Earlier this year, there were a lot of reports about FraudFox, a piece of software developed to allow criminals to avoid browser fingerprinting without having to manually make any fundamental changes to their actual browser. FraudFox has since been joined by Antidetect, which does a fairly sophisticated job of quickly and easily altering numerous components usually used in browser fingerprinting.
The rationale behind these tools is that one of the ways fraudsters attempting online fraud can be recognized – and blocked – is by their browser configurations. If the same browser is coming back again and again, with a different card each time, to purchase item after item, the system is going to smell a rat.
But change the browser, avoid fingerprinting and detection, and keep coming back for more. There’s a video of one fraudster smugly showing exactly how successful a trick this can be – getting set up to have a second try takes him only about five minutes, and that’s including totally changing his browser appearance, finding and using an appropriate proxy, and buying a fresh credit card on a carder forum. You can see how fast and simple the process has become, using software like Antidetect and FraudFox.
The Bigger Picture
Tools to avoid browser fingerprinting are by no means an aberration in the world of online crime. In fact, crooks make use of Crime as a Service, in much the same way as businesses all over the world have come to rely on Software as a Service.
Fraudsters don’t need to be technically competent themselves; they can purchase tools that take care of everything they need. There’s an entire section of the internet underworld whose function is simply catering to these criminals, enabling online fraud.
It’s a great mistake to forget that the dark net is a highly sophisticated marketplace and ecosystem: when you’re defending your business against fraud, you’re combating professional criminals who lean on a support network of experts.
What This Means For Fraud Prevention
Essentially, fraud prevention systems have to be built with this in mind. The old model of fraud, where it took time for new methods or software to enter the environment and fraudsters often operated alone with variable levels of ability and knowledge, is long gone.
Modern fraud prevention has to stay ahead of criminals who are fast, organized and part of a community which can attack numerous areas at once, until they find a weakness. To be effective, anti-fraud must be:
- Agile. Bearing in mind everything we’ve just said, it’s pretty clear that a system of rigid rules just isn’t going to be able to keep up with the challenges posed by contemporary fraudsters. These criminals change their methods all the time, adding new skills and software to their arsenal, and fraud prevention must be able to do the same.
- Adaptable. A system built with a fixed idea of how fraud and fraudsters function will get left behind when these things change. Keeping track of the developments in the world of modern fraud, and ensuring the anti-fraud system is equipped to block the latest tricks, is necessary to remain relevant.
- Layered. One of the things the FraudFox/Antidetect stories show is that you can never rely on a limited range of techniques to spot and stop criminals from stealing from your website. If you’d been depending heavily on browser fingerprinting, and this software suddenly appeared, you’d be in trouble. Fraud prevention systems must include a wide range of methods and sources of information, each one continually updated, so that they’re never caught out by whatever the fraudsters come up with next.
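To make the "Layered" point concrete, here is an added example (not code from any vendor or product mentioned here) that links orders sharing any one of several signals and flags groups cycling through many cards. The field names, the sample orders and the threshold of two cards are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample orders, not real data. Field names are assumptions;
# "card" stands for a card token, never a raw card number.
ORDERS = [
    {"id": 1, "fingerprint": "fp-a", "card": "card-1", "ship_to": "12 Elm St", "email": "a@example.com"},
    {"id": 2, "fingerprint": "fp-a", "card": "card-2", "ship_to": "12 Elm St", "email": "b@example.com"},
    {"id": 3, "fingerprint": "fp-b", "card": "card-3", "ship_to": "12 Elm St", "email": "c@example.com"},  # fingerprint rotated
    {"id": 4, "fingerprint": "fp-c", "card": "card-4", "ship_to": "9 Oak Ave", "email": "c@example.com"},  # address changed too
    {"id": 5, "fingerprint": "fp-z", "card": "card-9", "ship_to": "3 Pine Rd", "email": "z@example.com"},  # unrelated customer
]

def link_orders(orders, signals):
    """Group orders that share a value for any listed signal (union-find)."""
    parent = {o["id"]: o["id"] for o in orders}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (signal, value) -> id of the first order that carried it
    for o in orders:
        for s in signals:
            key = (s, o[s])
            if key in first_seen:
                parent[find(o["id"])] = find(first_seen[key])
            else:
                first_seen[key] = o["id"]
    groups = defaultdict(list)
    for o in orders:
        groups[find(o["id"])].append(o)
    return list(groups.values())

def flag_card_cycling(orders, signals, max_cards=2):
    """Return sorted order ids in linked groups using more than max_cards cards."""
    flagged = []
    for group in link_orders(orders, signals):
        if len({o["card"] for o in group}) > max_cards:
            flagged.extend(o["id"] for o in group)
    return sorted(flagged)

if __name__ == "__main__":
    print("fingerprint only:", flag_card_cycling(ORDERS, ["fingerprint"]))
    print("layered:", flag_card_cycling(ORDERS, ["fingerprint", "ship_to", "email"]))
```

With the fingerprint as the only signal, nothing is flagged once the fingerprint changes; with three signals, orders 1 to 4 fall into one group. Shared values such as a dormitory address will also link unrelated customers, so a flag here is a reason for review rather than an automatic block.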
Choose your fraud prevention as carefully as fraudsters choose their tools. They might have technologies on their side – but you can beat them with the right technology on yours.