April 24, 2009 12:15 AM PDT

Device identification in online banking is privacy threat, expert says

by Elinor Mills

SAN FRANCISCO--A widely used technology to authenticate users when they log in for online banking may help reduce fraud, but it does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference on Thursday.

When logging into bank Web sites, users are typically asked for their user name and password. But that's not all that is happening. Behind the scenes, the server is taking measures to identify the device being used, in an attempt to verify that the person logging in is the person whose account is being accessed, on the assumption that most people use the same computer for banking.

Wachovia, which recently merged with Wells Fargo, tags the consumer's computer with a unique identifier, said Chris Mathes, an information technology specialist in online customer protection at the bank.

The technology not only can be used to allow legitimate customers into Web sites, but also to block computers that have been targeted as "bad actors," said Todd Inskeep, a senior vice president for the Center for the Future of Banking at Bank of America.

Another device fingerprinting technology provided by 41st Parameter is similar but doesn't tag the computer. Instead, the technology figures out the degree of probability that the computer accessing the site is the one that should be accessing it by querying the computer for things like time zone, language, browser type, Flash ID, cookie ID and IP address, said Ori Eisen, founder of the company. If enough of the answers match, the account can be accessed.
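The attribute-matching approach Eisen describes, as an added example that is not part of the article or of 41st Parameter's product: a toy scorer that compares the attributes seen at login with an enrolled profile, lets the login proceed when enough of them match, asks for a second factor otherwise, and blocks a device whose tag is on a bad-actor list (the blocking use Inskeep mentions). The weights, the threshold, the keyed-hash storage of the profile and the sample values are constructed assumptions.

```python
import hashlib
import hmac

# Attributes the article lists, with constructed weights: identifiers that
# rarely change legitimately (Flash ID, cookie) count more than ones that
# change whenever a customer travels (IP address, time zone).
WEIGHTS = {"time_zone": 1.0, "language": 1.0, "browser_type": 2.0,
           "flash_id": 3.0, "cookie_id": 3.0, "ip_address": 1.0}
MAX_SCORE = sum(WEIGHTS.values())     # 11.0
ALLOW_THRESHOLD = 0.7                 # constructed: at or above, let the login proceed
HARD_IDS = ("flash_id", "cookie_id")  # tags that can also mark a known bad device
SERVER_SECRET = b"constructed-demo-secret"  # held server-side in practice, not in source


def protect(value: str) -> str:
    """Keyed hash of one attribute. The profile stores these digests rather
    than raw values, so the stored record is not a readable log of where
    and how the customer connects."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def enroll(attrs: dict) -> dict:
    """Profile recorded when a customer completes a fully verified login."""
    return {k: protect(v) for k, v in attrs.items() if k in WEIGHTS}


def score(profile: dict, attrs: dict) -> float:
    """Weighted fraction of the enrolled attributes that match this login."""
    matched = 0.0
    for key, weight in WEIGHTS.items():
        if key in profile and key in attrs and \
                hmac.compare_digest(profile[key], protect(attrs[key])):
            matched += weight
    return matched / MAX_SCORE


def decide(profile: dict, attrs: dict, blocklist: set) -> str:
    """'block' for a device tagged as a bad actor, 'allow' when enough
    attributes match, otherwise 'step_up': ask for a second factor instead
    of refusing, since a new or cleaned computer is usually the real customer."""
    if any(protect(attrs[k]) in blocklist for k in HARD_IDS if k in attrs):
        return "block"
    return "allow" if score(profile, attrs) >= ALLOW_THRESHOLD else "step_up"


# Constructed sample: the customer's usual machine at enrollment, the same
# machine used abroad, and the same machine after clearing cookies/Flash data.
HOME = {"time_zone": "America/Los_Angeles", "language": "en-US",
        "browser_type": "Firefox/3.0", "flash_id": "flash-0001",
        "cookie_id": "cookie-0001", "ip_address": "198.51.100.7"}
TRAVELLING = dict(HOME, time_zone="Europe/London", ip_address="203.0.113.9")
CLEARED = dict(HOME, flash_id="flash-0002", cookie_id="cookie-0002")
PROFILE = enroll(HOME)
BLOCKLIST = {protect("cookie-bad")}   # a cookie tag previously seen in fraud
```

With these weights the travelling customer still scores 9/11 and is allowed, while a machine with cleared cookies and Flash data scores 5/11 and is asked for a second factor rather than refused.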

The 41st Parameter technology is being used by 120 large e-commerce companies, including the top five banks in the U.S., US Airways and Continental Airlines, Eisen said in an interview.

Even though none of the information gathered during a log-in is personally identifiable, the bank shouldn't have to collect regular data on when, how often and from where a consumer accesses a bank account, said Jennifer Granick of the Electronic Frontier Foundation. Such information can be compiled with other, more sensitive information to create profiles and cross-referenced to learn more about consumers, she said.

For instance, the bank could learn who a consumer's roommate is if the same computer is used regularly to access different accounts, Granick said. Consumers also could be deemed suspicious for breaking with their patterns on deposits or withdrawals or the information could be sold to advertisers, she added.

"There is very little privacy protection in the U.S. for this type of information," Granick said. "We don't want it shared with affiliates that do advertising." There should be restrictions on how long the bank will keep the data, who it can share it with and for what purposes, she added.

Eisen said his technique was more "privacy friendly" because it doesn't assign identification numbers to devices. The questions posed to computers by his technology are akin to what WebTrends and Google Analytics find out from computers for Web analytics purposes, he said.

Granick wasn't convinced, noting that even without a unique device identifier, the bank is still able to monitor consumer transactional patterns.

Right as the session was ending, Louie Gasparini jumped from his seat in the audience to make a comment at a microphone set up for the question-and-answer session.

"The privacy issue is encumbering banks," who have a fiduciary obligation to prevent fraud, said Gasparini, who said he used to work in Internet banking at Wells Fargo and helped create Device ID at RSA, the security division of EMC.

Another attendee had a different perspective.

"The concerns are not overstated. There are fundamental deficiencies in privacy law," said Andrea Matwyshyn, assistant professor of legal studies and business ethics at the University of Pennsylvania's Wharton School. "If an end user license agreement contractually reserves the right of a company to collect data for fraud prevention purposes and if this data is then sold as a secondary revenue stream, a privacy concern would clearly exist."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by another_cissp April 24, 2009 3:49 AM PDT
None of that is an invasion of privacy. They are using public criteria to identify your browser, computer and location. Is it an invasion of privacy when the bank teller asks for your driver's license when you go to withdraw money? These so-called experts are just spreading FUD.
by Renegade Knight April 24, 2009 1:21 PM PDT
Yes and No. It's essentially hacking my computer to gather information that I may or may not want the bank to know. Reverse it and the bank would throw the book at me for tapping into their network to be sure that the bank I think I'm logging into is the one I am actually intending to log into.
by eswinson April 24, 2009 3:56 AM PDT
While privacy has a value and the protection of our privacy far outstrips the rights of others to invade it in the name of protecting us, I find the notion of pre-determining what evil things someone "could" do with your information a little bit overly paranoid.

If the worst thing they are going to do with it is more effectively market products and services to me, what is the real evil? Wouldn't spam be less annoying if it was actually for products and services targeted to your personal interests and needs instead of some cryptic email ad for viagra? This seems like a fair trade-off for not having my money siphoned out of my account by some hacker.
by setjeff15081947 April 27, 2009 12:01 PM PDT
"eswinson" ... a voice of rationality amidst the hysterical hollering of the Privacy-Squad. Agree with you whole-heartedly on targeted E-mail too. I'm currently getting pleas from Nigerian princes and offers to help me with my mortgage payments. The latter is my favorite; haven't had mortgage payments in 10 years. Fortunately, all these are directed to my "Junk-Mail" account on AOL. Where else?
by mjconver April 24, 2009 4:43 AM PDT
Yeah, eswinson has it right, I don't see the evil in this.

I remember a couple of years ago when I was returning a rental car after my car was in the shop, and when my credit card was hit with the third charge in 20 minutes (gas, car return, repair bill), it was declined. When I called the credit card company, they said it was because those charges were suspicious. Since I only ever used that card for airline tickets and online computer parts, I was outside my profile. Was I ticked off? Heck no.

I see this device ID profiling as another extension of the same kind of artificial intelligence. I like it.
by Renegade Knight April 24, 2009 1:23 PM PDT
One difference is that your CC company only looked at the data submitted to them. They didn't tap into your computer without your knowledge to do the job.

In the past my CC company called me up to make sure a charge was legit. Kudos to them.
by willdryden April 25, 2009 10:35 PM PDT
I travel a lot in my job. Had a lot of U.S. car rentals, hotels, food and gas. I got an overseas contract and part of the deal was that they provided air transport. I arrived in London and my card was rejected for a car rental. Pissed? You bet. I was stranded in a foreign country with less than 2 nights' hotel money on me. I couldn't call the credit card company because all the pay phones required a credit card and it was rejected there as well. When I got home, I called and canceled the card.
by vapnut April 24, 2009 4:48 AM PDT
I would rather have my bank tag my computer (and I agreed to allow them to do this) than to be forced to have my computer tagged by the likes of Microsoft. Making banking online secure and safe outweighs any supposedly evil tracking the banks may do, as if they have the time, resources or inclination to do such things anyway. Now Microsoft on the other hand....
by c|net Reader April 24, 2009 9:34 AM PDT
If you agree up front to your computer's being tagged, and you understand the information used for that purpose, and the information is used for *nothing* more than validating your login, the practice seems perfectly reasonable. If the tagging is done surreptitiously, if the information and its use is not clearly explained beforehand, or it is used to track other activities among separate companies with separate accounts for the user, then the practice violates one's privacy.

There have been far too many examples of corporate types acting irresponsibly, illegally, or immorally to just hope all will behave nicely.
by epross April 24, 2009 8:27 AM PDT
My sister was a victim of identity theft. Believe me you don't want this to happen to you. I think the banks are behaving reasonably to prevent fraud. I think the privacy concerns here are way overstated.
by madams28 April 24, 2009 8:48 AM PDT
How many people use facebook, myspace, youtube, etc. and put all kinds of personal info on the web? And we're worried about our bank knowing what computer we use? Seriously? This is ridiculous.
I work for a financial institution and by law, we are required to have safeguards in place to verify the identity of our members both in person and online. It's called "Multi-Factor-Authentication". So they place this reg. on us, then tell us we're infringing? Who are these nutjobs? We use RSA to authenticate our members online and we do not store, nor do we have access to, the information regarding what PC our members are connecting from, and quite frankly we don't care. It's the least of our worries.
I've had people complain that we are spying on them because they are asked security questions or are asked to further authenticate themselves when logging in from another PC...this coming from the same people who don't know what a browser is, aren't aware that updating (or having) AV is necessary, and can't tell you what operating system they have. Yep, we're spying on you. It's not like we hold your money, have your account number, ssn, address, telephone #, or anything like that. And you are worried we're stealing your information via online banking, or we know what computer you're using? Really?!
If people are this paranoid then perhaps they should bury their money in the backyard, maybe put it under their mattress, or dare I say it, not use online banking? Would they rather us just remove the safeguards? I, for one, am glad we use this technology. It's sad but true that this sort of thing is necessary in order to prevent fraud, but we may as well accept it and carry on.
by c|net Reader April 24, 2009 9:40 AM PDT
I don't use any of the services you cited. Yes, I'm worried about what banks do with the tracking information they collect, if they do. This isn't ridiculous. However, were I as free and open about my life as the type you're describing, then I agree that banks are not misusing my information.

The processes discussed here don't include RSA key fobs, but rather extracting information from a user's browser or computer to authenticate the user. If that is done without proper disclosure and protections, it is a problem.

A bank has a tremendous amount of personal information, and clients agree to permit that. So long as that information and the client's activities are not used for non-bank marketing, I find nothing to complain about.
by cjwall67 April 24, 2009 10:24 AM PDT
Until identity theft is taken seriously by lawmakers and enforcement (It's not the same as simple property theft, guys!!), I don't have a problem with this sort of security. I travel in the U.S. and Canada regularly, such that I can be in 2 or 3 states in the same day. Just try policing that spending and banking profile without ready access to enough personal info to verify transactions. That being said, the law also needs to come down hard on those who sell and share such info for marketing or other purposes. A particular bank's database may be plenty secure, but any sharing of access to seemingly insignificant chunks of personal information only leaves the door open for the dishonest. It's like the impending threat of a government-operated health information database. Can you imagine the potential damage from just one user with poor security habits and access to that kind of information?
by madams28 April 24, 2009 11:58 AM PDT
Maybe I should clarify...Credit Unions don't do anything with the information they collect through these means, and none of their members are spammed, marketed to, or contacted by any third parties. I can't speak to what large banks do with this sort of information, I moved away from banks long ago in favor of Credit Unions.
Banks may use info for other purposes such as advertising their services as the article states. But, as some have said previously, if it keeps me safe then I don't really see the problem. Now, I fail to see how this part of the article holds any real weight:
"Granick wasn't convinced, noting that even without a unique device identifier, the bank is still able to monitor consumer transactional patterns."
I say great! Monitor my transactional pattern and call me if it looks suspicious, what is the harm? We can argue all day about this, but if by some chance this is a breach of privacy then I'm sure we can come up with a better way of doing it. One would be to put regs on the banks to only allow them to use what information is gathered via online banking for security verification purposes and no more (as it should be). Or, an "opt-out" policy for customers to allow the bank to use info as they see fit, etc. I saw that the article stated that a bank CAN possibly do this, but I don't see where it said that any bank IS using this information for these purposes.
by Renegade Knight April 24, 2009 1:24 PM PDT
This seems like a good use for an authorized TPM cookie. Then with full knowledge the bank can access the TPM, see the authorization and know that the computer is the same as is normally used.
by basraw April 24, 2009 1:32 PM PDT
PLEASEEEEEEEEEEEEEEEEE

Don't let the PORN web sites find out about this!!!

Hacked Passwords will be a thing of the past!!!!
by dl1321 April 25, 2009 12:00 AM PDT
It's one of these times that so-called experts have a wrong idea of what an expert is.
1. This technology is more than two years old (so it's not news).
2. The information gathered is not that sensitive. Any site you visit gathers most of this.
3. If you ask your Bank what kind of a person you are (which is privacy sensitive) they only know you from your credit card transactions (of course most of them know your civil ID, passport etc.), your income, your loans etc.
4. A more privacy sensitive profile of yourself is held by google (if you have any google account). This info is available to google.
5. Personal profiles available to the public for one self can be built if you have a facebook , or myspace or any other community network account.

Get real people.
by IKE:) April 25, 2009 7:17 AM PDT
This technology is a PRIVACY INVASION ???
Those smart a... lawyers should have filed a lawsuit against Microsoft's invasion of privacy (through indirect control of their product running on my and your computer), and against the illegality of EULAs, as that's what they are, an ILLEGAL. Microsoft is spying on and controlling our computers to the point where they can just switch them off.
God, what an arrogant company....
by yiannaki April 27, 2009 6:36 AM PDT
I agree with the overwhelming majority of commenters that there is little, if anything, to be concerned about and lots (security-wise) to be glad of. Sounds to me like another case of some left-wing legal loon in the ACLU looking for another way to protect the criminals from the law-abiding.
by xceo37 April 27, 2009 9:12 AM PDT
My sentiment regarding this subject is that the banks are responsible for what may happen to our accounts if it is not our faults. Their method is probably the most secure to know that it is ME getting into my accounts and not a hacker. After all, they are protecting their own interests. Entering the bank is probably just as secure as any other site. I will keep my accounts and continue banking on line.
by LouieGasparini April 28, 2009 12:13 PM PDT
This is a great discussion, glad to see it being vetted here. Seems to me that the overwhelming consensus here is an endorsement for fighting fraud with these tools. This is good.

We should encourage innovation in this area. More needs to be done to combat fraud.

Let's not handcuff the good guys. Privacy here means keeping my secure assets private between me and my selected service providers. If they can use better techniques to identify that the money movement request is from me and not a fraudster, then this is good. My privacy IS protected.

Louie Gasparini
Self