Device tracking by web sites can be a good thing

Summary: Yes, many web sites try to keep track of the physical devices from which you connect to them. This could be nefarious, but much more likely the site has very good security reasons to do it.

TOPICS: Security

It really shouldn't be considered news, but researchers have discovered the non-secret that many web sites attempt to track the physical device from which you are contacting them. A study by KU Leuven-iMinds (a tech research organization in Belgium) reveals that "...145 of the Internet's top 10,000 web sites [...] use hidden scripts to extract a device fingerprint from users' browsers."

What evil organizations would do this and why? According to KU Leuven-iMinds, "…it is...being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and web widgets." Good lord, won't someone think of the children?

But at least KU Leuven-iMinds does note that device authentication is used for "...various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services." It's been used this way for years, and not exactly in secret. If you bank online you may have noticed that when you connect from a device you haven't used before they probably make you answer your challenge questions (like asking what your mother's maiden name is, but hopefully something better than that).

For many years, RSA has been selling a service for device profiling as part of what they call "risk-based authentication."

Device profiling analyzes the device from which the user is accessing an organization’s website or mobile application. Adaptive Authentication determines whether a device used for a given activity is a device that is typically used by the user, or if the device has been connected to previous fraudulent activities. Parameters analyzed include characteristics such as operating system version, browser type and version, and cookies and/or flash objects.

Because of device authentication, and other techniques that overreacting privacy advocates might find objectionable like geolocation, the bank can tell that someone is trying to log in to your account from some strange device, perhaps in eastern Europe.

Controversy over device tracking is not new. In 2005 the EFF expressed concern, pointing out that privacy was just one problem. It could be used anti-competitively to tie software to certain brands of product and it could be used to defeat the use of virtualized environments. Of course, there's no real evidence that any of this actually happens. A more realistic EFF concern, if it's something that concerns you, is that device authentication is often used in Digital Rights Management (DRM).

BTW, it's not just specifically for high-value sites like banking. Many two-factor authentication (2FA) systems, like Google's, forgo the two-factor stuff if the connection comes from an authenticated device.

During sign-in, you can tell us not to ask for a code again on that particular computer. From then on, that computer will only ask for your password when you sign in.

You'll still be covered, because when you or anyone else tries to sign in to your account from another computer, a verification code will be required.

The reasons for this are based on convenience rather than security; the idea is that by making 2FA less of a pain, users are more likely to use it. And it's true, even if your password is completely compromised, an outside thief will still have to provide the second factor. Of course, if your computer is compromised, the same may not be true.

Device profiling, as RSA calls it, doesn't just identify the device, it provides intelligence about the device so that the system can make intelligent decisions. If you never connect to a destination system except from a fixed broadband system in Chicago and then, suddenly, you're connecting from Turkey, the site's anti-fraud logic might very well wonder whether something is up. By the same token, device authentication is also a good way to defeat one of the major characteristics of botnets: that connections tend to come from a different device every time.

Such behavior should raise suspicion of fraud on the account and escalate it for closer examination.
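The decision logic sketched above (familiar device, familiar location, escalate when both are off) together with Google's "don't ask for a code again on this computer" behaviour, as an added illustration that is not RSA's or Google's code. It assumes a toy fingerprint built from the OS and browser strings the page lists as profiling inputs, a remembered-device cookie with an expiry, and a set of countries the user normally connects from; all sample values are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed login attempt carrying the attributes the page lists as profiling
# inputs (OS version, browser type and version, a persistent cookie) plus the
# country the connection appears to come from (geolocation).
@dataclass
class LoginAttempt:
    user: str
    os_version: str
    browser: str
    country: str
    device_cookie: Optional[str] = None   # "don't ask for a code again" token, if any

@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)      # fingerprints that passed a challenge
    known_countries: Set[str] = field(default_factory=set)    # where the user normally connects from
    remembered: Dict[str, int] = field(default_factory=dict)  # cookie -> expiry (epoch seconds)

def fingerprint(a: LoginAttempt) -> str:
    """Stable hash of the device characteristics; a toy stand-in for a real profiler."""
    return hashlib.sha256(f"{a.os_version}|{a.browser}".encode()).hexdigest()[:16]

def decide(profile: UserProfile, a: LoginAttempt, now: int) -> str:
    """Return 'allow', 'challenge' (demand the second factor) or 'escalate' (hold for fraud review)."""
    cookie_ok = a.device_cookie is not None and profile.remembered.get(a.device_cookie, 0) > now
    device_known = cookie_ok or fingerprint(a) in profile.known_devices
    country_known = a.country in profile.known_countries
    if device_known and country_known:
        return "allow"        # remembered computer from the usual place: password only
    if not device_known and not country_known:
        return "escalate"     # unfamiliar device AND unfamiliar country: the Chicago-to-Turkey case
    return "challenge"        # one signal off: ask for the code or the challenge question

def remember(profile: UserProfile, a: LoginAttempt, cookie: str, now: int, ttl: int = 14 * 86400) -> None:
    """Record a device after the user passed the challenge; the cookie expires after ttl seconds."""
    profile.known_devices.add(fingerprint(a))
    profile.known_countries.add(a.country)
    profile.remembered[cookie] = now + ttl
```

An expired cookie simply drops the login back to the fingerprint check, so a browser upgrade after the cookie lapses produces a fresh challenge rather than a lockout.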

To the very small extent that there is anything objectionable about device authentication, it is an objection that is answered with disclosure. Neither the banks nor the 2FA systems are making any effort to hide what they're doing and, at least in the example of Google's 2FA, they're making the fact known. If there are examples of it being used by "legit" organizations for marketing reasons, I'd like to see a real-world example. I don't see what the big deal is. This is a good thing.

  • good recap

    All technology can be used for good or evil. It steps up the level of security though requiring someone to emulate many traits of a device or have multiple passwords to compromise a system. Not like intercepting a yahoo cookie and then taking over their account.
  • I think Larry works for NSA

    Because he is saying some 'crayzeeeeee' stuff lately. Terrible title for an article. Why? Because you can generalize the title to almost any subject where there are pros and cons. But since the author has chosen to use the word 'good' in the article he is assuming most people will reject the idea of being tracked by their portable devices. Larry is the type of person who would give up all his freedoms as long as the people stealing them made him feel more secure. Keep up the good propaganda Larry. You're doing a great job for the NSA.
    • yep

      So we had an op-ed from an NSA spook who said the NSA doesn't overstep its boundaries and we're all really just in a huff about nothing. Then Larry bashed Lavabit and co for their insolence in providing secure email. And now this. Not a word of how the tech could be misused, but plenty of shots fired at 'overreacting' privacy advocates.
  • One of my credit card accounts

    which I only access twice a month (once to print the statement after receiving their email, and once on the due date to make the payment) ALWAYS asks for the "unfamiliar computer" challenge question, even though I ALWAYS use the same computer to log on!

    I have had technical service from my office supply store's technicians, and have two generic "keep you running" services from reliable companies, and I can only assume that their occasional "optimizations" erase all cookies, even the ones needed for this bank to recognize the same computer. It's just a minor annoyance, but it seems that if the credit card website programmers are aware of this being a common practice, they would just "skip the middleman" and SAY they have to ask for the second factor every time.
    • Cookies

      It's probably just a case of the cookie expiring between accesses. Many of them are only good for a week or two so there is no record of you using that computer the next time you connect.
  • I understand the logic

    Credit card issuers often advertise this as a feature. The customer gets a call from their card issuer asking if they are in London. The answer is no, they are in their home town shopping. Someone in London hacked their card number and is trying to buy the Crown Jewels with it. In another, the young bachelor with a blue jeans kind of life gets a call asking if he is in a certain store buying a tuxedo. And he confirms that he is, because he is getting ready to get married. Minor delay buying the tuxedo, major protection.

    And I read about a similar incident with a user (of Google, possibly, but not sure) in which the customer was awakened and told that a hacker had been foiled because, the user was online two hours earlier, and someone in China just tried to log into the account.

    So at best, it's like a neighbor calling the police because a strange car is in your driveway and she knows you are out of town. At worst, it COULD be like Yakov Smirnoff's joke about the Soviet postal service: they come to your house, take you downtown, and READ your mail to you. Or like that Sandra Bullock movie "The Net."
  • Virtual PCs for hire

    What happens to device tracking when I rent/lease a VM and use a zero client to get there? Not many people do this now, but in the future, it will make SO much sense. After all, VMware & others are hard at work separating the OS, program & profile layers, such that I could log onto a different piece of hardware every day and all my settings would just follow me. Perhaps the tracking cookies would be hidden in the profile... ?