Tuesday, November 1, 2005

Cookies that don't crumble

Security is an onion that keeps growing, and "smart cookies" are another ring.

Browser cookies are a simple means of tracking how a browser is interacting with a website. Each one carries some history of such events, but also basic elements of software identification.

They’ve long been a target for fraudsters intent on “cookie poisoning” (impersonating a browser session) for this reason. But if they were hardened, might they also be a good way of authenticating an actual user?

One company, Digital Resolve, claims they can, and has invented “smart cookies” which can be used as an extra layer of user authentication with a claimed high degree of security.

The deeper recesses of a smart cookie are an industrial secret, but the company will tell us that each one contains information unique to that user’s browsing, which cannot be spoofed. This would include login access patterns, married to data from the HTTP headers.

The cookie has an “expiration system” to overcome attempts to get round it by stealing or reusing it.
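The two properties described above, binding a cookie to data from the HTTP headers and giving it an expiry so a stolen or replayed copy stops working, can be illustrated with a server-side scheme. The code below is an added example written for this post; it is not Digital Resolve's implementation (which the article says is secret) and assumes an HMAC-signed cookie whose payload carries a hash of a fixed set of request headers plus an expiry timestamp. The header names, key and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Server-side signing key. Constructed for this example; a real deployment
# would load it from a secrets store and rotate it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Headers folded into the fingerprint. Chosen because they are fairly stable
# for one browser across a session; this list is an assumption of the example.
FINGERPRINT_HEADERS = ("User-Agent", "Accept-Language")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def header_fingerprint(headers: dict) -> str:
    """Hash the selected request headers so the cookie is tied to the client
    profile seen at login; a replay from a different client will not match."""
    parts = [headers.get(name, "") for name in FINGERPRINT_HEADERS]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


def issue_cookie(user_id: str, headers: dict, now: int, ttl: int = 900) -> str:
    """Build 'payload.tag': a base64 JSON payload and its HMAC-SHA256 tag."""
    payload = {
        "uid": user_id,
        "fp": header_fingerprint(headers),
        "iat": int(now),
        "exp": int(now) + ttl,  # expiry limits how long a stolen copy is useful
    }
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, headers: dict, now: int):
    """Return (ok, reason). Signature is checked before the payload is parsed,
    so an attacker-modified payload is rejected without being trusted."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad_signature"
    try:
        payload = json.loads(_b64d(body))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "malformed"
    if now >= payload["exp"]:
        return False, "expired"
    if not hmac.compare_digest(payload["fp"], header_fingerprint(headers)):
        return False, "fingerprint_mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a login at t=1_000_000 from one browser profile.
    browser = {"User-Agent": "Mozilla/5.0 (constructed)", "Accept-Language": "en-GB"}
    cookie = issue_cookie("alice", browser, now=1_000_000)
    print("same client, in time  :", verify_cookie(cookie, browser, now=1_000_100))
    other = {"User-Agent": "curl/7.0 (constructed)", "Accept-Language": "en-GB"}
    print("copied to other client:", verify_cookie(cookie, other, now=1_000_100))
    print("after expiry          :", verify_cookie(cookie, browser, now=1_000_900))
```

A cookie presented from a client whose headers differ from those recorded at issue time, or after its expiry, is refused with a distinct reason code, which is also what a back-end system like the Fraud Analyst mentioned below would want to log and score. Header fingerprints are only a coarse signal: two users behind the same corporate proxy can share them, and browsers change their User-Agent on upgrade, so the check is best treated as one factor rather than proof of identity.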

It’s a great idea in principle, but you do need a system at the back end, called Fraud Analyst, to make sense of these cookies. It is transparent to the user, but not entirely transparent to the company using this sort of technology. Equally, all authentication systems have a back-end cost, so that’s not a disadvantage as such.

Solving the security conundrum posed by phishing-type fraud is going to be messy, multi-faceted, and probably quite expensive.
