A lot of industry buzz surrounding Intel’s acquisition of McAfee is around the potential value proposition of Intel chips enabling hardware-based identity information that maps a user’s computing device to his or her identity. This vision has long been bantered about by other chip makers, when they talk about helping secure land-based or mobile computing platforms. Often time, the folks working for these companies get that ‘dazzled-I’m-on-to-something-big-that-will solve-PC-security-problems’ look when they discuss this vision.
Well sorry to say, at least from a fraud detection perspective, that tagging machines and linking the machines to a user’s identity works well for identifying good guys but does nothing to help identify the bad ones. Bad guys know how to take over good-guy user machines and launch their stealth attacks from them, masquerading their true identities under the cloak of a ‘good’ PC or mobile computing device.
Of course, hardware level machine identification is a good way to tag a PC, but there are other options available that are in fact more effective at catching the crooks. One thing is obvious – fraudsters won’t let the computing devices they use to perpetrate their crimes be tagged as ‘bad.’ They will just delete the tags, if they can, or use a different PC that is either not tagged or tagged as ‘good.’
In sum, hardware level tagging of users’ computing devices is a good way to tag good users and is a good way to track them. But good security means we need to identify the bad users, not just the good ones. And this approach, on its own, does nothing to stop a bad user from taking over a good machine.
Intel may one day go further and sell locked down browsing launched from a ‘secure chip’ environment – which may keep bad guys from taking over good users’ machines’ browsers. We’ll have to wait and see.
In the meantime, there are a few good client-device-identification solutions sold today that don’t require tagging a user’s PC – either with software or via hardware. And they have certainly been effective at helping prevent fraud, although they can be rendered useless by man-in-the-browser attacks that take over seemingly ‘good’ PCs. Please see our research “Privacy Collides With Fraud Detection and Crumbles Flash Cookies” G00174277 for more information on client device identification alternatives.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.