Fraud detection systems’ use of device fingerprinting could be a toothless device as cyber criminal have a manual out on how to bypass the feature, researchers said.
The manual describes how to bypass the layered protection found in several fingerprinting systems, said researchers at Trusteer.
“This approach collects a myriad of session attributes to ‘fingerprint’ the endpoint device, including IP address and type and version of browser and operating system. Using this information, fraud detection systems can, for example, detect when a single device is being used to place multiple orders with different user credentials – a practice typically indicative of fraud,” the researcher said.
The tutorial explains the usage of commercial VPNs, and proxy services will work to defeat the IP protections within the fingerprinting systems, and adds information on how to make sessions from a single system appear as if they originate from different computers, operating systems, and browsers by altering the user agent headers.
“This tutorial demonstrates that cybercriminals have achieved a sophisticated level of understanding of device fingerprinting techniques and are exploiting this knowledge to evade fraud prevention systems that rely on the browser’s User-Agent header to detect cybercrime,” Trusteer said.
“Because fraudsters can easily manipulate the browser’s User-Agent header information, device fingerprinting solutions that rely solely on User-Agent data should be considered unreliable.”