NuDetect

NuData, a subsidiary of Mastercard, integrates with 3DS verification and features an anti-bot system called nuDetect which, like Akamai's, relies on human behavioral analysis.

Understanding nuData’s Functionality

nuData operates through a website’s domain or server, using a fingerprinting script found in URLs containing /init/js/ or /sync/js/. For instance, Kohls.com uses the following URL for nuData integration: https://fc.kohls.com/2.2/w/w-552128/sync/js/, utilizing a customer ID for request identification.

The configuration of nuData is stored in a pageModeConfig property, and its fingerprinting script initializes a window property at window.ndsapi.

nuData’s Initial Analysis Process

nuData examines various properties, such as:

  • pageX, pageY coordinates of page elements, including the main document.
  • Scroll positions: document.body.scrollLeft & document.body.scrollRight.
  • Current time: Date.now().
  • Numerous Math operations, likely assessing the JavaScript VM.
  • Common properties like window._phantom, window.callPhantom, window.__phantomas, etc.
  • Screen details: window.screen.width, window.screen.height, window.screen.colorDepth.
  • Flash plugin presence.
  • Navigator attributes, including language and device timezone.
  • WebGL parameters:
    VERSION, RENDERER, SHADING_LANGUAGE_VERSION, DEPTH_BITS, MAX_VERTEX_ATTRIBS, MAX_VERTEX_TEXTURE_IMAGE_UNITS, MAX_VARYING_VECTORS, MAX_VERTEX_UNIFORM_VECTORS, MAX_COMBINED_TEXTURE_IMAGE_UNITS, MAX_TEXTURE_SIZE, MAX_CUBE_MAP_TEXTURE_SIZE, NUM_COMPRESSED_TEXTURE_FORMATS, MAX_RENDERBUFFER_SIZE, MAX_VIEWPORT_DIMS, ALIASED_LINE_WIDTH_RANGE, ALIASED_POINT_SIZE_RANGE
  • Canvas fingerprinting and font metrics, drawing text on a canvas and analyzing the result with the following script:
          // Draw a test string twice: first in the default font and fill style,
          // then in semi-transparent 18pt Arial at a slight offset.
          var b = document.createElement("canvas");
          b.width = 200;
          b.height = 40;
          b.style.display = "inline";
          var c = b.getContext("2d");
          c.fillText("aBc#$efG~ \ude73\ud63d", 4, 10);
          c.fillStyle = "rgba(67, 92, 0, 0.5)";
          c.font = "18pt Arial";
          c.fillText("aBc#$~efG \ude73\ud63d", 8, 12);
          // Serialize the rendered pixels; the output varies with GPU, driver and fonts.
          var a = b.toDataURL();
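
The property checks listed above, sketched as a collector a site operator could use to see what such a script observes in a given browser. This is an added example, not nuData's code: collectSignals, readWebGL and the output field names are hypothetical, and only a subset of the WebGL parameters is read.

```javascript
// Added example: gathers the signals listed above from a window-like object.
// Function and field names are hypothetical, not taken from nuData's script.
const AUTOMATION_MARKERS = ["_phantom", "callPhantom", "__phantomas"];
const WEBGL_PARAMS = ["VERSION", "RENDERER", "SHADING_LANGUAGE_VERSION",
  "MAX_TEXTURE_SIZE", "MAX_VIEWPORT_DIMS", "ALIASED_LINE_WIDTH_RANGE"];

function readWebGL(doc) {
  let gl = null;
  try {
    const canvas = doc.createElement("canvas");
    gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  } catch (e) {
    return { available: false, error: String(e.message || e) };
  }
  // getContext returns null when WebGL is disabled or unsupported; that
  // absence is itself a signal, so report it instead of throwing.
  if (!gl) return { available: false };
  const params = {};
  for (const name of WEBGL_PARAMS) {
    const value = gl.getParameter(gl[name]);
    // Range and dimension parameters come back as typed arrays; flatten them.
    const isArrayLike = value && typeof value !== "string" &&
      typeof value.length === "number";
    params[name] = isArrayLike ? Array.from(value) : value;
  }
  return { available: true, params };
}

function collectSignals(win) {
  const { screen, navigator, document: doc } = win;
  return {
    time: Date.now(),
    // Globals left behind by PhantomJS-style automation.
    automationMarkers: AUTOMATION_MARKERS.filter((key) => key in win),
    screen: {
      width: screen.width,
      height: screen.height,
      colorDepth: screen.colorDepth,
    },
    language: navigator.language,
    timezoneOffsetMinutes: new Date().getTimezoneOffset(),
    webgl: readWebGL(doc),
  };
}

// In a browser console: console.log(collectSignals(window));
```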

Behavioral Analysis by nuData

nuData tracks all page events, including keyboard (keyCode) and mouse movements (pageX, pageY), logging the sequence and timing of these events. This data suggests analysis of user interaction speed. The collected data is encoded in a proprietary format, for example:

"vce":"apvc,0,656p336o,2,1;fg,0,;zz,153,24r,2sn,;zzf,5r8,0...".

Bypassing nuData

Bypassing nuData security requires a nuanced approach, especially considering its reliance on GPU rendering information to determine the operating system and device type.

Here are some strategies:

  • GPU Rendering: Emulate consumer-grade GPUs rather than professional hardware, as nuData’s algorithms are tuned to recognize and differentiate between them.
  • Behavioral Analysis: Utilize tools like ghost-cursor (found at https://npmjs.com/package/ghost-cursor) to simulate human-like cursor movements and keystrokes. Timing is crucial here; movements or keystrokes that are too rapid can be flagged as suspicious.