Modern digital fraud has evolved to such an extent that it’s easier than ever for online scams or cybercrimes to bypass common filters. This means that e-commerce scams, spam, or ad fraud need more sophisticated anti-fraud methods to stop them from being a regular occurrence.
And that’s where device fingerprinting comes in.
Many fraud detection and prevention services now provide device fingerprinting, including us here at ClickCease.
But what is device fingerprinting, how does it work, and is it enough to stop fraud in its tracks?
What is device fingerprinting?
Device fingerprinting is the identification of a device by readily accessible data such as the operating system, browser in use, and even some of the hardware on the device. It is also sometimes referred to as machine fingerprinting.
The process of device fingerprinting is usually performed by software to track whether a device is genuine or not.
However, it can also be performed by apps and some websites with the necessary software installed.
Data included in device fingerprinting will usually include:
- IP address
- Device model and other hardware information such as processor chip and number of cores
- Display information, including the screen resolution or graphics card used
- Font information
- Operating system version
- Browser used and version
- Battery information
- System language settings
- System time zone
- Browser cookies
- Information about any VPNs or other software used
- The user agent or UA string
- SSL/TLS information
- Other network information
This information is conveyed using the device hash, also called the hardware hash. This information can be requested by the software in question and is used to create a unique profile of a device: the device fingerprint or device ID.
The importance of the device hash
This device hash is perhaps the most important element in identifying a device’s fingerprint. With this unique form of machine identification, services such as ClickCease can be used to understand online activity types.
The term hash refers to the string of information. There are other forms of hash, including:
Browser hash – The data relating to the browser used, the machine, and the OS it’s running on. The browser hash remains the same even if the user uses a VPN or clears their cookies. Browser fingerprinting is another way to identify fraudulent behavior, which we’ll look at shortly…
Cookie hash – Nope, not those snacks you had at that music festival last year. This relates to the data within a browser session, such as sites visited and other activities performed within the browser. This information is stored in the web cookies and is reset after every session – so a cookie hash will change
Device hash – The unique verifying data used to identify the device in question and a key element of device fingerprinting
These other forms of hashing are also used in fraud detection but are unique elements that do not have a bearing on the action of device fingerprinting.
How does device fingerprinting work?
Building a clear picture of which devices are interacting with your website, app, or service can help you identify who is doing what on your site. For example, a common way for ad fraud or click fraud to bypass filters is to change their IP address.
If a platform such as Google Ads sees that a specific IP address is clicking multiple times on an ad, it can add that IP address to an exclusion list so that it doesn’t see that ad anymore. This is one of the main methods of click fraud prevention used by ad platforms.
But by changing the IP address every time, the same device can continue to perform the same fraudulent activity. As far as Google is concerned, this is a new device every time.
Other ways to hide include user agent spoofing, or UA spoofing, which is when the device provides fake system information to the platform making the request.
But with a device fingerprint, there is, in theory, nowhere to hide.
Once that hardware and the corresponding system have been identified, it’s very hard to change that information.
What is device spoofing?
One of the main ways that fraudsters bypass device fingerprinting is to use device spoofing. This is a process where the machine will present inaccurate information about the device being used so that, for example, a server tower in Pakistan can appear to be a laptop running Chrome from the USA, or an Android phone in Kazakhstan can appear to be an iPhone in Australia.
Spoofing a device is also not that complicated. There are commonly used browsers, browser extensions, and easily accessible developer tools which make device spoofing relatively simple.
With the rise in awareness around data privacy, more people than ever are using privacy tools. Although this usually means ad blockers or tools for blocking ad trackers, device spoofing tools are also a popular way for more advanced users to be anonymous online.
What is device or machine fingerprinting used for?
There are several fraudulent activities that rely on changing the device identity or device spoofing.
- Payment or credit card fraud – also known as carding
- Advertising click fraud – read more in our complete guide to click fraud
- Account takeover or brute force attacks
- Spam attacks such as spam injection
Often these cybercrimes rely on switching between multiple (virtual) devices to successfully carry out their aims. By switching IP addresses or spoofing their device ID, they can usually slide past the off-the-shelf fraud protection used by many platforms.
