SoylentNews is people

posted by janrinok on Wednesday January 21 2015, @07:12PM
from the balancing-convenience-and-risk dept.

Banks and payment services are in a constant fight to detect account fraud, employing sophisticated ways to detect abnormal activities. One of those ways is "fingerprinting" a Web browser, or analyzing its relatively unique software stamp.

Web browsers relay a variety of data to websites, including a computer's operating system, its time zone, language preference and version numbers for software plug-ins. When those parameters change, along with others such as an IP address, it may mean an account is being fraudulently accessed.

Called FraudFox VM, the software is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware's Workstation for Windows or VMware Fusion on OSX. It's for sale on Evolution, the successor to the Silk Road online contraband market, for 1.8 bitcoins, which is about US$390.

What FraudFox aims to do is make it faster and easier to change a browser's fingerprint to one that matches that of the victim whose account they're going to exploit, or simply mix up their own digital crumbs when browsing. It's not a new tool per se, and more advanced cybercriminals may already know the techniques, but FraudFox consolidates the functions.

http://www.computerworld.com/article/2871926/this-tool-may-make-it-easier-for-thieves-to-empty-bank-accounts.html
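
The check the summary describes, sketched from the defender's side as an added example (it is not code from the article or from any bank). The attribute names, weights, threshold and sample values are assumptions. It scores how far a request's browser attributes have drifted from the account's known profile, and treats a matching fingerprint as the absence of a warning sign rather than as proof of identity.

```python
# Added example: attribute names, weights and thresholds are assumptions.

# How much a change in each attribute named in the summary adds to the score.
WEIGHTS = {"os": 3, "timezone": 2, "language": 2, "ip_prefix": 2, "plugins": 1}
STEP_UP_AT = 3  # assumed threshold for asking for a second factor


def plugins_regressed(known, seen):
    """Plugins auto-update, so a newer version is normal. Count drift only
    when a known plugin is missing or reports an older version."""
    return any(name not in seen or seen[name] < version
               for name, version in known.items())


def drift(known, seen):
    """Return (score, changed_attributes) for one request."""
    changed = [a for a in ("os", "timezone", "language", "ip_prefix")
               if known[a] != seen[a]]
    if plugins_regressed(known["plugins"], seen["plugins"]):
        changed.append("plugins")
    return sum(WEIGHTS[a] for a in changed), changed


def decide(known, seen, action):
    """Drift can raise suspicion, but a match never proves identity, because
    a fingerprint can be copied. Payments therefore always need a signature
    over the transaction itself, whatever the fingerprint looks like."""
    score, changed = drift(known, seen)
    if action == "payment":
        return "require_transaction_signature", changed
    if score >= STEP_UP_AT:
        return "step_up", changed
    return "allow", changed


# Constructed sample data (not taken from any real account).
KNOWN = {"os": "Windows 7", "timezone": "UTC-05:00", "language": "en-US",
         "ip_prefix": "203.0.113",
         "plugins": {"Java": (8, 0, 25), "Flash": (16, 0, 0)}}
AFTER_UPDATE = dict(KNOWN, plugins={"Java": (8, 0, 31), "Flash": (16, 0, 0)})
UNFAMILIAR = dict(KNOWN, os="Linux", timezone="UTC+03:00",
                  ip_prefix="198.51.100")

if __name__ == "__main__":
    for label, seen, action in [("plugin update", AFTER_UPDATE, "login"),
                                ("unfamiliar device", UNFAMILIAR, "login"),
                                ("exact match", KNOWN, "payment")]:
        print(label, decide(KNOWN, seen, action))
```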

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday January 21 2015, @07:32PM

    by Anonymous Coward on Wednesday January 21 2015, @07:32PM (#136781)

    I've been thinking about how to implement a firefox extension that keeps unique fingerprinting "profiles" and turns them on based on the URL in the address bar. That way when you hit facebook you have one set of fingerprints and when you hit espn.com you have a different set of fingerprints - and because it is tied to the main URL all of the embedded objects get the fingerprint for that site. So even if espn.com has those embedded facebook "like" buttons the tracking behind them sees the espn.com fingerprints, not the facebook fingerprints.

    If you have a whole bunch of proxy servers available to you then even the proxy could be part of the fingerprint which would neuter tracking that depends on your IP address. I'm thinking that providing the proxies would be the point to make money, a service that gives you access to a thousand IP addresses and mixes your traffic in with everybody else could probably sell for $20-$30/year and still be profitable. The VPN guys sell for $40/yr and they cater to bandwidth hogs like foreign netflix users and people using bittorrent.

  • (Score: -1) by Anonymous Coward on Wednesday January 21 2015, @07:56PM

    by Anonymous Coward on Wednesday January 21 2015, @07:56PM (#136784)

    So what is the news part of this? Is it "news" because it is now being sold?

    TFA says

    > It's not a new tool per se

    • (Score: 4, Insightful) by janrinok on Thursday January 22 2015, @09:38AM

      by janrinok (52) Subscriber Badge on Thursday January 22 2015, @09:38AM (#136908) Journal
      It's news because:
      • Someone has put all the tools into one place.
      • Some people didn't even know the extent to which system profiling/fingerprinting is carried out.
      • It shows the level of sophistication that the criminals are now reaching. Just because you know all about it doesn't mean that everyone else does as well.
      • A member of this community found it interesting enough to make a submission and, as I edited it, I also learned a few things too. So, in balance, I thought it worthy of publication.
  • (Score: 3, Interesting) by ikanreed on Wednesday January 21 2015, @08:10PM

    by ikanreed (3164) Subscriber Badge on Wednesday January 21 2015, @08:10PM (#136785) Journal

    It's a simple fact that if someone knows well enough how to act like you, they can.

    • (Score: 3, Insightful) by buswolley on Wednesday January 21 2015, @09:49PM

      by buswolley (848) on Wednesday January 21 2015, @09:49PM (#136803)

      meh. Most of us aren't doing anything worthy of that kind of inspection. A little investment can give a reasonable expectation of privacy.

      --
      subicular junctures
      • (Score: 0) by Anonymous Coward on Wednesday January 21 2015, @10:33PM

        by Anonymous Coward on Wednesday January 21 2015, @10:33PM (#136823)

        I agree. Security is not binary. If you treat it as binary then you are guaranteeing failure. Good security takes into account the kind of threat you need to defend against. If the NSA focuses their $40B/yr budget on you, you have no hope. But your new girlfriend's psycho-ex, that's an adversary you can defend against with just a few basic precautions. Know thy self, Know thy enemy. A thousand battles, a thousand victories. - Sun Tzu.

        • (Score: 2) by buswolley on Wednesday January 21 2015, @10:38PM

          by buswolley (848) on Wednesday January 21 2015, @10:38PM (#136828)

          I wonder whether efforts to give oneself a reasonable expectation of privacy can invoke our constitutional right to a reasonable expectation of privacy?

          --
          subicular junctures
          • (Score: 2) by c0lo on Thursday January 22 2015, @02:42AM

            by c0lo (156) Subscriber Badge on Thursday January 22 2015, @02:42AM (#136861) Journal

            > I wonder whether efforts to give oneself a reasonable expectation of privacy can invoke our constitutional right to a reasonable expectation of privacy?

            Against your ex? Are you kidding?

            A wife lasts only for the length of the marriage, but an ex-wife is there for the rest of your life.
            Jim Samuels

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 5, Interesting) by keplr on Wednesday January 21 2015, @08:33PM

    by keplr (2104) on Wednesday January 21 2015, @08:33PM (#136788) Journal

    Browser fingerprinting has been an annoyance to me for a while. I recommend everyone take a look at the EFF's wonderful tool/demonstration Panopticlick [eff.org], which shows you how much data your browser is leaking all the time.

    There is no reason for this information to be accessible. A website should not be able to ask my browser for a list of fonts, or installed browser extensions, or virtually anything else. It should send me text, markup, and media data and my browser can handle the rest. These abilities should never have been included in the browser, or in scripting languages supported by the browser. At the very least it should be possible to disable this.

    I'm probably a lot safer than most people, as I disable javascript and Flash by default and only selectively enable as needed. I don't let random websites run code on my computer, that's insane, and the fact that it's taken for granted by the masses is the source of most security/privacy issues. But I know I'm not completely safe either. There's nothing stopping someone from maliciously injecting code into any site. Or a site I trust could go rogue one day and start putting tracking code into the page hosted from their own domain (which I've whitelisted).

    The web is a mess right now, and what's even more aggravating is how many companies think it's their right to carry on like this. But worst of all, so few people care that they're being tracked all the time and that this information leakage is routinely being used to fuck them in every way the tracking companies can figure out how--and they come up with new ways all the time.

    I guess you could hop on a VPN and use Tor, but then you're actively pursued by Nation States and labeled a terrorist without due process. We live in interesting times.

    --
    I don't respond to ACs.
    • (Score: 3, Insightful) by maxwell demon on Wednesday January 21 2015, @08:39PM

      by maxwell demon (1608) on Wednesday January 21 2015, @08:39PM (#136791) Journal

      I get: "Within our dataset of several million visitors, only one in 183,604 browsers have the same fingerprint as yours."

      I think that should be sufficient for most purposes.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 1) by acharax on Wednesday January 21 2015, @09:00PM

        by acharax (4264) on Wednesday January 21 2015, @09:00PM (#136793)

        "Within our dataset of several million visitors, only one in 1,652,463 browsers have the same fingerprint as yours." here.
        This kind of stuff is only as powerful as you permit it to be.

        • (Score: 1) by acharax on Wednesday January 21 2015, @09:09PM

          by acharax (4264) on Wednesday January 21 2015, @09:09PM (#136796)

          I wanted to expand on that and post a comparison with slightly different permissions on data exposure but the page doesn't appear to load now. Oh well.

          • (Score: 2) by buswolley on Wednesday January 21 2015, @10:00PM

            by buswolley (848) on Wednesday January 21 2015, @10:00PM (#136808)

            yeah javascript disabled killed it. So what seeable then?

            --
            subicular junctures
          • (Score: 1) by acharax on Wednesday January 21 2015, @11:18PM

            by acharax (4264) on Wednesday January 21 2015, @11:18PM (#136834)

            Finally got it to load again. With a small tweak to the user agent (now reports a popular browser and OS combination) I've got "Within our dataset of several million visitors, only one in 115,296 browsers have the same fingerprint as yours." this time around. Small things can make a truly huge difference as far as this identification technique is concerned.

        • (Score: 2) by maxwell demon on Wednesday January 21 2015, @09:50PM

          by maxwell demon (1608) on Wednesday January 21 2015, @09:50PM (#136804) Journal

          I guess the difference is that I'm using Linux (and my User Agent reflects that).

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 1) by acharax on Wednesday January 21 2015, @10:39PM

            by acharax (4264) on Wednesday January 21 2015, @10:39PM (#136829)

            Your results were much better than mine as far as the purpose of that panopticlick site goes, the less unique the better; using a (rather) uncommon browser (and allowing it to know that) likely played a major role as to why mine were so bad.

            • (Score: 2) by maxwell demon on Thursday January 22 2015, @06:57AM

              by maxwell demon (1608) on Thursday January 22 2015, @06:57AM (#136889) Journal

              You're right; I temporarily got confused about the meaning of the number.

              --
              The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by mtrycz on Wednesday January 21 2015, @09:51PM

          by mtrycz (60) on Wednesday January 21 2015, @09:51PM (#136805)

          With NoScript, mine was "1 in 2,5M"
          Without NoScript I was unique, even if I didn't allow Java. Sigh. Must be the fonts, and some of the Illustrator work I do sometimes.

          --
          In capitalist America, ads view YOU!
          • (Score: 1) by Jesus_666 on Wednesday January 21 2015, @11:53PM

            by Jesus_666 (3044) on Wednesday January 21 2015, @11:53PM (#136841)
            Fonts and plugins. The Java and Flash plugins alone convey a lot of information because they expose their version numbers. Just telling the world that you have Java 8.0.31 installed sets you apart from everyone who has a different version of Java. I found that my browser was uniquely identifiable until I forced both Java and Flash to be non-enumerable (via about:config and plugins.enumerable_names, which contains a comma-separated list of allowed prefixes).

            Unfortunately both Java and Flash apparently break a number of websites when they aren't enumerable due to badly-coded checks for them being common.
      • (Score: 2) by buswolley on Wednesday January 21 2015, @09:53PM

        by buswolley (848) on Wednesday January 21 2015, @09:53PM (#136807)

        There are a lot of people, but that is still a pretty powerful filter when applied with other methods.

        --
        subicular junctures
      • (Score: 1) by fido_dogstoyevsky on Wednesday January 21 2015, @11:44PM

        by fido_dogstoyevsky (131) <{axehandle} {at} {gmail.com}> on Wednesday January 21 2015, @11:44PM (#136839)

        "Your browser fingerprint appears to be unique among the 4,957,524 tested so far."

        Is this worth bragging about?

        --
        It's NOT a conspiracy... it's a plot.
        • (Score: 0) by Anonymous Coward on Thursday January 22 2015, @07:04AM

          by Anonymous Coward on Thursday January 22 2015, @07:04AM (#136890)

          Only if you think it's good everybody can instantly recognize you online and track your every move...

      • (Score: 0) by Anonymous Coward on Wednesday January 21 2015, @11:49PM

        by Anonymous Coward on Wednesday January 21 2015, @11:49PM (#136840)

        > I get: "Within our dataset of several million visitors, only one in 183,604 browsers have the same fingerprint as yours."

        I get: "Within our dataset of several million visitors, only one in 8,998 browsers have the same fingerprint as yours."

        That's because I set my user-agent to MSIE 10 on Win7 and have noscript enabled.

        • (Score: 2) by maxwell demon on Thursday January 22 2015, @07:13PM

          by maxwell demon (1608) on Thursday January 22 2015, @07:13PM (#137026) Journal

          I also have NoScript enabled, so I guess the difference is the user agent. But I think it's good to let the visited sites know that a Linux user is visiting them.

          --
          The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Thursday January 22 2015, @04:58PM

        by Anonymous Coward on Thursday January 22 2015, @04:58PM (#136992)

        Your browser fingerprint appears to be unique among the 4,959,901 tested so far

    • (Score: 4, Interesting) by edIII on Wednesday January 21 2015, @09:31PM

      by edIII (791) on Wednesday January 21 2015, @09:31PM (#136800)

      This is why my first thought was that FraudFox will become my new browser of choice. Unique profiles remembered for every bank or financial institution I visit, etc. Randomized profiles for everything else. Then hook the whole thing in to TOR running on a separate box so the websites and tracking companies have zero hope of somehow establishing a non-TOR connection. At most they can probe the exit node looking for clues and get that IP address.

      Every time I visit a site, new TOR circuit and new fingerprints. Sounds good to me.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 1) by gnuman on Wednesday January 21 2015, @10:00PM

      by gnuman (5013) on Wednesday January 21 2015, @10:00PM (#136809)

      > A website should not be able to ask my browser for a list of fonts, or installed browser extensions, or virtually anything else.

      Website does not do this. Javascript does this and Javascript needs this information if it were to make proper selection of font, use of extension or virtually anything else. If you run panopticlick with no javascript (eg. NoScript), you'll be leaking a lot less information.

      Your browser fingerprint appears to be unique among the 4,957,540 tested so far.

      Currently, we estimate that your browser has a fingerprint that conveys at least 22.24 bits of identifying information.

      And most of it is via User Agent. HTTP_ACCEPT is another. The rest, no javascript. And first two things I can randomize if I want to.
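
The Panopticlick figures quoted in this thread are two views of one number: a fingerprint shared by one in N browsers conveys log2(N) bits. The following added example (not part of any comment, and not Panopticlick's own code) does that conversion and measures a fingerprint against a small constructed population; the population, its counts and the simplified attribute values are assumptions.

```python
import math
from collections import Counter


def bits_from_one_in(n):
    """Bits of identifying information in a fingerprint shared by one in n."""
    return math.log2(n)


def attribute_bits(population, attr, value):
    """Bits conveyed by one attribute value on its own."""
    share = Counter(fp[attr] for fp in population)[value]
    return math.log2(len(population) / share)


def report(population, fp):
    """Return (per-attribute bits, whole-fingerprint bits, one-in-N).
    Assumes fp is itself counted in the population."""
    per_attr = {a: attribute_bits(population, a, v) for a, v in fp.items()}
    same = sum(1 for other in population if other == fp)
    one_in = len(population) / same
    return per_attr, math.log2(one_in), one_in


def browsers(user_agent, http_accept, count):
    return [{"user_agent": user_agent, "http_accept": http_accept}
            for _ in range(count)]


# Constructed population of 1,024 browsers with simplified attribute values.
FIREFOX_ACCEPT = "text/html,application/xhtml+xml"
POPULATION = (browsers("MSIE 10 / Win7", "text/html, */*", 512)
              + browsers("Firefox 35 / Win7", FIREFOX_ACCEPT, 256)
              + browsers("Firefox 35 / Linux", FIREFOX_ACCEPT, 255)
              + browsers("Firefox 25 / Linux", FIREFOX_ACCEPT, 1))
RARE = {"user_agent": "Firefox 25 / Linux", "http_accept": FIREFOX_ACCEPT}
COMMON = {"user_agent": "MSIE 10 / Win7", "http_accept": "text/html, */*"}

if __name__ == "__main__":
    # Unique among 4,957,540 browsers is the 22.24 bits quoted above.
    print(round(bits_from_one_in(4957540), 2))
    for name, fp in (("rare", RARE), ("common", COMMON)):
        per_attr, whole, one_in = report(POPULATION, fp)
        # Attributes are correlated, so per-attribute bits can add up to
        # more than the whole fingerprint actually conveys.
        print(name, per_attr, whole, f"one in {one_in:,.0f}")
```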

    • (Score: 0) by Anonymous Coward on Wednesday January 21 2015, @10:36PM

      by Anonymous Coward on Wednesday January 21 2015, @10:36PM (#136825)

      > Panopticlick

      As far as I can tell they do not age out old data.

      A user-agent of Firefox 25 is a lot more unique today than it was a year ago. And conversely a user-agent of Firefox 35.0 didn't even exist until a few weeks ago but because of auto-upgrades it is a lot more common than nearly all other firefox versions.

    • (Score: 2) by timbim on Wednesday January 21 2015, @11:24PM

      by timbim (907) on Wednesday January 21 2015, @11:24PM (#136836)

      Support the Free Software Foundation and protect your rights. http://www.fsf.org/ [fsf.org]

      • (Score: 0) by Anonymous Coward on Thursday January 22 2015, @01:42AM

        by Anonymous Coward on Thursday January 22 2015, @01:42AM (#136856)

        Doesn't all the money donated to the FSF go into boondoggles like HURD?

    • (Score: 2) by shortscreen on Thursday January 22 2015, @05:35AM

      by shortscreen (2252) on Thursday January 22 2015, @05:35AM (#136882) Journal

      > the fact that it's taken for granted by the masses is the source of most security/privacy issues.

      Can't blame the masses for this. Browser developers and web developers, together, created that which suited themselves. Users had no part in it. And when users complain about something they don't want, they are generally told to STFU. Remember "fuck beta?" Same thing with Firefox's UI meddling, and Opera... Opera is now a sick joke compared to what it used to be.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday January 22 2015, @07:16AM

    by Anonymous Coward on Thursday January 22 2015, @07:16AM (#136892)

    This Tool May Make it Easier for Thieves to Empty Bank Accounts. Find out why!

    Three things you're doing wrong when exercising!

    Statement intended to clickbait.

    • (Score: 1) by zraith on Thursday January 22 2015, @01:05PM

      by zraith (112) on Thursday January 22 2015, @01:05PM (#136933)

      I for one also hate this new trend of click-bait headlines. Could we please not stoop to this level?

      • (Score: 2) by Gaaark on Thursday January 22 2015, @01:35PM

        by Gaaark (41) on Thursday January 22 2015, @01:35PM (#136939) Journal

        Yes, please. Make the headline interesting so I want to read more of the article: give me 'Elvis is dead' (or Elvis is not dead, whatever), don't give me 'Elvis died on the toilet: exclusive pics!'

        My brain wants info, not excitement (at least from THIS fine institution).

        Other than that, keep up the good work! :)

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 1, Interesting) by Anonymous Coward on Thursday January 22 2015, @08:24AM

    by Anonymous Coward on Thursday January 22 2015, @08:24AM (#136895)

    So, pretending that you have the same version of Flash (and several other things of the same importance) helps empty his bank accounts?

    From the summary, I'd say only if the bank is using obscurity, rather than real security. Tools like PGP cannot be fooled by making your PC look like the victim's PC; either you have the key or you don't.

    Banks should be using tamper-proof digital signatures (e.g. ChipTan), not browser fingerprinting.