Avivah Litan

A member of the Gartner Blog Network

What Intel’s McAfee acquisition means for Identity

by Avivah Litan  |  August 20, 2010  |  2 Comments

A lot of the industry buzz surrounding Intel’s acquisition of McAfee concerns the potential value proposition of Intel chips enabling hardware-based identity information that maps a user’s computing device to his or her identity. This vision has long been bandied about by other chip makers when they talk about helping secure land-based or mobile computing platforms. Often, the folks working for these companies get that ‘dazzled-I’m-on-to-something-big-that-will-solve-PC-security-problems’ look when they discuss this vision.

Well, sorry to say, at least from a fraud detection perspective, tagging machines and linking the machines to a user’s identity works well for identifying good guys but does nothing to help identify the bad ones. Bad guys know how to take over good-guy user machines and launch their stealth attacks from them, masking their true identities under the cloak of a ‘good’ PC or mobile computing device.

Of course, hardware level machine identification is a good way to tag a PC, but there are other options available that are in fact more effective at catching the crooks. One thing is obvious – fraudsters won’t let the computing devices they use to perpetrate their crimes be tagged as ‘bad.’  They will just delete the tags, if they can, or use a different PC that is either not tagged or tagged as ‘good.’

In sum, hardware level tagging of users’ computing devices is a good way to tag good users and is a good way to track them. But good security means we need to identify the bad users, not just the good ones.  And this approach, on its own, does nothing to stop a bad user from taking over a good machine.

Intel may one day go further and sell locked down browsing launched from a ‘secure chip’ environment – which may keep bad guys from taking over good users’ machines’ browsers. We’ll have to wait and see.

In the meantime, there are a few good client-device-identification solutions sold today that don’t require tagging a user’s PC – either with software or via hardware. And they have certainly been effective at helping prevent fraud, although they can be rendered useless by man-in-the-browser attacks that take over seemingly ‘good’ PCs.  Please see our research “Privacy Collides With Fraud Detection and Crumbles Flash Cookies” G00174277 for more information on client device identification alternatives.
