Days of 'Flash cookies' numbered

by CXOtoday Staff    May 03, 2010

Online service providers, such as online banks and e-commerce sites,
should start planning to phase out their reliance on Flash local
storage (also referred to as local shared objects and Flash cookies)
for device identification-based fraud detection, according to Gartner.
Mounting global regulatory concerns over consumer privacy, and Adobe's
responses with new privacy settings in its Flash player, are driving
this transition.

"The days of tagging customer PCs to identify 'good' customers logging into
user accounts are numbered, as regulatory privacy concerns and privacy
settings in Adobe Flash Player 10.1 give end users explicit control
over information downloaded to their PCs using Flash Player," said
Avivah Litan, VP and distinguished analyst at Gartner. "Service
providers who depend on Flash to identify client devices - such as PCs
- in order to prevent fraud should evaluate and implement alternative

Local shared objects (LSOs) are used widely by
banks and other online service providers to tag good customer PCs and
to prevent unauthorized and fraudulent access to customer accounts.
However, this model will become obsolete during the next three years
due to privacy concerns and new software privacy settings. Litan said
that clientless device identification is a good - and sometimes better
- substitute for identifying fraudsters and preventing unauthorized
account access. Gartner predicts that by year-end 2012, 70 percent of
applications that rely on customer PC tagging will be using clientless
device identification.

"Enterprises have two basic alternatives
to cookies when it comes to using client device identification (CDI) to
help authenticate legitimate authorized users," said Litan. "These
include special software installed on a client PC, or server-based CDI
that does not rely on any software stored on a PC."

"CDI is a
useful tool in fraud detection and gives even the savviest enterprises
that already use a host of other fraud detection tools a 15 to 25
percent lift in fraud detection rates and should not be discarded just
because Flash local storage as a CDI tool needs to be phased out," said
Litan. "A layered security approach is always the best, and CDI plays
an important role in these layers. Even strong two-factor
authentication has been beaten by the crooks lately, so the more
security, fraud detection and user authentication layers, the better."
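The server-based CDI alternative Litan describes, and the layered use of it, can be illustrated with a small model. The following is an added example and not code from Gartner or from any vendor mentioned in the article: it derives a device identifier purely from attributes the browser already sends with each request (so nothing is written to the customer's PC), keeps the list of known-good devices on the server, and treats the device match as one layer in a risk score alongside the password and one-time-code checks. The attribute set, the weights and the thresholds are assumptions chosen for illustration, not figures from the article.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class LoginRequest:
    """Constructed model of what the server sees at login (assumed field names)."""
    account: str
    client_ip: str
    user_agent: str
    accept_language: str
    screen: str  # e.g. "1920x1080", reported by the browser at request time


def device_fingerprint(req: LoginRequest) -> str:
    """Clientless (server-side) device identifier.

    Built only from request attributes, so no tag is stored on the PC.
    The /24 network rather than the full address is hashed so that DHCP
    churn inside one ISP block does not produce a 'new' device every day.
    """
    net = ipaddress.ip_network(f"{req.client_ip}/24", strict=False)
    material = "|".join([str(net), req.user_agent, req.accept_language, req.screen])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class DeviceRegistry:
    """Known-good devices per account, held server-side instead of in an LSO."""

    def __init__(self) -> None:
        self._known: dict[str, set[str]] = {}

    def is_known(self, account: str, fingerprint: str) -> bool:
        return fingerprint in self._known.get(account, set())

    def remember(self, account: str, fingerprint: str) -> None:
        # Only call this after a login has been fully verified (e.g. after step-up).
        self._known.setdefault(account, set()).add(fingerprint)


def risk_score(req: LoginRequest, registry: DeviceRegistry,
               password_ok: bool, otp_ok: bool, recent_failures: int) -> int:
    """Layered score: CDI is one signal among several, never the only gate.

    Weights are illustrative assumptions, not values from the article.
    """
    score = 0
    if not registry.is_known(req.account, device_fingerprint(req)):
        score += 40  # unrecognised device for this account
    if not password_ok:
        score += 50
    if not otp_ok:
        score += 30
    score += min(recent_failures, 5) * 5  # recent failed attempts on the account
    return score


def decide(score: int) -> str:
    """Map the layered score to an action (thresholds are assumed)."""
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step_up"  # e.g. ask an additional verification question
    return "allow"


if __name__ == "__main__":
    registry = DeviceRegistry()
    req = LoginRequest("alice", "203.0.113.10", "Mozilla/5.0 (constructed UA)",
                       "en-GB,en;q=0.9", "1920x1080")
    first = risk_score(req, registry, password_ok=True, otp_ok=True, recent_failures=0)
    print("first login from this device:", first, decide(first))   # 40 step_up
    registry.remember("alice", device_fingerprint(req))
    again = risk_score(req, registry, password_ok=True, otp_ok=True, recent_failures=0)
    print("known device:", again, decide(again))                    # 0 allow
```

A real deployment would add more layers (transaction velocity, geolocation consistency, behavioural signals) and would age out fingerprints, since user agents change with every browser update; the point of the model is only that a server-side identifier can stand in for the Flash tag without placing anything on the customer's machine.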

Gartner advises service providers to also consider explicit and secure
downloads of tagging software that legitimate customers want on their
PCs and other devices. Some customers will be willing to opt in to
these downloads in order to partake of device-tagging benefits, such as
customized surfing navigation or being able to avoid redundant entry of
information, such as a billing address, each time a purchase is made.