Websites today collect troves of information about visitors, not only for advertising, business optimization and user experience, but also for security purposes.
In addition to cookies, websites use ‘fingerprinting’: collecting information about a user’s web browser, hardware, device configuration, time zone and even behavioral patterns, to recognize a returning legitimate user or flag an impostor.
While ‘fingerprints’ are useful in various ways, they’re crucial in detecting and preventing identity theft and fraud.
A browser fingerprint is a collection of information that a website gathers about a user's web browser (e.g. Chrome, Firefox, Safari, Edge) together with other data available at the time of the visit. This includes (but is not limited to):
· Browser type and version
· Screen resolution
· Time zone
· Language setting
· Browser plugins/add-ons/extensions and their versions
· The fonts installed on the user's device
· IP address
… and so on.
A device fingerprint is similar to a browser fingerprint, but it goes deeper into the device hardware – whether it’s a workstation, laptop, tablet, or even a phone – rather than just the browser. A device fingerprint typically includes:
· Operating system type and version (Windows, macOS, Ubuntu, etc.)
· Processor type and speed, amount of memory, and storage capacity
· Network information, such as the device's IP address, MAC address, and network type
· The current level of charge in the device's battery
… and the list goes on.
The two types are usually collected together, with some websites gathering far more data points than others.
Websites combine this information into a unique identifier, or “fingerprint,” that can be used to track a person’s online activity even if they switch to a different IP address or clear their cookies. More importantly, fingerprints are also a key fraud-detection signal: a login from a device that doesn't match the one on record is a reason to ask for extra verification.
Fingerprinting makes for a smoother experience with fewer login prompts, and it helps keep fraudsters out. That same strength, though, can be turned against you if the fingerprint falls into the wrong hands.
If attackers infect your device with data-stealing malware, they can lift your fingerprint, along with your cookies and saved logins, and replay it to impersonate you. The site then sees a familiar device, so the second-layer checks that would normally kick in, such as a CAPTCHA or a 2FA prompt, never fire.
Imagine your bank letting an impersonator waltz into your account simply because the web portal thinks it’s you.
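To make the mechanism concrete, here is an added example in JavaScript (not code from this article or from Bitdefender). It collects the kind of attributes listed above, hashes them into a stable identifier, and runs a server-style login check that skips the step-up challenge when the presented fingerprint matches the one enrolled for the account. The sample attribute set is constructed, and the `assessLogin` policy (exact match allows, anything else forces CAPTCHA/2FA) is an assumption made for illustration.

```javascript
// Added example: build a browser fingerprint from collected attributes and use
// it as a login risk signal. Not code from the article; names and the sample
// attribute values are assumptions made for the example.

// FNV-1a (64-bit) over the UTF-8 bytes of a string, using BigInt so the same
// code runs in Node and in a browser without a crypto library. A fingerprint
// only needs to be stable across visits, so a non-cryptographic hash is enough.
function fnv1a64(str) {
  const PRIME = 0x100000001b3n;
  const MASK = 0xffffffffffffffffn;
  let h = 0xcbf29ce484222325n;
  for (const byte of new TextEncoder().encode(str)) {
    h ^= BigInt(byte);
    h = (h * PRIME) & MASK;
  }
  return h.toString(16).padStart(16, "0");
}

// Constructed sample of the attributes the article lists, used when the code
// runs outside a browser (e.g. under Node). Every value is made up.
const SAMPLE_ATTRIBUTES = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0.0.0 Safari/537.36",
  platform: "Win32",
  screen: "1920x1080x24",
  timezone: "Europe/Bucharest",
  language: "en-US",
  plugins: ["PDF Viewer", "Chrome PDF Viewer"],
  fonts: ["Arial", "Calibri", "Segoe UI"],
  hardwareConcurrency: 8,
};

// Read the same attributes from browser globals when they exist; otherwise
// fall back to the constructed sample. Font enumeration (which in practice
// needs canvas text measurement) is left out of the browser branch.
function collectAttributes() {
  if (typeof navigator === "undefined" || typeof screen === "undefined") {
    return { ...SAMPLE_ATTRIBUTES };
  }
  return {
    userAgent: navigator.userAgent,
    platform: navigator.platform,
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    language: navigator.language,
    plugins: Array.from(navigator.plugins || [], (p) => p.name),
    fonts: [],
    hardwareConcurrency: navigator.hardwareConcurrency,
  };
}

// Canonical form: keys sorted, list-valued attributes sorted, one "key=value"
// per line, so enumeration order never changes the identifier.
function canonicalize(attrs) {
  return Object.keys(attrs)
    .sort()
    .map((k) => {
      const v = attrs[k];
      const s = Array.isArray(v) ? [...v].sort().join(",") : String(v);
      return `${k}=${s}`;
    })
    .join("\n");
}

function fingerprint(attrs) {
  return fnv1a64(canonicalize(attrs));
}

// Server-side risk decision at login (assumed policy for the example): an
// exact match with the fingerprint enrolled for the account skips the
// step-up challenge; anything else forces CAPTCHA or 2FA.
function assessLogin(enrolledFingerprint, presentedAttrs) {
  const presented = fingerprint(presentedAttrs);
  return {
    decision: presented === enrolledFingerprint ? "allow" : "step-up",
    fingerprint: presented,
  };
}

// Four constructed scenarios against one enrolled device.
function scenarios() {
  const enrolled = fingerprint(SAMPLE_ATTRIBUTES);
  // Same device, plugins enumerated in a different order: still the owner.
  const sameDevice = { ...SAMPLE_ATTRIBUTES, plugins: [...SAMPLE_ATTRIBUTES.plugins].reverse() };
  // An attacker on their own machine: OS, screen and time zone all differ.
  const attackerOwnDevice = {
    ...SAMPLE_ATTRIBUTES,
    userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_3) AppleWebKit/605.1.15 Safari/605.1.15",
    platform: "MacIntel",
    screen: "2560x1600x30",
    timezone: "America/New_York",
  };
  // Attributes lifted by malware and replayed verbatim (what a Genesis-style
  // "bot" kit does): indistinguishable from the owner by this check alone.
  const stolenReplay = { ...SAMPLE_ATTRIBUTES };
  // Sloppy replay: stolen attributes, but the attacker's own time zone leaks through.
  const sloppyReplay = { ...SAMPLE_ATTRIBUTES, timezone: "America/New_York" };
  return {
    sameDevice: assessLogin(enrolled, sameDevice).decision,
    attackerOwnDevice: assessLogin(enrolled, attackerOwnDevice).decision,
    stolenReplay: assessLogin(enrolled, stolenReplay).decision,
    sloppyReplay: assessLogin(enrolled, sloppyReplay).decision,
  };
}

console.log(fingerprint(collectAttributes()), scenarios());
```

The `stolenReplay` scenario is the point of the article: a fingerprint replayed exactly as it was stolen passes the same check that stops an attacker on their own machine, which is why a fingerprint match must never be the only thing standing between a session and a step-up prompt.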
In fact, selling fingerprints was the core business of the Genesis Market, which met its demise last week in Operation Cookie Monster. The marketplace would sell “bots” – essentially impersonation kits – that criminals could use to mimic the victim’s “fingerprint,” browser cookies, saved logins and autofill form data, and pass for the real account owner.
Europol is now advising everyone everywhere to deploy an antivirus on their devices, saying “chances are that your credentials have already ended up for sale on this criminal marketplace.”
The takedown of Genesis was barely a speed bump for criminal minds, as similar marketplaces will rise to fill the gap it left behind.
Threat actors are increasingly finding ways to systematically collect and replay complete user profiles (credentials, cookies, fingerprints and other metadata) to circumvent security systems and bypass multi-factor authentication, in what has been dubbed Impersonation-as-a-Service (IMPaaS).
Bitdefender Digital Identity Protection scans the web for unauthorized leaks of your personal data, monitoring whether your accounts are exposed and making it easy to take action before disaster strikes.
Bitdefender all-in-one plans include complete malware protection, digital identity protection, phishing protection, VPN, and password management, both on desktop and on mobile. Learn more at bitdefender.com/solutions.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.