SecurityWeek


Customer or Fraudster: Tossed Your Cookies Lately?

Detecting online fraud – The burning issue with cookies isn’t about privacy at all—it’s about the death of the cookie as a usable way to identify a device.

What have you got to hide when you visit a website? If you block or delete cookies you might be a legitimate customer who doesn’t want to be tracked going from Web site to Web site—and stalked by advertisers who want to target you by your online shopping habits. Or you could be a fraudster with a pile of hijacked credentials and stolen credit cards ready to engage in a virtual online crime spree. The former simply wants to stay off the advertising grid, using widely available tools such as private browsing in Firefox or periodically wiping cookies. The latter will go to much greater lengths to avoid detection by the identity of their device (computer, smartphone, iPad, etc.), using software tools and methods that typical consumers would never employ.

Cookie Tracking

Consider Marketo, a SaaS application that integrates online marketing tools—email, landing pages, campaigns, lead management and more—into a single application. The first time a computer visits a Marketo-tagged web page, Marketo deposits an HTML cookie on the visitor’s computer. From that point forward, Marketo knows when your computer comes and goes and which pages it visits during a session. Down the road, if and when the computer visits the same website and the individual provides personal information (for example a name and email address when requesting contact), Marketo attaches the computer’s website visit history to the name, thereby providing a more complete picture of the individual’s interests and helping marketers better “tune” their marketing to the individual. The purpose of Marketo is to help companies be smarter about their marketing by being smarter about their website visitors. If someone blocks or wipes cookies, thereby blocking Marketo, there isn’t much risk of sustaining losses. The only loss in this scenario is a Web site’s ability to better market to you.

The data that uniquely identifies computers visiting websites isn’t just valuable to marketers; it can be used for a very different purpose: to prevent fraud. In this context, cookies are far less reliable as a method to identify computers. Stacy Martin, Director of Customer Support and responsible for stopping online fraud for Tapjoy (formerly named Offerpal Media), said this about cookies: “their effectiveness to thwart fraud is quite low…it’s fairly easy for someone to clear out their cookies.” In other words, where there’s a will there’s a way: even fairly unsophisticated fraudsters know to block cookies in order to defeat attempts by web sites to identify their computers.

When privacy advocates began calling attention to concerns with cookies, advertisers realized that the effectiveness of cookies as a means to track web visitors was heading into decline and seized on a more reliable cookie with lower public awareness, available in Adobe Flash, called Local Shared Objects—AKA Flash cookies. Soon thereafter, privacy advocates raised public awareness of the growing adoption of Flash cookies, and pressure mounted on Adobe to give users a way to manage them. Adobe now offers a Flash Player settings panel that gives users this control, or you can use add-ons like BetterPrivacy for Firefox. As public awareness and control over Flash cookies increase and they enter into decline as a means to track, along comes HTML5 with more ways to store more data that can be used to uniquely identify a computer. The latest and greatest innovation in cookies is the evercookie, a JavaScript API built and made available by Samy Kamkar (the same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location), who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site’s ability to uniquely identify their computer (e.g. by wiping all traces of a cookie).

There are other ways to identify your device, including browser strings, IP address and even your mobile phone’s location information. The motivations held by each constituency in the cookie wars tell the story: advertisers want to accurately target and market to you…but you want to remain anonymous so they can’t…but banks, internet retailers, social gaming sites etc. want to trust and welcome returning “good” computers to deliver appropriate products and services…but fraudsters need anonymity to lie, cheat and steal…and so it goes.

How to Detect Cybercrime

Responsible companies need to protect their brand, their customers and their shareholders wherever visitors engage them on their Web site, whether it’s Web 2.0, banking or shopping. Every Web site you transact with should have a clear privacy policy easily accessible from its home page (if not, that is a red flag). Privacy policies are typically very boring, long, and filled with legal jargon (Facebook’s privacy page is about six thousand words). But it ought to make clear what the company is doing with cookies and the data it collects from you. Do they share data with third parties who will market to you? It’s a red flag if that question is not answered clearly. For example, section 5 of Facebook’s privacy policy, “How We Use Your Information,” outlines what Facebook does with your data; it lists both “to prevent abuse” and “to serve personalized advertising to you.” Companies will have to balance that use appropriately for their business, while consumers have to decide what’s acceptable and what’s not when it comes to their web identity.

When it comes to fighting online fraud, the burning issue with cookies isn’t about privacy at all—it’s about the death of the cookie as a usable way to identify your device. It’s no secret in the fraud prevention business that cookies turned stale long ago. The demise of the cookie as a fraud-fighting tool doesn’t do away with the need to identify a device—only the method. While online advertisers pursue ever more persistent ways to push back the line on consumers’ ability to control their privacy, software developers will continue to invent new and better ways to identify your device that don’t rely on cookies or PII, to help organizations fight the “good fight” against fraud. See the difference?
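The article's point that a cleared cookie is itself a signal, and that browser strings and IP addresses can stand in for it, can be shown with a small fraud-side check. This is an added illustration, not code from the article or from any vendor it names: it groups constructed session records by a cookie-free key (browser string plus IP, both hypothetical values) and flags a device whose cookie keeps changing or disappearing while that key stays the same.

```python
"""Cookie-churn check: an added example, not from the original article."""
import hashlib
from collections import defaultdict

# Constructed sample sessions (hypothetical values, not real traffic).
# "cookie" is the ID the browser presented, or None if cookies were
# blocked or wiped; "ua" is the browser string; "ip" the client address.
SESSIONS = [
    {"cookie": "c-1001", "ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "ip": "198.51.100.7"},
    {"cookie": "c-1001", "ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "ip": "198.51.100.7"},
    {"cookie": "c-2001", "ua": "Mozilla/5.0 (Macintosh) Safari/533", "ip": "203.0.113.20"},
    {"cookie": "c-2002", "ua": "Mozilla/5.0 (Macintosh) Safari/533", "ip": "203.0.113.20"},
    {"cookie": None,     "ua": "Mozilla/5.0 (Macintosh) Safari/533", "ip": "203.0.113.20"},
    {"cookie": "c-2003", "ua": "Mozilla/5.0 (Macintosh) Safari/533", "ip": "203.0.113.20"},
]


def device_key(session):
    """Cookie-free device identifier: hash of browser string and IP."""
    raw = session["ua"] + "|" + session["ip"]
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def cookie_churn(sessions, max_resets=2):
    """Group sessions by cookie-free key and count cookie resets per key.

    A reset is either a new cookie ID or a visit with no cookie at all.
    Returns {device_key: (distinct_cookie_ids, cookieless_visits, flagged)}.
    """
    cookies_seen = defaultdict(set)
    cookieless = defaultdict(int)
    for s in sessions:
        key = device_key(s)
        if s["cookie"] is None:
            cookieless[key] += 1
        else:
            cookies_seen[key].add(s["cookie"])
    report = {}
    for key in set(cookies_seen) | set(cookieless):
        n_ids = len(cookies_seen[key])
        resets = n_ids + cookieless[key]
        report[key] = (n_ids, cookieless[key], resets > max_resets)
    return report


if __name__ == "__main__":
    for key, (n_ids, n_none, flagged) in cookie_churn(SESSIONS).items():
        print(key, "cookie IDs:", n_ids, "cookieless:", n_none,
              "FLAG" if flagged else "ok")
```

The first device keeps one cookie and passes; the second presents three different cookie IDs and one cookieless visit from the same browser string and IP, which is the pattern a fraud team would review rather than welcome as a returning "good" computer.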