But by using device fingerprinting to verify the device, fraudsters find it much harder to pull the virtual wool over the digital eyes of the specific platform.
For example, with ad fraud, fraudsters will use bots to try and process multiple clicks on a display ad. The same might also happen with a business competitor who has hired a click farm to click your search ads multiple times until it disappears from the search results.
This activity can happen usually thanks to either the use of VPNs or proxy servers – in effect, the user string changes each time, so the platform thinks someone new is clicking.
But when using device fingerprinting, suspicious behavior from a specific laptop, phone, or tablet can be flagged and, if necessary, blocked.
By tracking the activity from a user’s device or tracking device info, you can ensure this kind of malicious activity is blocked.
How ClickCease uses the device fingerprint to spot fraud
Although device fingerprinting is a key element in the fight against click fraud and ad fraud, it isn’t the only tool in the kit. But by understanding how device fingerprinting helps to identify users’ behavior, you can start to see its relevance.
IP addresses
Shared IP addresses are not always a surefire sign of fraud. For example, you might be working in a cafe or airport lounge with tens, hundreds, or even thousands of other people, all using the same WiFi connection. In this instance, multiple clicks from the same IP address are unlikely to be fraudulent.
However, there are other instances where multiple fraudulent devices might be using the same IP address or hiding behind a VPN to perform their fraud. Talking of which…
VPNs and Proxies
Many people use VPNs and proxy servers for legitimate use – for example, if they want to access data from other countries or simply don’t want people to track them online.
But by contrast, click farms will also use VPNs and proxy servers to switch their IP addresses regularly or even appear as if they are somewhere else. By using methods to identify the devices, it’s clearer that some form of fraud is occurring.
Data mismatch
One of our metrics for fraudulent ad traffic at ClickCease is the out-of-geo click. Advertisers targeting a specific area or region might get ad traffic from areas outside their target zone. This is often a result of bot traffic routing through data centers or click farms using VPNs and proxies to hide their true location.
This can also happen with devices claiming to be an iPhone or laptop but are actually those data center servers or click farm devices.
Of course, with machine fingerprinting, you have access to the data which reveals the true location and identity of the user device. If there is a data mismatch, then we have good reason to block it due to fraud, especially if there are other fraudulent actions taking place.
Is device fingerprinting effective in preventing fraud?
Although device fingerprinting is an effective tracking method to monitor a visitor’s device, it isn’t totally effective on its own. Most fraud prevention tools, including ClickCease, will use other tracking methods and data points such as cookie data, device information, click frequency, and other custom rules.
And because device fingerprinting is not a new technology, fraudsters are aware of it and have techniques to get around this form of tracking.
One typical way to avoid device fingerprinting is to use private or incognito mode on a browser. There are also specific web browsers that hide the user’s fingerprint data. More advanced users might try disabling Javascript on their devices, as this is one of the main methods of conveying information.
Fraud and digital advertising
Click fraud or ad fraud is currently the biggest and most lucrative form of online fraud. It’s often seen as a victimless crime by the perpetrators, as stealing from the ad platforms is viewed more as a Robin Hood-style stealing from the rich rather than defrauding advertisers.
In addition to this, advertisers are often focused on the metrics of getting the most impressions and clicks on their ads.
Against this backdrop, the challenge of advertising click fraud cost the marketing industry over $41 billion in 2021 alone. And this number has been steadily increasing year on year since, well… Since the start of digital advertising.
Marketers are more aware than ever of the problem of click fraud and ad fraud and taking steps to ensure they target legitimate users with their ad campaigns. Using fraud detection and blocking tools to track users and stop fake clicks has become a cost-effective way to reduce click wastage and improve return on ad spend.
And by combining device fingerprinting and other methods to verify legitimate users, ClickCease has become the industry choice for click fraud prevention.
If you run PPC ads on Google Ads, Meta for Business ads, or Microsoft Ads, you should run a traffic audit to check your exposure to fraud. With a free trial of ClickCease, you can monitor the clicks you get for yourself and see.
Get your FREE 7-day trial today and see who really clicks your ads!