Online banking services and e-commerce companies will have to find other ways to authenticate customers' PCs once Adobe rolls out its new Flash Player privacy settings, security experts said.
The use of Flash local shared objects (LSOs) to identify customers' PCs has become a popular anti-fraud tool for many banks and e-commerce companies, said Ori Eisen, founder and chief innovation officer at 41st Parameter, a Scottsdale, Ariz.-based provider of anti-fraud technology. Online service providers turned to Flash LSOs (also called Flash cookies) when the HTTP browser cookies they had been relying on proved faulty: users could delete them and criminals could steal them, he said.
However, growing privacy concerns in Canada and elsewhere have put pressure on companies not to track users with LSOs or any sort of identifier, Eisen said. In a Feb. 8 report, "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," Avivah Litan, vice president and distinguished analyst at Gartner Inc., wrote that the European Union in December began requiring companies to give subscribers the right to opt in for tracking software on their PCs. The Federal Trade Commission is weighing penalties for companies that track consumers without their explicit consent or transparency, she said.
In light of the regulatory pressures and the upcoming new privacy settings in Adobe's Flash Player 10.1, banks and e-commerce companies should phase out their reliance on LSOs, Litan said.
In an email statement, Adobe said Flash Player 10.1 will "support the private browsing feature found in many Web browsers, so that when someone activates private browsing in their browser, it is also activated in Flash Player -- meaning there will be no local storage of information from that Flash Player session."
The new Flash Player, which is expected to be released sometime before mid-year, also will make it easier for users to access the Flash Player Global Settings Manager, where they can control their local storage settings, according to Adobe.
In the past, private browsing mode had no impact on LSOs, according to Litan. A bank would still be able to find the LSO it dropped on a user's computer in a previous session, even if the customer was in private browsing mode, she said.
The new Flash privacy settings will spell trouble for companies relying on Flash for customer identification, Eisen said: "You'll have a very big challenge because you won't know if it's your users coming back." Users might end up being locked out of sites and calling the helpdesk in frustration, he added.
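The failure mode Eisen describes is a policy problem as much as a storage one: a site that treats "no device tag found" as "not our customer" will lock people out the moment private browsing stops persisting the LSO. The following is an added example, not code from the article or from 41st Parameter, Gartner or Adobe. It models the tag-and-recognise flow on the server side in Python and shows the safe decision: an absent or unverifiable tag means "unknown device, step up authentication", never an outright denial. Everything here is assumed for illustration: the HMAC-signed tag format, the storage key `bankDeviceTag`, the policy names `allow`, `step_up` and `deny`, and the modelling of a private-browsing session as an empty, throwaway store that is never written back (matching Adobe's statement that such a session leaves no local storage).

```python
"""Device-tag recognition with a safe fallback when the tag is missing.

Added example; not code from the article or from any vendor it quotes.
Assumptions (not from the article): tags are a random device id signed with a
server-side HMAC key and bound to the customer; client-side storage (an LSO in
the article's setting) is modelled as a dict; a private-browsing session gets an
empty store that is discarded at the end of the session.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = b"assumed-server-side-secret"   # assumption: lives only on the server
TAG_KEY = "bankDeviceTag"                     # assumption: name of the stored LSO field


def _mac(customer_id: str, device_id: str) -> str:
    """HMAC over (customer, device) so a tag cannot be forged or re-pointed at another account."""
    msg = f"{customer_id}:{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tag(customer_id: str) -> str:
    """Mint a fresh device tag for this customer on this PC."""
    device_id = secrets.token_hex(16)
    return f"{customer_id}:{device_id}:{_mac(customer_id, device_id)}"


def verify_tag(tag: str, customer_id: str) -> bool:
    """True only if the tag is well-formed, bound to this customer and carries a valid MAC."""
    parts = tag.split(":")
    if len(parts) != 3:
        return False
    tag_customer, device_id, mac = parts
    if tag_customer != customer_id:
        return False   # tag copied from another customer's PC: not a recognised device here
    return hmac.compare_digest(mac, _mac(customer_id, device_id))


def login_decision(store: dict, customer_id: str, password_ok: bool) -> str:
    """Decide what to do after the password check, given the client's local storage.

    A missing tag is the normal case for a new PC, a cleared store or a private
    session, so it is an "unknown device" signal that triggers step-up
    authentication, not a denial. A present but invalid tag is treated the same
    way (and would be worth flagging for fraud review).
    """
    if not password_ok:
        return "deny"
    tag = store.get(TAG_KEY)
    if tag is None:
        return "step_up"
    if verify_tag(tag, customer_id):
        return "allow"
    return "step_up"


def run_session(persistent_store: dict, private_mode: bool,
                customer_id: str, password_ok: bool) -> str:
    """One browser session. After a successful login the site (re)issues its tag.

    In private mode the session works on an empty store that is never written
    back, so the tag issued here does not survive the session (assumption modelling
    Flash Player 10.1's private-browsing behaviour as the article describes it).
    """
    store = {} if private_mode else persistent_store
    decision = login_decision(store, customer_id, password_ok)
    if decision in ("allow", "step_up") and password_ok:
        store[TAG_KEY] = issue_tag(customer_id)   # tag the PC once the user has proven who they are
    return decision
```

The point of `run_session` is the sequence a bank would see in practice: a normal session tags the PC and the next one is recognised, while a private-browsing session is treated as a new device every time without ever locking the customer out.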
Litan recommends that organizations consider alternatives, including clientless device identification or customer-initiated secure downloads of tagging software.