What is Device Fingerprinting?

Device fingerprinting collects technical attributes of a device — browser version, screen resolution, installed plugins, time zone, and more — to create a unique identifier that can detect when the same device is used across multiple fraudulent transactions.

What Is Device Fingerprinting?

Device fingerprinting is a technique that identifies a specific device -- a computer, smartphone, or tablet -- based on its unique combination of technical characteristics. Just as a human fingerprint is a unique pattern that identifies an individual, a device fingerprint is a unique profile created from the hardware and software attributes of a device.

When you visit a website or use an app, your device shares a surprising amount of technical information: your browser type and version, your operating system, your screen resolution, your time zone, your language settings, your installed fonts, your graphics card capabilities, and much more. Individually, none of these details is unique to you. But when you combine them all together, the resulting profile is remarkably distinctive. The EFF's Panopticlick study found that over 80% of the browsers it tested had a unique fingerprint, rising above 90% when plugins such as Flash or Java were present, without using cookies or any other stored identifier.

In the context of payment security, device fingerprinting is used to recognise devices that have been previously associated with fraudulent activity and to detect when something about a device does not match expected patterns.

How Device Fingerprinting Works

When a customer initiates a transaction (typically an online or in-app payment), the payment system collects a range of technical data points from their device. These data points are processed to create a unique identifier -- the device fingerprint. This fingerprint is then compared against databases of known devices, including devices previously linked to fraudulent transactions.

What Data Is Collected?

The specific data points vary between providers, but commonly include:

  • Browser information -- the browser name, version, rendering engine, and supported features
  • Operating system -- the OS name, version, and architecture (32-bit or 64-bit)
  • Screen and display -- screen resolution, colour depth, and pixel ratio
  • Language and locale -- the language setting, character encoding, and time zone
  • Installed plugins and fonts -- the list of browser plugins and system fonts, which varies significantly between devices
  • Hardware characteristics -- the number of CPU cores, available memory, graphics card (via WebGL rendering), and audio processing characteristics
  • Network information -- the IP address, connection type, and whether a VPN or proxy is being used. Unlike the attributes above, these are observed by the server rather than reported by the device, typically by matching the source IP against geolocation, hosting-provider and VPN/proxy range lists
  • Canvas and WebGL fingerprinting -- the device is asked to render specific graphics, and the subtle differences in how different hardware and software combinations render these graphics create a unique signature

Creating the Fingerprint

All of these data points are combined into a single identifier, typically by serialising them in a fixed order and hashing the result. This identifier is not tied to the user's name or personal information -- it simply represents a specific combination of device attributes. A hash on its own cannot tolerate change: if any attribute changes (for example, the user updates their browser or installs new fonts), the hash changes completely. Systems that need to keep recognising a device across such changes therefore also store the underlying attributes and compare them against a similarity threshold, giving more weight to stable, hardware-derived signals (canvas or WebGL output, CPU count) than to values that change with routine updates (the browser version string).

How Device Fingerprinting Prevents Fraud

Device fingerprinting is used in several ways to detect and prevent payment fraud:

Known Fraudulent Devices

When a device is identified as having been used for fraudulent transactions, its fingerprint is added to a blacklist. If the same device attempts another transaction -- even using a different card, a different account, or a different IP address -- the fingerprint match alerts the system. This is particularly effective against repeat fraudsters who use the same device for multiple attacks.

Device-Account Mismatch

If a legitimate customer always makes purchases from the same laptop and smartphone, the system learns to associate those device fingerprints with their account. If a transaction suddenly comes from a completely different device, it raises a flag. This could indicate that the customer's account has been compromised and someone else is using it.

Multiple Accounts, One Device

Fraudsters sometimes create multiple accounts to circumvent velocity checks or abuse promotional offers. Device fingerprinting can detect when multiple supposedly separate accounts are all being used from the same device, which is a strong indicator of fraudulent activity.

Detecting Automation and Bots

Automated fraud tools (bots) often have distinctive device fingerprints. Automation frameworks commonly set the navigator.webdriver flag, headless browsers announce themselves in the user-agent string (for example "HeadlessChrome"), and scripted clients may report no plugins or fonts, an unusual screen size, or combinations that real devices do not produce, such as a mobile user agent with a desktop-sized screen. Device fingerprinting can identify these bot signatures and block automated attacks.

Proxy and VPN Detection

As part of the fingerprinting process, the system can detect when a user is routing their connection through a VPN or proxy server to disguise their true location, usually by checking the source IP against known VPN, proxy and hosting-provider ranges and by cross-checking the IP's geolocation against what the device itself reports, such as its time zone and language. While using a VPN is not inherently suspicious, it can be a risk factor when combined with other indicators -- especially if the VPN exit point is in a different country from the card's billing address.
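The rules described in the sections above, as an added example in JavaScript (not Paytia's code): a small risk engine keeps per-account and per-device history and applies the known-device denylist, device-account mismatch, multi-account, automation and proxy/VPN checks to a constructed stream of checkout events. The denylisted fingerprint, the thresholds and the allow/step-up/review/block policy are assumptions made for the example; the IP-derived country and time zone would in practice come from a server-side geolocation lookup on the source address.

```javascript
// Added example (not Paytia's code): fingerprint-based fraud rules applied to
// a stream of constructed checkout events. Each event carries the device
// fingerprint computed at checkout plus a few network/automation signals.

// Fingerprints previously tied to fraud (constructed value for the example).
const FRAUD_DENYLIST = new Set(['fp-bad-7f3a']);

// Rule threshold is an illustrative assumption, not an industry value.
const MAX_ACCOUNTS_PER_DEVICE = 3;

function createRiskEngine() {
  const accountDevices = new Map(); // account -> Set of fingerprints seen for it
  const deviceAccounts = new Map(); // fingerprint -> Set of accounts seen on it

  function evaluate(tx) {
    const flags = [];
    const { account, fingerprint: fp, signals = {} } = tx;

    // 1. Known fraudulent device, regardless of the card, account or IP used.
    if (FRAUD_DENYLIST.has(fp)) flags.push('denylisted_device');

    // 2. Device-account mismatch: the account has history, but never from this device.
    const seenDevices = accountDevices.get(account);
    if (seenDevices && seenDevices.size > 0 && !seenDevices.has(fp)) {
      flags.push('new_device_for_account');
    }

    // 3. Many accounts from one device (promo abuse, velocity-check evasion).
    const accounts = deviceAccounts.get(fp) || new Set();
    if (!accounts.has(account) && accounts.size + 1 > MAX_ACCOUNTS_PER_DEVICE) {
      flags.push('multi_account_device');
    }

    // 4. Automation signals: WebDriver flag or a headless user-agent string.
    if (signals.webdriver === true || /HeadlessChrome/.test(signals.userAgent || '')) {
      flags.push('automation');
    }

    // 5. Proxy/VPN indicators: IP-derived country disagrees with the billing
    //    country, or IP-derived time zone disagrees with the browser's.
    if (signals.ipCountry && signals.billingCountry && signals.ipCountry !== signals.billingCountry) {
      flags.push('ip_billing_country_mismatch');
    }
    if (signals.ipTimezone && signals.browserTimezone && signals.ipTimezone !== signals.browserTimezone) {
      flags.push('timezone_mismatch');
    }

    // Record history after evaluation, so the first transaction sets the baseline.
    if (!accountDevices.has(account)) accountDevices.set(account, new Set());
    accountDevices.get(account).add(fp);
    accounts.add(account);
    deviceAccounts.set(fp, accounts);

    // Illustrative policy: hard signals block, two soft signals go to review,
    // one soft signal triggers step-up authentication.
    let action = 'allow';
    if (flags.includes('denylisted_device') || flags.includes('automation')) action = 'block';
    else if (flags.length >= 2) action = 'review';
    else if (flags.length === 1) action = 'step_up';
    return { account, fingerprint: fp, flags, action };
  }
  return { evaluate };
}

// Constructed event stream (not real data), in arrival order.
const SAMPLE_EVENTS = [
  { account: 'alice', fingerprint: 'fp-alice-laptop',
    signals: { ipCountry: 'GB', billingCountry: 'GB', ipTimezone: 'Europe/London', browserTimezone: 'Europe/London' } },
  { account: 'alice', fingerprint: 'fp-alice-laptop', signals: { ipCountry: 'GB', billingCountry: 'GB' } },
  // Alice's account, but an unseen device behind a foreign exit point.
  { account: 'alice', fingerprint: 'fp-unknown-01',
    signals: { ipCountry: 'NG', billingCountry: 'GB', ipTimezone: 'Africa/Lagos', browserTimezone: 'Europe/London' } },
  // Four promotional accounts from one device.
  { account: 'promo1', fingerprint: 'fp-farm', signals: {} },
  { account: 'promo2', fingerprint: 'fp-farm', signals: {} },
  { account: 'promo3', fingerprint: 'fp-farm', signals: {} },
  { account: 'promo4', fingerprint: 'fp-farm', signals: {} },
  // Denylisted device driven by a headless browser.
  { account: 'bob', fingerprint: 'fp-bad-7f3a',
    signals: { userAgent: 'Mozilla/5.0 HeadlessChrome/120.0', webdriver: true } },
];

function runSample() {
  const engine = createRiskEngine();
  return SAMPLE_EVENTS.map((e) => engine.evaluate(e));
}
```

The history maps are in-memory here; a production system would hold them in a shared store keyed by account and fingerprint so that every checkout node sees the same baseline, and the fingerprint itself would come from the tolerant matching step rather than an exact string.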

Device Fingerprinting and Telephone Payments

Device fingerprinting is primarily an online fraud prevention tool. In a traditional telephone payment, where a customer calls and provides their card details to an agent, there is no device to fingerprint in the conventional sense -- the customer is using a telephone, not a web browser.

However, there are parallels in the telephone world. The calling device (phone number, carrier, whether it is a mobile or landline, VoIP detection) can provide some of the same fraud intelligence. A call from a known VoIP service associated with fraud, or from a phone number that has been used in previous fraudulent transactions, serves a similar purpose to a flagged device fingerprint in the online world.

For businesses that operate both online and telephone payment channels, device fingerprinting provides valuable cross-channel intelligence. If a device has been flagged for online fraud, and the same individual then attempts to make a purchase by phone (perhaps because they know the online channel is better protected), the fraud intelligence from the device fingerprint can inform the risk assessment of the telephone transaction.

Additionally, for businesses that offer IVR-based telephone payments or use apps and web portals alongside their phone channel, device fingerprinting can be applied to the digital touchpoints in the customer journey, even if the final payment is completed by phone.

Privacy Considerations

Device fingerprinting raises legitimate privacy concerns, and businesses need to approach it responsibly. Unlike cookies, which can be cleared by the user, device fingerprinting is largely invisible and difficult for users to prevent. This has led to regulatory scrutiny in some jurisdictions.

Under GDPR and the UK Data Protection Act 2018, device fingerprinting that identifies or could identify an individual is subject to data protection rules. The ePrivacy Directive (implemented in the UK as PECR, with the ePrivacy Regulation as its proposed successor) also covers device fingerprinting: reading information from a user's device requires consent unless it is strictly necessary to provide a service the user has explicitly requested.

When used specifically for fraud prevention, there are stronger legal grounds for device fingerprinting -- the "legitimate interest" basis under GDPR is often applicable, as preventing fraud is widely recognised as a legitimate interest that can justify processing certain data without explicit consent. However, businesses should still be transparent about their use of device fingerprinting, explain it in their privacy policy, and ensure they are not using the data for purposes beyond fraud prevention without appropriate consent.

Practical Considerations

If you are implementing or evaluating device fingerprinting as part of your fraud prevention strategy, here are some key points:

  • It is one layer, not a complete solution -- device fingerprinting works best alongside other fraud prevention tools like AVS, CVV checks, velocity monitoring, and risk scoring
  • Accuracy degrades over time -- as users update software, change settings, or replace devices, fingerprints change. The system needs to handle this gracefully without treating every browser update as a new suspicious device
  • Sophisticated fraudsters can spoof fingerprints -- advanced fraud tools can manipulate device attributes to create false fingerprints or mimic legitimate devices. Device fingerprinting is an arms race, and the technology needs to keep evolving
  • Balance security with privacy -- collect only the data points you need for fraud prevention, be transparent about what you collect, and ensure your practices comply with applicable data protection laws
  • Consider your provider carefully -- device fingerprinting capabilities vary significantly between providers. Evaluate accuracy, false positive rates, privacy compliance, and integration complexity

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates device fingerprinting as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is device fingerprinting?

Device fingerprinting collects technical attributes of a device — browser version, screen resolution, installed plugins, time zone, and more — to create a unique identifier that can detect when the same device is used across multiple fraudulent transactions.

Is device fingerprinting required by PCI DSS?

No. PCI DSS governs how cardholder data is stored, processed and transmitted and does not mandate device fingerprinting. Device fingerprinting is a fraud-prevention control that sits alongside PCI DSS: the standard protects the card data itself, while fingerprinting helps decide whether a particular transaction should be trusted.

How does Paytia handle device fingerprinting?

Paytia implements device fingerprinting as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.
