Fingerprinting

Why cashiers ask for your postal code when you pay using a credit card

Rafał Rybnik
Oct 4, 2020 · 8 min read
(Fig. by Author)

Why not only storage-based

However, these methods are sometimes ineffective. Users can easily turn off or clear browser storage. Browsers are also developing methods to restrict tracking.

Why the cashier needs my postal code

Do you know why cashiers often ask for your postal code when you pay using a credit card?

  • in combination with the digits of the credit card, it is unique enough,
  • customers generally don’t mind sharing it.

Just two characteristics are enough to identify a consumer between his or her visits. (Fig. by Author)
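
The effect of combining two weak attributes can be measured. The following is an added example, not code from the original article: it groups a constructed list of six fictional customers into anonymity sets and reports how many of them each attribute singles out, alone and combined. The field names `postalCode` and `cardDigits` are assumptions, and the same function works for any set of browser attributes.

```javascript
// Constructed sample data: six fictional customers, not real card or postal data.
const customers = [
  { name: 'A', postalCode: '00-950', cardDigits: '4821' },
  { name: 'B', postalCode: '00-950', cardDigits: '1177' },
  { name: 'C', postalCode: '30-059', cardDigits: '4821' },
  { name: 'D', postalCode: '30-059', cardDigits: '9034' },
  { name: 'E', postalCode: '80-001', cardDigits: '1177' },
  { name: 'F', postalCode: '80-001', cardDigits: '9034' },
];

// Group records by the chosen attributes. Each group is an anonymity set:
// the records an observer cannot tell apart using only those attributes.
function anonymitySets(records, keys) {
  const sets = new Map();
  for (const record of records) {
    // JSON keeps values that contain separators from colliding.
    const id = JSON.stringify(keys.map((k) => record[k]));
    sets.set(id, (sets.get(id) || 0) + 1);
  }
  return sets;
}

// Summarise how identifying a combination of attributes is in this population.
function identifiability(records, keys) {
  const sets = anonymitySets(records, keys);
  let unique = 0; // records that are alone in their anonymity set
  let entropyBits = 0; // Shannon entropy of the combination, in bits
  for (const count of sets.values()) {
    if (count === 1) unique += 1;
    const p = count / records.length;
    entropyBits -= p * Math.log2(p);
  }
  return { groups: sets.size, unique, entropyBits };
}

// Compare each attribute alone with the two combined.
function compare(records = customers) {
  return {
    postalOnly: identifiability(records, ['postalCode']),
    digitsOnly: identifiability(records, ['cardDigits']),
    combined: identifiability(records, ['postalCode', 'cardDigits']),
  };
}

console.log(compare());
```

In this sample neither attribute alone isolates anyone, while the pair isolates all six customers.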

What is fingerprinting?

Websites can adopt a similar strategy.

  • track users in cross-domain context,
  • identify pseudonymous users (when a browser fingerprint is correlated with an email address or other identifying information),
  • fraud detection.
Maybe digital fingerprints are not as permanent as this woman’s ID tattoo, but they can still be used to effectively identify users. (Pic. by thephuketnews)

Passive fingerprinting

Every request contains many characteristics that could be used to differentiate users. These properties can be discovered passively, without code execution on the user device.
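
As an added example (not code from the original article), the sketch below derives an identifier from the IP address and a few request headers, and shows that it survives clearing cookies. The `{ ip, headers }` request shape, the header selection and the sample requests are assumptions constructed for illustration; FNV-1a is used here only as a compact stand-in hash.

```javascript
// Headers the server receives on every request; no client-side code is needed.
const PASSIVE_HEADERS = ['user-agent', 'accept', 'accept-language', 'accept-encoding'];

// FNV-1a (32-bit, over UTF-16 code units): a small non-cryptographic hash,
// used only to turn the collected values into a short identifier.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash.toString(16).padStart(8, '0');
}

// Build a fingerprint from the IP address and passive headers of one request.
// `req` is a hypothetical { ip, headers } object, not a specific framework's type.
function passiveFingerprint(req) {
  const headers = new Map();
  for (const [name, value] of Object.entries(req.headers)) {
    headers.set(name.toLowerCase(), String(value).trim()); // header names are case-insensitive
  }
  // Cookies are deliberately ignored: they are storage-based, not passive.
  const values = [req.ip, ...PASSIVE_HEADERS.map((name) => headers.get(name) || '')];
  return fnv1a(JSON.stringify(values));
}

// Constructed sample requests (documentation IP ranges, made-up header values).
const browserHeaders = {
  'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0',
  Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Language': 'pl-PL,pl;q=0.9,en;q=0.8',
  'Accept-Encoding': 'gzip, deflate, br',
};
const firstVisit = { ip: '203.0.113.7', headers: { ...browserHeaders, Cookie: 'sid=abc123' } };
const afterClearingCookies = { ip: '203.0.113.7', headers: { ...browserHeaders } };
const otherVisitor = {
  ip: '198.51.100.23',
  headers: { ...browserHeaders, 'Accept-Language': 'en-US,en;q=0.9' },
};

console.log(
  passiveFingerprint(firstVisit),
  passiveFingerprint(afterClearingCookies),
  passiveFingerprint(otherVisitor),
);
```

Such an identifier is coarse: visitors behind the same NAT with the same browser build collide, and it changes whenever the IP address or browser version changes.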

Active fingerprinting

Active fingerprinting relies on techniques in which a website runs client-side JavaScript to observe additional properties of the browser, device, user, or other context.

  • installed fonts and plug-ins,
  • enabled plug-ins,
  • performance,
  • data from device sensors,
  • timezone,
  • supported MIME types,
  • enabled storage mechanisms,
  • rendering graphical patterns.
(Pic. from movie Superbad)

The big picture

The easiest way to build some intuition about fingerprinting is to test your browser for its uniqueness.

(Screenshot by Author)

Browser fingerprinting

User-agent

The user-agent request header is a characteristic string that lets servers identify the application, operating system, vendor, and/or version of the requesting browser.

User-agent fingerprinting
  • supported formats of images and media files,
  • preferred and accepted languages,
  • CPU platform,
  • enabled storages.
(Screenshot by Author)

Canvas fingerprinting

HTML5 introduced Canvas, an area of the screen that can be used to draw text or images with JavaScript.

(Fig. by Author)
Canvas fingerprinting

Network and location fingerprinting

IP address

As I mentioned before, the IP address is an important characteristic in fingerprinting. It is probably one of the easiest characteristics to obtain from incoming HTTP requests.

GPS

Mobile devices can determine their location by using GPS, WiFi or cellular towers. Many websites use this to display personalized information relevant to the current location of the user. Websites can access this data through the Geolocation API.

(Fig. from the article by Brandon Morelli)
Geolocation fingerprinting

Operating System fingerprinting

Date and timezone

JavaScript can also read the system's local timezone and the local date and time with a precision of 1 millisecond.

Time zone and datetime fingerprinting

Graphics

The colour depth, screen resolution and other display parameters can be detected by JavaScript using the window.screen global variable.

Screenshot by Author

Font list

The list of installed fonts can be detected by JavaScript. One of the techniques is to set up two hidden texts.

Font check demonstration

Fingerprinting libraries

fingerprintJS

Most of the methods described above are implemented in the free JavaScript library fingerprintJS.

  • screen resolution,
  • colour depth,
  • installed plugins with supported MIME types,
  • time zone offset,
  • local storage,
  • session storage.

ClientJS

ClientJS is a JavaScript library that makes digital fingerprinting easy, while also exposing all the browser data-points used in generating fingerprints.

  • screenprint,
  • colour depth,
  • current resolution,
  • available resolution,
  • device XDPI,
  • device YDPI,
  • plugin list,
  • font list,
  • local storage,
  • session storage,
  • timezone,
  • language,
  • system language,
  • cookies,
  • canvas print.

Takeaways and future directions

In this part, you have familiarized yourself with some fingerprinting methods.

