A fingerprint is a user-specific set of data collected from a browser, which can be used to confirm with high probability the user's identity between visits to a website. The real-world equivalent of a cookie (i.e., storing information in the browser) would be the license plate of a car. The equivalent of a fingerprint is an even richer description: "red Volkswagen Passat with a broken mirror, green spoiler, and bead seat covers."
With a web application, we want to remember the user's settings and identity between visits to the site. To do this, we need to save some information in the user's browser. The mechanism introduced for this purpose is the HTTP cookie. It is simply a small piece of text that the website sends to your browser and that your browser sends back on the next visit to the site. This simple trick allows for user identification. But what if a malicious user deletes this information from the browser? This is where fingerprinting comes to the rescue.
Contrary to appearances, such systems are not about surveilling Internet users or finding out who they really are; rather, they are about blocking those scammers who try to make payments with stolen cards. A common manoeuvre used by carders is to test which cards from the batch or leak they have purchased have not yet been blocked and are thus still usable for committing further crimes. Usually this is done by looking for a less secure site that offers the possibility of paying with a card or setting up a subscription (also card-based).
In the first case, charity websites are very popular. They allow you to donate any amount of money. The small amount increases the chance that the legitimate owner of the card will not notice the fact of an unauthorized payment and will not report the theft to the appropriate authority, thereby blocking the card.
To understand the second case, you need to delve into the way in which card payments are processed in the subscription model. In a very simplified way, it works as follows:
- The user is offered a trial period of the service in which they pay nothing (usually a month); however, they must provide card details in order to calculate payments in the future
- On the side of the service provider and the bank, an authorization takes place (i.e., checking whether the card is active and has funds available); in practice this is done by charging a symbolic amount (e.g., $1.00) against the card. This amount is refunded later; the delay is a characteristic of how card payments are settled. If the authorization succeeds, the user gains immediate access to the service.
- After the trial period, money is charged cyclically to the account assigned to the card. As with a successful authorization, access to the service is granted almost instantly; this lets a carder immediately confirm that the card has not yet been blocked.
Of course, in most cases of this type, carders check several or even several dozen cards. Such activity is, of course, masked, whether by removing cookies or by more sophisticated methods. Carder activity can be very painful for the owner of the website where such "testing" took place: they will be held accountable, whether through fines imposed by the payment system provider or, in extreme cases, by being disconnected from the payment network.
What can these proven cards be used for? It depends on the experience and inventiveness of the criminal. It can be money laundering on much more secure websites where you can buy, for example, luxury goods and electronics (the more expensive, the better!) or airline tickets. But how carders work is a topic for a completely different article...
Of course, fingerprinting is not the only way to stop the attacks described above, but rather one of many elements of anti-fraud systems. The well-known principle of defense in depth applies here.