Canvas Fingerprinting:
This browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card.
Steps:
- First, the script draws an image, often overlaid with text.
- Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its colour and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.’
- The scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive, making it one of the most commonly employed script techniques.
- Because the visitor’s specific browser and device render the image in their own way, the visitor can be narrowed down to a pool of fewer than 0.01% of total visitors.
WebGL Fingerprinting:
- WebGL fingerprinting is very similar to Canvas fingerprinting, as they both use the browser to render images off-screen.
- The WebGL API can be used to render 3D forms in the browser. With the help of the three.js JavaScript library, many 3D forms can be rendered, such as:
  - Sphere
  - Cube
  - Precomposed geometric shapes
- The test is not that reliable because it is too sensitive to changes in the environment, such as the size of the browser window or the use of the browser console.
- These changes cause the dimensions of the rendering context to be updated, which results in different rendering results when the page is reloaded.
- The methodology is still to use images to distinguish users based on their graphics drivers and device hardware.
Media Device Fingerprinting:
- This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards and audio cards, as well as all connected or linked devices like headphones.
- Media device fingerprinting is not widely used for fingerprinting functions. This is because it requires the user to grant access to their microphone and camera to get a complete list of connected devices.
Audio Fingerprinting:
- While other fingerprinting techniques force browsers to render text or an image, this technique checks how the device plays sound.
- The browser vendor and version in use, together with differences in CPU architecture, affect minute differences in the sound waves generated by a digital oscillator.
Clock Skew:
- Clock skew is a measure that can be used to identify the hardware specifications of a machine by analyzing the uneven arrival of electrical signals from a clock generator at different components.
- These differences can be affected by temperature variations in the hardware and can be analyzed with sufficient data and numerical analysis.
- This is considered an extreme measure in the field of fingerprinting.
Browser fingerprinting workflow:
Utilizing browser fingerprinting for authentication during payments as an additional layer of security and protection against fraud is helpful, but it has to be coupled with a two-factor authentication process. Two-factor authentication involves verifying a user’s identity using two different methods, such as a password and a fingerprint or a code sent to their mobile device.
Wibmo’s Trident FRM solution adds browser fingerprinting, based on canvas fingerprinting, as a third factor to create a more secure and reliable payment authentication process.
It is important to ensure that proper privacy protections and data security measures are in place, as browser fingerprinting data is unique to each user and can be used to track and identify individuals across different websites and devices. Additionally, it’s important to comply with data privacy regulations such as GDPR, CCPA, and the upcoming Digital Personal Data Protection Bill when collecting and storing browser fingerprint data.
Fingerprinting and Online Fraud Detection:
Browser fingerprinting techniques can be useful for identifying and targeting visitors with a pattern of fraudulent behaviour on a website.
These techniques can be particularly effective in identifying users who use identity-concealing techniques such as disabling cookies, using a VPN, or browsing in incognito mode.
1. In cases of account takeover, where malicious users try to hack a legitimate user’s account, fingerprinting and other user identification technologies can be used to add additional security measures to the login process for suspicious traffic only.
2. To prevent brute force or bot attacks, it is best practice to require users to solve a CAPTCHA after a certain number of failed login attempts and to lock out the user for a set time after a certain number of attempts, as such attacks often rely on automation and thus may not have the unique browser configurations of genuine users.
   a. Browser fingerprinting can detect bots through their unusual browser configurations.
   b. Multiple login attempts with the same fingerprint can signal a brute-force attack.
   c. Bots that either lack a unique fingerprint or use identical fingerprints can be spotted and investigated.
   d. It can improve CAPTCHA systems by triggering a CAPTCHA when a fingerprint is linked to suspicious activity.
3. For phishing scams, requiring email or two-factor authentication for new fingerprints attempting to log in and blocking repeatedly visited fingerprints can also be effective measures.
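The login checks in items 1 to 3, sketched as server-side decision logic that keys failed attempts and known devices on the fingerprint. This is an added example, not Wibmo's or Trident FRM's code; the thresholds, the event fields (`account`, `fingerprint`, `ts`) and the action names are assumptions chosen for illustration.

```javascript
// Added example: thresholds, event fields and action names are assumptions.
const CAPTCHA_AFTER = 3;           // failed logins per fingerprint before a CAPTCHA
const LOCKOUT_AFTER = 6;           // failed logins per fingerprint before a lockout
const WINDOW_MS = 10 * 60 * 1000;  // only failures in the last 10 minutes count

class LoginRiskEngine {
  constructor() {
    this.failures = new Map();     // fingerprint -> timestamps of failed logins
    this.known = new Map();        // account -> fingerprints seen on successful logins
  }
  // Decide how to treat a login attempt before the password is checked.
  assess({ account, fingerprint, ts }) {
    if (!fingerprint) return 'captcha';              // no fingerprint: likely automation
    const recent = (this.failures.get(fingerprint) || [])
      .filter((t) => ts - t <= WINDOW_MS);
    this.failures.set(fingerprint, recent);          // drop expired failures
    if (recent.length >= LOCKOUT_AFTER) return 'lockout';
    if (recent.length >= CAPTCHA_AFTER) return 'captcha';
    const seen = this.known.get(account);
    if (!seen || !seen.has(fingerprint)) return 'step_up';  // new device: email or 2FA
    return 'allow';
  }

  record({ account, fingerprint, ts }, success) {    // call once credentials are checked
    if (!fingerprint) return;
    if (success) {
      if (!this.known.has(account)) this.known.set(account, new Set());
      this.known.get(account).add(fingerprint);
    } else {
      this.failures.set(fingerprint, [...(this.failures.get(fingerprint) || []), ts]);
    }
  }
}

// Constructed sample: one fingerprint hammering an account, then a genuine user.
function replaySample() {
  const engine = new LoginRiskEngine();
  engine.record({ account: 'alice', fingerprint: 'fp-A', ts: 0 }, true);
  const decisions = [];
  for (let i = 1; i <= 7; i++) {
    const attempt = { account: 'bob', fingerprint: 'fp-bot', ts: i * 1000 };
    decisions.push(engine.assess(attempt));
    engine.record(attempt, false);
  }
  decisions.push(engine.assess({ account: 'alice', fingerprint: 'fp-A', ts: 9000 }));
  decisions.push(engine.assess({ account: 'alice', fingerprint: 'fp-new', ts: 9500 }));
  decisions.push(engine.assess({ account: 'alice', fingerprint: null, ts: 9600 }));
  return decisions;
}
```

Keying the failure counter on the fingerprint rather than on the account means the CAPTCHA and lockout fall on the offending device while the genuine user's known device still gets `allow`.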
Conclusion: Limitations and current scenario of browser fingerprinting:
Author: Vaibhav Chandel, Product Manager Wibmo A PayU/Naspers FinTech Company