This reminds me of my favorite hackathon project. The idea was to guess which college/university a person attended when they visited our website. I put a list of links to college bookstores in a hidden iframe. Then I had JavaScript that scanned the list to see which links were showing the "visited" color.
Browser people quickly realized the intrusive potential of this "feature" and disabled getting the visited status of a link.
You can still do this today via CSS. Simply add an ::after pseudo-element to the :visited link with a URL that you control, e.g. (semi-pseudocode example):
The user's browser will handily automatically send a request to the site, logging their visit on your end.
Not 100% sure if browsers block this (they probably can, or otherwise definitely should!) via cross-origin policies or whatever, but if you control the site that the links are on then you can set the cross-origin policy yourself, without any need of a hidden iframe or similar things that are 'obviously scary' to safety-conscious Chromium browsers.
After posting that, I got some emails from others, and someone shared a cool technique involving detecting how long it takes to paint the link to the screen. https://ndev.tk/visted/
How do you inspect an iframe from a third party? Since the iframe can't be read by a script from your site. Is there something missing in the explanation?
Apart from the creepiness, it is absolutely amazing that the bank does that. I'm very impressed that a bank has such creative hacker minds to build a warning system like that.
This is actually very common for any kind of security fingerprinting use-case in the browser, especially in banking/payments.
If you work forwards from "wow, fonts are a weird fingerprint technique" it seems clever.
But the reality is it's much more straightforward if you just work it backwards. Someone said: we have access to the customer's browser, what can we grab to throw into our ML model? You look in the DOM spec, grab every piece of data you can get from the customer's system and send it all. Fonts are one thing that ended up being useful.
(I am not condoning this practice, just happen to be aware of it very well.)
I suppose they have also been in contact with Teamviewer and maybe they were the ones who suggested this solution being that they were the ones adding that hidden font.
I'm guessing they see enough fraud that such a system quickly paid for itself.
Still on the fence whether the creepiness is worth it, though. Seems like there are easier alternatives like "graylisting" where a transaction is in a pending state for 2-3 days where it's cancellable (and maybe can be expedited with a phone call). Seems like that'd offer a nice middle-ground between scanning your computer and protecting from scammers.
As one of their customers, I think their password policies are extremely unhelpful to creating secure logons, and make it almost impossible to use a password manager.
It's cool but really annoying that they still don't have a good API for importing my transactions to a budgeting app. At least their US site still requires logging in and scraping, and of course their 2FA is still cell number only.
My local credit union teller told me that they chat up old customers who are moving money around to see if they are being scammed. Supposedly they did help one person who told them what they were up to and they stopped them.
> Companies that routinely deal with remote access scams (I'm thinking especially of crypto exchanges) could check for this font and display specific warnings only to people who had TeamViewer installed on their Windows machine (probably disproportionately represented among scam victims).
> TeamViewer is a long way from the only software being used for this, but it's kind of a cool opportunity.
Fingerprinting by detecting installed fonts is certainly interesting, especially since it could be used by both offense and defense.
Digging in deeper, I'm wondering if it would be possible to craft a font that consists of JavaScript fragments which could be rendered and eval'ed when a page loads. There must be something in the browser's rendering process that would block this, right?
I don't think this is what OP was talking about but fonts are Turing-complete and can introduce all manner of exploits.[0] However, getting the font installed seems like the hard bit - I don't see how loading it or detecting it in a website makes anything new possible.
I was actually wondering if you could use this as another form of authentication (ignoring that WebAuthn and other such standards exist). For example, create a font dynamically that, when printing a specific string, just outputs some form of data (e.g. a JWT encoded in a font glyph) that can be drawn to a canvas and read by the page.
Could be some form of incredibly sticky authentication: unless the user removes the font, it will never go away. Nefarious, and not sure there would ever be a legitimate use case, but sounds doable.
> Websites can see what fonts your computer has installed
They can? I looked into this once - I was putting together a demo site for a friend who does graphic design (like physical signs) and he had a lot of unusual fonts installed on his computer that he would have liked to use from the website. He wanted a dynamic drop-down of all installed fonts so he could select the one to use in the demo, but as far as I could tell, JavaScript doesn't allow that specifically because it could lead to browser fingerprinting/security problems.
Just spitballing, but even if you can't enumerate the fonts, you could draw text with the targeted font on a hidden canvas element and check if the resulting pixels roughly resemble what would be expected versus a "fallback" font?
I guess we need a "load fonts" opt-in flag for the Canvas API that sets the "no readback" flag that also gets tripped when loading non-same-origin images?
What blows my mind is that YouTube is full of scam-baiter videos clearly demonstrating that a good majority of scammers use TeamViewer, yet TeamViewer themselves do little to nothing to make it difficult for scammers to continue this.
Many of the more recent of these scam-baiting videos show them using AnyDesk instead. I watch these channels and haven't seen TeamViewer in a while. Perhaps TeamViewer's tactics have successfully scared them away? They've added quite strong and clear warnings to the software.
Seems similar to the story about Russian hackers being instructed to leave computers alone that have Russian language enabled. I don't think enough people are cognizant of the fingerprint that their browser leaves behind.
Safari doesn't let web sites use user-installed fonts in order to defeat fingerprinting like this. I'm surprised other browsers don't have the same mitigation!
I can confirm at least one Australian retail bank uses this fingerprinting too.
In the past two weeks I have been locked out of an online banking portal, with TeamViewer being one of the signals used to try to verify a suspicious-looking transaction.
TeamViewer used to install a font, but that doesn't seem to be how they identify that anymore.
Someone should ping Pleasant Green and all the other scam-baiters. If they talk about it, more banks might implement it, and it could actually save a lot of people. Then they need something like this also for AnyDesk.
Does TeamViewer start any webserver on a local port which the banking page could connect to and check for a _running_ instance? That would be much more interesting for fraud detection than an _installed_ instance.
You can't query local services from a remote webpage unless you use a DNS rebinding attack, which is probably a bit over the top for "whitehat" activity.
But only because the local service in this example is not prepared to accept the websocket connection; the TeamViewer client would be able to do this to enable some functions on the TeamViewer website if an instance is running.