Why Browser Fingerprinting Has to Evolve to Support Financial Institutions & Online Marketplaces

Browser fingerprinting to recognize returning users is nothing new, but what is new is the fraud threats and privacy regulations that define today’s Internet. Online financial services and marketplaces are just two market verticals impacted by stagnating browser fingerprinting solutions, but they both stand to take serious damage from the lack of a persistent fingerprint for Web users.

What is browser fingerprinting? 

A browser fingerprint is a collection of attributes collected from a user’s browser for identification and tracking purposes. These attributes might include things like the type of browser, the software version of the browser, the user’s location, operating system, screen resolution, language, keyboard layout, and more. 

While two users might have some of these attributes in common, it’s highly unlikely that two different users on two different devices will have all of the same attributes. This makes browser fingerprinting unique enough to be used as an identifier, which makes it useful for security and fraud prevention purposes.

The problems facing online banking and marketplace platforms 

As we put more and more of our lives and commerce online, we need stronger and stronger solutions against bad actors looking to take advantage of this shift. There are numerous fraud concerns facing online platforms today, but account takeover attacks and bot attacks emerge as two threats with massive destructive potential.

Account takeover (ATO) 

Fifty years ago, if someone wanted to steal money from your bank account, they might have to commit check fraud or even rob a physical bank location. Today, you could empty someone’s account without even leaving your house. 

For online banking, device and browser fingerprints are a line of defense against account takeover attacks, one of the worst cyberattacks a financial services account can suffer. If a bad actor can take over an account, they can transfer funds out to a mule account, making recovery difficult if not impossible. The average cost of a successful ATO attempt is $12,000—the incentive for both committing and stopping account takeover is sky-high. 

While financial services accounts are arguably the worst affected by account takeovers, they represent a persistent threat for any online platform with user accounts, including online marketplaces. Everywhere users have accounts, there will be cybercriminals looking to break into those accounts. 

A fraudster who takes over a marketplace account can use it to phish from buyers or sellers, create fake listings, make purchases with on-file credit cards, or hold the account for ransom. These types of experiences with fraud suffered on a platform can turn a loyal, repeat customer into someone with a negative opinion of the brand for life.

Bot attacks

Bots are an excellent time and effort-saving tool for fraudsters and cybercriminals alike. Bots automate a lot of the tedious elements of fraud—for instance, credential stuffing a stolen password across hundreds of websites or messaging thousands of potential phishing victims. 

On online peer-to-peer marketplaces, bots can be used to automate fake account creation, fake listing creation, and phishing or data harvesting messages sent to buyers and sellers alike. The saturation of bots on a marketplace damages the user experience even if they aren’t actively victimized; no one likes having every other response to their listing being a bot asking for their phone number, for instance. 

But bots also increase the likelihood of fraudsters successfully victimizing someone in a phishing attempt or fake listing scam, because they expand the number of people that fraudsters can reach.

The problems with standard browser fingerprinting

Browser fingerprints help guard against these types of threats by recognizing the browser that an account holder usually logs in from—using attributes like screen resolution, browser type, browser version, cookies, you can make a “fingerprint” identifying a specific user. If a different browser than normal logs in, that could be a risk indicator triggering multi-factor authentication or another protection. Some fingerprinting solutions can also recognize VPNs and “incognito” mode windows, which are tools fraudsters might use to try and obfuscate their fingerprint. 

Unfortunately, as time goes on, these “static” browser fingerprints are becoming less effective for a few reasons. 

For one, browser developers and consumers alike are becoming increasingly conscious about personal data privacy, meaning that the types and amounts of data that fingerprinting solutions are allowed to collect is changing all of the time. With less information to go off of, it’s harder for fingerprints to reach the strict level of uniqueness that stands to make them an effective risk-assessment tool. 

Bad actors themselves are also adapting all the time, and browser fingerprinting developers aren’t necessarily keeping up. Many web platform administrators and fingerprinting solutions providers still think a static fingerprint is enough, but fraudsters are getting smart about how browser fingerprints work and how they can be outfoxed.

The next evolution of browser fingerprints for fraud prevention

Browser fingerprinting doesn’t have to go out to pasture as a fraud prevention measure, but it’s clear that it needs to evolve if it’s going to stand up to today’s threats.

Using machine learning for more than just risk assessment

Machine learning in browser fingerprinting solutions is nothing new, but it’s often only used in the risk assessment portion of the solution—not the actual fingerprinting. Typically, these solutions have a static fingerprint for a user, much like a still photograph, and their machine learning algorithms use that static fingerprint to assess the risk level of logins and transactions on that account. 

But because the landscape around fingerprinting is changing all of the time, it only makes sense that browser fingerprints themselves should also be dynamic. 

Incognia has recently upgraded our own web-based solution to incorporate machine learning into the fingerprinting process itself, not just the risk assessment portion. This keeps fingerprints dynamic and ready to adapt to changing fraudster tactics, user behaviors, and privacy measures.

Bot detection features 

Bots can often mimic normal user behavior—like using a browser—decently enough that typical browser fingerprinting solutions won’t immediately detect them. Including checks for common indicators of bot activity in browser fingerprinting solutions can help platforms assess the risk of widespread bot activity on their platforms and take action against affected accounts.

Managing friction and false positives 

When friction and fraud prevention aren’t balanced properly, good users become collateral damage. High friction can cause users to abandon an online transaction, and false positives are an incredibly frustrating experience that can put users off of a platform altogether. Focusing on passive fraud prevention solutions like tamper-resistant browser fingerprinting helps maintain the integrity and comfort of the user experience. 

No solution is a forever solution in fraud prevention. Bad actors evolve their tactics and technologies constantly, meaning that if fraud prevention wants to keep up, we also need to have a keen eye for innovation in our solutions. Keeping up to date with the latest, more accurate browser fingerprinting solutions is just one way to protect the user experience from fraudsters and other bad actors.