Avivah LitanA lot of industry buzz surrounding Intel’s acquisition of McAfee is around the potential value proposition of Intel chips enabling hardware-based identity information that maps a user’s computing device to his or her identity. This vision has long been bantered about by other chip makers, when they talk about helping secure land-based or mobile computing platforms. Often time, the folks working for these companies get that ‘dazzled-I’m-on-to-something-big-that-will solve-PC-security-problems’ look when they discuss this vision.
Well sorry to say, at least from a fraud detection perspective, that tagging machines and linking the machines to a user’s identity works well for identifying good guys but does nothing to help identify the bad ones. Bad guys know how to take over good-guy user machines and launch their stealth attacks from them, masquerading their true identities under the cloak of a ‘good’ PC or mobile computing device.
Of course, hardware level machine identification is a good way to tag a PC, but there are other options available that are in fact more effective at catching the crooks. One thing is obvious – fraudsters won’t let the computing devices they use to perpetrate their crimes be tagged as ‘bad.’ They will just delete the tags, if they can, or use a different PC that is either not tagged or tagged as ‘good.’
In sum, hardware level tagging of users’ computing devices is a good way to tag good users and is a good way to track them. But good security means we need to identify the bad users, not just the good ones. And this approach, on its own, does nothing to stop a bad user from taking over a good machine.
Intel may one day go further and sell locked down browsing launched from a ‘secure chip’ environment – which may keep bad guys from taking over good users’ machines’ browsers. We’ll have to wait and see.
In the meantime, there are a few good client-device-identification solutions sold today that don’t require tagging a user’s PC – either with software or via hardware. And they have certainly been effective at helping prevent fraud, although they can be rendered useless by man-in-the-browser attacks that take over seemingly ‘good’ PCs. Please see our research “Privacy Collides With Fraud Detection and Crumbles Flash Cookies” G00174277 for more information on client device identification alternatives.
Category: Uncategorized Tags:
2 responses so far ↓
1 Tweets that mention What Intel’s McAfee acquisition means for Identity -- Topsy.com August 20, 2010 at 9:17 pm
[...] This post was mentioned on Twitter by kevinbocek, Avivah. Avivah said: What Intel’s McAfee acquisition means for Identity — Does nothing to stop the Bad Guys http://bit.ly/bXcm3A [...]
2 yoav santo August 23, 2010 at 4:29 am
to aviva
hi i am yoav santo from mutagim
we are interested in e gov statusfaction models and in gov services satisfaction models.are you the one to be bothered with those issues
yoav