By Michael O'Connor, IronClad Consulting
How many people remember the Big Brother scare surrounding the Processor Serial Number (PSN) embedded in Pentium 3s (and some Pentium 2s) back in 1999-2000?
Despite some of the technical community stating that the PSN was not a solid identifier, as it could be easily masked (or, conversely, "forced" to reveal itself), Intel created quite the scare among large groups of people.
Eventually, in April 2000, the company announced that they would not include the PSN in the forthcoming 1.5GHz Willamette chip. An anonymous Intel engineer was quoted telling Wired magazine, "The gains that it could give us for the proposed line of security features were not sufficient to overcome the bad rep it would give us."
Jumping ahead 9 years, in mid-September 2009 I noticed an announcement by ThreatMetrix, touting an opposite reaction to the idea of tracking a device.
Evidently, a study done by Ponemon Institute found positive consumer reaction to the concept of CDI (Client Device Identification, sometimes called device ID or device fingerprinting) as part of a fraud prevention/consumer protection strategy. The article states that a significant percentage of surveyed individuals are more amenable to having their computer profiled/identified than they are to having to remember a password or submit to other typical security measures.
If the attitude expressed by the respondents in the Ponemon study is representative at all of the populace as a whole, could it mean the idea of device identification is no longer a scare to consumers?
The key may rest upon the question of whether or not Personally Identifiable Information (PII) is associated with the device IDs being created. The Ponemon study reveals that consumers are comfortable with a device ID concept as long as personal information is not tied to it.
This is pretty much what today's device identification vendors are marketing. The technology is intended to create a unique identifier surrounding a device without the need to collect any PII.
Some of the device ID elements may be used to tell the technology vendors specific information that is critical to judge the threat level of a transaction (for example, IP geo-location information, time differentiation, browser language, etc.). This information can be scored in some way or forwarded directly to a client company to assist them with filtering suspicious transactions. Since the client company often has individual account information for its visitors, it may combine device ID information with its own customer data to provide an even deeper profile (for example, account-to-device relationships).
Critics of device ID complain that a unique fingerprint is not always attainable, and savvy users can spoof, change, or substitute a device ID. In response to the first concern, how many fraud prevention technologies are 100 percent accurate? And wouldn't the absence of a device ID be cause for concern by itself, depending on the application? As far as the second concern goes, which fraud prevention technologies are immune to user tampering of any kind?
Add to this the fact that most CDI vendors can tell when a device ID has been tampered with in some way, so the confidence level is not degraded significantly. Would a device ID that had been tampered with, or that came back differently than expected, not be cause for suspicion in itself?
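To make the two preceding points concrete, here is an added example (not code from the article or from any CDI vendor) of how a client company might derive a device ID from non-PII attributes, run the kind of consistency checks the article mentions (IP geo-location versus browser time zone, browser language, user agent versus platform), and score a transaction when the returned ID differs from the one expected for the account. The attribute names, the country tables, the weights and the sample visits are all assumptions constructed for illustration; a real deployment would use a proper geo-IP database and tuned weights.

```python
import hashlib
import json

# Assumed lookup tables (constructed for the example): UTC offsets and primary
# browser languages considered consistent with a geo-located country.
EXPECTED_OFFSET_BY_COUNTRY = {"US": range(-10, -4), "DE": range(1, 3), "JP": range(9, 10)}
LANGUAGE_BY_COUNTRY = {"US": {"en"}, "DE": {"de", "en"}, "JP": {"ja", "en"}}

# Attributes that should not change between visits from the same device; the
# device ID is a hash over these only, so no PII (name, e-mail, account) is used.
STABLE_KEYS = ("user_agent", "platform", "screen", "fonts_hash", "canvas_hash")


def fingerprint(attrs):
    """Derive a stable device ID from the non-PII attributes of a visit."""
    material = json.dumps({k: attrs.get(k) for k in STABLE_KEYS}, sort_keys=True)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def consistency_checks(attrs):
    """Return the names of the attribute cross-checks that fail for this visit."""
    reasons = []
    country = attrs["geo_country"]

    # Time differentiation: does the browser's UTC offset fit the geo-IP country?
    if attrs["tz_offset_hours"] not in EXPECTED_OFFSET_BY_COUNTRY.get(country, range(-12, 15)):
        reasons.append("timezone_geo_mismatch")

    # Browser language: take the primary language tag from Accept-Language.
    primary_lang = attrs["accept_language"].split(",")[0].split("-")[0].lower()
    if primary_lang not in LANGUAGE_BY_COUNTRY.get(country, {primary_lang}):
        reasons.append("language_geo_mismatch")

    # Internal consistency: a user agent claiming Windows should report a Win* platform.
    ua_says_windows = "windows" in attrs["user_agent"].lower()
    platform_is_windows = attrs["platform"].lower().startswith("win")
    if ua_says_windows != platform_is_windows:
        reasons.append("ua_platform_mismatch")

    return reasons


def score_transaction(attrs, known_devices_for_account):
    """Combine the device ID, the cross-checks and the account-to-device history
    into a 0-100 risk score plus the reasons behind it."""
    device_id = fingerprint(attrs)
    reasons = consistency_checks(attrs)
    score = 20 * len(reasons)  # assumed weight per failed cross-check

    # Account-to-device relationship: a device never seen for this account adds risk.
    if device_id not in known_devices_for_account:
        reasons.append("new_device_for_account")
        score += 30

    # A previously issued device cookie that no longer matches the freshly derived
    # ID is itself a signal: the attributes changed, or the cookie was replayed.
    cookie = attrs.get("device_id_cookie")
    if cookie and cookie != device_id:
        reasons.append("cookie_fingerprint_mismatch")
        score += 40

    return {"device_id": device_id, "score": min(score, 100), "reasons": reasons}


# Constructed sample visits (not real telemetry).
GOOD_VISIT = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
    "platform": "Win32",
    "screen": "1920x1080",
    "fonts_hash": "f1",
    "canvas_hash": "c1",
    "geo_country": "US",
    "tz_offset_hours": -5,
    "accept_language": "en-US,en;q=0.9",
    "device_id_cookie": None,
}

# Same user agent string, but the other attributes contradict it and the geo-IP result,
# and the cookie carries the ID that was issued to the good visit.
SUSPICIOUS_VISIT = dict(
    GOOD_VISIT,
    platform="Linux x86_64",
    geo_country="DE",
    tz_offset_hours=-5,
    accept_language="ja-JP,ja;q=0.9",
    device_id_cookie=fingerprint(GOOD_VISIT),
)

if __name__ == "__main__":
    known = {fingerprint(GOOD_VISIT)}
    print(score_transaction(GOOD_VISIT, known))
    print(score_transaction(SUSPICIOUS_VISIT, known))
```

The score only ever rises on inconsistencies, so a missing or altered device ID is treated as a reason for suspicion rather than a reason to lower confidence, which is the point the article makes about tampering.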
As is frequently stated by fraud prevention professionals, "there is no silver bullet." The same holds true for CDI. As always, the winning solution is the combination of various technologies in a layering effect.
Despite the fact that CDI has inherent weaknesses, as do all of the prior fraud prevention technologies, it is providing tremendous benefit to many companies, ranging from credit and loan issuers to social networking sites to online retailers. This is especially true when layering it with other effective technologies.
As online business continues to expand it is pleasing to see consumer fear of new technologies, including device fingerprinting, beginning to diminish. I believe that CDI, and other related technologies that tie into the actual devices being used, will become one of the most effective, powerful tools in preventing online fraud and abuse.
As long as CDI is used responsibly, including maintaining concern for where and how PII elements fit into the picture, consumers and businesses alike will see significant benefits from this technology.
Copyright © 2008 To Present · Information-Security-Resources.com
Michael O'Connor is president of IronClad Consulting.