprinting, as they both use the browser to render images off-screen. The WebGL API can be used to render 3D forms in the browser. With the help of the three.js JavaScript library, many 3D forms can be rendered, such as Sphere Cube Precomposed geometric shapes The test is not that reliable because it is too sensitive to changes in the environment, such as the size of the browser window or the use of the browser console. These changes caused the dimensions of the rendering context to be updated, which resulted in different rendering results when the page was reloaded. The methodology is still to use images to distinguish users based on their graphics drivers and device hardware. Media Device Fingerprinting: This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards and audio cards, as well as all connected or linked devices like headphones. Media device fingerprinting is not widely used for fingerprinting functions. This is because it requires the user to grant access to their microphone and camera to get a complete list of connected devices. Audio Fingerprinting: While other fingerprinting techniques force browsers to render a text or image, this technique checks how their devices play sound. The browser vendor and version used impact minute differences in sound waves generated by a digital oscillator and differences in CPU architecture. Clock Skew: Clock skew is a measure that can be used to identify the hardware specifications of a machine by analyzing the uneven arrival of electrical signals from a clock generator at different components. These differences can be affected by temperature variations in the hardware and can be analyzed with sufficient data and numerical analysis. This is considered an extreme measure in the field of fingerprinting. Browser fingerprinting workflow: Utilizing browser fingerprinting for authentication during payments as an additional layer of security and protection against fraud is helpful, but it has to be coupled with a two-factor authentication process. Two-factor authentication involves verifying a user’s identity using two different methods, such as a password and a fingerprint or a code sent to their mobile device. By adding browser fingerprinting as a third factor, Wibmo’s Trident FRM solution uses canvas fingerprinting and creates a more secure and reliable payment authentication process. It is important to ensure that proper privacy protections and data security measures are in place, as browser fingerprinting data is unique to each user and can be used to track and identify individuals across different websites and devices. Additionally, it’s important to comply with data privacy regulations such as GDPR, CCPA, and the upcoming Digital Personal Data Protection Bill when collecting and storing browser fingerprint data. Fingerprinting and Online Fraud Detection: Browser fingerprinting techniques can be useful for identifying and targeting visitors with a pattern of fraudulent behaviour on a website. These techniques can be particularly effective in identifying users who use identity concealing techniques such as disabling cookies, using a VPN, or browsing in incognito mode. 1.In cases of account takeover, where malicious users try to hack a legitimate user’s account, fingerprinting and other user identification technologies can be used to add additional security measures to the login process for suspicious traffic only. 2.To prevent brute force or bot attacks, it is best practice to require users to solve a CAPTCHA after a certain number of failed login attempts and to lock out the user for a set time after a certain number of attempts, as such attacks often rely on automation and thus may not have the unique browser configurations of genuine users. a. Browser fingerprinting can detect bots through their unusual browser configurations. b. Multiple login attempts with the same fingerprint can signal a brute-force attack. c. Bots that either lack a unique fingerprint or use identical fingerprints can be spotted and investigated. d. It can improve CAPTCHA systems by triggering a CAPTCHA when a fingerprint is linked to suspicious activity. 3.For phishing scams, requiring email or two-factor authentication for new fingerprints attempting to log in and blocking repeatedly visited fingerprints can also be effective measures. Conclusion: Limitations and current scenario of browser fingerprinting: Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS

Browser Fingerprinting- Part 2 Read More »

Browser Fingerprinting- Part 1

Overview: 1. A user’s device’s hardware, operating system, browser, and configuration are all included in a set of data called a “browser fingerprint.” 2. Via a simple script running inside a browser, a server can collect a wide variety of information from public interfaces called application programming interfaces (APIs), HTTP headers, device information, etc. 3. The method of gathering data from a web browser to create a device fingerprint is known as “browser fingerprinting.” Cookies vs Browser Fingerprinting: Cookies Fingerprinting: Small pieces of data are stored on a user’s computer by a web browser when they visit a website. They are used to store information about the user, such as preferences and browsing history, and to track user behaviour on the website. They are typically used to improve the user experience by remembering information about the user and their preferences, but they can also be deleted, blocked, or turned off entirely. Cookie tracking involves placing a unique identifier on a person’s web browser, and fingerprinting occurs when a company (the website owner) creates a profile of the device’s unique characteristics. The General Data Protection Regulation (GDPR) regulates the rules for covert data collection, which is why websites often ask users to approve or disapprove of cookies. Browser Fingerprinting: Information includes details about the browser, network, and device, such as the language used, keyboard layout, time zone, cookie settings, operating system version, etc. By combining all this information into a fingerprint, advertisers can recognise a user as they move from one website to another. Studies have shown that around 80–90% of browser fingerprints are unique. This is done by advertising technology companies that insert their code onto websites and collect data about online activity. Once established, a fingerprint can potentially be linked with other personal information, such as data held by brokers. GDPR: Browser fingerprinting also falls under the purview of the GDPR to protect user privacy. However, nothing has been explicitly mentioned about it. The GDPR establishes six legal grounds that enable the processing of data, including user consent and the “legitimate interest” or consent of the person doing the tracking: In the context of browser fingerprinting, these general rules apply as follows: Companies using fingerprinting must ensure that their interests in tracking user information do not override the user’s fundamental rights and freedoms, including their privacy. The website must also provide detailed information to the user about the scope, purposes, and legal basis of the data processing. Fingerprinting should be transparent when using and processing data about anonymous visitors. *Browser fingerprint technology has enabled marketers to run targeted campaigns on the internet at any stage of the marketing funnel. Parameters and the Math: Uniqueness: It means to provide enough ground for identification; the more unique a fingerprint, the more identifiable it is. When the fingerprint has an attribute, whose value is only present once in the whole dataset or when the combination of all its attributes is unique in the whole dataset. Stability: This links the browser fingerprints that belong to the same device. For stability, the quantity of modified information (each time the user’s fingerprint is obtained) should be as small as possible. Entropy: Defines the amount of uniqueness that a specific property exposed by the browser (such as the User-Agent header) introduces into a browser fingerprint. Usually expressed in bits, the higher the entropy, the more unique and identifiable a fingerprint will be. After the new dataset is tested repeatedly, giving similar correlated probability outputs, we can say that a technique is effective in terms of its ability to say that a fingerprint is unique! Blueprint: Using Browser Fingerprinting for Authentication Information gathered: Browser fingerprinting can gather a lot of information (more than 100 data attributes) from a browser, for example: Device model Operating system Browser version User time zone Preferred language settings Keyboard layout Ad blocker used Screen resolution Tech specs of the CPU graphics card, etc. The logic is to have enough specifics about a user’s device and settings to pinpoint them in a sea of internet users. A specific fingerprinting technology employs several cutting-edge browser identification methods to gather over 100 individual signals. These signals are combined with server-side analysis and deduplication to generate a visitor ID, providing a persistent and valuable abstraction of a browser fingerprint, which can be volatile if a user changes settings or updates software on their device. Watch out this space for Part 2! Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company BaaS