"The days of tagging customer PCs to identify 'good' customers logging into user accounts are numbered, as regulatory privacy concerns and privacy settings in Adobe Flash Player 10.1 give end users explicit control over information downloaded to their PCs using Flash Player," said Avivah Litan, vice president and distinguished analyst at Gartner. "Service providers who depend on Flash to identify client devices - such as PCs - in order to prevent fraud should evaluate and implement alternative technologies."
Local shared objects (LSOs) are used widely by banks and other online service providers to tag good customer PCs and to prevent unauthorised and fraudulent access to customer accounts. However, this model will become obsolete during the next three years due to privacy concerns and new software privacy settings. Ms Litan said that clientless device identification is a good - and sometimes better - substitute for identifying fraudsters and preventing unauthorised account access. Gartner predicts that by year-end 2012, 70 per cent of applications that rely on customer PC tagging will be using clientless device identification.
"Organisations have two basic alternatives to cookies when it comes to using client device identification (CDI) to help authenticate legitimate authorised users," said Ms Litan. "These include special software installed on a client PC, or server-based CDI that does not rely on any software stored on a PC."
PC inspection software provides richer information than server-based clientless CDI software. It can read information from the operating system registry, serial numbers off a hard drive or the Media Access Control (MAC) address from an Ethernet card. The barrier to using this setup is that banks and other online service providers are strongly averse to managing and supporting desktop software, even if they can delegate most of the support function to a third party. They don't want responsibility for user desktops and computing devices due to liability, privacy and support concerns.
Server-based clientless CDI programmes are less reliable than LSOs when it comes to identifying good customers, but can be more reliable in identifying fraudsters who are posing as first-time or spontaneous customers, or who have figured out how to get around cookie identification (for example, by using man-in-the-browser attacks). Server-based CDI identifies a user's machine by reading information from the user's browser.
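To make the server-based, clientless approach concrete, here is an added illustration (not Gartner's or any vendor's code) of a fraud-detection check that fingerprints a device from the HTTP request headers the browser sends, stores the signal set against the customer account, and scores later logins against it. The chosen header set, the similarity threshold and the sample requests are assumptions made for this example; the scoring shows why an exact match is too strict for good customers whose browsers update, which is the reliability gap the text describes.

```python
import hashlib
from typing import Dict, Tuple

# Header fields a server-side CDI check can read without any client software.
# This set is an assumption for the example; real products weigh many more signals.
FINGERPRINT_FIELDS = ("User-Agent", "Accept-Language", "Accept-Encoding", "Accept")

def device_signals(headers: Dict[str, str]) -> Dict[str, str]:
    """Normalise the header subset used as device signals (missing headers count as empty)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return {f: lookup.get(f.lower(), "").strip() for f in FINGERPRINT_FIELDS}

def fingerprint(headers: Dict[str, str]) -> str:
    """Stable hash of the signal set, suitable for storing against a customer account."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(device_signals(headers).items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def similarity(stored: Dict[str, str], current: Dict[str, str]) -> float:
    """Fraction of signals that still match. Browsers update, so exact-hash matching
    would reject too many good customers; partial matching tolerates normal drift."""
    matches = sum(1 for f in FINGERPRINT_FIELDS if stored.get(f, "") == current.get(f, ""))
    return matches / len(FINGERPRINT_FIELDS)

def assess_login(stored: Dict[str, str], headers: Dict[str, str],
                 threshold: float = 0.75) -> Tuple[str, float]:
    """Return (decision, score): 'known' when the device matches closely enough,
    otherwise 'step-up' so the login gets an extra authentication layer."""
    score = similarity(stored, device_signals(headers))
    return ("known" if score >= threshold else "step-up", score)

# Constructed sample requests: the enrolled browser, the same browser after an
# update (only the User-Agent changed), and a request with entirely different signals.
ENROLLED = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
            "Accept-Language": "en-GB,en;q=0.5",
            "Accept-Encoding": "gzip,deflate",
            "Accept": "text/html,application/xhtml+xml"}
UPDATED = dict(ENROLLED, **{"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"})
STRANGER = {"User-Agent": "Mozilla/5.0 (X11; Linux) Chrome/5.0",
            "Accept-Language": "ru-RU,ru;q=0.8",
            "Accept-Encoding": "gzip",
            "Accept": "*/*"}

if __name__ == "__main__":
    stored = device_signals(ENROLLED)  # what the bank would keep after enrolment
    for name, req in (("enrolled", ENROLLED), ("updated", UPDATED), ("stranger", STRANGER)):
        print(name, assess_login(stored, req))
```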
"CDI is a useful tool in fraud detection and gives even the savviest organisations that already use a host of other fraud detection tools a 15 to 25 per cent lift in fraud detection rates, and should not be discarded just because Flash local storage as a CDI tool needs to be phased out," said Ms Litan. "A layered security approach is always the best, and CDI plays an important role in these layers. Even two-factor strong authentication has been beaten by the crooks lately, so the more security, fraud detection and user authentication layers, the better."
Gartner advises service providers to also consider explicit and secure downloads of tagging software that legitimate customers want on their PCs and other devices. Some customers will be willing to opt in to these downloads in order to partake of device-tagging benefits, such as customised surfing navigation or being able to avoid redundant entry of information, such as a billing address, each time a purchase is made.
Additional information is available in the report "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," which is available on Gartner's website at http://www.gartner.com/....
Ms Litan will provide more commentary on the future of identification-based fraud detection at Gartner's Security & Risk Management Summit 2010, 21-23 June in Washington DC. This Summit is the premier conference and meeting place for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive IT strategy for information security, risk management, compliance and business continuity management. Members of the media can register for the Summit by contacting Christy Pettey, Gartner PR, at christy.pettey@gartner.com. For further information on the Security & Risk Management Summit 2010, please visit www.gartner.com/us/itsecurity.
Additional information from the event will be shared on Twitter at http://twitter.com/... and using #GartnerSecurity.