Why IP Blocking Is Dead: The Case for Device Fingerprinting


For years, IP blocking was the standard answer to fraud on Shopify. A suspicious order comes in from 185.220.101.42. You block that IP. Problem solved or so it seemed.

In 2026, IP blocking is the equivalent of locking your front door while leaving every window open. Fraudsters know it's there, and they walk right past it. Here's why and what actually works instead.

The Problem With IP Addresses

An IP address identifies a connection, not a person. This distinction matters because everything a fraudster needs to change their IP is cheap, fast, and readily available.

VPN services cost under $5/month. With a single click, a fraudster switches from a US IP to a UK IP to a Singapore IP. Your carefully maintained blocklist becomes irrelevant in seconds. Major VPN providers offer thousands of server locations, giving fraudsters virtually unlimited IP addresses to cycle through.

Residential proxies make fraud traffic look legitimate. Unlike datacenter VPNs (which some fraud tools can detect), residential proxy networks route traffic through real home internet connections. To your store, the fraudster appears to be browsing from a suburban household in Ohio. Residential proxy subscriptions start at roughly $10/month for enough bandwidth to run a fraud operation.

Mobile networks rotate IPs automatically. When a fraudster switches between WiFi and cellular data, they get a new IP. When their phone reconnects to a cell tower, the carrier may assign a different address. No tool, no cost the IP simply changes on its own.

Shared IPs affect innocent people. A single IP address can represent an entire apartment building, a corporate office with hundreds of employees, or a university campus with thousands of students. Block one fraudster's IP and you may lock out dozens of legitimate customers who share that connection.

The core issue is straightforward: IP addresses were never designed to be persistent identifiers. They're temporary labels assigned to network connections. Building a fraud prevention strategy on IP addresses is building on a foundation that was never meant to support it.

What Fraudsters Actually Do

Understanding the threat model makes clear why IP blocking fails. A typical fraud operation in 2026 looks like this:

The fraudster has a list of stolen credit card numbers purchased from a dark web marketplace. They need to test which cards are still active and extract value before the cardholder notices. Here's their setup:

They run a VPN or residential proxy service that automatically rotates their IP address with every request or every few minutes. They use browser automation tools or antidetect browsers (like Multilogin or GoLogin) that create fresh browser profiles with randomized settings. They generate disposable email addresses through temporary email services. They use a different name, address, and phone number for each order.

From your store's perspective, each fraudulent order looks like it comes from a completely different person different IP, different email, different name. IP blocking catches the first one (if you're fast enough). The next nine sail through.

This is why many merchants describe the same frustrating pattern: they block an IP, and the same type of fraud appears from a different IP within hours. They're fighting the symptom, not the cause.

Enter Device Fingerprinting

Device fingerprinting also called browser fingerprinting takes a fundamentally different approach. Instead of identifying the connection, it identifies the device.

Every browser running on every device has a unique combination of characteristics: screen resolution, installed fonts, GPU model and rendering behavior, audio processing capabilities, timezone, language settings, available plugins, WebGL parameters, canvas rendering results, and dozens more.

Individually, none of these signals is unique. Many people have 1920×1080 screens. Many people run Chrome on Windows. But the combination of 50+ signals creates a fingerprint that is statistically unique to each device. Research from the Electronic Frontier Foundation's Panopticlick project found that browser fingerprints are unique among large populations in the vast majority of cases.

This fingerprint has a critical property that IP addresses lack: persistence. When a fraudster changes their VPN, their fingerprint stays the same. When they clear cookies, it stays the same. When they open an incognito window, it stays the same. The only way to change a device fingerprint is to use a completely different device or a specialized antidetect browser that spoofs hardware-level signals (and even those leave detectable traces).

How Visitor ID Works in Practice

Browsify implements device fingerprinting through what we call Visitor ID. Here's the practical workflow:

First visit: When someone visits your Shopify store, Browsify collects browser and device signals and generates a Visitor ID a unique string of characters that represents that device. This happens silently, with no impact on page load or user experience.

Subsequent visits: Every time that device returns regardless of IP address, browser session, or cookie state Browsify recognizes the same Visitor ID. The visitor's history, risk score, and any blocks you've applied follow them.

