New Flash privacy settings will impact customer authentication

Changes in upcoming version of Adobe Flash Player will mean banks and others can't rely on Flash LSOs to authenticate customers' PCs.

Online banking services and e-commerce companies will have to find other ways to authenticate customers' PCs once Adobe rolls out its new Flash Player privacy settings, security experts said.

The use of Flash local shared objects (LSOs) to identify customers' PCs has become a popular anti-fraud tool for many banks and e-commerce companies, said Ori Eisen, founder and chief innovation officer at 41st Parameter, a Scottsdale, Ariz.-based provider of anti-fraud technology. Online service providers turned to Flash LSOs (also called Flash cookies) when the HTTP browser cookies they were relying on proved faulty; users could delete them and criminals could steal them, he said.

However, growing privacy concerns in Canada and elsewhere have put pressure on companies not to track users with LSOs or any sort of identifier, Eisen said. In a Feb. 8 report, "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," Avivah Litan, vice president and distinguished analyst at Gartner Inc., wrote that the European Union in December began requiring companies to give subscribers the right to opt in for tracking software on their PCs. The Federal Trade Commission is weighing penalties for companies that track consumers without their explicit consent or transparency, she said.

In light of the regulatory pressures and the upcoming new privacy settings in Adobe's Flash Player 10.1, banks and e-commerce companies should phase out their reliance on LSOs, Litan said.

In an email statement, Adobe said Flash Player 10.1 will "support the private browsing feature found in many Web browsers, so that when someone activates private browsing in their browser, it is also activated in Flash Player -- meaning there will be no local storage of information from that Flash Player session."

The new Flash Player, which is expected to be released sometime before mid-year, also will make it easier for users to access the Flash Player Global Settings Manager, where they can control their local storage settings, according to Adobe.

In the past, private browsing mode had no impact on LSOs, according to Litan. A bank would still be able to find the LSO it dropped on a user's computer in a previous session, even if the customer was in private browsing mode, she said.

The new Flash privacy settings will spell trouble for companies relying on Flash for customer identification, Eisen said: "You'll have a very big challenge because you won't know if it's your users coming back." Users might end up being locked out of sites and calling the helpdesk in frustration, he added.

Litan recommends that organizations consider alternatives, including clientless device identification or customer-initiated secure downloads of tagging software.

On the server-based client device identification side, there are systems that use JavaScript launched from a company's login page to analyze the browser and gather information to identify a customer's PC, according to Litan. Vendors offering this kind of technology include 41st Parameter, ThreatMetrix Inc., Arcot Systems Inc., and Iovation Inc., she said.
