Cybercriminals and cybersecurity experts have long been battling against each, often described as playing an indefinite game of cat-and-mouse, but now the two are locked in an arms race.
This is distinctly noticeable with web browsers spoofing and detection; the security experts have browser fingerprinting technology, and fraudsters have browser spoofing tools.
Therefore, with the rise of privacy first browsers, what impact will this have on cyber security measures?
Search Engine Landscape
In previous years, someone’s choice of browser revolved around user experience metrics but with society’s increasing knowledge of the digital space, including ad tracking and data mismanagement, the browser market has never been so competitive.
For example, over the past year, Brave Browser claims to have more than doubled the number of its users, from 11.6 to 25.4 million monthly active users as well as over 8 million daily active users.
The firm details explicitly that their servers have no ability to hold data that can be potentially used to analyze user intent.
Instead, Brave’s open-source browser code protects this intent data on the given device, providing details to maximize user, publisher and advertiser value.
Their explainer details: “Each ad request is anonymous, and exposes only a small subset of the user’s preferences and intent signals to prevent “fingerprinting” the user by a possibly unique set of tags.”
Device Fingerprinting
Device / browser fingerprinting is an effective solution to identify basic fraudsters as well as block transactions from browsers that have been previously identified as insecure or directly involved in fraudulent activity.
Yet, recent demand for more consumer data control has led to tighter restrictions on tracking cookies with ‘typical modern browsers’ therefore turning browser fingerprinting into a tool for tracking as well as fraud prevention.
As an example of, AmIUnique.org reveals just how quickly your fingerprint can be traced including your operating system, browser name and version, time zone and more.
However, users that turn to alternative browsers for more privacy could inflict more with malware attacks employed by criminals to create fingerprints that meet the specific requirements of the user that the attackers wish to impersonate.
On one dark web marketplace, Genesis Market, there are said to be over 350,000 stolen identities available for purchase, including digital fingerprints, cookies, saved logins, and autofill form data.
When this data is purchased and imported into certain anti-fingerprinting browsers, the criminal is able to assume the digital identity of the user who has had the information stolen – thus providing access to any systems or sites that user was logged into.
Spoofing
Spoofing is the act of impersonating a reliable source of information and this technique can be used to access personal information, impose malware onto a system, bypass network access controls or conduct a denial-of-service (DDoS) attack.
A browser’s connection with a site browser per se, it’s in the connection with the site. So the site can learn about the browser from how it connects with it.browsers hold onto information that can be exploited, or collected by third parties.
If a criminal was to access the correct information, they can cripple an organization’s entire computer network and incur heavy revenue losses.
Looking Ahead
As the battle continues back and forth, some argue that fraudsters are more adaptable to the problems faced in front of them.
As time goes on, will anti-fingerprinting browsers make things harder for security experts? That remains to be seen.
One company trying to help distinguish a private user and a phony user is Google who have developed a new detection technique dubbed Picasso.
In short, this is a lightweight tool that operates off the assumption that every device has unique traits which cannot be cloned or simulated and can be identified by how it renders graphics.
The solution builds on “unpredictable yet stable noise” from the browser when loading canvases, viewing the graphic rendering system of a device as a quantity that cannot be changed or manipulated.
However, cybersecurity experts have more at their disposal than just online browser fingerprinting and for the most effective protection are beginning to realise the power in combining solutions.
New API-based solutions are being developed and released more frequently by firms which can provide a more well-rounded approach to fraud prevention.
Single solutions such as fingerprinting are good and will stop many bad actors but to ensure protection, it needs to be part of a larger ecosystem.
Interesting Related Article: “Why you need a password manager for your browser“