Blocking a fraudster: When you identify a fraudulent order, you block the associated Visitor ID. That device is now permanently blocked from your store. The fraudster can change their IP, use a different email, switch browsers, and clear every cookie but they cannot change their Visitor ID without changing their physical device.

Auto-blocking: Browsify assigns a fraud score to each visitor based on their device signals, network characteristics, and behavioral patterns. When the score exceeds your threshold (we recommend 80 out of 100), the visitor is automatically blocked before they reach checkout. No manual review needed.

Comparing the Two Approaches

Factor IP Blocking Device Fingerprinting (Visitor ID)
What it identifies Network connection Physical device
Persistence Minutes (VPN switch) Permanent (follows device)
Cost to bypass $5/month VPN New physical device
False positives High (shared IPs) Low (device-specific)
Detects VPN/proxy users Some apps detect; blocking is blunt Yes with granular control
Catches repeat offenders Only if same IP Yes regardless of IP
Blocks incognito mode No Yes
Blocks cookie clears No Yes
Works on mobile networks Poorly (IPs rotate) Yes

The practical difference is stark. IP blocking is a game of whack-a-mole that the fraudster always wins. Device fingerprinting changes the economics entirely instead of needing a $5 VPN to bypass your defenses, the fraudster needs a new device.

When IP Blocking Still Has a Role

To be fair, IP blocking isn't completely useless. It still works in specific scenarios:

Country-level blocking is effective if you don't ship to certain countries and want to prevent traffic from regions with high fraud rates. This is a broad filter that reduces exposure.

Blocking known datacenter IPs (used by bots and scrapers) removes automated traffic that isn't coming from real browsers. This complements device fingerprinting rather than competing with it.

Blocking specific ISPs known for hosting fraud operations can reduce exposure to certain attack vectors.

The key insight is that IP blocking works as a broad filter removing entire categories of traffic but fails as a targeted defense against individual fraudsters. Device fingerprinting handles the targeted blocking that IP addresses can't.

The most effective approach combines both: use IP/country blocking as your broad first layer, and Visitor ID as your persistent second layer for catching and blocking individual bad actors.

The Ad Pixel Bonus

There's a benefit to pre-checkout device fingerprinting that gets overlooked in most fraud discussions: it protects your advertising data.

When you block a fraudster by IP (after they've already placed an order), your ad pixel has already fired. Meta, Google, and TikTok recorded a "Purchase" event for a person who wasn't a real customer. Their algorithms learned from it.

When you block a fraudster by Visitor ID (before they reach checkout), the pixel never fires. Your conversion data stays clean. Your ad platforms learn from real buyers, not fraudsters. Over time, this means lower CPAs, better ROAS, and more accurate lookalike audiences.

This is arguably the highest-ROI benefit of device fingerprinting not just preventing the direct cost of fraud, but preventing the indirect cost of corrupted advertising data. Read our full guide on pixel pollution →

Making the Switch

If your store currently relies on IP blocking alone, transitioning to device fingerprinting is straightforward:

  1. Install Browsify from the Shopify App Store. It runs alongside any existing fraud tools without conflict.
  2. Keep your existing IP blocks. They still serve as a broad filter. Visitor ID adds a persistent layer on top.
  3. Set your fraud score threshold. Start at 80 (out of 100) to auto-block high-risk visitors. Adjust based on your store's false positive rate.
  4. Monitor for one week. Review your Browsify dashboard to see how many visitors are being detected and blocked by Visitor ID that would have bypassed IP-only blocking.
  5. Block known fraudsters. Look up the Visitor IDs from your recent chargeback orders and add them to your permanent block list.

Most merchants report catching previously undetectable repeat fraudsters within the first few days visitors who had been bypassing IP blocks for weeks or months.

The Bottom Line

IP blocking was a reasonable defense when most fraud was unsophisticated. That era is over. Fraudsters in 2026 rotate IPs automatically, use residential proxies that look like real traffic, and know exactly which signals traditional fraud tools check.

Device fingerprinting changes the game because it targets the one thing fraudsters can't easily change: their physical hardware. A $5 VPN bypasses an IP block. Bypassing a device fingerprint requires buying a new device.

Try Visitor ID on your store install Browsify free →


Related Reading