Device fingerprinting

Devices are the conduit that allow people to connect to the Internet—everything we do on the Internet starts with the device that we power on to get there.

Whether it’s a phone, tablet, laptop, or desktop computer, device fingerprinting helps websites and apps identify individual devices and, by extension, individual users, businesses, and households. This data can be an incredibly powerful tool for fraud detection and prevention, but traditional device fingerprinting hasn’t kept up with the advancement of new device technology and fraudster tactics. 

Like the name “fingerprinting” suggests, device fingerprints are meant to be unique and unchanging the same way human fingerprints are. But device fingerprinting faces some challenges that are unique to the technological world.

We’ve established that traditional device fingerprinting (DF) isn’t as strong as it could be, but to understand why, it’s important to first understand how DF works. 

Similarly to how human fingerprint analysis looks at the individual whorls and patterns on a person’s fingertips, device fingerprinting looks at different device attributes that can be combined into a unique image of that device—in essence, a fingerprint. This combination is also called a device hash and is stored server-side, unlike web cookies, which are stored client-side. 

Some examples of the device attributes used in DF include screen size and resolution, operating system, apps present on the device, IP address, browser and browser version, and time zone.

Multiple devices will have one or two of these attributes in common, but it’s highly unlikely that two devices will ever share every attribute in common. This is what makes device fingerprinting effective for uniquely identifying devices. 

Device fingerprinting is primarily used for data gathering, advertising, and fraud prevention and detection. Unfortunately, in the case of fraud prevention and detection, device fingerprinting isn’t as effective as it once was.

Today’s Internet users are much more concerned about their online privacy, and web browsers are reflecting this change in user priorities with policies that make it more difficult to collect data about certain device attributes. 

In the same vein, privacy tools like VPNs (which mask some user information, such as IP addresses) are growing more common among individual users as well as at the organization level. According to a Forbes Advisor survey, two-thirds of Americans and one-third of people globally have used a VPN at some point. In the same survey, 47% of respondents said that they use a VPN to enhance their data privacy. 

Another factor that makes fingerprinting more complex today is the constant release of new device models and operating systems. There’s also the fact that people today simply use more devices per person than in years past. Parks Associates research from 2022 showed that US households now own an average of sixteen connected devices each. When a single household is using that many devices, it becomes a lot harder than it used to be to identify a rogue device.

Lastly, fraudsters themselves have grown more sophisticated and organized as they’ve devised workarounds for online fraud prevention tactics and tools, including device fingerprinting. Bad actors can manipulate and mask their device fingerprint with little technical skill by using techniques like factory resetting a device, changing OS or screen resolution, using multiple devices, or using app cloners to run multiple instances of an app on a single device. 

All of these factors combined mean that the device fingerprinting solutions of yesterday are no longer resilient enough to accurately identify and re-identify bad actors. However, that doesn’t mean that fraud prevention using device recognition is impossible. It just means that, in the same way that fraudsters and their methods have evolved over time, device fingerprinting technology also needs to be re-imagined.

Traditional DF may be struggling to keep up, but when combined with other identification signals, it can come back stronger than ever. Location is one of those signals. 

The locations that a person frequently visits and the locations from which they conduct their online transactions can be incredibly strong indicators of their true identity. The pattern of movement that they take from their home, to their work, to their favorite coffee shop, to other places of interest is a highly unique one. When this location behavior pattern is combined with device intelligence, it’s unique enough to use as a new, stronger fingerprinting method. 

Bringing location into the mix fills in the gaps left by traditional device fingerprinting and creates something much stronger. For example, location fingerprinting is capable of re-identifying the same device even after it’s been factory reset, a longstanding vulnerability with traditional DF. 

Location fingerprinting is also unaffected by other types of device attribute manipulation like changing the screen resolution, updating the operating system, adding or deleting apps, changing the browser, and so on. Where a user lives and works is much harder to change than their device's attributes, making location fingerprinting much more resilient or ‘stickier’ than DF. 

As powerful a signal as location is, it still has to be configured properly to work at its strongest. Tamper-resistance is a must-have when using location for fraud detection and prevention or for authentication. Without tamper-resistant location technology, fraudsters can use widely available GPS spoofing apps or VPNs to mask and manipulate their true location. Using multiple location signals, such WiFi, Bluetooth, and GPS combined, can help create a comprehensive picture of a device’s location that’s impossible to spoof without detection.

It’s been mentioned a few times in this article, but risk and detection signals are often at their strongest when combined with other powerful signals. With device fingerprinting and location fingerprinting combined, fraud prevention stakeholders get a comprehensive picture of unique devices without the limitations that come from leveraging DF alone.

Incognia’s Location Fingerprint uses the best of both worlds to detect & defend against fraud

At Incognia, we’ve forged a dynamic duo: ultra-precise location paired with a proprietary device fingerprint. This combination of location and device intelligence allows Incognia to accurately identify over 99.9% of users, making it an incredibly powerful account security and fraud prevention tool. 

The added context that location intelligence provides allows platforms to take a proactive approach to fraud prevention rather than a reactive one. This in turn can lead to less resources being spent on manual review and improved downstream outcomes. 

For example, Incognia’s Suspicious Locations feature uses the data we already have about devices, fraudsters, and locations to identify locations where a high number of risky devices are grouped together. These locations can be blocked preemptively to stop fraud farming and other organized fraud attacks. That’s just one example of how Incognia’s location fingerprinting proves the best offense is a good defense. 

In the world of device fingerprinting, traditional methods are facing challenges from evolving technology and cunning fraudster tactics. Combining device and location intelligence creates the opportunity for more comprehensive fraud prevention strategies going forward. By leveraging these signals together, organizations can identify users with remarkable accuracy, enable proactive fraud prevention, and reduce the need for resource-intensive manual reviews, ultimately leading to improved outcomes in the ongoing battle against fraud.