RSA 2009: Benefits and dangers of device fingerprinting

By on
RSA 2009: Benefits and dangers of device fingerprinting

Device fingerprinting has security experts and privacy advocates split down the middle.

A panel at the RSA Conference discussed current and emerging forms of the practice, which involves identifying each device used to access an account with a unique tag or signature.

With each device assigned its own 'fingerprint,' administrators can then be instantly alerted to potential fraud.

For some companies, the practice is already paying big dividends.

Wachovia Bank online customer protection specialist Chris Mathes said the practice is already paying dividends for his company.

"Device fingerprinting gives us a very powerful tool for us to look at devices as they are coming in," Mathes explained.

"If I have already identified a device as being owned by a bad guy, I can decide whether or not I even want to let them in the front door."

The practice also has its detractors. Electronic Frontier Foundation civil liberties director Jennifer Granick warned that the information banks gather from the digital fingerprints could be used for more than just security.

"The question is what kind of privacy protection is there, and the answer is very little," said Granick.

"One thing we really do not want is for this information to be shared with affiliates who do advertising or marketing, because then you have the same problem we have with cookies, but much worse."

While the situation appears to put security and privacy at odds, there may be a system that can allow for a compromise.

41st Parameter founder and chief executive Ori Eisen suggested that banks look to adopt so-called 'tagless' fingerprinting which uses components such as javascript and system profiling rather than simpler cookie or IP tracking 'tag' components.

Eisen said that not only could the tagless system be far more accurate and reliable than tag systems, but the collected data would also be less likely to raise privacy concerns.

"What we are going to ask is 300 questions that you could ask about the vendor's APIs, but none of it is personally identifiable information. I would never know who is on the other end."

Copyright ©

Most Read Articles

Log In

|  Forgot your password?