    Adobe Flash Player Private Browsing May Force Change in Fraud Fight

    Written by

    Brian Prince
    Published April 12, 2010

      When the final version of Adobe Flash Player 10.1 hits desktops later this year, it will bring with it new functionality designed to allow users to automatically clear Flash cookies after a Web session. But while the feature may be lauded in the name of privacy, it may also force online banks to change how they fight fraud.

      Flash cookies, also known as LSO (local shared objects), are used by many banks and e-commerce sites to identify legitimate users and block unauthorized or fraudulent access. In a report entitled, “Privacy Collides With Fraud Detection and Crumbles Flash Cookies,” Gartner analyst Avivah Litan writes that the practice of using HTTP browser cookies for authentication gained steam roughly three years ago due to guidelines imposed by the Federal Financial Institutions Examination Council.

      “Most banks responded by implementing stronger authentication that depended in large part on knowing that their online banking customer was logging in from a known PC,” Litan wrote. “Upon entering a user ID to log into an online banking session, the bank Web server would check for the presence of this cookie…If the bank software could not find the cookie – for example because the user was logging in from a different PC – then the bank software would generally challenge the user with a series of questions that only the legitimate user could presumably answer.”

      But a growing desire for privacy led users to delete their browser cookies more often, meaning banks had to find something else to rely on, the report noted. Enter Flash LSOs, which are “basically hidden from casual users who aren’t aware of them and don’t know how to delete them.”

      Now that approach could be threatened as well, Litan told eWEEK. Flash Player 10.1 will respect the privacy settings configured in the user’s browser so that LSO behavior automatically follows the browser’s lead without any additional user interaction. All the major Web browsers, including Internet Explorer and Firefox, already have a private browsing mode where cookies are not stored by the browser.

      “In my opinion, this is a big deal in the fraud world,” she said. “Many banks, card issuers and online retailers rely in part on device identification to successfully detect fraud. And in many of these cases, the device identification they use is based on Flash local storage.”

      Options to Consider

      Adding more user challenges in the form of security questions is bound to create its own set of problems in operating costs and customer experience, opined Ori Eisen, chief innovation officer at 41st Parameter.

      “Imagine that a large ecomm player is used to less than one percent of their authentication logins being challenged and (ending-up) as a call center call,” Eisen said. “What if this rate doubles…At one point the user experience will be unmanageable and very costly.”

      In her report, Litan suggested e-commerce and banking sites consider either PC inspection software installed on the client PC or a server-based, clientless program that can read information from the user’s browser. Both approaches have their strengths and weaknesses: while PC inspection software can read information from the operating system registry, serial numbers off a hard drive or the Media Access Control ID from an Ethernet card, online banks loathe the idea of managing desktop software due to privacy and liability concerns, Litan wrote.

      Clientless programs can use JavaScript launched from a service provider’s login page to query the browser and gather dozens of parameters to identify a user, Litan noted in her report. Vendors such as 41st Parameter and ThreatMetrix take this type of approach. However, what clientless solutions “gather from the mobile devices is much cruder than what they can gather from desktop computers,” she wrote.

      “Certainly no method is perfect and we always recommend a layered security approach,” she told eWEEK. “But cookies were proven unreliable years ago because so many users were deleting them which is why service providers turned to Flash local storage. And now Flash local storage will be proven unreliable and non-ubiquitous so many of the fraud detection systems will be thrown off guard.”
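The trade-off described above, as an added example that is not code from the article, Gartner or any vendor: a login decision that relies only on a stored device token (browser cookie or Flash LSO) challenges every returning customer whose storage was cleared, while a layered decision that also compares browser attributes challenges fewer. The attribute names, device IDs, sample logins and the 0.8 threshold are all constructed assumptions.

```javascript
// Added illustration; attribute names, IDs and the threshold are constructed.

// Server-side record of devices already seen for one customer.
const user = {
  id: 'customer-1',
  knownDevices: new Map([
    ['dev-home', { userAgent: 'UA-A', screen: '1280x800', timezone: 'UTC-5',
                   language: 'en-US', plugins: 'flash,pdf' }],
  ]),
};

// Fraction of the stored attributes that the login request reproduces.
function similarity(known, seen) {
  const keys = Object.keys(known);
  const same = keys.filter((k) => seen && seen[k] === known[k]).length;
  return keys.length ? same / keys.length : 0;
}

// Returns 'allow' or 'challenge' (security questions) for one login attempt.
function decideLogin(account, request, policy) {
  // Signal 1: opaque ID kept in a cookie or Flash LSO; gone once storage is cleared.
  if (request.deviceToken && account.knownDevices.has(request.deviceToken)) return 'allow';
  // Signal 2: attributes reported by login-page JavaScript. They are supplied
  // by the client, so treat them as one risk input, not as proof of identity.
  if (policy.useAttributes) {
    const scores = [...account.knownDevices.values()]
      .map((d) => similarity(d, request.attributes));
    if (Math.max(0, ...scores) >= policy.threshold) return 'allow';
  }
  return 'challenge';
}

function challengeCount(account, requests, policy) {
  return requests.filter((r) => decideLogin(account, r, policy) === 'challenge').length;
}

const home = user.knownDevices.get('dev-home');
const logins = [ // constructed sample logins
  { deviceToken: 'dev-home', attributes: home },                      // token present
  { deviceToken: null, attributes: home },                            // private browsing
  { deviceToken: null, attributes: { ...home, userAgent: 'UA-B' } },  // browser updated
  { deviceToken: null, attributes: { userAgent: 'UA-Z', screen: '1024x768',
      timezone: 'UTC+3', language: 'fr-FR', plugins: 'pdf' } },       // unknown PC
];

const tokenOnly = { useAttributes: false, threshold: 0.8 };
const layered = { useAttributes: true, threshold: 0.8 };
console.log(challengeCount(user, logins, tokenOnly), challengeCount(user, logins, layered));
```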

      Adobe Systems spokesperson Wiebke Lips said local storage capabilities in Flash Player and other similar Web technologies were designed to “enable rich Internet applications that help users transparently and securely save their information.”

      “Many businesses rely on Flash technology because it helps them provide rich functionality and compelling experiences that can reach more than 98 percent of users on the Web,” Lips said. “However, Adobe has never promoted the use of local storage capabilities to store persistent, unique machine IDs without user consent. We also believe that as businesses choose fraud prevention approaches, their information retention policies need to be clearly communicated, so that users always have a choice over how their identifying information is stored.”
