The Evolution of Online Fraud: How Device Intelligence Is Fighting Back

Online fraud has reached unprecedented levels of sophistication, with bad actors leveraging artificial intelligence (AI) and agentic technologies to bypass traditional security measures. In a recent interview, Dan Pinto, CEO and Co-Founder of Fingerprint, shared insights into how device fingerprinting technology is evolving to meet these new challenges while maintaining seamless user experiences.

The Arms Race Between Fraudsters and Security

Traditional fraud detection methods that relied on cookies, IP addresses, and basic device identifiers are no longer sufficient. VPN usage has become mainstream, making IP-based detection unreliable. Meanwhile, fraudsters are employing advanced techniques including AI-generated masks for video verification, deepfake technology for social engineering, and agentic AI systems that can carry out complex fraud operations without human coding expertise.

Beyond Traditional Fingerprinting

Device fingerprinting represents a significant evolution in fraud detection. Unlike basic identification methods, it analyzes dozens of device parameters to create unique digital signatures that persist across sessions, even when users employ privacy tools like VPNs or incognito browsing.

Fingerprint’s approach goes beyond simple identification to provide device intelligence – detecting whether devices are running on VPNs, using Tor networks, employing automation tools, or presenting false information about their configuration. This comprehensive analysis enables businesses to make nuanced decisions about user trust levels.

Real-World Applications Across Industries

The technology’s versatility spans multiple sectors. Financial technology companies use it to prevent payment fraud and account takeovers. E-commerce platforms leverage it to distinguish between legitimate new customers and potential fraudsters. Cryptocurrency operations rely on it to secure accounts before irreversible transactions occur.

File hosting platforms represent another interesting use case, where the technology prevents abuse of free tiers and unauthorized account access. The common thread across these applications is the need to balance security with user experience – catching bad actors without creating friction for legitimate users.

The Future of Fraud Prevention

Perhaps most concerning is the emergence of agentic AI in fraud operations. Pinto shared an example of a non-technical team member successfully integrating Fingerprint’s technology using only AI assistance – a capability that extends equally to fraudsters planning sophisticated attacks.

The response to this escalating threat requires a partnership approach. Fingerprint focuses on providing high-quality signals rather than making blocking decisions, allowing businesses to tailor their responses to specific industry needs and risk profiles. This flexibility enables companies to reduce false positives while maintaining strong security postures.
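
A sketch of the business-side decision step described above, added here as an illustration: it is not Fingerprint's API or code, and the signal field names, weights, outcomes and sample sessions are assumptions constructed for the example. It compares a blanket "block every VPN" rule with a rule that weighs several signals against visit history linked by a persistent device identifier.

```python
from dataclasses import dataclass


@dataclass
class DeviceSignals:
    """Hypothetical per-request signal record handed to a decision engine."""
    visitor_id: str
    vpn: bool = False
    tor: bool = False
    bot: bool = False            # automation tool detected
    tampered: bool = False       # device misreports its configuration
    prior_good_visits: int = 0   # earlier well-behaved sessions linked to visitor_id
    is_fraud: bool = False       # ground-truth label, present only in this constructed sample


def naive_policy(s: DeviceSignals) -> str:
    """Legacy rule: treat every VPN connection as hostile."""
    return "block" if s.vpn else "allow"


def signal_policy(s: DeviceSignals) -> str:
    """Weigh anonymity signals against history instead of blocking on one signal."""
    # Automation or a falsified configuration is treated as disqualifying.
    if s.bot or s.tampered:
        return "block"
    risk = (2 if s.tor else 0) + (1 if s.vpn else 0)
    trust = min(s.prior_good_visits, 3)   # cap so history cannot outweigh everything
    # Well-behaved returning device with no risk signals: drop the extra step.
    if risk == 0 and s.prior_good_visits >= 3:
        return "allow_skip_mfa"
    if risk - trust <= 0:
        return "allow"
    # Anonymised and unknown: ask for additional verification, do not reject.
    return "step_up"


def evaluate(policy, sessions):
    """Count legitimate users blocked and fraudulent sessions let through."""
    outcomes = [(s, policy(s)) for s in sessions]
    return {
        "false_positives": sum(1 for s, o in outcomes if o == "block" and not s.is_fraud),
        "missed_fraud": sum(1 for s, o in outcomes if o.startswith("allow") and s.is_fraud),
    }


# Constructed sample sessions (not real traffic).
SESSIONS = [
    DeviceSignals("v-privacy", vpn=True, prior_good_visits=3),   # privacy-aware regular
    DeviceSignals("v-new"),                                      # first-time clean visitor
    DeviceSignals("v-loyal", prior_good_visits=5),               # long-standing customer
    DeviceSignals("v-bot", bot=True, is_fraud=True),             # automation, no VPN
    DeviceSignals("v-spoof", vpn=True, tampered=True, is_fraud=True),
    DeviceSignals("v-newvpn", vpn=True),                         # unknown device on a VPN
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.visitor_id:10} naive={naive_policy(s):6} signals={signal_policy(s)}")
    print("naive  :", evaluate(naive_policy, SESSIONS))
    print("signals:", evaluate(signal_policy, SESSIONS))
```

On this sample the VPN-only rule blocks two legitimate visitors and lets the non-VPN bot through, while the multi-signal rule does neither.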

Conclusion

As fraud techniques continue evolving, the security industry must adapt with equally sophisticated countermeasures. Device intelligence represents a critical component of modern fraud prevention, offering the granular insights needed to distinguish between legitimate users seeking privacy and bad actors attempting to hide their tracks. The key lies not in creating impenetrable barriers, but in making fraud attempts sufficiently difficult and resource-intensive to deter most attackers while preserving the seamless experiences that legitimate users expect.


Edited Transcript

Swapnil Bhartiya: Online fraud, as we all know, is getting harder to catch, especially with even more sophisticated technologies – agentic AI, LLMs. Attackers are really getting very, very smart. And as I say, the bad actors have to be right only once; the good guys have to be right 101% of the time. As attackers are using stolen identities, spoofed devices, and fake traffic at scale, it is becoming increasingly challenging for businesses, because the cost is not just financial – it’s also their image and trust. So how do you stop bad actors without slowing down real users?

Today, we have with us Dan Pinto, CEO and Co-Founder of Fingerprint, to talk about just this topic. Fingerprint tracks digital fingerprints to help enterprises verify identities in real time, flagging fraud without adding friction or without affecting user experience for genuine users. Dan, it’s great to have you back on the show.

Dan Pinto: Yeah, thanks so much for having me.

Swapnil Bhartiya: I would love to know a bit about the history and story of the company. When did you found it? What led to the creation of this company? So just talk about Fingerprint.

Dan Pinto: The company actually started as an open source hobby project by my other co-founder, Valentin. He created it back in 2013 – it was the best browser fingerprinting library at the time, so it had a lot of adoption. Then we started the business around 2020, and things have gone really, really well for us as we’ve focused on being the highest accuracy device fingerprinting solution, and now the best accuracy device intelligence solution as well.

Swapnil Bhartiya: Also explain for viewers who may not know: what is device fingerprinting? And then, of course, you’ll talk about device intelligence – just to get the context of what areas, when we talk about the whole security space, you folks operate in.

Dan Pinto: Sure. So we basically have two products. The first one is device fingerprinting, which essentially means that we pull as many signals from devices as we can from web and mobile operating systems, process all of those signals, and then generate an identifier that’s extremely accurate across different interactions. So a fraudster may try to use a VPN, incognito mode, etc., clear their cookies, change their IP address in order to try to evade detection from typical methods, and we are still able to link those sessions based on all the parameters that we pull, and we provide that back to the business.

Then the second product is that in the process of generating that identifier, we can also detect unusual things about the device. So is the device on a VPN? Is it using Tor? Has it changed any of the values that are normal on the device to something unnatural? For example, is it pretending to be Googlebot when it’s actually a Chrome headless browser? Is it a bot where it’s trying to pretend to be a human? So all of those things are things that we process, collect, and then provide to the business in order to mostly prevent fraud, but also to reduce friction for good customers as well.

Swapnil Bhartiya: And when we are talking about devices, are we talking about the devices that employees are using, or are we talking about the devices that somebody may be using to access a company’s services remotely? So I just want to have a distinction there as well.

Dan Pinto: We can help with both, but generally, employee devices are not our focus because it’s usually a safer environment – you can lock it down more. Our main focus is more on consumer devices. So imagine you have an e-commerce platform, and you want to find the right balance between preventing fraud and reducing friction. You don’t want to lock the system down too much. You want to allow new customers to come to the website, put in their credit card for the first time, and they’ve never been detected before. So that’s where we can come in. We can detect: is it a returning visitor that you’ve had before, so you can trust it more? Is there something wrong with the device – like is it on a VPN so that you can trust it less? And then, using all those signals, you can make better decisions that can reduce your fraud and also potentially increase your revenue.

Swapnil Bhartiya: So basically, it’s not just the traffic that is coming to your server – it’s also where it’s coming from, what devices they’re coming from, and as you also earlier mentioned, whether the devices are claiming to be who they are. Is it mostly fraud in the financial space, like e-commerce sites? You know, whenever a new device is released, whether it’s Nintendo Switch or Windows, scalpers go and create a lot of fake accounts. I just also want to understand the scope of fingerprinting and what kind of industries and markets you cater to.

Dan Pinto: One thing that we decided very early on in the business is that we were going to be agnostic across different industries. So what we offer is a very open, broad API that can be used in many different ways. And one of the characteristics of our business is that we don’t make decisions for the business, right? So we don’t go deep into actually preventing fraud. We collect signals, provide those signals, and then every business and every industry is going to be slightly different, but they can take our signals, process them intelligently for their business, and use them.

So I’ll give a couple of different examples. We have large file hosting platforms using us to prevent account takeovers because people are trying to break into those file hosting platforms to either abuse free tiers or get into other people’s accounts. We have large fintechs using us to prevent payment fraud, or again, people trying to break into accounts to move money around. Cryptocurrency operations also need to use us because once you get access to an account, you can move the crypto around and it becomes anonymous, right? So there are a bunch of different use cases there.

We actually serve a very wide range of industries. For example, if you visit our website, you can see a number of case studies. But it’s because we’ve made our business agnostic from the beginning, and it’s also helped us achieve higher scale than otherwise, because of that open source focus and that API focus.

Swapnil Bhartiya: So basically, as you said, you provide them with signals, but they use their own tools or other tools and technologies to actually take action to prevent fraud, right?

Dan Pinto: Yes, that’s right. So typically, what companies would do is they would have an in-house decision engine, or they might use another decision engine – like one of our partners. We partner with a number of different decision engines, and they would take the signals that we provide to them, set the rules in the decision engine, and then allow it to produce whatever outcome, either blocking sign-ups, blocking payments, or limiting the sign-ups or payments or the account logins.

Swapnil Bhartiya: Security is becoming a very important topic these days. In the past – even when you mentioned when the company was created in 2013 – I think after the whole arrival of open source and cloud and Kubernetes, security has become a priority. It’s no longer an afterthought, because you’re not shipping something that somebody else is installing – you are running everything for them. So can you also talk about what kind of market has evolved around the market that Fingerprint operates in – fraud prevention – and what unique advantages you folks have compared to some of the incumbents or other competitors?

Dan Pinto: Yeah. So the main trend that’s happened over the entire history of the internet, but especially since 2013, has been the democratization of access to tools, right? So as more time passes, both good actors and bad actors have better access to tools that allow them to do things that weren’t possible before.

For example, back in 2013, it was possible to prevent some kinds of fraud by looking at the cookie or the IP address or any of the typical identifiers that you would use back then. But since then, VPN usage has become very broadly adopted, right? Back then, it might have been either very sophisticated corporate users or very sophisticated fraudsters who would use VPNs. But now even regular consumers are able to use VPNs. It’s very accessible, so that means you have to look deeper into the signals, and you need more information than you ever needed before in order to prevent fraud.

Another example – a recent trend that’s super interesting to me – is agentic AIs. We had one of our people on our team test out using an agentic AI to try the entire Fingerprint process. He was able to create an account on our website, create a website, and fully integrate Fingerprint just by having the agentic AI read our documentation and do everything. And he has never coded in his life before, so that gives you a sense of what’s coming next.

There’s going to be a lot more agentic AI usage – both regular usage, like in his case where he was trying to build a website using our technology and integrating it (so it’s great for junior developers that have never used it before), and also fraudsters being able to do very sophisticated things on websites. It’s going to look like a normal agentic junior developer trying to do something on your website self-service, but it’s going to turn out to be a fraudster doing something very sophisticated.

So for us, the trend is exactly that, and it’s only going to continue, and we need to provide the tools that are best in class for businesses to adjust as quickly as possible to those changes. And in our opinion, providing signals is the best way to do that. We can’t keep up constantly with all of the different ways that every industry is getting attacked, but we can provide the best-in-class signals, which then empower the engineers on the company side to keep up with the trends and use those signals to best prevent fraud.

Swapnil Bhartiya: When you look at agentic AI, as you rightly mentioned, it’s not just the good guys who are using these technologies. Bad guys are also using them. Some of the bad guys are some of the smartest people, and you also don’t know what their motivation can be – it could be state-sponsored. I mean, we don’t really know – it’s a big, huge market. How are you seeing these fraudsters becoming even more sophisticated? Have you seen some cases where you’re like, “Hey, that was not possible before the arrival of OpenAI or ChatGPT or LLMs,” where you’re like, “You know what? It’s actually an uphill battle for us.” Also, as I say, as a good guy, you have to be right 101% of the time; a bad guy has to be right only once. So it’s not even an even playing field there.

Dan Pinto: Yeah, no, that makes sense. I mean, generally, the way that we look at it and our customers look at it is that you’re never going to catch 100% of the fraud, but you want to make it as difficult as possible for the fraudster. So you want to make that 1% as small as possible, basically waste as many resources on their side to try to make anything happen.

But yeah, we’ve seen some crazy things. So for example, one of our customers is an identity platform that does real-time verification of IDs, and you have to join the platform – you’re on video, your face has to show up, and you have to hold up an ID card, for example. And they’ve shown us some of the things that we’ve been able to detect. Essentially, it’s like AI masks that people are wearing on top of their real face, which looks exactly like the person on the ID. And it’s real-time – like you can turn a little bit and you can’t tell that it is not the person. The only way to actually prevent it is to actually pass your hand fully over it, because it kind of breaks the AI mask. So there are a number of techniques like that.

On the tech side, this is relatively old now, but it used to be that fraudsters would use unsophisticated messages sent to people in order to try to filter out and not waste time with people that are going to be smarter and figure out the scam by the end. But now, using LLMs, you can actually tailor the message that you’re going to use to defraud someone to the very specific accent of English that they use in one part of England, because you’re sending it to a person that is living in that part of England, right? So there are a lot of really specific things that you can do nowadays.

One last one I want to share, because this one’s super interesting to me – it’s kind of related to this podcast. So likely someone is going to make a deepfake based on my video in this interview and then use it to send to our employees to ask them for gift cards to be sent out. And we’ve seen that trend as well, where in the very early days of the business, like early 2020, that wasn’t happening at all. Then we started getting text messages and emails. As soon as somebody joined the company, they would scrape LinkedIn, start sending messages to the employees pretending to be me. And obviously it doesn’t look that sophisticated, or didn’t back then, but it’s getting closer and closer, especially with this future deepfake that’s likely going to happen, that people might fall for it in the future.

So it’s going to take device intelligence, training employees – all these different things in order to keep ahead of the curve.

Swapnil Bhartiya: As you earlier gave an example of somebody who used just agentic AI and didn’t have any experience in coding and set up a website – sometimes, when we look at security tools, developers don’t like to talk to security folks because they know they will slow them down. They will even stop the progress, because there will be something that is breaking. So security tools can be seen as friction in terms of innovation and progress. How do you folks strike a balance where, while you empower companies to be able to prevent fraud, at the same time, it doesn’t disrupt their business and user experience?

Dan Pinto: Yeah, so a couple of things I can mention about that. For us, our company was started by two software engineers, so we’re exactly in that same camp. We don’t want to talk to salespeople; we want to actually just use the tool immediately. So our business is fully self-service, right? You can go to the website, you can sign up, get full access, read our documentation. It’s fully open.

Then the other angle of the question is: for our customers, what can we help with? So imagine you’re a fintech business. You’re trying to make sure that you’re balancing between fraud and friction. You want to make sure that you catch enough of the bad actors, but you don’t have a false positive where you accidentally think that someone is a bad actor, right?

So let’s say you have a very privacy-aware customer that’s coming to your website. They’re using a VPN. If you use a historical method, you might say, “Oh, block everybody that’s on a VPN,” but that’s not going to be good enough, especially if people start adopting that tool more. So you need to figure out: how can you trust that visitor more?

And one way, for example, is through the other device intelligence signals that we have, or device fingerprinting itself, because we can link it together, and we can say, “Sure, this visitor is coming through a VPN today, but they came three other times, and they were well-behaved those three other times, so likely you can trust them coming through, and they don’t have any of the other risk signals that we would normally make available to you,” and you would allow that customer to continue down the process.

Or if it’s an extremely well-behaved customer, you can even skip a step in the process, right? Like, don’t require an SMS code to be sent to their device, because they’ve already put in the username and password and the fingerprint is matching, right?

So for us, it’s about providing those tools to the business, and for some businesses it might be, “How do I lock my systems down more?” And for some businesses it might be, “How do I make my systems less locked down for the customers that I can trust?”

Swapnil Bhartiya: You also mentioned that you folks only provide the signals, but they can choose the solution they want. Talk about the importance of partners. Do you also partner with other companies, or do you leave it totally to your customers that they can pick and choose whatever solutions they want, or do you have a very good network of partnerships also where they complement your services?

Dan Pinto: Yeah, that’s a great question. So stylistically, we chose to partner a lot from the very beginning because it allows us to focus on what we do best. Since we focus purely on the signal detection, providing best-in-class information to businesses, that means that we need to partner on two ends of the spectrum.

So first is the actual way that the code is integrated on the page. We partner with companies like Cloudflare, Akamai, Fastly in order to share the JavaScript, block bad actors on the page – all those things that could potentially happen that are bad. But because we don’t control the blocking side, we only do detection.

And similarly, on the other side, since we don’t do decisioning, we partner with a number of decision engines – different companies that you can see on our website, and they fit different markets, right? So some focus more on fintech, some focus more on account registration, some focus on account login, and each of them are companies that we’re happy to work with. We want to provide the best-in-class tools for any business to operate in the way that they want to operate.

Swapnil Bhartiya: What kind of growth have you seen? As you earlier mentioned, the company has been around for a bit, but it picked up momentum recently. So talk about what kind of growth you’re seeing, what kind of investment, and what plans you have for the future.

Dan Pinto: Yeah, just to clarify: there was no business from 2013 to 2020 – it was just the open source library. Since 2020, we started the business, and it’s grown really quickly from that point. We started with self-service developers coming to our website and using it. Then we moved into the mid-market, and then the last couple of years, we’ve seen a further acceleration of growth because of the enterprise.

Since our business is available via API, it’s very broad in terms of use cases, and it’s easy to consume, it’s helped us get into the enterprise much more quickly than we should based on the age of the business, and things are going really well. We’re at about 150 employees now, doubling year over year in terms of revenue currently. So yeah, looking forward to getting more customers and helping prevent more fraud.

Swapnil Bhartiya: It’s almost June, so we are in the middle of this year. Any major projects, anything in the pipeline? Of course, you cannot share too many details – we’ll talk about it when the product or service is already out. But is there anything in the pipeline that you would like to tease your viewers with?

Dan Pinto: Yeah, I mean, one thing that I personally really like that we launched relatively recently is our residential proxy detection. So residential proxies are an interesting method of fraud because they allow someone, somewhere internationally, to pretend like they’re in different places in the United States, because of the use of certain services that allow you to change your location pretty easily, right? So it goes through, let’s say, a router in Oklahoma, and then it can go through a router in New Hampshire, and then each of those times, you can do a new attempt to either commit fraud or, again, appear like you’re an anonymous person if you want to. That’s the main use case for regular people – to hide where they’re based. But again, it allows fraudsters to do bad things.

So we’ve developed some technology that allows us to detect that significantly better through two methods. One is the data – so knowing which IP addresses are being used as residential proxies. And the other, which is much more interesting and more in our wheelhouse, is the ability to detect in real-time if it is a residential proxy in that very request.

So there are a number of things that we can do in terms of other network requests at the same time that our code is run to see if unusual things happen. So basically, does the time that it takes to connect to a certain location take longer than it should? Because maybe it’s doing multiple hops before it gets to that server. And then we can use that information and provide that as a signal back to the business of, “Wait a second, this person may not actually be in Oklahoma – check and determine what you want to do with them.”

Swapnil Bhartiya: Dan, thank you so much for joining today and talking about Fingerprint and the whole landscape of how you folks are helping organizations in catching fraud. Thanks for the great insights, and I look forward to chatting with you folks again. Thank you.

Dan Pinto: Yeah, thanks a lot for having me.
