Customer or Fraudster: Tossed Your Cookies Lately?

Detecting online fraud – The burning issue with cookies isn’t about privacy at all—it’s about the death of the cookie as a usable way to identify a device.

What have you got to hide when you visit a website? If you block or delete cookies you might be a legitimate customer who doesn't want to be tracked from website to website and stalked by advertisers who target you by your online shopping habits. Or you could be a fraudster with a pile of hijacked credentials and stolen credit cards, ready to embark on an online crime spree. The former simply wants to stay off the advertising grid, using widely available tools such as private browsing in Firefox or periodically wiping cookies. The latter will go to much greater lengths to keep their device (computer, smartphone, iPad, etc.) from being identified, using software tools and methods that typical consumers would never employ.

Cookie Tracking

Consider Marketo, a SaaS application that integrates online marketing tools (email, landing pages, campaigns, lead management and more) into a single application. The first time a computer visits a Marketo-tagged web page, Marketo sets an HTTP cookie in the visitor's browser. From that point forward, Marketo knows when your computer comes and goes and which pages it visits during a session. Down the road, if and when the computer visits the same website and the individual provides personal information (for example a name and email address when requesting contact), Marketo attaches the computer's visit history to the name, providing a more complete picture of the individual's interests and helping marketers better "tune" their marketing to the individual. The purpose of Marketo is to help companies be smarter about their marketing by being smarter about their website visitors. If someone blocks or wipes cookies and thereby blocks Marketo, nobody sustains a loss worth mentioning. The only loss in this scenario is a website's ability to market to you more precisely.

The data that uniquely identifies computers visiting websites isn't just valuable to marketers; it can be used for a very different purpose: to prevent fraud. In this context, cookies are far less reliable as a method of identifying computers. Stacy Martin, Director of Customer Support and responsible for stopping online fraud at Tapjoy (formerly named Offerpal Media), said this about cookies: "their effectiveness to thwart fraud is quite low…it's fairly easy for someone to clear out their cookies." In other words, where there's a will there's a way: even fairly unsophisticated fraudsters know to block or clear cookies in order to defeat a website's attempts to identify their computers.

When privacy advocates began calling attention to concerns with cookies, advertisers realized that the effectiveness of cookies as a means of tracking web visitors was heading into decline and seized on a more persistent store with lower public awareness, available in Adobe Flash: Local Shared Objects, also known as Flash cookies. Soon thereafter, privacy advocates raised public awareness of the growing adoption of Flash cookies, and pressure mounted on Adobe to give users a way to manage them. Adobe now offers a Flash Player settings panel that gives users this control, or you can use add-ons like BetterPrivacy for Firefox. (Adobe discontinued Flash Player at the end of 2020, so Flash cookies are no longer a practical tracking channel; the pattern, however, repeats with every new storage mechanism.) As public awareness and control over Flash cookies increases and they decline as a tracking method, along comes HTML5 with more ways to store more data, such as Web Storage (localStorage) and IndexedDB, that can be used to uniquely identify a computer. The latest innovation in cookies is the evercookie, a JavaScript library built and released by Samy Kamkar (the same person who brought you the Samy worm and "XSS Hacking to Determine Physical Location"). Kamkar set out to prove that the more you store and the more places you store it, the harder it is for users to wipe every trace and so to control a website's ability to uniquely identify their computer: if even one copy of the identifier survives, the script reads it back and re-creates the copies the user deleted.

There are other ways to identify your device, including browser strings, IP address and even your mobile phone's location information. The motivations of each constituency in the cookie wars tell the story: advertisers want to accurately target and market to you, but you want to remain anonymous so they can't; banks, internet retailers, social gaming sites and the like want to recognize and welcome returning "good" computers to deliver appropriate products and services, but fraudsters need anonymity to lie, cheat and steal. And so it goes.

How to Detect Cybercrime

Responsible companies need to protect their brand, their customers and their shareholders wherever visitors engage them on their website, whether it's Web 2.0, banking or shopping. Every website you transact with should have a clear privacy policy easily accessible from its home page (if not, that is a red flag). Privacy policies are typically boring, long, and filled with legal jargon (Facebook's privacy page runs to about six thousand words). But it ought to make clear what the company is doing with cookies and the data it collects from you. Do they share data with third parties who will market to you? It's a red flag if that question is not answered clearly. For example, section 5 of Facebook's privacy policy, "How We Use Your Information," outlines what Facebook does with your data; it lists both "to prevent abuse" and "to serve personalized advertising to you." Companies will have to balance those uses appropriately for their business, while consumers have to decide what's acceptable and what's not when it comes to their web identity.

When it comes to fighting online fraud, the burning issue with cookies isn't about privacy at all; it's about the death of the cookie as a usable way to identify your device. It's no secret in the fraud prevention business that cookies turned stale long ago. The demise of the cookie as a fraud-fighting tool doesn't do away with the need to identify a device, only with the method. While online advertisers pursue ever more persistent ways to push back the line on consumers' ability to control their privacy, software developers will continue to invent new and better ways to identify your device that don't rely on cookies or PII, to help organizations fight the "good fight" against fraud. See the difference?
