Can Device Identification Help Prevent Fraudsters from Using Your Personal Data Against You?

According to a new study by researchers at Carnegie Mellon University it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers-personal private data that until now was considered reasonably save from intelligent guessing by networks of compromised computers.

Here’s an excerpt from the Carnegie study that spells out the problem:

‘Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], ‘‘botnets” of compromised computers allow attackers to test-cheaply and covertly-vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.’

Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” are consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on the ability for us to identify that we are who we claim to be without our physical presence-this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.

Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:

• Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
• Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from web site visitor
• Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts

Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?