PayPal's Persistent Device Identification: Beating Cookie Clears and VPNs with Advanced Fraud Detection

PayPal employs sophisticated device identification technologies that extend far beyond simple cookies to track and link users to their activities. This involves advanced browser and hardware fingerprinting, along with behavioral analytics, to create a persistent device profile, even when users attempt to mask their identity by clearing data or changing IP addresses.

PayPal consistently identifies your device, even after you clear cookies, use incognito mode, or change VPNs, through a sophisticated multi-layered fingerprinting and behavioral analysis system, underpinned by technology from ThreatMetrix (now LexisNexis Risk Solutions). This robust approach enables them to build a persistent device profile for effective fraud prevention.

PayPal's device identification goes far beyond simple cookies, employing a comprehensive suite of techniques to generate a unique 'device fingerprint' for each session. When you access PayPal, a JavaScript snippet runs to collect hundreds of data points from your browser and hardware environment. These data points include User-Agent strings, installed font lists, screen resolution, time zone, browser plugins, WebGL rendering capabilities, AudioContext fingerprinting, and graphics card characteristics. The 'entropy' (randomness and uniqueness) of these parameters is analyzed to create a hash or device ID. Network-level parameters such as client TLS/JA3/JA4 fingerprints, TLS session ticket IDs, and preferred cipher suite order are also used in the analysis. Relying on a basic VPN or changing your IP with a standard proxy will not suffice, because the underlying device fingerprint remains.
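The entropy-then-hash step described above can be shown from the analyst's side. This is an added example, not PayPal's or ThreatMetrix's code: the attribute names, the sample sessions and the choice of SHA-256 over a canonical JSON encoding are all assumptions made for illustration.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed sample sessions (documentation IP ranges, made-up attribute values).
SESSIONS = [
    {"ip": "198.51.100.7", "user_agent": "UA-A", "screen": "1920x1080",
     "timezone": "UTC+1", "webgl": "GPU-1"},
    # Same device as above, seen later from a different IP.
    {"ip": "203.0.113.9", "user_agent": "UA-A", "screen": "1920x1080",
     "timezone": "UTC+1", "webgl": "GPU-1"},
    {"ip": "198.51.100.20", "user_agent": "UA-B", "screen": "2560x1440",
     "timezone": "UTC+1", "webgl": "GPU-2"},
    {"ip": "192.0.2.55", "user_agent": "UA-A", "screen": "1366x768",
     "timezone": "UTC+1", "webgl": "GPU-2"},
]

# Assumption: only browser/hardware attributes feed the ID; the IP does not.
FINGERPRINT_KEYS = ("user_agent", "screen", "timezone", "webgl")


def attribute_entropy(sessions, key):
    """Shannon entropy (bits) of one attribute across the observed sessions."""
    counts = Counter(s[key] for s in sessions)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def device_id(session):
    """Stable ID: hash of the fingerprint attributes in canonical order."""
    canonical = json.dumps(
        {k: session[k] for k in FINGERPRINT_KEYS},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def rank_attributes(sessions):
    """Attributes ordered from most to least identifying in this sample."""
    return sorted(FINGERPRINT_KEYS,
                  key=lambda k: attribute_entropy(sessions, k), reverse=True)


if __name__ == "__main__":
    for key in rank_attributes(SESSIONS):
        print(f"{key:10s} {attribute_entropy(SESSIONS, key):.3f} bits")
    for s in SESSIONS:
        print(s["ip"], device_id(s))
```

An attribute that is identical for every visitor contributes zero bits, and the first two sessions hash to the same ID even though their IP addresses differ.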

ThreatMetrix technology, deeply integrated into PayPal's infrastructure, plays a pivotal role. A notable component is the `_abck` cookie, often considered a 'supercookie' due to its resilience and ability to be re-established even after deletion. It can leverage localStorage, IndexedDB, Web SQL, or even techniques like ETags and HSTS to maintain persistence. Upon your PayPal visit, an encrypted data blob known as `sensor_data` is collected and transmitted, encapsulating all these fingerprinting details. This data is then cross-referenced against their vast database to determine if the device has been seen before and if it's associated with any suspicious activities. For true obfuscation, users require a comprehensive anti-detection solution.

What is the Role of Device Graph and Payment Graph in Account Linking?

PayPal doesn't merely evaluate individual transactions or accounts in isolation; it constructs an intricate Device Graph and Payment Graph to uncover hidden connections. The Device Graph links device fingerprints, IP addresses (including the ASN - Autonomous System Number of the ISP), geolocation data (dMAP RTT - Round Trip Time to reference servers), and user behavior patterns. If a single device is used to log into multiple distinct accounts or engage in suspicious activities, all associated accounts will be flagged.

Crucially, the Payment Graph highlights PayPal's sophistication in fraud prevention. This graph tightly interlinks payment and identity information: bank account numbers, credit/debit card BINs (Bank Identification Numbers), phone numbers, email addresses, names, and physical addresses. The golden rule here is: reusing any single one of these details will instantly link a new account to the history of an existing or flagged account. For instance, creating a new PayPal account with a pristine email but linking it to a bank card previously flagged for fraud on another account will immediately trigger PayPal's detection mechanisms, potentially leading to immediate account suspension. This underscores why simply using a high-quality router proxy to separate network environments is necessary but insufficient if payment information isn't entirely compartmentalized.
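The linking rule described in the two paragraphs above amounts to finding connected components over shared attributes. This is an added example, not PayPal's code: the account records, field names and the union-find approach are assumptions chosen to show how one reused value links accounts transitively.

```python
from collections import defaultdict

# Constructed account records; every identifier here is made up.
ACCOUNTS = {
    "acct-1": {"device": "dev-aaa", "card": "card-111",
               "email": "a@example.com", "phone": "555-0101"},
    "acct-2": {"device": "dev-bbb", "card": "card-111",   # reuses acct-1's card
               "email": "b@example.com", "phone": "555-0102"},
    "acct-3": {"device": "dev-bbb", "card": "card-333",   # reuses acct-2's device
               "email": "c@example.com", "phone": "555-0103"},
    "acct-4": {"device": "dev-ddd", "card": "card-444",
               "email": "d@example.com", "phone": "555-0104"},
}
FLAGGED = {"acct-1"}  # constructed: the account with a fraud history


def link_accounts(accounts):
    """Group accounts that share any (field, value) pair, directly or transitively."""
    parent = {a: a for a in accounts}

    def find(x):
        # Union-find lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first account observed with it
    for acct, attrs in accounts.items():
        for item in attrs.items():
            if item in first_seen:
                parent[find(acct)] = find(first_seen[item])
            else:
                first_seen[item] = acct

    clusters = defaultdict(set)
    for acct in accounts:
        clusters[find(acct)].add(acct)
    return list(clusters.values())


def accounts_at_risk(accounts, flagged):
    """Unflagged accounts that sit in the same cluster as a flagged one."""
    risky = set()
    for cluster in link_accounts(accounts):
        if cluster & flagged:
            risky |= cluster - flagged
    return risky


if __name__ == "__main__":
    print(sorted(accounts_at_risk(ACCOUNTS, FLAGGED)))
```

Here acct-3 shares nothing with the flagged account directly; it is pulled into the cluster through the device it shares with acct-2.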

How Does a "Banned Device" Impact New Account Creation?

When a device is flagged by PayPal as a 'banned device' due to its association with fraudulent activities, policy violations, or a high 'fraud score,' any attempt to create or access new PayPal accounts from that device is highly likely to result in immediate account closure or limitation. PayPal's system not only remembers the device's fingerprint but also its associated history. Even if you endeavor to create an account with entirely new personal and payment information, the device's persistent fingerprint will be a critical vulnerability.

Metrics such as browser entropy, TLS fingerprint (JA3/JA4), and session ticket ID all contribute to establishing the device's uniqueness. If these parameters match those of a flagged device, the system automatically elevates the risk score for the current session. This creates a significant barrier for those attempting to manage multiple accounts or recover from prior suspensions. To circumvent this, professionals often resort to hardware solutions like a dedicated router proxy to ensure each account operates within a completely isolated device and network environment, minimizing cross-linking risks. This is also a key consideration for proxy-for-MMO use cases.

Strategies for Safely Managing Multiple PayPal Accounts

To safely manage multiple PayPal accounts and prevent cross-linking or flagging, a comprehensive isolation strategy is imperative. Merely using VPNs, incognito mode, or clearing cookies is insufficient, as these methods fail to address PayPal's advanced device fingerprinting. The following steps are essential:

  • Independent Device Environments: Each PayPal account should be accessed from a completely separate virtual or physical device environment. This can involve virtual machines (VMs), anti-detect browser profiles with unique fingerprinting parameters (User-Agent, Canvas, WebGL, AudioContext, Font List, etc.), or even distinct physical hardware devices. The goal is to ensure each account has a completely unique device 'fingerprint.'
  • Exclusive and High-Quality IP Addresses: Each account must utilize a unique, static, or rotating IP address of high quality. Rotating 5G/LTE proxies (also known as mobile proxies) or residential proxies are optimal choices as they provide clean, legitimate-looking IPs and often feature automatic IP rotation, helping to avoid detection as datacenter proxies. Avoid cheap datacenter proxies or free VPNs, as they are typically already flagged.
  • Strictly Independent Identity and Payment Information: This is the most critical element within the Payment Graph. Every PayPal account must have a completely distinct set of identity details (name, address, phone number, email) and payment information (bank cards, bank accounts) that has never been used on any other PayPal account, especially those that have been flagged. Any reuse will lead to instant linking.
  • Natural User Behavior: Avoid suspicious behaviors such as logging in and making large transactions immediately, changing IPs too frequently, or accessing from vastly different time zones in an erratic manner. Strive to emulate normal user behavior to build 'trust' for the account.

Quick Summary

  • PayPal uses multi-layered fingerprinting (browser, hardware, network) and ThreatMetrix technology to identify devices, going beyond simple cookies.
  • The `_abck` cookie system and `sensor_data` are core components, enabling device identity re-establishment even after local data is cleared.
  • Device Graph and Payment Graph intricately link devices, IPs, and payment information, meaning reusing any detail leads to instant account linking.
  • A 'banned device' automatically triggers high-risk alerts for any new accounts created from it, likely resulting in immediate suspension.
  • Safely managing multiple PayPal accounts requires independent device environments, high-quality IPs (like 5G rotating proxies), and entirely distinct identity/payment information for each account.