
Customer or Fraudster: Tossed Your Cookies Lately?

Detecting online fraud - The burning issue with cookies isn’t about privacy at all—it’s about the death of the cookie as a usable way to identify a device.

What have you got to hide when you visit a website? If you block or delete cookies you might be a legitimate customer who doesn't want to be tracked going from website to website—and stalked by advertisers who want to target you by your online shopping habits. Or you could be a fraudster with a pile of hijacked credentials and stolen credit cards ready to engage in a virtual online crime spree. The former simply wants to stay off the advertising grid, using widely available tools such as private browsing in Firefox or periodically wiping cookies. The latter will go to much greater lengths to avoid being detected by the identity of their device (computer, smartphone, iPad, etc.), using software tools and methods that typical consumers would never employ.

Cookie Tracking

Consider Marketo, a SaaS application that integrates online marketing tools—email, landing pages, campaigns, lead management and more—into a single application. The first time a computer visits a Marketo-tagged web page, Marketo deposits an HTTP cookie on the visitor’s computer. From that point forward, Marketo knows when your computer comes and goes and which pages it visits during a session. Down the road, if and when the computer visits the same website and the individual provides personal information (for example, a name and email address when requesting contact), Marketo attaches the computer’s website visit history to the name, thereby providing a more complete picture of the individual’s interests and helping marketers better “tune” their marketing to the individual. The purpose of Marketo is to help companies be smarter about their marketing by being smarter about their website visitors. If someone blocks or wipes cookies, thereby blocking Marketo, there isn’t much risk of sustaining losses. The only loss in this scenario is a website’s ability to better market to you.

The data that uniquely identifies computers visiting websites isn’t just valuable to marketers; it can be used for a very different purpose: to prevent fraud. In this context, cookies are far less reliable as a method to identify computers. Stacy Martin, Director of Customer Support and responsible for stopping online fraud for Tapjoy (formerly named Offerpal Media), said this about cookies: “their effectiveness to thwart fraud is quite low…it’s fairly easy for someone to clear out their cookies.” In other words, where there’s a will there’s a way: even fairly unsophisticated fraudsters know to block cookies in order to defeat attempts by websites to identify their computers.

When privacy advocates began calling attention to concerns with cookies, advertisers realized that the effectiveness of cookies as a means to track web visitors was heading into decline and seized on a more reliable cookie with lower public awareness, available in Adobe Flash, called Local Shared Objects—AKA Flash cookies. Soon thereafter, privacy advocates raised public awareness of the growing adoption of Flash cookies, and pressure mounted on Adobe to give users a way to manage them. Adobe now offers a Flash Player settings panel that gives users this control, or you can use add-ons like BetterPrivacy for Firefox. As public awareness and control over Flash cookies increase and they enter into decline as a means to track, along comes HTML5 with more ways to store more data that can be used to uniquely identify a computer.

The latest and greatest innovation in cookies is the evercookie, a JavaScript API built and made available by Samy Kamkar (the same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location), who set out to prove that the more you store and the more places you store it, the harder it is for users to control a website’s ability to uniquely identify their computer (e.g. to wipe all traces of a cookie).

There are other ways to identify your device, including browser strings, IP address and even your mobile phone’s location information. The motivations held by each constituency in the cookie wars tell the story: advertisers want to accurately target and market to you…but you want to remain anonymous so they can’t…but banks, internet retailers, social gaming sites etc. want to trust and welcome returning “good” computers to deliver appropriate products and services…but fraudsters need anonymity to lie, cheat and steal…and so it goes.
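The contrast the column draws (a site cookie that vanishes the moment a fraudster clears it, versus recognizing a returning device from signals the visitor does not control as easily, such as browser strings and IP address) is easier to see in a small server-side check. The following is an added example written for this page; it is not code from the article, from Marketo, Tapjoy or any fraud-prevention vendor. It assumes a site that sets its own `device_id` cookie, falls back to a fingerprint hashed from a few request headers plus the client's /24 network, and flags a device that logs into more than an assumed threshold of distinct accounts. The header fields, the /24 truncation, the threshold and the cookie-minting secret are all illustrative choices, and the scenario data is constructed.

```python
# Added example, not code from the article or from any product it mentions.
# A toy server-side device-recognition check: it first tries the site's own
# HTTP cookie, then falls back to a fingerprint hashed from request headers
# and the client network, so a returning device can still be linked after
# its cookies are wiped. Field choices and thresholds are assumptions.
import hashlib
from dataclasses import dataclass, field


@dataclass
class Request:
    cookies: dict
    headers: dict
    remote_ip: str


def header_fingerprint(req: Request) -> str:
    """Hash stable, non-PII request attributes into a short device key."""
    parts = [
        req.headers.get("User-Agent", ""),
        req.headers.get("Accept-Language", ""),
        req.headers.get("Accept-Encoding", ""),
        req.remote_ip.rsplit(".", 1)[0],  # /24 network: tolerates DHCP churn
    ]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


@dataclass
class DeviceRegistry:
    max_accounts_per_device: int = 3            # assumed fraud threshold
    by_cookie: dict = field(default_factory=dict)
    by_fingerprint: dict = field(default_factory=dict)
    accounts_seen: dict = field(default_factory=dict)
    next_id: int = 1

    def recognize(self, req: Request):
        """Return (device_id, how); how is 'cookie', 'fingerprint' or 'new'."""
        token = req.cookies.get("device_id")
        if token in self.by_cookie:
            return self.by_cookie[token], "cookie"
        fp = header_fingerprint(req)
        if fp in self.by_fingerprint:
            return self.by_fingerprint[fp], "fingerprint"
        device_id = f"dev-{self.next_id}"
        self.next_id += 1
        self.by_fingerprint[fp] = device_id
        return device_id, "new"

    def issue_cookie(self, device_id: str) -> str:
        """Mint an opaque cookie value bound to a device (constructed secret)."""
        token = hashlib.sha256(f"{device_id}|example-secret".encode()).hexdigest()[:24]
        self.by_cookie[token] = device_id
        return token

    def assess_login(self, req: Request, account: str) -> dict:
        """Record which account this device used and flag account hopping."""
        device_id, how = self.recognize(req)
        used = self.accounts_seen.setdefault(device_id, set())
        used.add(account)
        return {"device": device_id, "how": how, "accounts": len(used),
                "risky": len(used) > self.max_accounts_per_device}


def demo() -> list:
    """Constructed scenario: a legitimate return visit, then a cookie-wiping
    visitor cycling through several accounts from the same device."""
    hdrs = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Example/1.0",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate"}
    reg = DeviceRegistry()
    first = reg.assess_login(Request({}, hdrs, "203.0.113.10"), "alice")
    cookie = reg.issue_cookie(first["device"])
    with_cookie = reg.assess_login(
        Request({"device_id": cookie}, hdrs, "203.0.113.10"), "alice")
    # Cookie wiped and a new DHCP lease on the same /24: still linked.
    wiped = reg.assess_login(Request({}, hdrs, "203.0.113.22"), "alice")
    results = [first, with_cookie, wiped]
    for other in ("bob", "carol", "dave"):          # each login with cookies cleared
        results.append(reg.assess_login(Request({}, hdrs, "203.0.113.22"), other))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

In the constructed run the first visit is `new`, the second is matched by `cookie`, and the third, with cookies wiped, is still matched by `fingerprint` to the same device; the fourth account on that device trips the threshold. The point is the one the column makes: clearing cookies removes only the first signal, and a real product weighs many more than the three headers used here, which a careful adversary can also vary.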

How to Detect Cybercrime

Responsible companies need to protect their brand, their customers and their shareholders wherever visitors engage them on their website, whether it’s Web 2.0, banking or shopping. Every website you transact with should have a clear privacy policy easily accessible from its home page (if not, that is a red flag). Privacy policies are typically very boring, long, and filled with legal jargon (Facebook’s privacy page is about six thousand words). But it ought to make clear what the company is doing with cookies and the data it collects from you. Do they share data with third parties who will market to you? It’s a red flag if that question is not answered clearly. For example, section 5 of Facebook’s privacy policy, “How We Use Your Information,” outlines what Facebook does with your data; it lists both “to prevent abuse” and “to serve personalized advertising to you.” Companies will have to balance that use appropriately for their business, while consumers have to decide what’s acceptable and what’s not when it comes to their web identity.

When it comes to fighting online fraud, the burning issue with cookies isn’t about privacy at all—it’s about the death of the cookie as a usable way to identify your device. It’s no secret in the fraud prevention business that cookies turned stale long ago. The demise of the cookie as a way to fight fraud doesn’t do away with the need to identify a device—only the method. While online advertisers pursue ever more persistent ways to push back the line on consumers’ ability to control their privacy, software developers will continue to invent new and better ways to identify your device that don’t rely on cookies or PII, to help organizations fight the “good fight” against fraud. See the difference?

Tom Grubb has over 20 years of experience in the technology industry. He is currently Vice President of Marketing at Nimsoft, a provider of Unified Monitoring solutions for virtualized data centers, hosted and managed services, cloud platforms, and SaaS resources. Most recently Tom was VP of Marketing at ThreatMetrix, a provider of online fraud prevention software. Tom has held marketing and product leadership positions at Sybase, Intuit, Vormetric and Embarcadero Technologies. Mr. Grubb co-founded Bluecurve, a systems monitoring and performance management software company that was acquired by Red Hat in 2000. He began his technology industry career as an analyst and product reviewer for Ziff-Davis and IDG’s PC World Magazine.