Device Fingerprinting

Prerequisites

Before implementing device fingerprinting, ensure you understand:

Risk scoring concepts (fingerprinting feeds into scores)
Velocity rules (fingerprinting enables device-based velocity)
Privacy compliance requirements (GDPR, CCPA)
Account takeover patterns you're trying to detect

TL;DR

Device fingerprinting = Collecting device/browser attributes to create unique identifiers
Use cases: multi-account detection, fraud linkage, velocity rules, ATO detection
High-risk signals: device on 3+ fraud accounts, emulator/spoofing detected, Tor exit node
Build vs. buy: vendors have consortium data but require data sharing
Privacy: GDPR/CCPA may require disclosure and consent—consult legal

Identifying and tracking devices for fraud detection.

What is Device Fingerprinting?

Device fingerprinting collects attributes about a user's device and browser to create a unique identifier, enabling:

Account linking (detecting multi-accounting)
Known bad device blocking
Anomaly detection (supporting risk scoring)
Session continuity (for ATO detection)

How It Works

Collected Attributes

Category	Examples
Browser	User agent, plugins, timezone, language
Screen	Resolution, color depth, pixel ratio
Hardware	CPU cores, memory, GPU renderer
Canvas	Rendering patterns (creates hash)
Audio	Audio processing fingerprint
Fonts	Installed font list
WebGL	GPU vendor, renderer string
Behavior	Touch support, DNT setting

Fingerprint Types

Type	Persistence	Accuracy
Cookie-based	Low (cleared easily)	High when present
Browser fingerprint	Medium (changes with updates)	Medium
Device fingerprint	High (hardware-based)	High
Behavioral	Medium (learned over time)	Medium-High

Use Cases

Fraud Detection

Use Case	Application
Multi-accounting	Same device, different accounts (see promo abuse)
Fraud linkage	Connect fraud cases across accounts
Velocity rules	Transactions per device
Risk scoring	Device reputation input

Account Security

Use Case	Application
ATO detection	New device accessing account
Step-up auth	Trigger MFA on unknown device (see 3DS)
Session management	Limit active devices
Trust building	Recognize returning devices for compelling evidence

Signals for Fraud

High-Risk Device Indicators

Use these as Tier 1 and Tier 2 indicators in your fraud decisions:

Signal	Risk Level
Device seen on 3+ fraud accounts	🔴 High (Tier 1)
Device spoofing detected	🔴 High (Tier 1)
Emulator detected	🔴 High
VPN/proxy detected	⚠️ Medium
Device age < 1 hour	⚠️ Medium
Tor exit node	🔴 High

Device Anomalies

Signal	Description
Impossible combinations	iOS user agent + Windows fonts
Timezone mismatch	Browser TZ ≠ IP geolocation TZ
Language mismatch	System language ≠ expected for location
Automation indicators	Headless browser, automation flags

Implementation Approaches

Build vs. Buy

See vendor selection guide for evaluation criteria.

Approach	Pros	Cons
In-house	Full control, no data sharing	Engineering cost, maintenance
Vendor	Quick deployment, consortium data	Cost, dependency, data sharing
Hybrid	Balance of control and capability	Complexity

Popular Vendors

Fingerprint.js (open source and pro)
Iovation
ThreatMetrix (LexisNexis)
Device Authority
Castle

In-House Considerations

// Basic fingerprinting signals
const fingerprint = {
  userAgent: navigator.userAgent,
  language: navigator.language,
  screenResolution: `${screen.width}x${screen.height}`,
  timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  cookiesEnabled: navigator.cookieEnabled,
  // ... more attributes
};

Privacy Considerations

Compliance Required

Device fingerprinting may be subject to:

GDPR (consent requirements)
CCPA (disclosure requirements)
ePrivacy Directive
Local regulations

Consult legal before implementation. See compliance overview for related requirements.

Best Practices

Transparency – Disclose in privacy policy
Purpose limitation – Use only for fraud/security
Data minimization – Collect only what's needed
Retention limits – Don't keep forever
Consent where required – Cookie banners, etc.

Next Steps

Implementing device fingerprinting?

Evaluate build vs. buy - Vendor vs. in-house
Review privacy requirements - GDPR, CCPA compliance
Integrate with risk scoring - Combine signals

Already have fingerprinting?

Build velocity rules - Device-based limits
Enhance ATO detection - New device alerts
Prepare for CE 3.0 - Chargeback evidence

Detecting fraud with device data?

Check high-risk signals - What to flag
Review evidence framework - Tier 1/Tier 2 indicators
Manual review - Link fraud cases

Account Takeover - ATO detection with device data
Velocity Rules - Device-based velocity limits
Promo Abuse - Multi-account detection
Risk Scoring - Incorporating device signals
Behavioral Analytics - Complementary detection method
Evidence Framework - How device data fits Tier 1/Tier 2
Compelling Evidence - Using device data in representment
Manual Review - When device signals trigger review
Fraud Vendors - Device fingerprinting vendors
Card Testing - Bot detection patterns
3D Secure - Authentication integration

What is Device Fingerprinting?​

How It Works​

Collected Attributes​

Fingerprint Types​

Use Cases​

Fraud Detection​

Account Security​

Signals for Fraud​

High-Risk Device Indicators​

Device Anomalies​

Implementation Approaches​

Build vs. Buy​

Popular Vendors​

In-House Considerations​

Privacy Considerations​

Best Practices​

Next Steps​

Related Topics​