Device Fingerprinting

What is a Device Fingerprint?

Identifying visitors is crucial to most web sites, whether to serve content or to track miscreants. The most common mechanism for tracking users is a simple cookie file. As browsers have evolved, many have made tracking by this method problematic (for example, by activating the browser's “incognito” mode). Cookies also fail to identify a user who uses several different web browsers on the same device. This led to the development of the device fingerprint — a unique user identifier which does not change between successive sessions and which does not depend on the selected web browser.

A device fingerprint is known by many names, including machine fingerprint, browser fingerprint, device print, user fingerprint and others. It is composed of information collected about an online computing device for the purpose of uniquely identifying that device on subsequent visits. A device fingerprint can fully or partially identify individual users or devices even when cookies and other tracking data are turned off.

Basic web browser information has long been collected by web analytics services in an effort to accurately measure real human web traffic and discount various forms of click fraud. With the assistance of client-side scripting languages, the collection of much more esoteric parameters is possible. Device fingerprints have proven useful in the detection and prevention of online identity theft and credit card fraud.

The Darkwave Technologies device fingerprint project was created to develop highly reliable code to make it simpler for developers to create a device fingerprint system for use in online fraud prevention and the prevention of general malicious behavior.

There are four common techniques for acquiring a device fingerprint: network-based web browser, Flash, JavaScript and SDK fingerprinting. Fingerprinting works the same way for desktop and laptop PCs as for mobile devices and smartphones that run full-function browsers.

Network-Based Web Browser Fingerprinting

Network-based web browser fingerprinting is useful in a pure web environment. It requires no client software, which makes deployment of the solution to large and diverse user populations manageable. Additionally, this technique does not place any logic on the client side, where it may be vulnerable to exploitation.

When a client accesses a protected application via a web browser, the system uses all of the information in the browser's HTTP request headers. As the example request below shows, a large amount of information is available to the server for distinguishing the device that is accessing the resources.

GET /scripts/login/ HTTP/1.1
Host: www.mybank.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t32vgf4932r6q9ij3kfeu140
Pragma: no-cache
Cache-Control: no-cache

Flash Fingerprinting

Flash fingerprint data is only available if Adobe Flash is present on the device. During the login process, fingerprint data is gathered from the user's Adobe Flash installation; the Flash system capability data is used as the Flash fingerprint. This technique has been losing favor over time because it does not work on all systems, especially mobile devices, and Adobe has announced that it is retiring Flash.

JavaScript Fingerprinting

JavaScript fingerprinting, which is widely used by sites, can serve as the primary digital fingerprint or co-exist with Flash fingerprinting. Many sites use both JavaScript and Flash fingerprinting: when Flash is available it is used as the primary method, and the site falls back to JavaScript only when Flash is not present.
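The following is an added example (not code from the Darkwave project) of the client-side half: a JavaScript fingerprint built from attributes the browser exposes through navigator and screen. The collector takes those objects as parameters, so the identical code runs in a browser (pass window.navigator, window.screen and new Date().getTimezoneOffset()) and under Node with the constructed stand-ins in demo(). The attribute list, the '<absent>' marker and the choice of FNV-1a as the hash are this example's own design decisions, not anything the page prescribes.

```javascript
// Added example, not code from the Darkwave project: a client-side
// JavaScript fingerprint built from browser-exposed attributes.  In a browser:
//   jsFingerprint(navigator, screen, new Date().getTimezoneOffset())

// Attribute sources: 'nav' = navigator, 'scr' = screen.
const ATTRIBUTES = [
  ['nav', 'userAgent'], ['nav', 'language'], ['nav', 'platform'],
  ['nav', 'hardwareConcurrency'], ['nav', 'deviceMemory'],
  ['scr', 'width'], ['scr', 'height'], ['scr', 'colorDepth'],
];

// Read each attribute as a string.  A property the browser does not expose
// is recorded as '<absent>': its absence is itself a signal, and recording it
// keeps the canonical form the same shape on every browser.
function collectAttributes(nav, scr, timezoneOffset) {
  const sources = { nav, scr };
  const attrs = {};
  for (const [source, prop] of ATTRIBUTES) {
    const obj = sources[source];
    const value = obj ? obj[prop] : undefined;
    attrs[`${source}.${prop}`] =
      value === undefined || value === null ? '<absent>' : String(value);
  }
  attrs['tz.offset'] = String(timezoneOffset);
  return attrs;
}

// Sorted key=value lines, so insertion order never changes the hash.
function canonicalize(attrs) {
  return Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join('\n');
}

// 64-bit FNV-1a over the UTF-8 bytes.  Chosen because it runs unchanged in
// browsers and Node with no dependency; a fingerprint is not a secret, so a
// non-cryptographic hash is acceptable for this purpose.
function fnv1a64(str) {
  let h = 0xcbf29ce484222325n;                     // FNV-1a 64-bit offset basis
  for (const byte of new TextEncoder().encode(str)) {
    h ^= BigInt(byte);
    h = (h * 0x100000001b3n) & 0xffffffffffffffffn; // FNV prime, kept to 64 bits
  }
  return h.toString(16).padStart(16, '0');
}

function jsFingerprint(nav, scr, timezoneOffset) {
  return fnv1a64(canonicalize(collectAttributes(nav, scr, timezoneOffset)));
}

// Constructed stand-ins for a browser's navigator and screen objects.
const SAMPLE_NAV = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; rv:3.5.5) Gecko/20091102 Firefox/3.5.5',
  language: 'en-US',
  platform: 'Win32',
  hardwareConcurrency: 4,
  // deviceMemory deliberately omitted: not every browser exposes it.
};
const SAMPLE_SCREEN = { width: 1366, height: 768, colorDepth: 24 };

function demo() {
  const first = jsFingerprint(SAMPLE_NAV, SAMPLE_SCREEN, 300);
  const again = jsFingerprint(SAMPLE_NAV, SAMPLE_SCREEN, 300);   // later session, same device
  const wider = jsFingerprint(SAMPLE_NAV, { ...SAMPLE_SCREEN, width: 1920 }, 300); // other display
  return { fingerprint: first, stable: first === again, distinct: first !== wider };
}

console.log(demo());
```

Attributes such as screen size and timezone offset change legitimately when a user docks a laptop or travels, so a production system treats a mismatch as a risk signal to weigh alongside the server-side header fingerprint and account history, not as proof that a new device is present.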

SDK-based Device Fingerprinting

SDK-based device fingerprinting is the most powerful form of fingerprinting, as a piece of code runs locally on the device. This typically expands the number of attributes available and, in many cases, gives access to unique hardware-based identifiers (IMEI, MAC address, etc.). Mobile application developers will usually integrate an off-the-shelf library into their apps. Mobile-specific data such as the application ID, GPS/triangulation location and the IMEI (International Mobile Equipment Identity) or MAC address (Media Access Control address) can be collected and communicated along with other device data. SDK integration can provide a more comprehensive fingerprint than other methods. In addition, by using an SDK for fingerprinting, identifying and tracking mobile devices is possible even when access is not via a browser.