Up Next: 911 For the Web

The day after the Twin Towers fell, all kinds of security measures changed and new ones were implemented overnight. Is there a 911-equivalent wake-up call coming for Web identity—a single event that will suddenly jolt us into enforced standards overnight?

I am old enough to remember the security-free era of air travel, when you could walk (or run) from the ticket counter to your gate without waiting in line to be ID’d, scanned, frisked, or now pulled aside to be seriously groped by a TSA agent, as my wife was on a recent trip leaving Phoenix. Those innocent, carefree days of security-free air travel we took for granted are gone forever, traded away to reduce the risk of terrorist acts being committed aboard commercial aircraft.

The best the TSA can do is to narrow the margin of risk that a terrorist will evade our airport security systems and blow up a plane—but they can never eliminate all risk, because every security measure can be broken and there are practical limits to what methods they can employ. And without exception, everyone is opted in to a security check—you have no choice but to submit to screening if you want to fly. The Web may soon be headed down a similar path, to an era when most Web sites will require that you surrender the anonymity provided by your device—mobile phone, computer, iPad, whatever—before you are allowed to enter. Digital fingerprinting, technology that identifies your device to the Web sites you visit, will be a key enabler in reining in the carefree era of anonymity we enjoy today on the Web.

Device Fingerprinting

Notice that I said carefree—not risk-free. Without a digital fingerprint to verify you, there is a risk that someone other than you may be logging in to your account, using your credit card, or creating a new account in your name. Fraud and cybercrime flourish on the Web today because of device anonymity—take it away, and it gets a lot harder for someone to impersonate you from their device. Some Web sites already require you to identify your device and register its identity with them as a factor to authenticate you; SaaS applications like and online banking come to mind. Most of them use methods that are easily evaded or spoofed. I recently travelled to Calgary, where I logged in to my bank from my hotel to review some credit card transactions. The online banking system intervened when it compared my IP address at the hotel with the one they knew me by in San Jose, and displayed this message:

[Image: Network Device Fingerprinting]

The bank prevented me from accessing my account because my hotel IP address didn’t match the expected IP address. Bear in mind that a fraudster would know how to fool the system by spoofing the IP address to get around this speed bump. If not, it’s only a matter of having the credentials to get in. When the IP addresses failed to match, the system prompted me for personal data as a means to authenticate me. But a fraudster might have my stolen credentials and simply enter them as I would: the last four digits of my social security number, the three-digit code off the back of my credit card, and my first and last name. If the bank had my digital fingerprint—a form of authentication that can’t be spoofed the way an IP address or cookie can—I would feel a bit more secure and less inconvenienced. Should the bank (or any Web site) have the authority to force you to register your computer’s digital fingerprint in order to transact with them? Put another way, which bank would you do business with: one that doesn’t take extra precautions like device fingerprinting to protect you, or one that lets you in with only a simple name and password and no other form of authentication? I for one am happy to give up my device fingerprint to enjoy a little more peace of mind…with a caveat: don’t sell, trade, or use my digital fingerprint for any purpose other than to authenticate me.
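The login flow described above, as an added example (not the bank's code, and not anything from the author or from any fingerprinting vendor): two hypothetical policies side by side, one that keys only on the source IP and falls back to knowledge-based questions when the IP is unfamiliar, and one that also checks a device fingerprint the customer registered earlier. The account data, IP addresses (RFC 5737 documentation ranges) and device attributes are constructed for the example, and `device_fingerprint` is a stand-in that simply hashes the attributes a site can observe.

```python
import hashlib
import json

# Constructed illustration: account data, IPs and device attributes are made
# up, and both policy functions are hypothetical, not any bank's real logic.


def device_fingerprint(attrs: dict) -> str:
    """Collapse the attributes a site can observe about a device (user agent,
    screen size, timezone, ...) into one stable identifier. Canonical JSON
    keeps key order from changing the hash."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Account:
    """Constructed account record: password, IPs the bank has seen the customer
    use, the personal data it holds for knowledge-based challenges, and the
    fingerprints of devices the customer has registered."""

    def __init__(self, password: str, home_ip: str, kba: dict):
        self.password = password
        self.known_ips = {home_ip}
        self.kba = kba
        self.devices = set()

    def register_device(self, attrs: dict) -> str:
        fp = device_fingerprint(attrs)
        self.devices.add(fp)
        return fp


def ip_policy(acct: Account, password: str, ip: str, kba_answers=None) -> str:
    """The flow the post describes: password check, then an IP comparison, then
    a knowledge-based challenge (last four of SSN, card code, name) when the
    IP is one the bank has not seen before."""
    if password != acct.password:
        return "deny"
    if ip in acct.known_ips:
        return "allow"
    if kba_answers is None:
        return "challenge_kba"          # the speed bump hit from the hotel
    return "allow" if kba_answers == acct.kba else "deny"


def device_policy(acct: Account, password: str, device_attrs: dict) -> str:
    """The same flow with a registered device fingerprint as an extra factor.
    A registered device is let in even from a new network; an unregistered
    one is held for a stronger step-up, because stolen credentials often
    travel with the same stolen personal data that KBA asks for."""
    if password != acct.password:
        return "deny"
    if device_fingerprint(device_attrs) in acct.devices:
        return "allow"
    return "step_up"                    # e.g. confirm on a channel already on file


def demo() -> dict:
    """Run the post's scenarios through both policies and return the outcomes."""
    kba = {"ssn_last4": "1234", "card_code": "567", "name": "A. Customer"}
    acct = Account(password="correct-horse", home_ip="192.0.2.10", kba=kba)
    laptop = {"ua": "Mozilla/5.0 (Macintosh)", "screen": "1440x900",
              "tz": "America/Los_Angeles"}
    acct.register_device(laptop)

    hotel_ip = "203.0.113.7"            # the customer travelling (constructed)
    other_ip = "198.51.100.9"           # someone else holding the credentials
    other_device = {"ua": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1366x768",
                    "tz": "Etc/UTC"}

    return {
        "ip_policy_home": ip_policy(acct, "correct-horse", "192.0.2.10"),
        "ip_policy_hotel": ip_policy(acct, "correct-horse", hotel_ip),
        "ip_policy_hotel_answered": ip_policy(acct, "correct-horse", hotel_ip, kba),
        # The weakness the post points out: a stolen password plus stolen KBA
        # answers look exactly like the customer to an IP-only check.
        "ip_policy_stolen": ip_policy(acct, "correct-horse", other_ip, dict(kba)),
        "device_policy_hotel": device_policy(acct, "correct-horse", laptop),
        "device_policy_stolen": device_policy(acct, "correct-horse", other_device),
        "device_policy_bad_password": device_policy(acct, "wrong", laptop),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

The point of running both policies on the same inputs is the `ip_policy_stolen` versus `device_policy_stolen` pair: the IP-only policy cannot distinguish the travelling customer from someone typing the same stolen answers, while the device-aware policy lets the registered laptop through from the hotel and holds the unknown device for a step-up.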

I’ve focused on device fingerprinting as a means to prevent fraud; however, the same technology can be used to direct online advertisers on how best to target you. If the FTC moves forward with a do-not-track initiative that lets anyone opt out of having their device tracked for advertising purposes, I suspect most will opt out, because it’s easier to say no than yes. Businesses will have to offer incentives like discounts, cash or other forms of consideration in trade for device-tracking opt-ins. The good news here is that as advertisers get better and smarter about targeting, they will become more cost-efficient, more relevant and less intrusive to consumers.

I think it’s a safe bet that we’re at the dawn of an era when device fingerprinting is commonplace both for online advertising and for fraud prevention. On September 12 2000, the day after the Twin Towers fell, all kinds of security measures changed and new ones were implemented overnight. Is there a 911-equivalent wake-up call coming for Web identity—a single event that will suddenly jolt us into enforced standards overnight? The technology and motivation are certainly there (who really brought down WikiLeaks with denial-of-service attacks?), but I believe the era will creep up on us rather than crash into us in a single cataclysmic event.

Are you ready to surrender your anonymity on the Web by mandate to make the Web a safer place? The line starts over there—have your ID out and ready to show.

Tom Grubb has over 20 years of experience in the technology industry. He is currently Vice President of Marketing at Nimsoft, a provider of Unified Monitoring solutions for virtualized data centers, hosted and managed services, cloud platforms, and SaaS resources. Most recently Tom was VP of Marketing at ThreatMetrix, a provider of online fraud prevention software. Tom has held marketing and product leadership positions at Sybase, Intuit, Vormetric and Embarcadero Technologies. Mr. Grubb co-founded Bluecurve, a systems monitoring and performance management software company that was acquired by Red Hat in 2000. He began his technology industry career as an analyst and product reviewer for Ziff-Davis and IDG’s PC World Magazine.