Options to Consider
Adding more user challenges in the form of security questions
is bound to create its own set of problems in operating costs and
customer experience, opined Ori Eisen, chief innovation officer at 41st
Parameter.
"Imagine that a large ecomm player is used to less than one percent
of their authentication logins being challenged and (ending-up) as a
call center call," Eisen said. "What if this rate doubles...At one point
the user experience will be unmanageable and very costly."
In her report, Litan suggested e-commerce and banking sites consider
PC inspection software installed on a client PC or a server-based,
clientless program that can read information from the user's browser.
Both approaches have their strengths and weaknesses: while PC
inspection software can read information from the operating system
registry, serial numbers off a hard drive or the Media Access Control
ID from an Ethernet card, online banks loathe the idea of managing
desktop software due to privacy and liability concerns, Litan wrote.
Clientless programs can use JavaScript launched from a service
provider's login page to query the browser and gather dozens of
parameters to establish a user's identity, Litan noted in her report.
Vendors such as 41st Parameter and ThreatMetrix take this type of
approach. However, what clientless solutions "gather from the mobile devices
is much cruder than what they can gather from desktop computers," she
wrote.
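The clientless approach described above, as an added example that is not from Litan's report or any vendor's product: login-page JavaScript reads browser parameters, and a server-side comparison decides whether to recognize the device or challenge the user. The parameter set, weights, thresholds and sample profiles are assumptions constructed for illustration.

```javascript
// Added example. Parameter names, weights and thresholds are illustrative assumptions.
const WEIGHTS = { userAgent: 3, platform: 2, language: 1, timezoneOffset: 1,
                  screen: 2, colorDepth: 1, plugins: 3 };
const MIN_COVERAGE = 0.5;    // share of weighted parameters that must be readable
const MIN_SIMILARITY = 0.75; // share of readable parameters that must match

// Login-page side: read what the browser exposes. In a browser, pass `window`.
function collectParameters(env) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  return {
    userAgent: nav.userAgent,
    platform: nav.platform,
    language: nav.language,
    timezoneOffset: new Date().getTimezoneOffset(),
    screen: scr.width && scr.height ? `${scr.width}x${scr.height}` : undefined,
    colorDepth: scr.colorDepth,
    plugins: Array.from(nav.plugins || [], p => p.name).sort().join(','),
  };
}

// Server side: compare the parameters seen at login with the enrolled profile.
function compareDevice(enrolled, observed) {
  let total = 0, comparable = 0, matched = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    const a = enrolled[name], b = observed[name];
    if (a === undefined || a === '' || b === undefined || b === '') continue;
    comparable += weight;
    if (a === b) matched += weight;
  }
  const coverage = comparable / total;
  const similarity = comparable ? matched / comparable : 0;
  // Too little signal (e.g. a sparse mobile profile) is treated like a mismatch.
  const recognized = coverage >= MIN_COVERAGE && similarity >= MIN_SIMILARITY;
  return { coverage, similarity, decision: recognized ? 'recognized' : 'challenge' };
}

// Constructed sample profiles (not real devices).
const desktop = { userAgent: 'ExampleBrowser/10.0', platform: 'Win32', language: 'en-US',
                  timezoneOffset: 300, screen: '1280x800', colorDepth: 24,
                  plugins: 'PDF Viewer,Media Player' };
const afterUpgrade = { ...desktop, userAgent: 'ExampleBrowser/11.0' };
const otherMachine = { ...desktop, userAgent: 'OtherBrowser/4.0', screen: '1024x768',
                       plugins: '' };
const mobile = { userAgent: 'ExampleMobile/2.0', language: 'en-US', timezoneOffset: 300 };

for (const [label, seen] of Object.entries({ afterUpgrade, otherMachine }))
  console.log(label, compareDevice(desktop, seen));
console.log('mobile', compareDevice(mobile, mobile));
```

The sparse mobile profile is challenged even when every readable parameter matches, because too few parameters are available to compare; the coverage threshold is the setting that trades challenge rate against confidence.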
"Certainly no method is perfect and we always recommend a layered
security approach," she told eWEEK. "But cookies were proven unreliable
years ago because so many users were deleting them which is why service
providers turned to Flash local storage. And now Flash local storage
will be proven unreliable and non-ubiquitous so many of the fraud
detection systems will be thrown off guard."
Adobe Systems spokesperson Wiebke Lips said local storage
capabilities in Flash Player and other similar Web technologies were
designed to "enable rich Internet applications that help users
transparently and securely save their information."
"Many businesses rely on Flash technology because
it helps them provide rich functionality and compelling experiences
that can reach more than 98 percent of users on the Web," Lips
said. "However, Adobe has never promoted the use of local storage
capabilities to store persistent, unique machine IDs without user
consent. We also believe that as businesses choose fraud prevention
approaches, their information retention policies need to be clearly
communicated, so that users always have a choice over how their
identifying information is stored."









