[lkoolma]

There are a few comments about the fear that many of the top websites of the world get/use this data. I understand that people would be scared about this.

However, fraud is big problem, and any site that is dealing with anything precious is (hopefully) doing whatever they can to prevent fraud to protect their and your resources/data. From what I can tell from the JavaScript from some of the top 100 sites, it looks like many are using this data, and if the data is not what they expect, the transaction can be rejected. I do not like when a company like Facebook would use this data, but it is a tradeoff for allowing other companies to use it.

Not sure if someone from CloudFlare, Akamai, or another company (Coinbase?) can publicly comment on what they do.

Would be nice if the browsers would at least notify of its use.

[Nextgrid]

Fraud can be solved by having proper authentication solutions in place. We shouldn't leave fingerprinting vulnerabilities open just because the banking industry can't be bothered to come up with something better than a static card number & expiry date for authentication.

[lkoolma]

I agree that just using a credit card number and the expiry date is definitely bad, but I am not aware of any authentication solution that fully solves this problem (but please enlighten me if there is). We know passwords have many problems. Two factor authentication with SMS has problems with SIM hijacks. Physical tokens (e.g. RSA tokens) have problems when users lose them.

Feel free to enlighten me if someone has a better solution for all of this.

[pjc50]

Ironically, both iOS and Android have payment solutions built in, and on Apple devices this uses the secure enclave. Fingerprinting a phone is a vastly inferior solution to that.

[kristianc]

Which is useful if you happen to live in an Apple Pay / Android Pay supported country with contactless payment widely rolled out.

However, considering contactless was pretty rare even in the US until recently, it’s wise to have other solutions - and cover other use cases like online banking, loan applications etc etc.

[Nextgrid]

In the real world people seem to hold onto their cards pretty well - why not just use that? The majority of phones nowadays has an NFC chip capable of talking to contactless-enabled cards (most of them), and for those that don't, smartcard readers are pretty cheap (banks give out those calculator-like things for logins, why not add an USB port to them or Bluetooth capability for mobile devices).

2-factor authentication doesn't necessarily imply SMS. TOTP apps like Google Authenticator are reasonably secure.

Finally auth doesn't have to be 100% bulletproof (in fact, fingerprinting isn't either), it just has to solve the majority of problems. There's always someone that's going to be stupid enough to get compromised despite all the security solutions, but as long as the majority of users is safe then all is good.

[manigandham]

They are entirely separate layers. Not every service that wants to prevent fraud involves a payment transaction.

[baybal2]

> can publicly comment on what they do.

I can. During a short stint in an ad tech company in Shanghai in 2016 (my second time in ad tech after running an ad farm myself in my teen years), I noticed that Samsung Internet (a browser) does not require permission for sensor data. Then, just few month later, Chrome team put sensors live without them too.

> https://news.ycombinator.com/item?id=18247690

I remembered reading about Kalman techniques used in radionav in high school, and it instantly came into my head that you can as easily reverse the process to substract clean, kalman filtered, signal from noisy one to get an "anti-pattern."

And with it you can easily do whatever you want from FFT, to reverse manchester coding, to more esoteric techniques to quantitise it.

Everybody in the collective got quite fired up with it, thinking about it being a "that's it" moment for us to do some sweet arbitrage on ad exchanges with it. We were few weeks from filling a patent, but it was decided to keep it hidden after all with logic that: 1. big ads will shoot us down, 2. botters will get whiff of it, 3. patents don't work for "small" companies

I got symbolic premium, arbitrage results were far from super good as originally expected. At that point we found a silly thing: 20 to 30% of MoPub traffic had accelerometers and gyros playing same data in a 5 second loop!

Later after I left the company, I learned of ours sales people finally managing to sell it under wraps to "somebody big" , whose identity I was not told

I do remember right around that time flaming on bugzilla with either google or mozilla employees who claimed that you can't extract fingerprint from 60 hz data, and me claiming otherwise to no avail.

My point was to put mandatory permission prompt on it, and I remember being turned down.

[idlewords]

"Fraud" presupposes a surveillance advertising ecosystem. The data is not being used to verify transactions, but to figure out if your ad impression should count as bogus or real. Change the business model and a lot of incentive for this highly invasive tracking goes away.