Device tracking by web sites can be a good thing

Yes, many web sites try to keep track of the physical devices from which you connect to them. This could be nefarious, but much more likely the site has very good security reasons to do it.
Written by Larry Seltzer, Contributor

It really shouldn't be considered news, but researchers have discovered the non-secret that many web sites attempt to track the physical device from which you are contacting them. A study by KU Leuven-iMinds (a tech research organization in Belgium) reveals that "...145 of the Internet's top 10,000 web sites [...] use hidden scripts to extract a device fingerprint from users' browsers. "

What evil organizations would do this and why? According to KU Leuven-iMinds, "…it is...being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and web widgets." Good lord, won't someone think of the children?

But at least KU Leuven-iMinds does note that device authentication is used for "...various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services." It's been used this way for years, and not exactly in secret. If you bank online you may have noticed that when you connect from a device you haven't used before they probably make you answer your challenge questions (like asking what your mother's maiden name is, but hopefully something better than that).

For many years, RSA has been selling a service for device profiling as part of what they call "risk-based authentication."

Device profiling analyzes the device from which the user is accessing an organization’s website or mobile application. Adaptive Authentication determines whether a device used for a given activity is a device that is typically used by the user, or if the device has been connected to previous fraudulent activities. Parameters analyzed include characteristics such as operating system version, browser type and version, and cookies and/or flash objects.

Because of device authentication, and other techniques that overreacting privacy advocates might find objectionable like geolocation, the bank can tell that someone is trying to log in to your account from some strange device, perhaps in eastern Europe.

Controversy over device tracking is not new. In 2005 the EFF expressed concern, pointing out that privacy was just one problem. It could be used anti-competitively to tie software to certain brands of product and it could be used to defeat the use of virtualized environments. Of course, there's no real evidence that any of this actually happens. A more realistic EFF concern, if it's something that concerns you, is that device authentication is often used in Digital Rights Management (DRM).

BTW, it's not just specifically for high-value sites like banking. Many two-factor authentication (2FA) systems, like Google's, forgo the two-factor stuff if the connection comes from an authenticated device.

During sign-in, you can tell us not to ask for a code again on that particular computer. From then on, that computer will only ask for your password when you sign in.

You'll still be covered, because when you or anyone else tries to sign in to your account from another computer, a verification code will be required.

The reasons for this are based on convenience rather than security; the idea is that by making 2FA less of a pain, users are more likely to use it. And it's true, even if your password is completely compromised, an outside thief will still have to provide the second factor. Of course, if your computer is compromised, the same may not be true.

Device profiling, as RSA calls it, doesn't just identify the device, it provides intelligence about the device so that the system can make intelligent decisions. If you never connect to a destination system except from a fixed broadband system in Chicago and then, suddenly, you're connecting from Turkey, the site's anti-fraud logic might very well wonder whether something is up. By the same token, device authentication is also a good way to defeat one of the major characteristics of botnets: that connections tend to come from a different device every time.

Such behavior should raise suspicion of fraud on the account and escalate it for closer examination.

To the very small extent that there is anything objectionable about device authentication, it is an objection that is answered with disclosure. Neither the banks nor the 2FA systems are making any effort to hide what they're doing and, at least in the example of Google's 2FA, they're making the fact known. If there are examples of it being used by "legit" organizations for marketing reasons, I'd like to see a real-world example. I don' see what the big deal is. This is a good thing.

Editorial standards