In February 2019, Kaspersky Lab researchers discovered the Genesis marketplace, an e-store that trades in digital fingerprints.
As with most online bazaars dealing in illegal items, Genesis is on the dark web. Its patrons are attackers seeking an effective and discreet way to steal without interference. And with each fingerprint profile selling for US$5 to $200, it’s an affordable choice considering the potential gains.
Whereas websites and advertisers employ digital fingerprinting to target potential customers, financial institutions implement it as an anti-fraud measure. As cybercriminals continue to resort to identity theft and imposter scams to make a profit, organizations strive to make it more difficult to impersonate individuals in online transactions.
Digital fingerprints consist of data that various institutions use to collect and track online activity to form a unique, comprehensive user profile. There are two categories of digital fingerprint: device fingerprint (information gathered from a smartphone or laptop) and behavior fingerprint.
The first includes items such as your IP address, cookies, timezone, operating system, device ID, battery, and more. The second covers your online behavior: mouse and touchscreen habits, bounce rates, preferred apps, or how long you stay on specific online store pages.
Each time you share personal, sensitive data online to complete a transaction, the system scrutinizes and compares your digital fingerprints to your record. From there, the transaction is either completed, sent to the organization’s security team for further scrutiny, or rejected as suspicious.
This assessment is why certain purchases, such as those made from a new device or in an unfamiliar timezone, are flagged by your bank or credit card company and may be blocked. If the system cannot match you to your digital fingerprints, it errs on the side of caution and assumes further investigation is required.
Digital fingerprints sold on Genesis are existing profiles that have been stolen or created anew to mimic an authentic user profile, making these digital doppelgängers credible enough to bypass fraud detection measures.
The latter is the product of Linken Sphere, a browser capable of generating an unlimited number of web browser configurations. Although it was originally developed by Tenebris for legitimate purposes, it is also a prime tool for criminals to exploit. Unfortunately, a rogue member of the Tenebris team shared news of the software on an underground forum.
Linken Sphere grants Internet marauders a substantial advantage, in that they can create digital fingerprints from scratch. The browser also eliminates the chance of highly developed anti-fraud systems identifying a suspicious IP address or virtual machine, as each generated configuration is new. Lastly, accounts that users create via Linken Sphere can be compatible with numerous operating systems.
The theft and sale of digital fingerprints enable cybercriminals to conduct illegal online transactions with little risk of the activity being identified as fraudulent. They log on through proxy connections and browsers that mirror the actual user’s for an added layer of legitimacy.
As the anti-fraud systems are likely to confirm the imposter’s data as a match, the thief has unfettered access to online accounts and can perform transactions. Fortunately, we can take action to combat the threat of these sophisticated digital doubles.
Each time attackers scale up their tactics to commit fraud, we must scale up ours to prevent it. Enabling notification alerts on all accounts is also a useful tactic to catch unlawful transactions as soon as they occur.
Kaspersky Lab strongly recommends businesses increase their verification requirements, such as biometrics and multi-factor authentication at each stage of the transaction process. Admittedly, these precautions may amount to less convenience during online transactions. However, a little hassle is worth lowering your chances of impersonation.
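The matching step described earlier (compare the observed fingerprint to the stored record, then complete, review or reject) and the recommendation to add verification can be shown together in Python. This is an added example, not code from Kaspersky or any anti-fraud product; the attribute names, weights, thresholds and sample profiles are constructed assumptions.

```python
# Added example: weights, thresholds and profiles below are constructed assumptions.
DEVICE_WEIGHTS = {"device_id": 0.30, "os": 0.10, "timezone": 0.20,
                  "ip_country": 0.20, "cookie_id": 0.10}
BEHAVIOUR_WEIGHT = 0.10      # added when page dwell time drifts too far
DWELL_TOLERANCE = 0.5        # allowed relative drift in dwell time
REVIEW_AT, REJECT_AT = 0.30, 0.60
STEP_UP_AMOUNT = 500         # at or above this, a match alone is not enough

def risk_score(stored, seen):
    """Sum the weights of every attribute that differs from the stored record."""
    score = sum(w for k, w in DEVICE_WEIGHTS.items() if stored[k] != seen[k])
    drift = abs(seen["dwell_s"] - stored["dwell_s"]) / stored["dwell_s"]
    if drift > DWELL_TOLERANCE:
        score += BEHAVIOUR_WEIGHT
    return round(score, 2)

def decide(stored, seen, amount, mfa_passed=None):
    """Return 'complete', 'review', 'reject' or 'step_up' for one transaction."""
    score = risk_score(stored, seen)
    if score >= REJECT_AT:
        return "reject"
    if score >= REVIEW_AT:
        return "review"
    # A matching fingerprint shows the profile is known, not who is presenting it,
    # so larger transactions also need a factor that is not part of the fingerprint.
    if amount >= STEP_UP_AMOUNT:
        if mfa_passed is None:
            return "step_up"
        return "complete" if mfa_passed else "reject"
    return "complete"

# Constructed sample data
STORED = {"device_id": "dev-001", "os": "Windows 10", "timezone": "Europe/Berlin",
          "ip_country": "DE", "cookie_id": "c-7f3a", "dwell_s": 40.0}
NEW_LAPTOP = {**STORED, "device_id": "dev-002", "cookie_id": "c-91bd"}
UNFAMILIAR = {**NEW_LAPTOP, "timezone": "Asia/Manila", "ip_country": "PH", "dwell_s": 5.0}
COPIED = dict(STORED)        # a copied profile matches on every attribute

if __name__ == "__main__":
    for name, seen, amount in [("new laptop", NEW_LAPTOP, 50), ("unfamiliar", UNFAMILIAR, 50),
                               ("copied, small", COPIED, 50), ("copied, large", COPIED, 900)]:
        print(name, risk_score(STORED, seen), decide(STORED, seen, amount))
```

The copied profile scores zero risk, so only the step-up rule stands between it and a completed large transaction.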
Of course, standard defensive tactics are vital. Use a VPN to prevent snooping and choose strong passwords to shield all your personal accounts.