A report from Gartner highlights how the reliance on Flash cookies as an authentication mechanism by online banks may need to change with the release of Adobe Flash Player 10.1. Flash Player's "Private Browsing" feature will make it easier to clear Flash cookies, and e-commerce businesses will need to adjust, some say.
When the final version of Adobe Flash Player 10.1 hits desktops later this year, it will bring with it new functionality designed
to allow users to automatically clear Flash cookies after a Web
session. But while the feature may be lauded in the name of
privacy, it may also force online banks to change how they fight fraud.
Flash cookies, also known as LSO (local shared objects), are used by
many banks and e-commerce sites to identify legitimate users and block
unauthorized or fraudulent access. In a report entitled, "Privacy
Collides With Fraud Detection and Crumbles Flash Cookies," Gartner
analyst Avivah Litan writes that the practice of using HTTP browser cookies for
authentication gained steam roughly three years ago due to guidelines
imposed by the Federal Financial Institutions Examination Council.
"Most banks responded by implementing stronger authentication that
depended in large part on knowing that their online banking customer
was logging in from a known PC," Litan wrote. "Upon entering a user ID
to log into an online banking session, the bank Web server would check
for the presence of this cookie...If the bank software could not find the
cookie - for example because the user was logging in from a different
PC - then the bank software would generally challenge the user with a
series of questions that only the legitimate user could presumably
But a growing desire for privacy led users to delete their browser
cookies more often, meaning banks had to find something else to rely
on, the report noted. Enter Flash LSOs, which are "basically hidden
from casual users who aren't aware of them and don't know how to delete
Now that approach could be threatened as well, Litan told eWEEK.
Flash Player 10.1 will respect the privacy settings configured in the
user's browser so that LSO behavior automatically follows the browser's
lead without any additional user interaction. All the major Web
browsers, including Internet Explorer and Firefox, already have a
private browsing mode where cookies are not stored by the browser.
"In my opinion, this is a big deal in the fraud world,"
she said. "Many banks, card issuers and online retailers rely in part
on device identification to successfully detect fraud. And in many of
these cases, the device identification they use is based on Flash local