Fingerprinting in Web and Mobile Applications
Fingerprinting or digital fingerprint is a technology for identifying users by gathering data about their device (such as a smartphone or computer), browser characteristics, and system information.
A digital fingerprint is an effective tool for data collection and user identification. It is anonymous and doesn't require any particular actions from the user. For example, it makes it possible to get the necessary data and recognize a user in the system without them having to enter a username or password.
How does it work?
The user's browser provides some data to the web server, for example, when the user types in the website address. To display the site correctly, it requires information about the screen resolution, operating system, location, language, and other settings.
Meanwhile, fingerprinting scripts like FingerprintJS can gather data about the user's browser, obtaining information about the browser and computer's characteristics.
When this data is processed, users are assigned a unique identifier (code), which becomes their fingerprint.
Fingerprint is an anonymous identifier that contains information about users' browser settings and capabilities. It is obtained based on various open data, for example:
- Browser type and version
- Type of operating system
- Time zone
- Browser interface language
- Fonts set
- User`s preferences for non-tracking (Do not Track)
- List of installed plugins
- Geolocation access settings
- Screen resolution
- Battery level
- Alerts and push notifications settings
- Touch input support
- Enabled browser Cookies
- IP addresses and other types of data
What can fingerprinting be used for?
- Personal data or credit cards fraud detection and prevention.
For example, a fingerprint can help identify if a mobile or web banking session has been intercepted, track the origin of transactions, and compare them with previous purchases. It can also provide protection against bots that gain access to user accounts using stolen credentials.
- Prevention of multiple accounts being registered by the same user on devices exhibiting suspicious activity.
- Protection against password and username hacking attacks.
For example, if suspicious activity is detected, such as an unsuccessful attempt to log in from a new device, the user may be prompted to complete two-factor authentication or verify their email address. Additionally, a captcha or account block may be applied after several failed login attempts.
- Checking if a request is originating from a device or system that has been previously identified in fraudulent activities. A vivid example is a bot attempting to hack into a user's bank account.
- Setting up personalized targeted advertising campaigns based on the data collected by the server. In this case, targeting accuracy is higher compared to using only IP addresses.
- Performing internal analytics, which lets developers gather data on user actions (viewed pages, clicks, mouse movements, etc.). This allows them to gain insight into what catches the user's attention, what they find interesting, and what they like or dislike. By analyzing this information, we can improve our web and mobile applications.
Fingerprinting implementation cases from our experience
In the Miloan.ua microloan service project, we incorporated an attribute that identified if another user had previously requested a loan from this device. If the attribute returned a positive result, we checked whether the users were connected or related. If so – say these were a husband and wife – the same scoring rules were applied to them. If the users were unrelated, they increased the user risk score.
In the credit service project Cashpoint.ua, we utilized a feature that determined if there was already an active loan application from the user's current device. If so, the submission of any further credit requests was restricted.
When developing a project, it's crucial to ensure the reliability of processing and storing customers' personal data.
Thus, by implementing fingerprinting technology on your project, you will not only enhance data protection but also gain a powerful tool for combating fraud.